auth/ntlmssp/ntlmssp_util.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8    Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth/gensec/gensec.h"
  26 #include "auth/gensec/gensec_internal.h"
  27 #include "../auth/ntlmssp/ntlmssp.h"
  28 #include "../auth/ntlmssp/ntlmssp_private.h"
  29
  30 #include "lib/crypto/gnutls_helpers.h"
  31 #include <gnutls/gnutls.h>
  32 #include <gnutls/crypto.h>
  33
  34 #undef DBGC_CLASS
  35 #define DBGC_CLASS DBGC_AUTH
  36
  37 static void debug_ntlmssp_flags_raw(int level, uint32_t flags)
  38 {
  39 #define _PRINT_FLAG_LINE(v) do { \
  40         if (flags & (v)) { \
  41                 DEBUGADD(level, ("  " #v "\n")); \
  42         } \
  43 } while (0)
  44         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_UNICODE);
  45         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM);
  46         _PRINT_FLAG_LINE(NTLMSSP_REQUEST_TARGET);
  47         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SIGN);
  48         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SEAL);
  49         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_DATAGRAM);
  50         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_LM_KEY);
  51         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NETWARE);
  52         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NTLM);
  53         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NT_ONLY);
  54         _PRINT_FLAG_LINE(NTLMSSP_ANONYMOUS);
  55         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED);
  56         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED);
  57         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL);
  58         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_ALWAYS_SIGN);
  59         _PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_DOMAIN);
  60         _PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SERVER);
  61         _PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SHARE);
  62         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY);
  63         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_IDENTIFY);
  64         _PRINT_FLAG_LINE(NTLMSSP_REQUEST_NON_NT_SESSION_KEY);
  65         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_TARGET_INFO);
  66         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_VERSION);
  67         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_128);
  68         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_KEY_EXCH);
  69         _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_56);
  70 }
  71
  72 /**
  73  * Print out the NTLMSSP flags for debugging
  74  * @param neg_flags The flags from the packet
  75  */
  76 void debug_ntlmssp_flags(uint32_t neg_flags)
  77 {
  78         DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
  79         debug_ntlmssp_flags_raw(4, neg_flags);
  80 }
  81
  82 NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
  83                                   uint32_t flags, const char *name)
  84 {
  85         uint32_t missing_flags = ntlmssp_state->required_flags;
  86
  87         if (ntlmssp_state->use_ntlmv2) {
  88                 /*
  89                  * Using NTLMv2 as a client implies
  90                  * using NTLMSSP_NEGOTIATE_NTLM2
  91                  * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
  92                  *
  93                  * Note that 'use_ntlmv2' is only set
  94                  * true in the client case.
  95                  *
  96                  * Even if the server has a bug and does not announce
  97                  * it, we need to assume it's present.
  98                  *
  99                  * Note that we also have the flag
 100                  * in ntlmssp_state->required_flags,
 101                  * see gensec_ntlmssp_client_start().
 102                  *
 103                  * See bug #12862.
 104                  */
 105                 flags |= NTLMSSP_NEGOTIATE_NTLM2;
 106         }
 107
 108         if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
 109                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
 110                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
 111                 ntlmssp_state->unicode = true;
 112         } else {
 113                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
 114                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
 115                 ntlmssp_state->unicode = false;
 116         }
 117
 118         /*
 119          * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
 120          * has priority over NTLMSSP_NEGOTIATE_LM_KEY
 121          */
 122         if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
 123                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 124         }
 125
 126         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 127                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 128         }
 129
 130         if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
 131                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 132         }
 133
 134         if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
 135                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 136         }
 137
 138         if (!(flags & NTLMSSP_NEGOTIATE_128)) {
 139                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
 140         }
 141
 142         if (!(flags & NTLMSSP_NEGOTIATE_56)) {
 143                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
 144         }
 145
 146         if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
 147                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
 148         }
 149
 150         if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
 151                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
 152         }
 153
 154         if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
 155                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
 156         }
 157
 158         if ((flags & NTLMSSP_REQUEST_TARGET)) {
 159                 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
 160         }
 161
 162         missing_flags &= ~ntlmssp_state->neg_flags;
 163         if (missing_flags != 0) {
 164                 HRESULT hres = HRES_SEC_E_UNSUPPORTED_FUNCTION;
 165                 NTSTATUS status = NT_STATUS(HRES_ERROR_V(hres));
 166                 DEBUG(1, ("%s: Got %s flags[0x%08x] "
 167                           "- possible downgrade detected! "
 168                           "missing_flags[0x%08x] - %s\n",
 169                           __func__, name,
 170                           (unsigned)flags,
 171                           (unsigned)missing_flags,
 172                           nt_errstr(status)));
 173                 debug_ntlmssp_flags_raw(1, missing_flags);
 174                 DEBUGADD(4, ("neg_flags[0x%08x]\n",
 175                              (unsigned)ntlmssp_state->neg_flags));
 176                 debug_ntlmssp_flags_raw(4, ntlmssp_state->neg_flags);
 177                 return status;
 178         }
 179
 180         return NT_STATUS_OK;
 181 }
 182
 183 /* Does this blob looks like it could be NTLMSSP? */
 184 bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob)
 185 {
 186         if (blob->length > 8 && memcmp("NTLMSSP\0", blob->data, 8) == 0) {
 187                 return true;
 188         } else {
 189                 return false;
 190         }
 191 }
 192
 193 const DATA_BLOB ntlmssp_version_blob(void)
 194 {
 195         /*
 196          * This is a simplified version of
 197          *
 198          * enum ndr_err_code err;
 199          * struct ntlmssp_VERSION vers;
 200          *
 201          * ZERO_STRUCT(vers);
 202          * vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
 203          * vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
 204          * vers.ProductBuild = 0;
 205          * vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
 206          *
 207          * err = ndr_push_struct_blob(&version_blob,
 208          *                      ntlmssp_state,
 209          *                      &vers,
 210          *                      (ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION);
 211          *
 212          * if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
 213          *      data_blob_free(&struct_blob);
 214          *      return NT_STATUS_NO_MEMORY;
 215          * }
 216          */
 217         static const uint8_t version_buffer[8] = {
 218                 NTLMSSP_WINDOWS_MAJOR_VERSION_6,
 219                 NTLMSSP_WINDOWS_MINOR_VERSION_1,
 220                 0x00, 0x00, /* product build */
 221                 0x00, 0x00, 0x00, /* reserved */
 222                 NTLMSSP_REVISION_W2K3
 223         };
 224
 225         return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer));
 226 }
 227
 228 NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
 229                                        uint8_t cb_hash[16])
 230 {
 231         const struct gensec_channel_bindings *cb =
 232                 gensec_security->channel_bindings;
 233         gnutls_hash_hd_t hash_hnd = NULL;
 234         uint8_t uint32buf[4];
 235         int rc;
 236
 237         if (cb == NULL) {
 238                 memset(cb_hash, 0, 16);
 239                 return NT_STATUS_OK;
 240         }
 241
 242         GNUTLS_FIPS140_SET_LAX_MODE();
 243         rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
 244         if (rc < 0) {
 245                 GNUTLS_FIPS140_SET_STRICT_MODE();
 246                 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 247         }
 248
 249         SIVAL(uint32buf, 0, cb->initiator_addrtype);
 250         rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
 251         if (rc < 0) {
 252                 gnutls_hash_deinit(hash_hnd, NULL);
 253                 GNUTLS_FIPS140_SET_STRICT_MODE();
 254                 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 255         }
 256         SIVAL(uint32buf, 0, cb->initiator_address.length);
 257         rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
 258         if (rc < 0) {
 259                 gnutls_hash_deinit(hash_hnd, NULL);
 260                 GNUTLS_FIPS140_SET_STRICT_MODE();
 261                 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 262         }
 263         if (cb->initiator_address.length > 0) {
 264                 rc = gnutls_hash(hash_hnd,
 265                                  cb->initiator_address.data,
 266                                  cb->initiator_address.length);
 267                 if (rc < 0) {
 268                         gnutls_hash_deinit(hash_hnd, NULL);
 269                         GNUTLS_FIPS140_SET_STRICT_MODE();
 270                         return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 271                 }
 272         }
 273         SIVAL(uint32buf, 0, cb->acceptor_addrtype);
 274         rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
 275         if (rc < 0) {
 276                 gnutls_hash_deinit(hash_hnd, NULL);
 277                 GNUTLS_FIPS140_SET_STRICT_MODE();
 278                 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 279         }
 280         SIVAL(uint32buf, 0, cb->acceptor_address.length);
 281         rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
 282         if (rc < 0) {
 283                 gnutls_hash_deinit(hash_hnd, NULL);
 284                 GNUTLS_FIPS140_SET_STRICT_MODE();
 285                 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 286         }
 287         if (cb->acceptor_address.length > 0) {
 288                 rc = gnutls_hash(hash_hnd,
 289                                  cb->acceptor_address.data,
 290                                  cb->acceptor_address.length);
 291                 if (rc < 0) {
 292                         gnutls_hash_deinit(hash_hnd, NULL);
 293                         GNUTLS_FIPS140_SET_STRICT_MODE();
 294                         return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 295                 }
 296         }
 297         SIVAL(uint32buf, 0, cb->application_data.length);
 298         rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
 299         if (rc < 0) {
 300                 gnutls_hash_deinit(hash_hnd, NULL);
 301                 GNUTLS_FIPS140_SET_STRICT_MODE();
 302                 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 303         }
 304         if (cb->application_data.length > 0) {
 305                 rc = gnutls_hash(hash_hnd,
 306                                  cb->application_data.data,
 307                                  cb->application_data.length);
 308                 if (rc < 0) {
 309                         gnutls_hash_deinit(hash_hnd, NULL);
 310                         GNUTLS_FIPS140_SET_STRICT_MODE();
 311                         return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
 312                 }
 313         }
 314
 315         gnutls_hash_deinit(hash_hnd, cb_hash);
 316         GNUTLS_FIPS140_SET_STRICT_MODE();
 317         return NT_STATUS_OK;
 318 }