sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

r610: - Merge the Samba3 'ntlm_auth --diagnostics' testsuite to Samba4.

Browse Source 
- This required using NETLOGON_NEG_AUTH2_FLAGS for the
    SetupCredentials2 negotiation flags, which is what Samba3 does,
    because otherwise the server uses different crypto.
  - This tests the returned session keys, which we decrypt.

 - Update the Samba4 notion of a 'session key' to be a DATA_BLOB in
   most places.

 - Fix session key code to return NT_STATUS_NO_SESSION_KEY if none is
   available.

 - Remove a useless argument to SMBsesskeygen_ntv1

 - move netr_CredentialState from the .idl to the new credentials.h

Andrew Bartlett
(This used to be commit 44f8b5b53e)
This commit is contained in:
Andrew Bartlett 2004-05-09 12:42:18 +00:00 committed by Gerald (Jerry) Carter
parent 55fa62be31
commit dce84ffd37
17 changed files with 783 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source4/include/cli_context.h
View File

@ -66,10 +66,6 @@ struct cli_negotiate {
unsigned int writebraw_supported:1;
const char *server_domain;
/* remember the session key for data encryption in various sub-protocols
such as LSA */
uint8 user_session_key[16];
};
/* this is the context for a SMB socket associated with the socket itself */
@ -189,6 +185,8 @@ struct cli_session {
/* default pid for this session */
uint32 pid;
DATA_BLOB user_session_key;
};
/*

1
source4/include/includes.h
View File

@ -709,6 +709,7 @@ extern int errno;
#include "hmacmd5.h"
#include "libcli/auth/ntlmssp.h"
#include "libcli/auth/credentials.h"
#include "libcli/auth/schannel.h"
#include "auth/auth.h"

50
source4/libcli/auth/credentials.c
View File

@ -27,7 +27,7 @@
this call is made after the netr_ServerReqChallenge call
*/
static void creds_init(struct netr_CredentialState *creds,
static void creds_init(struct creds_CredentialState *creds,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
const uint8 machine_password[16])
@ -48,11 +48,11 @@ static void creds_init(struct netr_CredentialState *creds,
SIVAL(time_cred.data, 0, IVAL(client_challenge->data, 0));
SIVAL(time_cred.data, 4, IVAL(client_challenge->data, 4));
cred_hash2(creds->client.data, time_cred.data, creds->session_key);
cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1);
SIVAL(time_cred.data, 0, IVAL(server_challenge->data, 0));
SIVAL(time_cred.data, 4, IVAL(server_challenge->data, 4));
cred_hash2(creds->server.data, time_cred.data, creds->session_key);
cred_hash2(creds->server.data, time_cred.data, creds->session_key, 1);
creds->seed = creds->client;
}
@ -62,7 +62,7 @@ static void creds_init(struct netr_CredentialState *creds,
step the credentials to the next element in the chain, updating the
current client and server credentials and the seed
*/
static void creds_step(struct netr_CredentialState *creds)
static void creds_step(struct creds_CredentialState *creds)
{
struct netr_Credential time_cred;
@ -76,7 +76,7 @@ static void creds_step(struct netr_CredentialState *creds)
DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
cred_hash2(creds->client.data, time_cred.data, creds->session_key);
cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1);
DEBUG(5,("\tCLIENT %08x:%08x\n",
IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
@ -87,7 +87,7 @@ static void creds_step(struct netr_CredentialState *creds)
DEBUG(5,("\tseed+time+1 %08x:%08x\n",
IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
cred_hash2(creds->server.data, time_cred.data, creds->session_key);
cred_hash2(creds->server.data, time_cred.data, creds->session_key, 1);
DEBUG(5,("\tSERVER %08x:%08x\n",
IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
@ -95,7 +95,30 @@ static void creds_step(struct netr_CredentialState *creds)
creds->seed = time_cred;
}
/*
DES encrypt a 16 byte password buffer using the session key
*/
void creds_des_encrypt(struct creds_CredentialState *creds, struct netr_Password *pass)
{
struct netr_Password tmp;
cred_hash3(tmp.data, pass->data, creds->session_key, 1);
*pass = tmp;
}
/*
ARCFOUR encrypt/decrypt a password buffer using the session key
*/
void creds_arcfour_crypt(struct creds_CredentialState *creds, char *data, size_t len)
{
DATA_BLOB session_key = data_blob(NULL, 16);
memcpy(&session_key.data[0], creds->session_key, 8);
memset(&session_key.data[8], '\0', 8);
SamOEMhashBlob(data, len, &session_key);
data_blob_free(&session_key);
}
/*****************************************************************
The above functions are common to the client and server interface
@ -106,7 +129,7 @@ next comes the client specific functions
initialise the credentials chain and return the first client
credentials
*/
void creds_client_init(struct netr_CredentialState *creds,
void creds_client_init(struct creds_CredentialState *creds,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
const uint8 machine_password[16],
@ -120,7 +143,7 @@ void creds_client_init(struct netr_CredentialState *creds,
/*
check that a credentials reply from a server is correct
*/
BOOL creds_client_check(struct netr_CredentialState *creds,
BOOL creds_client_check(struct creds_CredentialState *creds,
const struct netr_Credential *received_credentials)
{
if (memcmp(received_credentials->data, creds->server.data, 8) != 0) {
@ -134,7 +157,7 @@ BOOL creds_client_check(struct netr_CredentialState *creds,
produce the next authenticator in the sequence ready to send to
the server
*/
void creds_client_authenticator(struct netr_CredentialState *creds,
void creds_client_authenticator(struct creds_CredentialState *creds,
struct netr_Authenticator *next)
{
creds_step(creds);
@ -144,12 +167,3 @@ void creds_client_authenticator(struct netr_CredentialState *creds,
}
/*
encrypt a 16 byte password buffer using the session key
*/
void creds_client_encrypt(struct netr_CredentialState *creds, struct netr_Password *pass)
{
struct netr_Password tmp;
cred_hash3(tmp.data, pass->data, creds->session_key, 1);
*pass = tmp;
}

29
source4/libcli/auth/credentials.h Normal file
View File

@ -0,0 +1,29 @@
/*
Unix SMB/CIFS implementation.
code to manipulate domain credentials
Copyright (C) Andrew Tridgell 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
struct creds_CredentialState {
uint8 session_key[8];
uint32 sequence;
struct netr_Credential seed;
struct netr_Credential client;
struct netr_Credential server;
};

4
source4/libcli/auth/ntlm_check.c
View File

@ -59,7 +59,7 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
SMBOWFencrypt(part_passwd, sec_blob->data, p24);
if (user_sess_key != NULL) {
*user_sess_key = data_blob(NULL, 16);
SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
SMBsesskeygen_ntv1(part_passwd, user_sess_key->data);
}
@ -195,7 +195,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
if (user_sess_key) {
*user_sess_key = data_blob(NULL, 16);
SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
SMBsesskeygen_ntv1(nt_pw, user_sess_key->data);
}
return NT_STATUS_OK;
} else {

4
source4/libcli/auth/ntlmssp.c
View File

@ -1093,7 +1093,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
SMBsesskeygen_ntv1(nt_hash, NULL, user_session_key);
SMBsesskeygen_ntv1(nt_hash, user_session_key);
hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
@ -1108,7 +1108,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
nt_response.data);
E_md4hash(ntlmssp_state->password, nt_hash);
session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
SMBsesskeygen_ntv1(nt_hash, session_key.data);
dump_data_pw("NT session key:\n", session_key.data, session_key.length);
}

29
source4/libcli/raw/clisession.c
View File

@ -234,22 +234,34 @@ static DATA_BLOB nt_blob(const char *pass, DATA_BLOB challenge)
return blob;
}
/*
store the user session key for a transport
*/
void cli_session_set_user_session_key(struct cli_session *session,
const DATA_BLOB *session_key)
{
session->user_session_key = data_blob_talloc(session->mem_ctx,
session_key->data,
session_key->length);
}
/*
setup signing for a NT1 style session setup
*/
static void setup_nt1_signing(struct cli_transport *transport, const char *password)
static void use_nt1_session_keys(struct cli_session *session,
const char *password, const DATA_BLOB *nt_response)
{
struct cli_transport *transport = session->transport;
uchar nt_hash[16];
uchar session_key[16];
DATA_BLOB nt_response;
DATA_BLOB session_key = data_blob(NULL, 16);
E_md4hash(password, nt_hash);
SMBsesskeygen_ntv1(nt_hash, NULL, session_key);
nt_response = nt_blob(password, transport->negotiate.secblob);
SMBsesskeygen_ntv1(nt_hash, session_key.data);
cli_transport_set_session_key(transport, session_key);
cli_transport_simple_set_signing(transport, session_key, *nt_response);
cli_transport_simple_set_signing(transport, session_key, nt_response);
cli_session_set_user_session_key(session, &session_key);
data_blob_free(&session_key);
}
/****************************************************************************
@ -332,7 +344,8 @@ static NTSTATUS smb_raw_session_setup_generic_nt1(struct cli_session *session,
session->transport->negotiate.secblob);
s2.nt1.in.password2 = nt_blob(parms->generic.in.password,
session->transport->negotiate.secblob);
setup_nt1_signing(session->transport, parms->generic.in.password);
use_nt1_session_keys(session, parms->generic.in.password, &s2.nt1.in.password2);
} else {
s2.nt1.in.password1 = data_blob(parms->generic.in.password,
strlen(parms->generic.in.password));

8
source4/libcli/raw/clitransport.c
View File

@ -231,11 +231,3 @@ BOOL cli_transport_select(struct cli_transport *transport)
return True;
}
/*
store the user session key for a transport
*/
void cli_transport_set_session_key(struct cli_transport *transport,
const uint8 session_key[16])
{
memcpy(transport->negotiate.user_session_key, session_key, 16);
}

12
source4/libcli/raw/smb_signing.c
View File

@ -220,7 +220,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran
SMB signing - Simple implementation - setup the MAC key.
************************************************************/
BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
const uchar user_transport_key[16], const DATA_BLOB response)
const DATA_BLOB user_session_key,
const DATA_BLOB response)
{
struct smb_basic_signing_context *data;
@ -235,10 +236,13 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
data = smb_xmalloc(sizeof(*data));
transport->negotiate.sign_info.signing_context = data;
data->mac_key = data_blob(NULL, MIN(response.length + 16, 40));
data->mac_key = data_blob(NULL, response.length + user_session_key.length);
memcpy(&data->mac_key.data[0], user_transport_key, 16);
memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16));
memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
if (response.length) {
memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length);
}
/* Initialise the sequence number */
data->next_seq_num = 0;

13
source4/libcli/util/smbdes.c
View File

@ -338,14 +338,14 @@ void cred_hash1(unsigned char *out, const unsigned char *in, const unsigned char
smbhash(out, buf, key+9, 1);
}
void cred_hash2(unsigned char *out, const unsigned char *in, const unsigned char *key)
void cred_hash2(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw)
{
unsigned char buf[8];
unsigned char key2[8];
ZERO_STRUCT(key2);
smbhash(buf, in, key, 1);
smbhash(buf, in, key, forw);
key2[0] = key[7];
smbhash(out, buf, key2, 1);
smbhash(out, buf, key2, forw);
}
void cred_hash3(unsigned char *out, unsigned char *in, const unsigned char *key, int forw)
@ -401,12 +401,11 @@ void SamOEMhashBlob(unsigned char *data, int len, const DATA_BLOB *key)
*/
void SamOEMhash(unsigned char *data, const unsigned char keystr[16], int len)
{
DATA_BLOB key;
key.length = 16;
key.data = keystr;
DATA_BLOB key = data_blob(keystr, 16);
SamOEMhashBlob(data, len, &key);
data_blob_free(&key);
}

3
source4/libcli/util/smbencrypt.c
View File

@ -255,8 +255,7 @@ void SMBsesskeygen_ntv2(const uchar kr[16],
#endif
}
void SMBsesskeygen_ntv1(const uchar kr[16],
const uchar * nt_resp, uint8 sess_key[16])
void SMBsesskeygen_ntv1(const uchar kr[16], uint8 sess_key[16])
{
/* yes, this session key does not change - yes, this
is a problem - but it is 128 bits */

8
source4/librpc/idl/netlogon.idl
View File

@ -68,14 +68,6 @@ interface netlogon
uint8 data[8];
} netr_Credential;
typedef [flag(NDR_PAHEX)] struct {
uint8 session_key[8];
uint32 sequence;
netr_Credential seed;
netr_Credential client;
netr_Credential server;
} netr_CredentialState;
typedef struct {
[value(strlen_m(r->string)*2)] uint16 size;
[value(r->size)] uint16 length;

2
source4/librpc/rpc/dcerpc.h
View File

@ -35,7 +35,7 @@ struct dcerpc_security {
uchar *data, size_t length, DATA_BLOB *sig);
NTSTATUS (*sign_packet)(struct dcerpc_security *,
const uchar *data, size_t length, DATA_BLOB *sig);
NTSTATUS (*session_key)(struct dcerpc_security *, uint8 session_key[16]);
NTSTATUS (*session_key)(struct dcerpc_security *, DATA_BLOB *session_key);
void (*security_end)(struct dcerpc_security *);
};

8
source4/librpc/rpc/dcerpc_ntlm.c
View File

@ -57,13 +57,13 @@ static NTSTATUS ntlm_sign_packet(struct dcerpc_security *dcerpc_security,
}
static NTSTATUS ntlm_session_key(struct dcerpc_security *dcerpc_security,
uint8 session_key[16])
DATA_BLOB *session_key)
{
struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
if (!ntlmssp_state || ntlmssp_state->session_key.length < 16) {
return NT_STATUS_UNSUCCESSFUL;
if (!ntlmssp_state->session_key.data) {
return NT_STATUS_NO_USER_SESSION_KEY;
}
memcpy(session_key, ntlmssp_state->session_key.data, 16);
*session_key = ntlmssp_state->session_key;
return NT_STATUS_OK;
}

4
source4/librpc/rpc/dcerpc_schannel.c
View File

@ -57,7 +57,7 @@ static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security,
}
static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security,
uint8 session_key[16])
DATA_BLOB *session_key)
{
return NT_STATUS_NOT_IMPLEMENTED;
}
@ -84,7 +84,7 @@ NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
struct netr_ServerReqChallenge r;
struct netr_ServerAuthenticate2 a;
uint8 mach_pwd[16];
struct netr_CredentialState creds;
struct creds_CredentialState creds;
const char *workgroup, *workstation;
uint32 negotiate_flags = 0;

28
source4/librpc/rpc/dcerpc_util.c
View File

@ -673,27 +673,21 @@ NTSTATUS dcerpc_secondary_smb(struct dcerpc_pipe *p, struct dcerpc_pipe **p2,
only works for the ncacn_np transport
*/
NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
uint8 session_key[16])
DATA_BLOB *session_key)
{
struct cli_tree *tree;
memset(session_key, 0, 16);
tree = dcerpc_smb_tree(p);
if (tree) {
memcpy(session_key,
tree->session->transport->negotiate.user_session_key,
16);
}
if (p->security_state) {
NTSTATUS status;
status = p->security_state->session_key(p->security_state, session_key);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return p->security_state->session_key(p->security_state, session_key);
}
return NT_STATUS_OK;
tree = dcerpc_smb_tree(p);
if (tree) {
if (tree->session->user_session_key.data) {
*session_key = tree->session->user_session_key;
return NT_STATUS_OK;
}
}
return NT_STATUS_NO_USER_SESSION_KEY;
}

720
source4/torture/rpc/netlogon.c
View File

@ -4,6 +4,8 @@
test suite for netlogon rpc operations
Copyright (C) Andrew Tridgell 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
Copyright (C) Tim Potter 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -25,6 +27,14 @@
#define TEST_MACHINE_NAME "torturetest"
/* for the timebeing, use the same neg flags as Samba3. */
/* The 7 here seems to be required to get Win2k not to downgrade us
to NT4. Actually, anything other than 1ff would seem to do... */
#define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
#define NETLOGON_NEG_SCHANNEL 0x40000000
static struct {
struct dcerpc_pipe *p;
const char *machine_password;
@ -48,7 +58,7 @@ static BOOL join_domain_bdc(TALLOC_CTX *mem_ctx)
uint32 access_granted;
uint32 rid;
BOOL ret = True;
uint8 session_key[16];
DATA_BLOB session_key;
struct samr_Name name;
printf("Connecting to SAMR\n");
@ -129,14 +139,14 @@ again:
encode_pw_buffer(u.info24.password.data, join.machine_password, STR_UNICODE);
u.info24.pw_len = strlen(join.machine_password);
status = dcerpc_fetch_session_key(join.p, session_key);
status = dcerpc_fetch_session_key(join.p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
printf("SetUserInfo level %u - no session key - %s\n",
s.in.level, nt_errstr(status));
return False;
}
SamOEMhash(u.info24.password.data, session_key, 516);
SamOEMhashBlob(u.info24.password.data, 516, &session_key);
status = dcerpc_samr_SetUserInfo(join.p, mem_ctx, &s);
if (!NT_STATUS_IS_OK(status)) {
@ -224,7 +234,7 @@ static BOOL test_LogonUasLogoff(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
}
static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct netr_CredentialState *creds)
struct creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_ServerReqChallenge r;
@ -277,14 +287,14 @@ static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
}
static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct netr_CredentialState *creds)
uint32 negotiate_flags,
struct creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_ServerReqChallenge r;
struct netr_ServerAuthenticate2 a;
const char *plain_pass;
uint8 mach_pwd[16];
uint32 negotiate_flags = 0;
printf("Testing ServerReqChallenge\n");
@ -334,63 +344,655 @@ static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
return True;
}
enum ntlm_break {
BREAK_NONE,
BREAK_LM,
BREAK_NT,
NO_LM,
NO_NT
};
struct samlogon_state {
TALLOC_CTX *mem_ctx;
const char *username;
const char *password;
struct dcerpc_pipe *p;
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct creds_CredentialState creds;
DATA_BLOB chall;
};
/*
Authenticate a user with a challenge/response, checking session key
and valid authentication types
*/
static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
enum ntlm_break break_which,
DATA_BLOB *chall,
DATA_BLOB *lm_response,
DATA_BLOB *nt_response,
uint8 lm_key[8],
uint8 user_session_key[16],
char **error_string)
{
NTSTATUS status;
struct netr_LogonSamLogon *r = &samlogon_state->r;
struct netr_NetworkInfo ninfo;
samlogon_state->r.in.logon_level = 2;
samlogon_state->r.in.logon.network = &ninfo;
ninfo.logon_info.domain_name.string = lp_workgroup();
ninfo.logon_info.parameter_control = 0;
ninfo.logon_info.logon_id_low = 0;
ninfo.logon_info.logon_id_high = 0;
ninfo.logon_info.username.string = samlogon_state->username;
ninfo.logon_info.workstation.string = TEST_MACHINE_NAME;
memcpy(ninfo.challenge, chall->data, 8);
switch (break_which) {
case BREAK_NONE:
break;
case BREAK_LM:
if (lm_response && lm_response->data) {
lm_response->data[0]++;
}
break;
case BREAK_NT:
if (nt_response && nt_response->data) {
nt_response->data[0]++;
}
break;
case NO_LM:
data_blob_free(lm_response);
break;
case NO_NT:
data_blob_free(nt_response);
break;
}
if (nt_response) {
ninfo.nt.data = nt_response->data;
ninfo.nt.length = nt_response->length;
} else {
ninfo.nt.data = NULL;
ninfo.nt.length = 0;
}
if (lm_response) {
ninfo.lm.data = lm_response->data;
ninfo.lm.length = lm_response->length;
} else {
ninfo.lm.data = NULL;
ninfo.lm.length = 0;
}
ZERO_STRUCT(samlogon_state->auth2);
creds_client_authenticator(&samlogon_state->creds, &samlogon_state->auth);
status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r);
if (!NT_STATUS_IS_OK(status)) {
if (error_string) {
*error_string = strdup(nt_errstr(status));
}
}
if (!creds_client_check(&samlogon_state->creds, &r->out.authenticator->cred)) {
printf("Credential chaining failed\n");
}
if (!NT_STATUS_IS_OK(status)) {
/* we cannot check the session key, if the logon failed... */
return status;
}
/* find and decyrpt the session keys, return in parameters above */
if (r->in.validation_level == 2) {
static const char zeros[16];
if (memcmp(r->out.validation.sam->LMSessKey.key, zeros, sizeof(r->out.validation.sam->LMSessKey.key)) != 0) {
creds_arcfour_crypt(&samlogon_state->creds,
r->out.validation.sam->LMSessKey.key,
sizeof(r->out.validation.sam->LMSessKey.key));
}
if (lm_key) {
memcpy(lm_key, r->out.validation.sam->LMSessKey.key, 8);
}
if (memcmp(r->out.validation.sam->key.key, zeros, sizeof(r->out.validation.sam->key.key)) != 0) {
creds_arcfour_crypt(&samlogon_state->creds,
r->out.validation.sam->key.key,
sizeof(r->out.validation.sam->key.key));
}
if (user_session_key) {
memcpy(user_session_key, r->out.validation.sam->key.key, 16);
}
} else if (r->in.validation_level == 3) {
static const char zeros[16];
if (memcmp(r->out.validation.sam2->LMSessKey.key, zeros, sizeof(r->out.validation.sam2->LMSessKey.key)) != 0) {
creds_arcfour_crypt(&samlogon_state->creds,
r->out.validation.sam2->LMSessKey.key,
sizeof(r->out.validation.sam2->LMSessKey.key));
}
if (lm_key) {
memcpy(lm_key, r->out.validation.sam2->LMSessKey.key, 8);
}
if (memcmp(r->out.validation.sam2->key.key, zeros, sizeof(r->out.validation.sam2->key.key)) != 0) {
creds_arcfour_crypt(&samlogon_state->creds,
r->out.validation.sam2->key.key,
sizeof(r->out.validation.sam2->key.key));
}
if (user_session_key) {
memcpy(user_session_key, r->out.validation.sam2->key.key, 16);
}
}
return status;
}
/*
* Test the normal 'LM and NTLM' combination
*/
static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string)
{
BOOL pass = True;
NTSTATUS nt_status;
DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24);
DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24);
DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16);
uchar lm_key[8];
uchar user_session_key[16];
uchar lm_hash[16];
uchar nt_hash[16];
ZERO_STRUCT(lm_key);
ZERO_STRUCT(user_session_key);
SMBencrypt(samlogon_state->password, samlogon_state->chall.data, lm_response.data);
E_deshash(samlogon_state->password, lm_hash);
SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data);
E_md4hash(samlogon_state->password, nt_hash);
SMBsesskeygen_ntv1(nt_hash, session_key.data);
nt_status = check_samlogon(samlogon_state,
break_which,
&samlogon_state->chall,
&lm_response,
&nt_response,
lm_key,
user_session_key,
error_string);
data_blob_free(&lm_response);
if (!NT_STATUS_IS_OK(nt_status)) {
return break_which == BREAK_NT;
}
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
printf("LM Key does not match expectations!\n");
printf("lm_key:\n");
dump_data(1, (const char *)lm_key, 8);
printf("expected:\n");
dump_data(1, (const char *)lm_hash, 8);
pass = False;
}
if (break_which == NO_NT) {
char lm_key_expected[16];
memcpy(lm_key_expected, lm_hash, 8);
memset(lm_key_expected+8, '\0', 8);
if (memcmp(lm_key_expected, user_session_key,
16) != 0) {
printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
printf("user_session_key:\n");
dump_data(1, (const char *)user_session_key, sizeof(user_session_key));
printf("expected:\n");
dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected));
pass = False;
}
} else {
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
printf("NT Session Key does not match expectations!\n");
printf("user_session_key:\n");
dump_data(1, (const char *)user_session_key, 16);
printf("expected:\n");
dump_data(1, (const char *)session_key.data, session_key.length);
pass = False;
}
}
return pass;
}
/*
* Test LM authentication, no NT response supplied
*/
static BOOL test_lm(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lm_ntlm_broken(samlogon_state, NO_NT, error_string);
}
/*
* Test the NTLM response only, no LM.
*/
static BOOL test_ntlm(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lm_ntlm_broken(samlogon_state, NO_LM, error_string);
}
/*
* Test the NTLM response only, but in the LM field.
*/
static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_string)
{
BOOL pass = True;
NTSTATUS nt_status;
DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24);
uchar lm_key[8];
uchar lm_hash[16];
uchar user_session_key[16];
ZERO_STRUCT(user_session_key);
SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data);
E_deshash(samlogon_state->password, lm_hash);
nt_status = check_samlogon(samlogon_state,
BREAK_NONE,
&samlogon_state->chall,
&nt_response,
NULL,
lm_key,
user_session_key,
error_string);
if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
printf("LM Key does not match expectations!\n");
printf("lm_key:\n");
dump_data(1, (const char *)lm_key, 8);
printf("expected:\n");
dump_data(1, (const char *)lm_hash, 8);
pass = False;
}
if (memcmp(lm_hash, user_session_key, 8) != 0) {
char lm_key_expected[16];
memcpy(lm_key_expected, lm_hash, 8);
memset(lm_key_expected+8, '\0', 8);
if (memcmp(lm_key_expected, user_session_key,
16) != 0) {
printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
printf("user_session_key:\n");
dump_data(1, (const char *)user_session_key, sizeof(user_session_key));
printf("expected:\n");
dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected));
pass = False;
}
}
return pass;
}
/*
* Test the NTLM response only, but in the both the NT and LM fields.
*/
static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **error_string)
{
BOOL pass = True;
NTSTATUS nt_status;
DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24);
DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16);
char lm_key[8];
char lm_hash[16];
char user_session_key[16];
char nt_hash[16];
ZERO_STRUCT(lm_key);
ZERO_STRUCT(user_session_key);
SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data,
nt_response.data);
E_md4hash(samlogon_state->password, (unsigned char *)nt_hash);
SMBsesskeygen_ntv1((const unsigned char *)nt_hash,
session_key.data);
E_deshash(samlogon_state->password, (unsigned char *)lm_hash);
nt_status = check_samlogon(samlogon_state,
BREAK_NONE,
&samlogon_state->chall,
NULL,
&nt_response,
lm_key,
user_session_key,
error_string);
if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
printf("LM Key does not match expectations!\n");
printf("lm_key:\n");
dump_data(1, lm_key, 8);
printf("expected:\n");
dump_data(1, lm_hash, 8);
pass = False;
}
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
printf("NT Session Key does not match expectations!\n");
printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
printf("expected:\n");
dump_data(1, (const char *)session_key.data, session_key.length);
pass = False;
}
return pass;
}
/*
* Test the NTLMv2 and LMv2 responses
*/
static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string)
{
BOOL pass = True;
NTSTATUS nt_status;
DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
DATA_BLOB lmv2_response = data_blob(NULL, 0);
DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0);
DATA_BLOB names_blob = NTLMv2_generate_names_blob(lp_netbios_name(), lp_workgroup());
uchar user_session_key[16];
ZERO_STRUCT(user_session_key);
if (!SMBNTLMv2encrypt(samlogon_state->username, lp_workgroup(), samlogon_state->password, &samlogon_state->chall,
&names_blob,
&lmv2_response, &ntlmv2_response,
&ntlmv2_session_key)) {
data_blob_free(&names_blob);
return False;
}
data_blob_free(&names_blob);
nt_status = check_samlogon(samlogon_state,
break_which,
&samlogon_state->chall,
&lmv2_response,
&ntlmv2_response,
NULL,
user_session_key,
error_string);
data_blob_free(&lmv2_response);
data_blob_free(&ntlmv2_response);
if (!NT_STATUS_IS_OK(nt_status)) {
return break_which == BREAK_NT;
}
if (break_which != NO_NT && break_which != BREAK_NT && memcmp(ntlmv2_session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
printf("USER (NTLMv2) Session Key does not match expectations!\n");
printf("user_session_key:\n");
dump_data(1, (const char *)user_session_key, 16);
printf("expected:\n");
dump_data(1, (const char *)ntlmv2_session_key.data, ntlmv2_session_key.length);
pass = False;
}
return pass;
}
/*
* Test the NTLMv2 and LMv2 responses
*/
static BOOL test_lmv2_ntlmv2(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NONE, error_string);
}
/*
* Test the LMv2 response only
*/
static BOOL test_lmv2(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lmv2_ntlmv2_broken(samlogon_state, NO_NT, error_string);
}
/*
* Test the NTLMv2 response only
*/
static BOOL test_ntlmv2(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lmv2_ntlmv2_broken(samlogon_state, NO_LM, error_string);
}
static BOOL test_lm_ntlm(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lm_ntlm_broken(samlogon_state, BREAK_NONE, error_string);
}
static BOOL test_ntlm_lm_broken(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lm_ntlm_broken(samlogon_state, BREAK_LM, error_string);
}
static BOOL test_ntlm_ntlm_broken(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lm_ntlm_broken(samlogon_state, BREAK_NT, error_string);
}
static BOOL test_ntlmv2_lmv2_broken(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_LM, error_string);
}
static BOOL test_ntlmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, char **error_string)
{
return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NT, error_string);
}
static BOOL test_plaintext(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string)
{
NTSTATUS nt_status;
DATA_BLOB nt_response = data_blob(NULL, 0);
DATA_BLOB lm_response = data_blob(NULL, 0);
char *password;
char *dospw;
smb_ucs2_t *unicodepw;
uchar user_session_key[16];
uchar lm_key[16];
static const uchar zeros[8];
DATA_BLOB chall = data_blob_talloc(samlogon_state->mem_ctx, zeros, sizeof(zeros));
ZERO_STRUCT(user_session_key);
if ((push_ucs2_talloc(samlogon_state->mem_ctx, (smb_ucs2_t **)&unicodepw,
samlogon_state->password)) == -1) {
DEBUG(0, ("push_ucs2_allocate failed!\n"));
exit(1);
}
nt_response = data_blob_talloc(samlogon_state->mem_ctx, unicodepw,
strlen_w(((void *)unicodepw))*sizeof(smb_ucs2_t));
password = strdup_upper(samlogon_state->password);
if ((convert_string_talloc(samlogon_state->mem_ctx, CH_UNIX,
CH_DOS, password,
strlen(password)+1,
(const void**)&dospw)) == -1) {
DEBUG(0, ("push_ascii_allocate failed!\n"));
exit(1);
}
SAFE_FREE(password);
lm_response = data_blob_talloc(samlogon_state->mem_ctx, dospw, strlen(dospw));
nt_status = check_samlogon(samlogon_state,
break_which,
&chall,
&lm_response,
&nt_response,
lm_key,
user_session_key,
error_string);
if (!NT_STATUS_IS_OK(nt_status)) {
return break_which == BREAK_NT;
}
return True;
}
static BOOL test_plaintext_none_broken(struct samlogon_state *samlogon_state,
char **error_string) {
return test_plaintext(samlogon_state, BREAK_NONE, error_string);
}
static BOOL test_plaintext_lm_broken(struct samlogon_state *samlogon_state,
char **error_string) {
return test_plaintext(samlogon_state, BREAK_LM, error_string);
}
static BOOL test_plaintext_nt_broken(struct samlogon_state *samlogon_state,
char **error_string) {
return test_plaintext(samlogon_state, BREAK_NT, error_string);
}
static BOOL test_plaintext_nt_only(struct samlogon_state *samlogon_state,
char **error_string) {
return test_plaintext(samlogon_state, NO_LM, error_string);
}
static BOOL test_plaintext_lm_only(struct samlogon_state *samlogon_state,
char **error_string) {
return test_plaintext(samlogon_state, NO_NT, error_string);
}
/*
Tests:
- LM only
- NT and LM
- NT
- NT in LM field
- NT in both fields
- NTLMv2
- NTLMv2 and LMv2
- LMv2
- plaintext tests (in challenge-response feilds)
check we get the correct session key in each case
check what values we get for the LM session key
*/
static const struct ntlm_tests {
BOOL (*fn)(struct samlogon_state *, char **);
const char *name;
BOOL expect_fail;
} test_table[] = {
{test_lm, "LM", False},
{test_lm_ntlm, "LM and NTLM", False},
{test_ntlm, "NTLM", False},
{test_ntlm_in_lm, "NTLM in LM", False},
{test_ntlm_in_both, "NTLM in both", False},
{test_ntlmv2, "NTLMv2", False},
{test_lmv2_ntlmv2, "NTLMv2 and LMv2", False},
{test_lmv2, "LMv2", False},
{test_ntlmv2_lmv2_broken, "NTLMv2 and LMv2, LMv2 broken", False},
{test_ntlmv2_ntlmv2_broken, "NTLMv2 and LMv2, NTLMv2 broken", False},
{test_ntlm_lm_broken, "NTLM and LM, LM broken", False},
{test_ntlm_ntlm_broken, "NTLM and LM, NTLM broken", False},
{test_plaintext_none_broken, "Plaintext", True},
{test_plaintext_lm_broken, "Plaintext LM broken", True},
{test_plaintext_nt_broken, "Plaintext NT broken", True},
{test_plaintext_nt_only, "Plaintext NT only", True},
{test_plaintext_lm_only, "Plaintext LM only", True},
{NULL, NULL}
};
/*
try a netlogon SamLogon
*/
static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
const char *username = lp_parm_string(-1, "torture", "username");
const char *password = lp_parm_string(-1, "torture", "password");
struct netr_CredentialState creds;
int i;
int i, j;
BOOL ret = True;
if (!test_SetupCredentials2(p, mem_ctx, &creds)) {
struct samlogon_state samlogon_state;
samlogon_state.mem_ctx = mem_ctx;
samlogon_state.username = lp_parm_string(-1, "torture", "username");
samlogon_state.password = lp_parm_string(-1, "torture", "password");
samlogon_state.p = p;
samlogon_state.chall = data_blob_talloc(mem_ctx, NULL, 8);
generate_random_buffer(samlogon_state.chall.data,
8, False);
if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &samlogon_state.creds)) {
return False;
}
ninfo.logon_info.domain_name.string = lp_workgroup();
ninfo.logon_info.parameter_control = 0;
ninfo.logon_info.logon_id_low = 0;
ninfo.logon_info.logon_id_high = 0;
ninfo.logon_info.username.string = username;
ninfo.logon_info.workstation.string = TEST_MACHINE_NAME;
generate_random_buffer(ninfo.challenge,
sizeof(ninfo.challenge), False);
ninfo.nt.length = 24;
ninfo.nt.data = talloc(mem_ctx, 24);
SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
ninfo.lm.length = 24;
ninfo.lm.data = talloc(mem_ctx, 24);
SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
r.in.workstation = TEST_MACHINE_NAME;
r.in.credential = &auth;
r.in.authenticator = &auth2;
r.in.logon_level = 2;
r.in.logon.network = &ninfo;
samlogon_state.r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
samlogon_state.r.in.workstation = TEST_MACHINE_NAME;
samlogon_state.r.in.credential = &samlogon_state.auth;
samlogon_state.r.in.authenticator = &samlogon_state.auth2;
for (i=2;i<=3;i++) {
ZERO_STRUCT(auth2);
creds_client_authenticator(&creds, &auth);
r.in.validation_level = i;
printf("Testing SamLogon with validation level %d\n", i);
status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("LogonSamLogon - %s\n", nt_errstr(status));
ret = False;
}
if (!creds_client_check(&creds, &r.out.authenticator->cred)) {
printf("Credential chaining failed\n");
samlogon_state.r.in.validation_level = i;
for (j=0; test_table[j].fn; j++) {
char *error_string = NULL;
printf("Testing SamLogon with '%s' at validation level %d\n", test_table[j].name, i);
if (!test_table[j].fn(&samlogon_state, &error_string)) {
if (test_table[j].expect_fail) {
printf("Test %s failed (expected, test incomplete): %s\n", test_table[j].name, error_string);
} else {
printf("Test %s failed: %s\n", test_table[j].name, error_string);
ret = False;
}
SAFE_FREE(error_string);
}
}
}
@ -406,7 +1008,7 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
NTSTATUS status;
struct netr_ServerPasswordSet r;
const char *password;
struct netr_CredentialState creds;
struct creds_CredentialState creds;
if (!test_SetupCredentials(p, mem_ctx, &creds)) {
return False;
@ -420,7 +1022,7 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
password = generate_random_str(8);
E_md4hash(password, r.in.new_password.data);
creds_client_encrypt(&creds, &r.in.new_password);
creds_des_encrypt(&creds, &r.in.new_password);
printf("Testing ServerPasswordSet on machine account\n");
@ -468,7 +1070,7 @@ static BOOL test_DatabaseSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
struct netr_DatabaseSync r;
struct netr_CredentialState creds;
struct creds_CredentialState creds;
const uint32 database_ids[] = {0, 1, 2};
int i;
BOOL ret = True;
@ -530,7 +1132,7 @@ static BOOL test_DatabaseDeltas(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
struct netr_DatabaseDeltas r;
struct netr_CredentialState creds;
struct creds_CredentialState creds;
const uint32 database_ids[] = {0, 1, 2};
int i;
BOOL ret = True;
@ -587,7 +1189,7 @@ static BOOL test_AccountDeltas(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
struct netr_AccountDeltas r;
struct netr_CredentialState creds;
struct creds_CredentialState creds;
BOOL ret = True;
if (!test_SetupCredentials(p, mem_ctx, &creds)) {
@ -622,7 +1224,7 @@ static BOOL test_AccountSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
struct netr_AccountSync r;
struct netr_CredentialState creds;
struct creds_CredentialState creds;
BOOL ret = True;
if (!test_SetupCredentials(p, mem_ctx, &creds)) {
@ -816,12 +1418,12 @@ static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
struct netr_DatabaseSync2 r;
struct netr_CredentialState creds;
struct creds_CredentialState creds;
const uint32 database_ids[] = {0, 1, 2};
int i;
BOOL ret = True;
if (!test_SetupCredentials2(p, mem_ctx, &creds)) {
if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &creds)) {
return False;
}