sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code

r874: This patch is a pile of work on NTLMSSP:

Browse Source 
Samba's NTLMSSP code is now fully talloc based, which should go a long
way to cleaning up the memory leaks in this code.  This also avoids a
lot of extra copies of data, as we now allocate the 'return' blobs on
a caller-supplied context.

I have also been doing a lot of work towards NTLM2 signing and
sealing.  I have this working for sealing, but not for the verifier
(MD5 integrity check on the stream) which is still incorrect.

(I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the
data arrives intact, but the signature check fails.  It does however
match the test values I have...).

The new torture test is cludged in - when we get a unit test suite
back, I'll happliy put it in the 'right' place....

Andrew Bartlett
This commit is contained in:
Andrew Bartlett 2004-05-25 14:06:28 +00:00 committed by Gerald (Jerry) Carter
parent 9a9244a1c6
commit 399e2e2b11
18 changed files with 431 additions and 263 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
source/auth/auth_ntlmssp.c
View File

@ -162,7 +162,7 @@ NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
(*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
(*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password; (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
(*auth_ntlmssp_state)->ntlmssp_state->server_role = lp_server_role(); (*auth_ntlmssp_state)->ntlmssp_state->server_role = lp_server_role();
return NT_STATUS_OK; return NT_STATUS_OK;
} }
@ -183,8 +183,23 @@ void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
*auth_ntlmssp_state = NULL; *auth_ntlmssp_state = NULL;
} }
/**
* Next state function for the wrapped NTLMSSP state machine
*
* @param auth_ntlmssp_state NTLMSSP State
* @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
* @param in The request, as a DATA_BLOB
* @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
* @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
* or NT_STATUS_OK if the user is authenticated.
*/
NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
const DATA_BLOB request, DATA_BLOB *reply) TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{ {
return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply); return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state,
out_mem_ctx,
in, out);
} }

15
source/lib/crypto/hmacmd5.c
View File

@ -77,20 +77,7 @@ void hmac_md5_init_limK_to_64(const uchar* key, int key_len,
key_len = 64; key_len = 64;
} }
/* start out by storing key in pads */ hmac_md5_init_rfc2104(key, key_len, ctx);
ZERO_STRUCT(ctx->k_ipad);
ZERO_STRUCT(ctx->k_opad);
memcpy( ctx->k_ipad, key, key_len);
memcpy( ctx->k_opad, key, key_len);
/* XOR key with ipad and opad values */
for (i=0; i<64; i++) {
ctx->k_ipad[i] ^= 0x36;
ctx->k_opad[i] ^= 0x5c;
}
MD5Init(&ctx->ctx);
MD5Update(&ctx->ctx, ctx->k_ipad, 64);
} }
/*********************************************************************** /***********************************************************************

56
source/lib/util_str.c
View File

@ -1196,6 +1196,62 @@ void ipstr_list_free(char* ipstr_list)
SAFE_FREE(ipstr_list); SAFE_FREE(ipstr_list);
} }
/**
Routine to get hex characters and turn them into a 16 byte array.
the array can be variable length, and any non-hex-numeric
characters are skipped. "0xnn" or "0Xnn" is specially catered
for.
valid examples: "0A5D15"; "0x15, 0x49, 0xa2"; "59\ta9\te3\n"
**/
size_t strhex_to_str(char *p, size_t len, const char *strhex)
{
size_t i;
size_t num_chars = 0;
unsigned char lonybble, hinybble;
const char *hexchars = "0123456789ABCDEF";
char *p1 = NULL, *p2 = NULL;
for (i = 0; i < len && strhex[i] != 0; i++) {
if (strnequal(hexchars, "0x", 2)) {
i++; /* skip two chars */
continue;
}
if (!(p1 = strchr_m(hexchars, toupper(strhex[i]))))
break;
i++; /* next hex digit */
if (!(p2 = strchr_m(hexchars, toupper(strhex[i]))))
break;
/* get the two nybbles */
hinybble = PTR_DIFF(p1, hexchars);
lonybble = PTR_DIFF(p2, hexchars);
p[num_chars] = (hinybble << 4) | lonybble;
num_chars++;
p1 = NULL;
p2 = NULL;
}
return num_chars;
}
DATA_BLOB strhex_to_data_blob(const char *strhex)
{
DATA_BLOB ret_blob = data_blob(NULL, strlen(strhex)/2+1);
ret_blob.length = strhex_to_str(ret_blob.data,
strlen(strhex),
strhex);
return ret_blob;
}
/** /**
Unescape a URL encoded string, in place. Unescape a URL encoded string, in place.

209
source/libcli/auth/ntlmssp.c
View File

@ -24,13 +24,17 @@
#include "includes.h" #include "includes.h"
static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB reply, DATA_BLOB *next_request); TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out);
static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out); const DATA_BLOB in, DATA_BLOB *out);
static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB reply, DATA_BLOB *next_request); TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out);
static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB request, DATA_BLOB *reply); TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out);
/** /**
* Callbacks for NTLMSSP - for both client and server operating modes * Callbacks for NTLMSSP - for both client and server operating modes
@ -41,6 +45,7 @@ static const struct ntlmssp_callbacks {
enum NTLMSSP_ROLE role; enum NTLMSSP_ROLE role;
enum NTLM_MESSAGE_TYPE ntlmssp_command; enum NTLM_MESSAGE_TYPE ntlmssp_command;
NTSTATUS (*fn)(struct ntlmssp_state *ntlmssp_state, NTSTATUS (*fn)(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out); DATA_BLOB in, DATA_BLOB *out);
} ntlmssp_callbacks[] = { } ntlmssp_callbacks[] = {
{NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial}, {NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
@ -205,12 +210,15 @@ NTSTATUS ntlmssp_store_response(NTLMSSP_STATE *ntlmssp_state,
* Next state function for the NTLMSSP state machine * Next state function for the NTLMSSP state machine
* *
* @param ntlmssp_state NTLMSSP State * @param ntlmssp_state NTLMSSP State
* @param in The packet in from the NTLMSSP partner, as a DATA_BLOB * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
* @param out The reply, as an allocated DATA_BLOB, caller to free. * @param in The request, as a DATA_BLOB
* @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK. * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
* @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
* or NT_STATUS_OK if the user is authenticated.
*/ */
NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state, NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out) const DATA_BLOB in, DATA_BLOB *out)
{ {
DATA_BLOB input; DATA_BLOB input;
@ -219,6 +227,16 @@ NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
*out = data_blob(NULL, 0); *out = data_blob(NULL, 0);
if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
return NT_STATUS_INVALID_PARAMETER;
}
if (!out_mem_ctx) {
/* if the caller doesn't want to manage/own the memory,
we can put it on our context */
out_mem_ctx = ntlmssp_state->mem_ctx;
}
if (!in.length && ntlmssp_state->stored_response.length) { if (!in.length && ntlmssp_state->stored_response.length) {
input = ntlmssp_state->stored_response; input = ntlmssp_state->stored_response;
@ -239,7 +257,8 @@ NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
break; break;
} }
} else { } else {
if (!msrpc_parse(&input, "Cd", if (!msrpc_parse(ntlmssp_state->mem_ctx,
&input, "Cd",
"NTLMSSP", "NTLMSSP",
&ntlmssp_command)) { &ntlmssp_command)) {
DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n")); DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
@ -255,8 +274,9 @@ NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
for (i=0; ntlmssp_callbacks[i].fn; i++) { for (i=0; ntlmssp_callbacks[i].fn; i++) {
if (ntlmssp_callbacks[i].role == ntlmssp_state->role if (ntlmssp_callbacks[i].role == ntlmssp_state->role
&& ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) { && ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command
return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out); && ntlmssp_callbacks[i].fn) {
return ntlmssp_callbacks[i].fn(ntlmssp_state, out_mem_ctx, input, out);
} }
} }
@ -279,10 +299,6 @@ void ntlmssp_end(NTLMSSP_STATE **ntlmssp_state)
(*ntlmssp_state)->ref_count--; (*ntlmssp_state)->ref_count--;
if ((*ntlmssp_state)->ref_count == 0) { if ((*ntlmssp_state)->ref_count == 0) {
data_blob_free(&(*ntlmssp_state)->chal);
data_blob_free(&(*ntlmssp_state)->lm_resp);
data_blob_free(&(*ntlmssp_state)->nt_resp);
data_blob_free(&(*ntlmssp_state)->encrypted_session_key);
talloc_destroy(mem_ctx); talloc_destroy(mem_ctx);
} }
@ -391,6 +407,7 @@ static void ntlmssp_weaken_keys(struct ntlmssp_state *ntlmssp_state) {
ntlmssp_state->session_key.data[6] = 0x38; ntlmssp_state->session_key.data[6] = 0x38;
ntlmssp_state->session_key.data[7] = 0xb0; ntlmssp_state->session_key.data[7] = 0xb0;
} }
ntlmssp_state->session_key.length = 8;
} }
} }
@ -398,13 +415,15 @@ static void ntlmssp_weaken_keys(struct ntlmssp_state *ntlmssp_state) {
* Next state function for the Negotiate packet * Next state function for the Negotiate packet
* *
* @param ntlmssp_state NTLMSSP State * @param ntlmssp_state NTLMSSP State
* @param request The request, as a DATA_BLOB * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
* @param request The reply, as an allocated DATA_BLOB, caller to free. * @param in The request, as a DATA_BLOB
* @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
* @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent. * @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
*/ */
static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB request, DATA_BLOB *reply) TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{ {
DATA_BLOB struct_blob; DATA_BLOB struct_blob;
fstring dnsname, dnsdomname; fstring dnsname, dnsdomname;
@ -419,21 +438,19 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
file_save("ntlmssp_negotiate.dat", request.data, request.length); file_save("ntlmssp_negotiate.dat", request.data, request.length);
#endif #endif
if (request.length) { if (in.length) {
if (!msrpc_parse(&request, "CddAA", if (!msrpc_parse(ntlmssp_state->mem_ctx,
&in, "CddAA",
"NTLMSSP", "NTLMSSP",
&ntlmssp_command, &ntlmssp_command,
&neg_flags, &neg_flags,
&cliname, &cliname,
&domname)) { &domname)) {
DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP:\n")); DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP:\n"));
dump_data(2, (const char *)request.data, request.length); dump_data(2, (const char *)in.data, in.length);
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
SAFE_FREE(cliname);
SAFE_FREE(domname);
debug_ntlmssp_flags(neg_flags); debug_ntlmssp_flags(neg_flags);
} }
@ -481,7 +498,8 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
target_name_dns = dnsname; target_name_dns = dnsname;
} }
msrpc_gen(&struct_blob, "aaaaa", msrpc_gen(out_mem_ctx,
&struct_blob, "aaaaa",
NTLMSSP_NAME_TYPE_DOMAIN, target_name, NTLMSSP_NAME_TYPE_DOMAIN, target_name,
NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(), NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname, NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname,
@ -500,7 +518,8 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
gen_string = "CdAdbddB"; gen_string = "CdAdbddB";
} }
msrpc_gen(reply, gen_string, msrpc_gen(out_mem_ctx,
out, gen_string,
"NTLMSSP", "NTLMSSP",
NTLMSSP_CHALLENGE, NTLMSSP_CHALLENGE,
target_name, target_name,
@ -510,8 +529,6 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
struct_blob.data, struct_blob.length); struct_blob.data, struct_blob.length);
} }
data_blob_free(&struct_blob);
ntlmssp_state->expected_state = NTLMSSP_AUTH; ntlmssp_state->expected_state = NTLMSSP_AUTH;
return NT_STATUS_MORE_PROCESSING_REQUIRED; return NT_STATUS_MORE_PROCESSING_REQUIRED;
@ -522,7 +539,6 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
* *
* @param ntlmssp_state NTLMSSP State * @param ntlmssp_state NTLMSSP State
* @param request The request, as a DATA_BLOB * @param request The request, as a DATA_BLOB
* @param request The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or NT_STATUS_OK. * @return Errors or NT_STATUS_OK.
*/ */
@ -549,6 +565,7 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
parse_string = "CdBBAAABd"; parse_string = "CdBBAAABd";
} }
/* zero these out */
data_blob_free(&ntlmssp_state->lm_resp); data_blob_free(&ntlmssp_state->lm_resp);
data_blob_free(&ntlmssp_state->nt_resp); data_blob_free(&ntlmssp_state->nt_resp);
@ -557,7 +574,8 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->workstation = NULL; ntlmssp_state->workstation = NULL;
/* now the NTLMSSP encoded auth hashes */ /* now the NTLMSSP encoded auth hashes */
if (!msrpc_parse(&request, parse_string, if (!msrpc_parse(ntlmssp_state->mem_ctx,
&request, parse_string,
"NTLMSSP", "NTLMSSP",
&ntlmssp_command, &ntlmssp_command,
&ntlmssp_state->lm_resp, &ntlmssp_state->lm_resp,
@ -569,9 +587,8 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
&auth_flags)) { &auth_flags)) {
DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n")); DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
dump_data(10, (const char *)request.data, request.length); dump_data(10, (const char *)request.data, request.length);
SAFE_FREE(domain);
SAFE_FREE(user); /* zero this out */
SAFE_FREE(workstation);
data_blob_free(&ntlmssp_state->encrypted_session_key); data_blob_free(&ntlmssp_state->encrypted_session_key);
auth_flags = 0; auth_flags = 0;
@ -583,7 +600,8 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
} }
/* now the NTLMSSP encoded auth hashes */ /* now the NTLMSSP encoded auth hashes */
if (!msrpc_parse(&request, parse_string, if (!msrpc_parse(ntlmssp_state->mem_ctx,
&request, parse_string,
"NTLMSSP", "NTLMSSP",
&ntlmssp_command, &ntlmssp_command,
&ntlmssp_state->lm_resp, &ntlmssp_state->lm_resp,
@ -593,9 +611,6 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
&workstation)) { &workstation)) {
DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n")); DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n"));
dump_data(2, (const char *)request.data, request.length); dump_data(2, (const char *)request.data, request.length);
SAFE_FREE(domain);
SAFE_FREE(user);
SAFE_FREE(workstation);
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
@ -605,33 +620,23 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key); ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) { if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) {
SAFE_FREE(domain); /* zero this out */
SAFE_FREE(user);
SAFE_FREE(workstation);
data_blob_free(&ntlmssp_state->encrypted_session_key); data_blob_free(&ntlmssp_state->encrypted_session_key);
return nt_status; return nt_status;
} }
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) { if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
SAFE_FREE(domain); /* zero this out */
SAFE_FREE(user);
SAFE_FREE(workstation);
data_blob_free(&ntlmssp_state->encrypted_session_key); data_blob_free(&ntlmssp_state->encrypted_session_key);
return nt_status; return nt_status;
} }
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_workstation(ntlmssp_state, workstation))) { if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_workstation(ntlmssp_state, workstation))) {
SAFE_FREE(domain); /* zero this out */
SAFE_FREE(user);
SAFE_FREE(workstation);
data_blob_free(&ntlmssp_state->encrypted_session_key); data_blob_free(&ntlmssp_state->encrypted_session_key);
return nt_status; return nt_status;
} }
SAFE_FREE(domain);
SAFE_FREE(user);
SAFE_FREE(workstation);
DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n", DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, (unsigned long)ntlmssp_state->lm_resp.length, (unsigned long)ntlmssp_state->nt_resp.length)); ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, (unsigned long)ntlmssp_state->lm_resp.length, (unsigned long)ntlmssp_state->nt_resp.length));
@ -648,7 +653,8 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) { if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
struct MD5Context md5_session_nonce_ctx; struct MD5Context md5_session_nonce_ctx;
SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8); SMB_ASSERT(ntlmssp_state->internal_chal.data
&& ntlmssp_state->internal_chal.length == 8);
ntlmssp_state->doing_ntlm2 = True; ntlmssp_state->doing_ntlm2 = True;
@ -659,13 +665,17 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
MD5Update(&md5_session_nonce_ctx, ntlmssp_state->session_nonce, 16); MD5Update(&md5_session_nonce_ctx, ntlmssp_state->session_nonce, 16);
MD5Final(session_nonce_hash, &md5_session_nonce_ctx); MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, session_nonce_hash, 8); ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx,
session_nonce_hash, 8);
/* LM response is no longer useful */ /* LM response is no longer useful, zero it out */
data_blob_free(&ntlmssp_state->lm_resp); data_blob_free(&ntlmssp_state->lm_resp);
/* We changed the effective challenge - set it */ /* We changed the effective challenge - set it */
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) { if (!NT_STATUS_IS_OK(nt_status =
ntlmssp_state->set_challenge(ntlmssp_state,
&ntlmssp_state->chal))) {
/* zero this out */
data_blob_free(&ntlmssp_state->encrypted_session_key); data_blob_free(&ntlmssp_state->encrypted_session_key);
return nt_status; return nt_status;
} }
@ -678,25 +688,20 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
} }
/** /**
* Next state function for the Authenticate packet * Next state function for the Authenticate packet
* (after authentication - figures out the session keys etc)
* *
* @param ntlmssp_state NTLMSSP State * @param ntlmssp_state NTLMSSP State
* @param request The request, as a DATA_BLOB
* @param reply The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or NT_STATUS_OK. * @return Errors or NT_STATUS_OK.
*/ */
static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB *user_session_key, DATA_BLOB *user_session_key,
DATA_BLOB *lm_session_key, DATA_BLOB *lm_session_key)
DATA_BLOB *reply)
{ {
NTSTATUS nt_status; NTSTATUS nt_status;
DATA_BLOB session_key = data_blob(NULL, 0); DATA_BLOB session_key = data_blob(NULL, 0);
/* parse the NTLMSSP packet */
*reply = data_blob(NULL, 0);
if (user_session_key) if (user_session_key)
dump_data_pw("USER session key:\n", user_session_key->data, user_session_key->length); dump_data_pw("USER session key:\n", user_session_key->data, user_session_key->length);
@ -807,8 +812,15 @@ static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
data_blob_free(&ntlmssp_state->encrypted_session_key); data_blob_free(&ntlmssp_state->encrypted_session_key);
/* allow arbitarily many authentications */ /* allow arbitarily many authentications, but watch that this will cause a
ntlmssp_state->expected_state = NTLMSSP_AUTH; memory leak, until the ntlmssp_state is shutdown
*/
if (ntlmssp_state->server_multiple_authentications) {
ntlmssp_state->expected_state = NTLMSSP_AUTH;
} else {
ntlmssp_state->expected_state = NTLMSSP_DONE;
}
return nt_status; return nt_status;
} }
@ -818,22 +830,23 @@ static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
* Next state function for the Authenticate packet * Next state function for the Authenticate packet
* *
* @param ntlmssp_state NTLMSSP State * @param ntlmssp_state NTLMSSP State
* @param request The request, as a DATA_BLOB * @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
* @param reply The reply, as an allocated DATA_BLOB, caller to free. * @param out The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or NT_STATUS_OK. * @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
*/ */
static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB request, DATA_BLOB *reply) TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{ {
DATA_BLOB user_session_key = data_blob(NULL, 0); DATA_BLOB user_session_key = data_blob(NULL, 0);
DATA_BLOB lm_session_key = data_blob(NULL, 0); DATA_BLOB lm_session_key = data_blob(NULL, 0);
NTSTATUS nt_status; NTSTATUS nt_status;
/* parse the NTLMSSP packet */ /* zero the outbound NTLMSSP packet */
*reply = data_blob(NULL, 0); *out = data_blob_talloc(out_mem_ctx, NULL, 0);
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_preauth(ntlmssp_state, request))) { if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_preauth(ntlmssp_state, in))) {
return nt_status; return nt_status;
} }
@ -851,7 +864,12 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
return nt_status; return nt_status;
} }
return ntlmssp_server_postauth(ntlmssp_state, &user_session_key, &lm_session_key, reply); if (ntlmssp_state->server_use_session_keys) {
return ntlmssp_server_postauth(ntlmssp_state, &user_session_key, &lm_session_key);
} else {
ntlmssp_state->session_key = data_blob(NULL, 0);
return NT_STATUS_OK;
}
} }
/** /**
@ -889,6 +907,9 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
(*ntlmssp_state)->allow_lm_key = (lp_lanman_auth() (*ntlmssp_state)->allow_lm_key = (lp_lanman_auth()
&& lp_parm_bool(-1, "ntlmssp_server", "allow_lm_key", False)); && lp_parm_bool(-1, "ntlmssp_server", "allow_lm_key", False));
(*ntlmssp_state)->server_use_session_keys = True;
(*ntlmssp_state)->server_multiple_authentications = False;
(*ntlmssp_state)->ref_count = 1; (*ntlmssp_state)->ref_count = 1;
(*ntlmssp_state)->neg_flags = (*ntlmssp_state)->neg_flags =
@ -910,13 +931,15 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
* Next state function for the Initial packet * Next state function for the Initial packet
* *
* @param ntlmssp_state NTLMSSP State * @param ntlmssp_state NTLMSSP State
* @param request The request, as a DATA_BLOB. reply.data must be NULL * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
* @param request The reply, as an allocated DATA_BLOB, caller to free. * @param in The request, as a DATA_BLOB. reply.data must be NULL
* @param out The reply, as an talloc()ed DATA_BLOB, on out_mem_ctx
* @return Errors or NT_STATUS_OK. * @return Errors or NT_STATUS_OK.
*/ */
static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB reply, DATA_BLOB *next_request) TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out)
{ {
if (ntlmssp_state->unicode) { if (ntlmssp_state->unicode) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
@ -929,7 +952,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
} }
/* generate the ntlmssp negotiate packet */ /* generate the ntlmssp negotiate packet */
msrpc_gen(next_request, "CddAA", msrpc_gen(out_mem_ctx,
out, "CddAA",
"NTLMSSP", "NTLMSSP",
NTLMSSP_NEGOTIATE, NTLMSSP_NEGOTIATE,
ntlmssp_state->neg_flags, ntlmssp_state->neg_flags,
@ -951,7 +975,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
*/ */
static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB reply, DATA_BLOB *next_request) TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{ {
uint32 chal_flags, ntlmssp_command, unkn1, unkn2; uint32 chal_flags, ntlmssp_command, unkn1, unkn2;
DATA_BLOB server_domain_blob; DATA_BLOB server_domain_blob;
@ -968,13 +993,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB encrypted_session_key = data_blob(NULL, 0); DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
NTSTATUS nt_status; NTSTATUS nt_status;
if (!msrpc_parse(&reply, "CdBd", if (!msrpc_parse(ntlmssp_state->mem_ctx,
&in, "CdBd",
"NTLMSSP", "NTLMSSP",
&ntlmssp_command, &ntlmssp_command,
&server_domain_blob, &server_domain_blob,
&chal_flags)) { &chal_flags)) {
DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
dump_data(2, (const char *)reply.data, reply.length); dump_data(2, (const char *)in.data, in.length);
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
@ -1006,7 +1032,8 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
DEBUG(3, ("NTLMSSP: Set final flags:\n")); DEBUG(3, ("NTLMSSP: Set final flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags); debug_ntlmssp_flags(ntlmssp_state->neg_flags);
if (!msrpc_parse(&reply, chal_parse_string, if (!msrpc_parse(ntlmssp_state->mem_ctx,
&in, chal_parse_string,
"NTLMSSP", "NTLMSSP",
&ntlmssp_command, &ntlmssp_command,
&server_domain, &server_domain,
@ -1015,16 +1042,13 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
&unkn1, &unkn2, &unkn1, &unkn2,
&struct_blob)) { &struct_blob)) {
DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n")); DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
dump_data(2, (const char *)reply.data, reply.length); dump_data(2, (const char *)in.data, in.length);
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
ntlmssp_state->server_domain = talloc_strdup(ntlmssp_state->mem_ctx, ntlmssp_state->server_domain = server_domain;
server_domain);
SAFE_FREE(server_domain);
if (challenge_blob.length != 8) { if (challenge_blob.length != 8) {
data_blob_free(&struct_blob);
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
@ -1137,7 +1161,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
/* LM Key is incompatible... */ /* LM Key is incompatible... */
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
} }
} }
if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
@ -1156,8 +1179,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
dump_data_pw("LM session key\n", session_key.data, session_key.length); dump_data_pw("LM session key\n", session_key.data, session_key.length);
} }
data_blob_free(&struct_blob);
/* Key exchange encryptes a new client-generated session key with /* Key exchange encryptes a new client-generated session key with
the password-derived key */ the password-derived key */
@ -1167,18 +1188,19 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
generate_random_buffer(client_session_key, sizeof(client_session_key), False); generate_random_buffer(client_session_key, sizeof(client_session_key), False);
/* Encrypt the new session key with the old one */ /* Encrypt the new session key with the old one */
encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key)); encrypted_session_key = data_blob_talloc(ntlmssp_state->mem_ctx,
client_session_key, sizeof(client_session_key));
dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length); dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length); SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length); dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
/* Mark the new session key as the 'real' session key */ /* Mark the new session key as the 'real' session key */
data_blob_free(&session_key);
session_key = data_blob_talloc(ntlmssp_state->mem_ctx, client_session_key, sizeof(client_session_key)); session_key = data_blob_talloc(ntlmssp_state->mem_ctx, client_session_key, sizeof(client_session_key));
} }
/* this generates the actual auth packet */ /* this generates the actual auth packet */
if (!msrpc_gen(next_request, auth_gen_string, if (!msrpc_gen(out_mem_ctx,
out, auth_gen_string,
"NTLMSSP", "NTLMSSP",
NTLMSSP_AUTH, NTLMSSP_AUTH,
lm_response.data, lm_response.length, lm_response.data, lm_response.length,
@ -1192,10 +1214,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
data_blob_free(&encrypted_session_key);
data_blob_free(&ntlmssp_state->chal);
ntlmssp_state->session_key = session_key; ntlmssp_state->session_key = session_key;
/* The client might be using 56 or 40 bit weakened keys */ /* The client might be using 56 or 40 bit weakened keys */
@ -1205,10 +1223,11 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->lm_resp = lm_response; ntlmssp_state->lm_resp = lm_response;
ntlmssp_state->nt_resp = nt_response; ntlmssp_state->nt_resp = nt_response;
ntlmssp_state->expected_state = NTLMSSP_UNKNOWN; ntlmssp_state->expected_state = NTLMSSP_DONE;
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) { if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status))); DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
nt_errstr(nt_status)));
return nt_status; return nt_status;
} }

19
source/libcli/auth/ntlmssp.h
View File

@ -34,7 +34,8 @@ enum NTLM_MESSAGE_TYPE
NTLMSSP_NEGOTIATE = 1, NTLMSSP_NEGOTIATE = 1,
NTLMSSP_CHALLENGE = 2, NTLMSSP_CHALLENGE = 2,
NTLMSSP_AUTH = 3, NTLMSSP_AUTH = 3,
NTLMSSP_UNKNOWN = 4 NTLMSSP_UNKNOWN = 4,
NTLMSSP_DONE = 5 /* samba final state */
}; };
/* NTLMSSP negotiation flags */ /* NTLMSSP negotiation flags */
@ -80,9 +81,15 @@ typedef struct ntlmssp_state
BOOL unicode; BOOL unicode;
BOOL use_ntlmv2; BOOL use_ntlmv2;
BOOL use_nt_response; /* Set to 'NO' to debug what happens when the NT response is omited */ BOOL use_nt_response; /* Set to 'False' to debug what happens when the NT response is omited */
BOOL allow_lm_key; /* The LM_KEY code is not functional at this point, and it's not BOOL allow_lm_key; /* The LM_KEY code is not functional at this point, and it's not
very secure anyway */ very secure anyway */
BOOL server_use_session_keys; /* Set to 'False' for authentication only,
that will never return a session key */
BOOL server_multiple_authentications; /* Set to 'True' to allow squid 2.5
style 'challenge caching' */
char *user; char *user;
char *domain; char *domain;
char *workstation; char *workstation;
@ -159,10 +166,10 @@ typedef struct ntlmssp_state
uint32 ntlmssp_seq_num; uint32 ntlmssp_seq_num;
/* ntlmv2 */ /* ntlmv2 */
char send_sign_const[16]; char send_sign_key[16];
char send_seal_const[16]; char send_seal_key[16];
char recv_sign_const[16]; char recv_sign_key[16];
char recv_seal_const[16]; char recv_seal_key[16];
unsigned char send_sign_hash[258]; unsigned char send_sign_hash[258];
unsigned char send_seal_hash[258]; unsigned char send_seal_hash[258];

32
source/libcli/auth/ntlmssp_parse.c
View File

@ -40,7 +40,7 @@
d = word (4 bytes) d = word (4 bytes)
C = constant ascii string C = constant ascii string
*/ */
BOOL msrpc_gen(DATA_BLOB *blob, BOOL msrpc_gen(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
const char *format, ...) const char *format, ...)
{ {
int i, n; int i, n;
@ -91,7 +91,7 @@ BOOL msrpc_gen(DATA_BLOB *blob,
va_end(ap); va_end(ap);
/* allocate the space, then scan the format again to fill in the values */ /* allocate the space, then scan the format again to fill in the values */
*blob = data_blob(NULL, head_size + data_size); *blob = data_blob_talloc(mem_ctx, NULL, head_size + data_size);
head_ofs = 0; head_ofs = 0;
data_ofs = head_size; data_ofs = head_size;
@ -182,12 +182,12 @@ if ((head_ofs + amount) > blob->length) { \
C = constant ascii string C = constant ascii string
*/ */
BOOL msrpc_parse(const DATA_BLOB *blob, BOOL msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
const char *format, ...) const char *format, ...)
{ {
int i; int i;
va_list ap; va_list ap;
char **ps, *s; const char **ps, *s;
DATA_BLOB *b; DATA_BLOB *b;
size_t head_ofs = 0; size_t head_ofs = 0;
uint16 len1, len2; uint16 len1, len2;
@ -206,7 +206,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
ps = va_arg(ap, char **); ps = va_arg(ap, char **);
if (len1 == 0 && len2 == 0) { if (len1 == 0 && len2 == 0) {
*ps = smb_xstrdup(""); *ps = "";
} else { } else {
/* make sure its in the right format - be strict */ /* make sure its in the right format - be strict */
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
@ -223,9 +223,12 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
pull_string(NULL, p, blob->data + ptr, sizeof(p), pull_string(NULL, p, blob->data + ptr, sizeof(p),
len1, len1,
STR_UNICODE|STR_NOALIGN); STR_UNICODE|STR_NOALIGN);
(*ps) = smb_xstrdup(p); (*ps) = talloc_strdup(mem_ctx, p);
if (!(*ps)) {
return False;
}
} else { } else {
(*ps) = smb_xstrdup(""); (*ps) = "";
} }
} }
break; break;
@ -238,7 +241,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
ps = va_arg(ap, char **); ps = va_arg(ap, char **);
/* make sure its in the right format - be strict */ /* make sure its in the right format - be strict */
if (len1 == 0 && len2 == 0) { if (len1 == 0 && len2 == 0) {
*ps = smb_xstrdup(""); *ps = "";
} else { } else {
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False; return False;
@ -251,9 +254,12 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
pull_string(NULL, p, blob->data + ptr, sizeof(p), pull_string(NULL, p, blob->data + ptr, sizeof(p),
len1, len1,
STR_ASCII|STR_NOALIGN); STR_ASCII|STR_NOALIGN);
(*ps) = smb_xstrdup(p); (*ps) = talloc_strdup(mem_ctx, p);
if (!(*ps)) {
return False;
}
} else { } else {
(*ps) = smb_xstrdup(""); (*ps) = "";
} }
} }
break; break;
@ -265,7 +271,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
b = (DATA_BLOB *)va_arg(ap, void *); b = (DATA_BLOB *)va_arg(ap, void *);
if (len1 == 0 && len2 == 0) { if (len1 == 0 && len2 == 0) {
*b = data_blob(NULL, 0); *b = data_blob_talloc(mem_ctx, NULL, 0);
} else { } else {
/* make sure its in the right format - be strict */ /* make sure its in the right format - be strict */
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
@ -275,7 +281,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data) if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
return False; return False;
*b = data_blob(blob->data + ptr, len1); *b = data_blob_talloc(mem_ctx, blob->data + ptr, len1);
} }
break; break;
case 'b': case 'b':
@ -286,7 +292,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data) if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
return False; return False;
*b = data_blob(blob->data + head_ofs, len1); *b = data_blob_talloc(mem_ctx, blob->data + head_ofs, len1);
head_ofs += len1; head_ofs += len1;
break; break;
case 'd': case 'd':

207
source/libcli/auth/ntlmssp_sign.c
View File

@ -53,7 +53,7 @@ static void NTLMSSPcalc_ap( unsigned char *hash, unsigned char *data, int len)
hash[257] = index_j; hash[257] = index_j;
} }
static void calc_hash(unsigned char hash[258], const char *k2, int k2l) static void calc_hash(unsigned char hash[258], const char *key, size_t key_len)
{ {
unsigned char j = 0; unsigned char j = 0;
int ind; int ind;
@ -67,7 +67,7 @@ static void calc_hash(unsigned char hash[258], const char *k2, int k2l)
{ {
unsigned char tc; unsigned char tc;
j += (hash[ind] + k2[ind%k2l]); j += (hash[ind] + key[ind%key_len]);
tc = hash[ind]; tc = hash[ind];
hash[ind] = hash[j]; hash[ind] = hash[j];
@ -78,23 +78,37 @@ static void calc_hash(unsigned char hash[258], const char *k2, int k2l)
hash[257] = 0; hash[257] = 0;
} }
static void calc_ntlmv2_hash(unsigned char hash[258], unsigned char digest[16], /**
* Some notes on then NTLM2 code:
*
* This code works correctly for the sealing part of the problem. If
* we disable the check for valid client signatures, then we see that
* the output of a rpcecho 'sinkdata' at smbd is correct. We get the
* valid data, and it is validly decrypted.
*
* This means that the quantity of data passing though the RC4 sealing
* pad is correct.
*
* This code also correctly matches test values that I have obtained,
* claiming to be the correct output of NTLM2 signature generation.
*
*/
static void calc_ntlmv2_hash(unsigned char hash[258], unsigned char subkey[16],
DATA_BLOB session_key, DATA_BLOB session_key,
const char *constant) const char *constant)
{ {
struct MD5Context ctx3; struct MD5Context ctx3;
/* NOTE: This code is currently complate fantasy - it's
got more in common with reality than the previous code
(the LM session key is not the right thing to use) but
it still needs work */
MD5Init(&ctx3); MD5Init(&ctx3);
MD5Update(&ctx3, session_key.data, session_key.length); MD5Update(&ctx3, session_key.data, session_key.length);
MD5Update(&ctx3, (const unsigned char *)constant, strlen(constant)+1); MD5Update(&ctx3, constant, strlen(constant)+1);
MD5Final(digest, &ctx3); MD5Final(subkey, &ctx3);
calc_hash(hash, digest, 16); calc_hash(hash, subkey, 16);
} }
enum ntlmssp_direction { enum ntlmssp_direction {
@ -103,40 +117,51 @@ enum ntlmssp_direction {
}; };
static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_STATE *ntlmssp_state, static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_STATE *ntlmssp_state,
TALLOC_CTX *sig_mem_ctx,
const uchar *data, size_t length, const uchar *data, size_t length,
enum ntlmssp_direction direction, enum ntlmssp_direction direction,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
HMACMD5Context ctx; HMACMD5Context ctx;
uchar seq_num[4]; uchar seq_num[4];
uchar digest[16]; uchar digest[16];
SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num); SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num);
hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->send_sign_const), 16, &ctx); switch (direction) {
case NTLMSSP_SEND:
hmac_md5_init_limK_to_64(ntlmssp_state->send_sign_key,
sizeof(ntlmssp_state->send_sign_key), &ctx);
break;
case NTLMSSP_RECEIVE:
hmac_md5_init_limK_to_64(ntlmssp_state->recv_sign_key,
sizeof(ntlmssp_state->recv_sign_key), &ctx);
break;
}
hmac_md5_update(seq_num, 4, &ctx); hmac_md5_update(seq_num, 4, &ctx);
hmac_md5_update(data, length, &ctx); hmac_md5_update(data, length, &ctx);
hmac_md5_final(digest, &ctx); hmac_md5_final(digest, &ctx);
if (!msrpc_gen(sig, "dBd", NTLMSSP_SIGN_VERSION, digest, 8 /* only copy first 8 bytes */
, ntlmssp_state->ntlmssp_seq_num)) {
return NT_STATUS_NO_MEMORY;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
switch (direction) { switch (direction) {
case NTLMSSP_SEND: case NTLMSSP_SEND:
NTLMSSPcalc_ap(ntlmssp_state->send_sign_hash, sig->data+4, sig->length-4); NTLMSSPcalc_ap(ntlmssp_state->send_seal_hash, digest, 8);
break; break;
case NTLMSSP_RECEIVE: case NTLMSSP_RECEIVE:
NTLMSSPcalc_ap(ntlmssp_state->recv_sign_hash, sig->data+4, sig->length-4); NTLMSSPcalc_ap(ntlmssp_state->recv_seal_hash, digest, 8);
break; break;
} }
} }
*sig = data_blob_talloc(sig_mem_ctx, NULL, 16);
SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
memcpy(sig->data + 4, digest, 8);
memcpy(sig->data + 12, seq_num, 4);
} else { } else {
uint32 crc; uint32 crc;
crc = crc32_calc_buffer((const char *)data, length); crc = crc32_calc_buffer((const char *)data, length);
if (!msrpc_gen(sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, ntlmssp_state->ntlmssp_seq_num)) { if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, ntlmssp_state->ntlmssp_seq_num)) {
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
@ -148,16 +173,19 @@ static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_STATE *ntlmssp_state,
} }
NTSTATUS ntlmssp_sign_packet(NTLMSSP_STATE *ntlmssp_state, NTSTATUS ntlmssp_sign_packet(NTLMSSP_STATE *ntlmssp_state,
const uchar *data, size_t length, TALLOC_CTX *sig_mem_ctx,
DATA_BLOB *sig) const uchar *data, size_t length,
DATA_BLOB *sig)
{ {
NTSTATUS nt_status; NTSTATUS nt_status;
if (!ntlmssp_state->session_key.length) { if (!ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot check sign packet\n")); DEBUG(3, ("NO session key, cannot check sign packet\n"));
return NT_STATUS_NO_USER_SESSION_KEY; return NT_STATUS_NO_USER_SESSION_KEY;
} }
nt_status = ntlmssp_make_packet_signature(ntlmssp_state, data, length, NTLMSSP_SEND, sig); nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx,
data, length, NTLMSSP_SEND, sig);
/* increment counter on send */ /* increment counter on send */
ntlmssp_state->ntlmssp_seq_num++; ntlmssp_state->ntlmssp_seq_num++;
@ -166,11 +194,11 @@ NTSTATUS ntlmssp_sign_packet(NTLMSSP_STATE *ntlmssp_state,
/** /**
* Check the signature of an incoming packet * Check the signature of an incoming packet
* @note caller *must* check that the signature is the size it expects
* *
*/ */
NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state, NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state,
TALLOC_CTX *sig_mem_ctx,
const uchar *data, size_t length, const uchar *data, size_t length,
const DATA_BLOB *sig) const DATA_BLOB *sig)
{ {
@ -187,7 +215,7 @@ NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state,
(unsigned long)sig->length)); (unsigned long)sig->length));
} }
nt_status = ntlmssp_make_packet_signature(ntlmssp_state, data, nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx, data,
length, NTLMSSP_RECEIVE, &local_sig); length, NTLMSSP_RECEIVE, &local_sig);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
@ -195,22 +223,37 @@ NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state,
return nt_status; return nt_status;
} }
if (local_sig.length != sig->length || /* increment counter on recv */
memcmp(local_sig.data + local_sig.length - 8,
sig->data + sig->length - 8, 8) != 0) {
DEBUG(5, ("BAD SIG: wanted signature of\n"));
dump_data(5, (const char *)local_sig.data, local_sig.length);
DEBUG(5, ("BAD SIG: got signature of\n"));
dump_data(5, (const char *)(sig->data), sig->length);
DEBUG(0, ("NTLMSSP packet check failed due to invalid signature!\n"));
return NT_STATUS_ACCESS_DENIED;
}
/* increment counter on recieive */
ntlmssp_state->ntlmssp_seq_num++; ntlmssp_state->ntlmssp_seq_num++;
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
if (local_sig.length != sig->length ||
memcmp(local_sig.data,
sig->data, sig->length) != 0) {
DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
dump_data(5, local_sig.data, local_sig.length);
DEBUG(5, ("BAD SIG: got signature of\n"));
dump_data(5, sig->data, sig->length);
DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
return NT_STATUS_ACCESS_DENIED;
}
} else {
if (local_sig.length != sig->length ||
memcmp(local_sig.data + 8,
sig->data + 8, sig->length - 8) != 0) {
DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
dump_data(5, (const char *)local_sig.data, local_sig.length);
DEBUG(5, ("BAD SIG: got signature of\n"));
dump_data(5, (const char *)(sig->data), sig->length);
DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
return NT_STATUS_ACCESS_DENIED;
}
}
return NT_STATUS_OK; return NT_STATUS_OK;
} }
@ -221,6 +264,7 @@ NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state,
*/ */
NTSTATUS ntlmssp_seal_packet(NTLMSSP_STATE *ntlmssp_state, NTSTATUS ntlmssp_seal_packet(NTLMSSP_STATE *ntlmssp_state,
TALLOC_CTX *sig_mem_ctx,
uchar *data, size_t length, uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
@ -233,32 +277,34 @@ NTSTATUS ntlmssp_seal_packet(NTLMSSP_STATE *ntlmssp_state,
dump_data_pw("ntlmssp clear data\n", data, length); dump_data_pw("ntlmssp clear data\n", data, length);
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
HMACMD5Context ctx; HMACMD5Context ctx;
char seq_num[4]; uchar seq_num[4];
uchar digest[16]; uchar digest[16];
SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num); SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num);
hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->send_sign_const), 16, &ctx); hmac_md5_init_limK_to_64(ntlmssp_state->send_sign_key,
hmac_md5_update((const unsigned char *)seq_num, 4, &ctx); sizeof(ntlmssp_state->send_sign_key), &ctx);
hmac_md5_update(seq_num, 4, &ctx);
hmac_md5_update(data, length, &ctx); hmac_md5_update(data, length, &ctx);
hmac_md5_final(digest, &ctx); hmac_md5_final(digest, &ctx);
if (!msrpc_gen(sig, "dBd", NTLMSSP_SIGN_VERSION, digest, 8 /* only copy first 8 bytes */ /* The order of these two operations matters - we must first seal the packet,
, ntlmssp_state->ntlmssp_seq_num)) { then seal the sequence number - this is becouse the send_seal_hash is not
return NT_STATUS_NO_MEMORY; constant, but is is rather updated with each iteration */
NTLMSSPcalc_ap(ntlmssp_state->send_seal_hash, data, length);
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
NTLMSSPcalc_ap(ntlmssp_state->send_seal_hash, digest, 8);
} }
dump_data_pw("ntlmssp client sealing hash:\n", *sig = data_blob_talloc(sig_mem_ctx, NULL, 16);
ntlmssp_state->send_seal_hash, SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
sizeof(ntlmssp_state->send_seal_hash)); memcpy(sig->data + 4, digest, 8);
NTLMSSPcalc_ap(ntlmssp_state->send_seal_hash, data, length); memcpy(sig->data + 12, seq_num, 4);
dump_data_pw("ntlmssp client signing hash:\n",
ntlmssp_state->send_sign_hash,
sizeof(ntlmssp_state->send_sign_hash));
NTLMSSPcalc_ap(ntlmssp_state->send_sign_hash, sig->data+4, sig->length-4);
} else { } else {
uint32 crc; uint32 crc;
crc = crc32_calc_buffer((const char *)data, length); crc = crc32_calc_buffer((const char *)data, length);
if (!msrpc_gen(sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, ntlmssp_state->ntlmssp_seq_num)) { if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, ntlmssp_state->ntlmssp_seq_num)) {
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
@ -288,8 +334,9 @@ NTSTATUS ntlmssp_seal_packet(NTLMSSP_STATE *ntlmssp_state,
*/ */
NTSTATUS ntlmssp_unseal_packet(NTLMSSP_STATE *ntlmssp_state, NTSTATUS ntlmssp_unseal_packet(NTLMSSP_STATE *ntlmssp_state,
uchar *data, size_t length, TALLOC_CTX *sig_mem_ctx,
DATA_BLOB *sig) uchar *data, size_t length,
DATA_BLOB *sig)
{ {
if (!ntlmssp_state->session_key.length) { if (!ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n")); DEBUG(3, ("NO session key, cannot unseal packet\n"));
@ -307,7 +354,10 @@ NTSTATUS ntlmssp_unseal_packet(NTLMSSP_STATE *ntlmssp_state,
} }
dump_data_pw("ntlmssp clear data\n", data, length); dump_data_pw("ntlmssp clear data\n", data, length);
return ntlmssp_check_packet(ntlmssp_state, data, length, sig); return ntlmssp_check_packet(ntlmssp_state, sig_mem_ctx, data, length, sig);
/* increment counter on recv */
ntlmssp_state->ntlmssp_seq_num++;
} }
/** /**
@ -348,57 +398,60 @@ NTSTATUS ntlmssp_sign_init(NTLMSSP_STATE *ntlmssp_state)
break; break;
} }
/* SEND */
calc_ntlmv2_hash(ntlmssp_state->send_sign_hash, calc_ntlmv2_hash(ntlmssp_state->send_sign_hash,
ntlmssp_state->send_sign_const, ntlmssp_state->send_sign_key,
ntlmssp_state->session_key, send_sign_const); ntlmssp_state->session_key, send_sign_const);
dump_data_pw("NTLMSSP send sign key:\n",
ntlmssp_state->send_sign_key,
sizeof(ntlmssp_state->send_sign_key));
dump_data_pw("NTLMSSP send sign hash:\n", dump_data_pw("NTLMSSP send sign hash:\n",
ntlmssp_state->send_sign_hash, ntlmssp_state->send_sign_hash,
sizeof(ntlmssp_state->send_sign_hash)); sizeof(ntlmssp_state->send_sign_hash));
calc_ntlmv2_hash(ntlmssp_state->send_seal_hash, calc_ntlmv2_hash(ntlmssp_state->send_seal_hash,
ntlmssp_state->send_seal_const, ntlmssp_state->send_seal_key,
ntlmssp_state->session_key, send_seal_const); ntlmssp_state->session_key, send_seal_const);
dump_data_pw("NTLMSSP send seal key:\n",
ntlmssp_state->send_seal_key,
sizeof(ntlmssp_state->send_seal_key));
dump_data_pw("NTLMSSP send sesl hash:\n", dump_data_pw("NTLMSSP send sesl hash:\n",
ntlmssp_state->send_seal_hash, ntlmssp_state->send_seal_hash,
sizeof(ntlmssp_state->send_seal_hash)); sizeof(ntlmssp_state->send_seal_hash));
/* RECV */
calc_ntlmv2_hash(ntlmssp_state->recv_sign_hash, calc_ntlmv2_hash(ntlmssp_state->recv_sign_hash,
ntlmssp_state->recv_sign_const, ntlmssp_state->recv_sign_key,
ntlmssp_state->session_key, recv_sign_const); ntlmssp_state->session_key, recv_sign_const);
dump_data_pw("NTLMSSP recv sign key:\n",
ntlmssp_state->recv_sign_key,
sizeof(ntlmssp_state->recv_sign_key));
dump_data_pw("NTLMSSP receive sign hash:\n", dump_data_pw("NTLMSSP receive sign hash:\n",
ntlmssp_state->recv_sign_hash, ntlmssp_state->recv_sign_hash,
sizeof(ntlmssp_state->recv_sign_hash)); sizeof(ntlmssp_state->recv_sign_hash));
calc_ntlmv2_hash(ntlmssp_state->recv_seal_hash, calc_ntlmv2_hash(ntlmssp_state->recv_seal_hash,
ntlmssp_state->recv_seal_const, ntlmssp_state->recv_seal_key,
ntlmssp_state->session_key, recv_seal_const); ntlmssp_state->session_key, recv_seal_const);
dump_data_pw("NTLMSSP recv seal key:\n",
ntlmssp_state->recv_sign_key,
sizeof(ntlmssp_state->recv_seal_key));
dump_data_pw("NTLMSSP receive seal hash:\n", dump_data_pw("NTLMSSP receive seal hash:\n",
ntlmssp_state->recv_sign_hash, ntlmssp_state->recv_sign_hash,
sizeof(ntlmssp_state->recv_sign_hash)); sizeof(ntlmssp_state->recv_sign_hash));
}
else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
if (!ntlmssp_state->session_key.data || ntlmssp_state->session_key.length < 8) {
/* can't sign or check signatures yet */
DEBUG(5, ("NTLMSSP Sign/Seal - cannot use LM KEY yet\n"));
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(5, ("NTLMSSP Sign/Seal - using LM KEY\n"));
calc_hash(ntlmssp_state->ntlmssp_hash, (const char *)(ntlmssp_state->session_key.data), 8);
dump_data_pw("NTLMSSP hash:\n", ntlmssp_state->ntlmssp_hash,
sizeof(ntlmssp_state->ntlmssp_hash));
} else { } else {
if (!ntlmssp_state->session_key.data || ntlmssp_state->session_key.length < 16) { if (!ntlmssp_state->session_key.data) {
/* can't sign or check signatures yet */ /* can't sign or check signatures yet */
DEBUG(5, ("NTLMSSP Sign/Seal - cannot use NT KEY yet\n")); DEBUG(5, ("NTLMSSP Sign/Seal - cannot use NT KEY\n"));
return NT_STATUS_UNSUCCESSFUL; return NT_STATUS_UNSUCCESSFUL;
} }
DEBUG(5, ("NTLMSSP Sign/Seal - using NT KEY\n")); DEBUG(5, ("NTLMSSP Sign/Seal - using NT KEY\n"));
calc_hash(ntlmssp_state->ntlmssp_hash, (const char *)(ntlmssp_state->session_key.data), 16); calc_hash(ntlmssp_state->ntlmssp_hash, (const char *)(ntlmssp_state->session_key.data), ntlmssp_state->session_key.length);
dump_data_pw("NTLMSSP hash:\n", ntlmssp_state->ntlmssp_hash, dump_data_pw("NTLMSSP hash:\n", ntlmssp_state->ntlmssp_hash,
sizeof(ntlmssp_state->ntlmssp_hash)); sizeof(ntlmssp_state->ntlmssp_hash));
} }

7
source/libcli/auth/schannel.c
View File

@ -93,6 +93,7 @@ static void schannel_digest(const uchar sess_key[16],
unseal a packet unseal a packet
*/ */
NTSTATUS schannel_unseal_packet(struct schannel_state *state, NTSTATUS schannel_unseal_packet(struct schannel_state *state,
TALLOC_CTX *mem_ctx,
uchar *data, size_t length, uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
@ -183,6 +184,7 @@ NTSTATUS schannel_check_packet(struct schannel_state *state,
seal a packet seal a packet
*/ */
NTSTATUS schannel_seal_packet(struct schannel_state *state, NTSTATUS schannel_seal_packet(struct schannel_state *state,
TALLOC_CTX *mem_ctx,
uchar *data, size_t length, uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
@ -208,7 +210,7 @@ NTSTATUS schannel_seal_packet(struct schannel_state *state,
netsec_deal_with_seq_num(state, digest_final, seq_num); netsec_deal_with_seq_num(state, digest_final, seq_num);
if (!state->signature.data) { if (!state->signature.data) {
state->signature = data_blob_talloc(state->mem_ctx, NULL, 32); state->signature = data_blob_talloc(mem_ctx, NULL, 32);
if (!state->signature.data) { if (!state->signature.data) {
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
@ -233,6 +235,7 @@ NTSTATUS schannel_seal_packet(struct schannel_state *state,
sign a packet sign a packet
*/ */
NTSTATUS schannel_sign_packet(struct schannel_state *state, NTSTATUS schannel_sign_packet(struct schannel_state *state,
TALLOC_CTX *mem_ctx,
const uchar *data, size_t length, const uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
@ -250,7 +253,7 @@ NTSTATUS schannel_sign_packet(struct schannel_state *state,
netsec_deal_with_seq_num(state, digest_final, seq_num); netsec_deal_with_seq_num(state, digest_final, seq_num);
if (!state->signature.data) { if (!state->signature.data) {
state->signature = data_blob_talloc(state->mem_ctx, NULL, 32); state->signature = data_blob_talloc(mem_ctx, NULL, 32);
if (!state->signature.data) { if (!state->signature.data) {
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }

21
source/libcli/util/smbencrypt.c
View File

@ -291,19 +291,20 @@ void SMBsesskeygen_lm_sess_key(const uchar lm_hash[16],
#endif #endif
} }
DATA_BLOB NTLMv2_generate_names_blob(const char *hostname, DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
const char *hostname,
const char *domain) const char *domain)
{ {
DATA_BLOB names_blob = data_blob(NULL, 0); DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
msrpc_gen(&names_blob, "aaa", msrpc_gen(mem_ctx, &names_blob, "aaa",
NTLMSSP_NAME_TYPE_DOMAIN, domain, NTLMSSP_NAME_TYPE_DOMAIN, domain,
NTLMSSP_NAME_TYPE_SERVER, hostname, NTLMSSP_NAME_TYPE_SERVER, hostname,
0, ""); 0, "");
return names_blob; return names_blob;
} }
static DATA_BLOB NTLMv2_generate_client_data(const DATA_BLOB *names_blob) static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx, const DATA_BLOB *names_blob)
{ {
uchar client_chal[8]; uchar client_chal[8];
DATA_BLOB response = data_blob(NULL, 0); DATA_BLOB response = data_blob(NULL, 0);
@ -318,7 +319,7 @@ static DATA_BLOB NTLMv2_generate_client_data(const DATA_BLOB *names_blob)
/* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */ /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */
msrpc_gen(&response, "ddbbdb", msrpc_gen(mem_ctx, &response, "ddbbdb",
0x00000101, /* Header */ 0x00000101, /* Header */
0, /* 'Reserved' */ 0, /* 'Reserved' */
long_date, 8, /* Timestamp */ long_date, 8, /* Timestamp */
@ -337,10 +338,16 @@ static DATA_BLOB NTLMv2_generate_response(const uchar ntlm_v2_hash[16],
DATA_BLOB ntlmv2_client_data; DATA_BLOB ntlmv2_client_data;
DATA_BLOB final_response; DATA_BLOB final_response;
TALLOC_CTX *mem_ctx = talloc_init("NTLMv2_generate_response internal context");
if (!mem_ctx) {
return data_blob(NULL, 0);
}
/* NTLMv2 */ /* NTLMv2 */
/* generate some data to pass into the response function - including /* generate some data to pass into the response function - including
the hostname and domain name of the server */ the hostname and domain name of the server */
ntlmv2_client_data = NTLMv2_generate_client_data(names_blob); ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, names_blob);
/* Given that data, and the challenge from the server, generate a response */ /* Given that data, and the challenge from the server, generate a response */
SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response); SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
@ -352,7 +359,7 @@ static DATA_BLOB NTLMv2_generate_response(const uchar ntlm_v2_hash[16],
memcpy(final_response.data+sizeof(ntlmv2_response), memcpy(final_response.data+sizeof(ntlmv2_response),
ntlmv2_client_data.data, ntlmv2_client_data.length); ntlmv2_client_data.data, ntlmv2_client_data.length);
data_blob_free(&ntlmv2_client_data); talloc_destroy(mem_ctx);
return final_response; return final_response;
} }

10
source/librpc/idl/lsa.idl
View File

@ -499,7 +499,15 @@
/* Function: 0x2d */ /* Function: 0x2d */
NTSTATUS UNK_GET_CONNUSER (); NTSTATUS UNK_GET_CONNUSER (
[in] unistr *system_name,
[in] uint32 unknown1,
[in] uint32 unknown2,
[in] uint32 unknown3,
[out] unistr *username,
[out] unistr *domain_name
);
/* Function: 0x2e */ /* Function: 0x2e */
NTSTATUS QUERYINFO2 (); NTSTATUS QUERYINFO2 ();
} }

4
source/librpc/rpc/dcerpc.c
View File

@ -183,6 +183,7 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
switch (p->auth_info->auth_level) { switch (p->auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_PRIVACY:
status = p->security_state->unseal_packet(p->security_state, status = p->security_state->unseal_packet(p->security_state,
mem_ctx,
pkt->u.response.stub_and_verifier.data, pkt->u.response.stub_and_verifier.data,
pkt->u.response.stub_and_verifier.length, pkt->u.response.stub_and_verifier.length,
&auth.credentials); &auth.credentials);
@ -190,6 +191,7 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
case DCERPC_AUTH_LEVEL_INTEGRITY: case DCERPC_AUTH_LEVEL_INTEGRITY:
status = p->security_state->check_packet(p->security_state, status = p->security_state->check_packet(p->security_state,
mem_ctx,
pkt->u.response.stub_and_verifier.data, pkt->u.response.stub_and_verifier.data,
pkt->u.response.stub_and_verifier.length, pkt->u.response.stub_and_verifier.length,
&auth.credentials); &auth.credentials);
@ -250,6 +252,7 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
switch (p->auth_info->auth_level) { switch (p->auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_PRIVACY:
status = p->security_state->seal_packet(p->security_state, status = p->security_state->seal_packet(p->security_state,
mem_ctx,
ndr->data + DCERPC_REQUEST_LENGTH, ndr->data + DCERPC_REQUEST_LENGTH,
ndr->offset - DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH,
&p->auth_info->credentials); &p->auth_info->credentials);
@ -257,6 +260,7 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
case DCERPC_AUTH_LEVEL_INTEGRITY: case DCERPC_AUTH_LEVEL_INTEGRITY:
status = p->security_state->sign_packet(p->security_state, status = p->security_state->sign_packet(p->security_state,
mem_ctx,
ndr->data + DCERPC_REQUEST_LENGTH, ndr->data + DCERPC_REQUEST_LENGTH,
ndr->offset - DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH,
&p->auth_info->credentials); &p->auth_info->credentials);

6
source/librpc/rpc/dcerpc.h
View File

@ -28,12 +28,16 @@ enum dcerpc_transport_t {NCACN_NP, NCACN_IP_TCP};
struct dcerpc_security { struct dcerpc_security {
void *private; void *private;
NTSTATUS (*unseal_packet)(struct dcerpc_security *, NTSTATUS (*unseal_packet)(struct dcerpc_security *,
TALLOC_CTX *mem_ctx,
uchar *data, size_t length, DATA_BLOB *sig); uchar *data, size_t length, DATA_BLOB *sig);
NTSTATUS (*check_packet)(struct dcerpc_security *, NTSTATUS (*check_packet)(struct dcerpc_security *,
TALLOC_CTX *mem_ctx,
const uchar *data, size_t length, const DATA_BLOB *sig); const uchar *data, size_t length, const DATA_BLOB *sig);
NTSTATUS (*seal_packet)(struct dcerpc_security *, NTSTATUS (*seal_packet)(struct dcerpc_security *,
uchar *data, size_t length, DATA_BLOB *sig); TALLOC_CTX *mem_ctx,
uchar *data, size_t length, DATA_BLOB *sig);
NTSTATUS (*sign_packet)(struct dcerpc_security *, NTSTATUS (*sign_packet)(struct dcerpc_security *,
TALLOC_CTX *mem_ctx,
const uchar *data, size_t length, DATA_BLOB *sig); const uchar *data, size_t length, DATA_BLOB *sig);
NTSTATUS (*session_key)(struct dcerpc_security *, DATA_BLOB *session_key); NTSTATUS (*session_key)(struct dcerpc_security *, DATA_BLOB *session_key);
void (*security_end)(struct dcerpc_security *); void (*security_end)(struct dcerpc_security *);

39
source/librpc/rpc/dcerpc_ntlm.c
View File

@ -26,34 +26,38 @@
wrappers for the ntlmssp_*() functions wrappers for the ntlmssp_*() functions
*/ */
static NTSTATUS ntlm_unseal_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS ntlm_unseal_packet(struct dcerpc_security *dcerpc_security,
uchar *data, size_t length, DATA_BLOB *sig) TALLOC_CTX *mem_ctx,
uchar *data, size_t length, DATA_BLOB *sig)
{ {
struct ntlmssp_state *ntlmssp_state = dcerpc_security->private; struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
return ntlmssp_unseal_packet(ntlmssp_state, data, length, sig); return ntlmssp_unseal_packet(ntlmssp_state, mem_ctx, data, length, sig);
} }
static NTSTATUS ntlm_check_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS ntlm_check_packet(struct dcerpc_security *dcerpc_security,
TALLOC_CTX *mem_ctx,
const uchar *data, size_t length, const uchar *data, size_t length,
const DATA_BLOB *sig) const DATA_BLOB *sig)
{ {
struct ntlmssp_state *ntlmssp_state = dcerpc_security->private; struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
return ntlmssp_check_packet(ntlmssp_state, data, length, sig); return ntlmssp_check_packet(ntlmssp_state, mem_ctx, data, length, sig);
} }
static NTSTATUS ntlm_seal_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS ntlm_seal_packet(struct dcerpc_security *dcerpc_security,
TALLOC_CTX *mem_ctx,
uchar *data, size_t length, uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
struct ntlmssp_state *ntlmssp_state = dcerpc_security->private; struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
return ntlmssp_seal_packet(ntlmssp_state, data, length, sig); return ntlmssp_seal_packet(ntlmssp_state, mem_ctx, data, length, sig);
} }
static NTSTATUS ntlm_sign_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS ntlm_sign_packet(struct dcerpc_security *dcerpc_security,
TALLOC_CTX *mem_ctx,
const uchar *data, size_t length, const uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
struct ntlmssp_state *ntlmssp_state = dcerpc_security->private; struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
return ntlmssp_sign_packet(ntlmssp_state, data, length, sig); return ntlmssp_sign_packet(ntlmssp_state, mem_ctx, data, length, sig);
} }
static NTSTATUS ntlm_session_key(struct dcerpc_security *dcerpc_security, static NTSTATUS ntlm_session_key(struct dcerpc_security *dcerpc_security,
@ -137,35 +141,30 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
p->auth_info->credentials = data_blob(NULL, 0); p->auth_info->credentials = data_blob(NULL, 0);
p->security_state = NULL; p->security_state = NULL;
status = ntlmssp_update(state, status = ntlmssp_update(state, mem_ctx,
p->auth_info->credentials, p->auth_info->credentials,
&credentials); &credentials);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
goto done; goto done;
} }
p->auth_info->credentials = data_blob_talloc(mem_ctx, p->auth_info->credentials = credentials;
credentials.data,
credentials.length);
data_blob_free(&credentials);
status = dcerpc_bind_byuuid(p, mem_ctx, uuid, version); status = dcerpc_bind_byuuid(p, mem_ctx, uuid, version);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
goto done; goto done;
} }
status = ntlmssp_update(state, mem_ctx,
status = ntlmssp_update(state,
p->auth_info->credentials, p->auth_info->credentials,
&credentials); &credentials);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
goto done; goto done;
} }
p->auth_info->credentials = data_blob_talloc(mem_ctx, p->auth_info->credentials = credentials;
credentials.data,
credentials.length);
data_blob_free(&credentials);
status = dcerpc_auth3(p, mem_ctx); status = dcerpc_auth3(p, mem_ctx);
@ -187,14 +186,6 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
p->security_state->session_key = ntlm_session_key; p->security_state->session_key = ntlm_session_key;
p->security_state->security_end = ntlm_security_end; p->security_state->security_end = ntlm_security_end;
switch (p->auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
case DCERPC_AUTH_LEVEL_INTEGRITY:
/* setup for signing */
status = ntlmssp_sign_init(state);
break;
}
done: done:
talloc_destroy(mem_ctx); talloc_destroy(mem_ctx);

20
source/librpc/rpc/dcerpc_schannel.c
View File

@ -26,34 +26,38 @@
wrappers for the schannel_*() functions wrappers for the schannel_*() functions
*/ */
static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security,
uchar *data, size_t length, DATA_BLOB *sig) TALLOC_CTX *mem_ctx,
uchar *data, size_t length, DATA_BLOB *sig)
{ {
struct schannel_state *schannel_state = dcerpc_security->private; struct schannel_state *schannel_state = dcerpc_security->private;
return schannel_unseal_packet(schannel_state, data, length, sig); return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig);
} }
static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security,
const uchar *data, size_t length, TALLOC_CTX *mem_ctx,
const DATA_BLOB *sig) const uchar *data, size_t length,
const DATA_BLOB *sig)
{ {
struct schannel_state *schannel_state = dcerpc_security->private; struct schannel_state *schannel_state = dcerpc_security->private;
return schannel_check_packet(schannel_state, data, length, sig); return schannel_check_packet(schannel_state, data, length, sig);
} }
static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security,
uchar *data, size_t length, TALLOC_CTX *mem_ctx,
DATA_BLOB *sig) uchar *data, size_t length,
DATA_BLOB *sig)
{ {
struct schannel_state *schannel_state = dcerpc_security->private; struct schannel_state *schannel_state = dcerpc_security->private;
return schannel_seal_packet(schannel_state, data, length, sig); return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig);
} }
static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security, static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security,
TALLOC_CTX *mem_ctx,
const uchar *data, size_t length, const uchar *data, size_t length,
DATA_BLOB *sig) DATA_BLOB *sig)
{ {
struct schannel_state *schannel_state = dcerpc_security->private; struct schannel_state *schannel_state = dcerpc_security->private;
return schannel_sign_packet(schannel_state, data, length, sig); return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig);
} }
static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security, static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security,

17
source/rpc_server/dcesrv_auth.c
View File

@ -66,6 +66,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to start NTLMSSP subsystem!\n"));
return False; return False;
} }
@ -85,10 +86,12 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *
} }
status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state,
call->mem_ctx,
dce_conn->auth_state.auth_info->credentials, dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials); &dce_conn->auth_state.auth_info->credentials);
if (!NT_STATUS_IS_OK(status) && if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, ("Failed to start NTLMSSP process NTLMSSP negotiate: %s\n", nt_errstr(status)));
return False; return False;
} }
@ -131,20 +134,14 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
} }
status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state,
call->mem_ctx,
dce_conn->auth_state.auth_info->credentials, dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials); &dce_conn->auth_state.auth_info->credentials);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(4, ("User failed to authenticated with NTLMSSP: %s\n", nt_errstr(status)));
return False; return False;
} }
switch (dce_conn->auth_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
case DCERPC_AUTH_LEVEL_INTEGRITY:
/* setup for signing */
status = ntlmssp_sign_init(dce_conn->auth_state.ntlmssp_state->ntlmssp_state);
break;
}
return True; return True;
} }
@ -197,6 +194,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call)
switch (dce_conn->auth_state.auth_info->auth_level) { switch (dce_conn->auth_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_PRIVACY:
status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state,
call->mem_ctx,
pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.data,
pkt->u.request.stub_and_verifier.length, pkt->u.request.stub_and_verifier.length,
&auth.credentials); &auth.credentials);
@ -204,6 +202,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call)
case DCERPC_AUTH_LEVEL_INTEGRITY: case DCERPC_AUTH_LEVEL_INTEGRITY:
status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state,
call->mem_ctx,
pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.data,
pkt->u.request.stub_and_verifier.length, pkt->u.request.stub_and_verifier.length,
&auth.credentials); &auth.credentials);
@ -262,6 +261,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
switch (dce_conn->auth_state.auth_info->auth_level) { switch (dce_conn->auth_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_PRIVACY:
status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state,
call->mem_ctx,
ndr->data + DCERPC_REQUEST_LENGTH, ndr->data + DCERPC_REQUEST_LENGTH,
ndr->offset - DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH,
&dce_conn->auth_state.auth_info->credentials); &dce_conn->auth_state.auth_info->credentials);
@ -269,6 +269,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
case DCERPC_AUTH_LEVEL_INTEGRITY: case DCERPC_AUTH_LEVEL_INTEGRITY:
status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state,
call->mem_ctx,
ndr->data + DCERPC_REQUEST_LENGTH, ndr->data + DCERPC_REQUEST_LENGTH,
ndr->offset - DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH,
&dce_conn->auth_state.auth_info->credentials); &dce_conn->auth_state.auth_info->credentials);

5
source/torture/config.mk
View File

@ -9,7 +9,7 @@ ADD_OBJ_FILES = \
torture/basic/charset.o \ torture/basic/charset.o \
torture/basic/mangle_test.o \ torture/basic/mangle_test.o \
torture/basic/denytest.o \ torture/basic/denytest.o \
torture/basic/aliases.o torture/basic/aliases.o
REQUIRED_SUBSYSTEMS = \ REQUIRED_SUBSYSTEMS = \
LIBSMB LIBSMB
# End SUBSYSTEM TORTURE_BASIC # End SUBSYSTEM TORTURE_BASIC
@ -81,7 +81,8 @@ ADD_OBJ_FILES = \
[BINARY::smbtorture] [BINARY::smbtorture]
OBJ_FILES = \ OBJ_FILES = \
torture/torture.o \ torture/torture.o \
torture/torture_util.o torture/torture_util.o \
torture/ntlmssp.o
REQUIRED_SUBSYSTEMS = \ REQUIRED_SUBSYSTEMS = \
TORTURE_BASIC \ TORTURE_BASIC \
TORTURE_RAW \ TORTURE_RAW \

5
source/torture/rpc/netlogon.c
View File

@ -741,14 +741,15 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, enum
DATA_BLOB ntlmv2_response = data_blob(NULL, 0); DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
DATA_BLOB lmv2_response = data_blob(NULL, 0); DATA_BLOB lmv2_response = data_blob(NULL, 0);
DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0); DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0);
DATA_BLOB names_blob = NTLMv2_generate_names_blob(lp_netbios_name(), lp_workgroup()); DATA_BLOB names_blob = NTLMv2_generate_names_blob(samlogon_state->mem_ctx, lp_netbios_name(), lp_workgroup());
uchar user_session_key[16]; uchar user_session_key[16];
ZERO_STRUCT(user_session_key); ZERO_STRUCT(user_session_key);
/* TODO - test with various domain cases, and without domain */ /* TODO - test with various domain cases, and without domain */
if (!SMBNTLMv2encrypt(samlogon_state->username, lp_workgroup(), samlogon_state->password, &samlogon_state->chall, if (!SMBNTLMv2encrypt(samlogon_state->username, lp_workgroup(),
samlogon_state->password, &samlogon_state->chall,
&names_blob, &names_blob,
&lmv2_response, &ntlmv2_response, &lmv2_response, &ntlmv2_response,
&ntlmv2_session_key)) { &ntlmv2_session_key)) {

1
source/torture/torture.c
View File

@ -4140,6 +4140,7 @@ static struct {
{"RPC-MGMT", torture_rpc_mgmt, 0}, {"RPC-MGMT", torture_rpc_mgmt, 0},
{"RPC-SCANNER", torture_rpc_scanner, 0}, {"RPC-SCANNER", torture_rpc_scanner, 0},
{"RPC-AUTOIDL", torture_rpc_autoidl, 0}, {"RPC-AUTOIDL", torture_rpc_autoidl, 0},
{"NTLMSSP-SELFCHECK", torture_ntlmssp_self_check, 0},
{NULL, NULL, 0}}; {NULL, NULL, 0}};