search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WHATSNEW: SMB3 Directory Leases
[Samba.git] / libcli / auth / smbencrypt.c
blob7818d2921f8062ae3aef8dc6d79b26baf1e1e387
1 /*
2 Unix SMB/CIFS implementation.
3 SMB parameters and setup
4 Copyright (C) Andrew Tridgell 1992-1998
5 Modified by Jeremy Allison 1995.
6 Copyright (C) Jeremy Allison 1995-2000.
7 Copyright (C) Luke Kennethc Casson Leighton 1996-2000.
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/time.h"
26 #include "../libcli/auth/msrpc_parse.h"
27 #include "../lib/crypto/crypto.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
30 #include "lib/util/bytearray.h"
31
32 #include "lib/crypto/gnutls_helpers.h"
33 #include <gnutls/gnutls.h>
34 #include <gnutls/crypto.h>
35
36 int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
37 {
38 uint8_t p21[21];
39 int rc;
40
41 memset(p21,'\0',21);
42 memcpy(p21, lm_hash, 16);
43
44 rc = SMBOWFencrypt(p21, c8, p24);
45
46 #ifdef DEBUG_PASSWORD
47 DEBUG(100,("SMBencrypt_hash: lm#, challenge, response\n"));
48 dump_data(100, p21, 16);
49 dump_data(100, c8, 8);
50 dump_data(100, p24, 24);
51 #endif
52
53 return rc;
54 }
55
56 /*
57 This implements the X/Open SMB password encryption
58 It takes a password ('unix' string), a 8 byte "crypt key"
59 and puts 24 bytes of encrypted password into p24
60
61 Returns False if password must have been truncated to create LM hash
62 */
63
64 bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24])
65 {
66 bool ret;
67 uint8_t lm_hash[16];
68 int rc;
69
70 ret = E_deshash(passwd, lm_hash);
71 rc = SMBencrypt_hash(lm_hash, c8, p24);
72 if (rc != 0) {
73 ret = false;
74 }
75 return ret;
76 }
77
78 /**
79 * Creates the MD4 Hash of the users password in NT UNICODE.
80 * @param passwd password in 'unix' charset.
81 * @param p16 return password hashed with md4, caller allocated 16 byte buffer
82 */
83
84 bool E_md4hash(const char *passwd, uint8_t p16[16])
85 {
86 size_t len;
87 smb_ucs2_t *wpwd;
88 bool ret;
89
90 ret = push_ucs2_talloc(NULL, &wpwd, passwd, &len);
91 if (!ret || len < 2) {
92 /* We don't want to return fixed data, as most callers
93 * don't check */
94 mdfour(p16, (const uint8_t *)passwd, strlen(passwd));
95 return false;
96 }
97
98 len -= 2;
99 mdfour(p16, (const uint8_t *)wpwd, len);
100
101 talloc_free(wpwd);
102 return true;
103 }
104
105 /**
106 * Creates the DES forward-only Hash of the users password in DOS ASCII charset
107 * @param passwd password in 'unix' charset.
108 * @param p16 return password hashed with DES, caller allocated 16 byte buffer
109 * @return false if password was > 14 characters, and therefore may be incorrect, otherwise true
110 * @note p16 is filled in regardless
111 */
112
113 bool E_deshash(const char *passwd, uint8_t p16[16])
114 {
115 bool ret;
116 int rc;
117 uint8_t dospwd[14];
118 TALLOC_CTX *frame = talloc_stackframe();
119
120 size_t converted_size;
121
122 char *tmpbuf;
123
124 ZERO_STRUCT(dospwd);
125
126 tmpbuf = strupper_talloc(frame, passwd);
127 if (tmpbuf == NULL) {
128 /* Too many callers don't check this result, we need to fill in the buffer with something */
129 strlcpy((char *)dospwd, passwd ? passwd : "", sizeof(dospwd));
130 E_P16(dospwd, p16);
131 talloc_free(frame);
132 return false;
133 }
134
135 ZERO_STRUCT(dospwd);
136
137 ret = convert_string_error(CH_UNIX, CH_DOS, tmpbuf, strlen(tmpbuf), dospwd, sizeof(dospwd), &converted_size);
138 talloc_free(frame);
139
140 /* Only the first 14 chars are considered, password need not
141 * be null terminated. We do this in the error and success
142 * case to avoid returning a fixed 'password' buffer, but
143 * callers should not use it when E_deshash returns false */
144
145 rc = E_P16((const uint8_t *)dospwd, p16);
146 if (rc != 0) {
147 ret = false;
148 }
149
150 ZERO_STRUCT(dospwd);
151
152 return ret;
153 }
154
155 /**
156 * Creates the MD4 and DES (LM) Hash of the users password.
157 * MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password.
158 * @param passwd password in 'unix' charset.
159 * @param nt_p16 return password hashed with md4, caller allocated 16 byte buffer
160 * @param p16 return password hashed with des, caller allocated 16 byte buffer
161 */
162
163 /* Does both the NT and LM owfs of a user's password */
164 void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], uint8_t p16[16])
165 {
166 /* Calculate the MD4 hash (NT compatible) of the password */
167 memset(nt_p16, '\0', 16);
168 E_md4hash(pwd, nt_p16);
169
170 #ifdef DEBUG_PASSWORD
171 DEBUG(100,("nt_lm_owf_gen: pwd, nt#\n"));
172 dump_data(120, (const uint8_t *)pwd, strlen(pwd));
173 dump_data(100, nt_p16, 16);
174 #endif
175
176 E_deshash(pwd, (uint8_t *)p16);
177
178 #ifdef DEBUG_PASSWORD
179 DEBUG(100,("nt_lm_owf_gen: pwd, lm#\n"));
180 dump_data(120, (const uint8_t *)pwd, strlen(pwd));
181 dump_data(100, p16, 16);
182 #endif
183 }
184
185 /* Does both the NTLMv2 owfs of a user's password */
186 bool ntv2_owf_gen(const uint8_t owf[16],
187 const char *user_in, const char *domain_in,
188 uint8_t kr_buf[16])
189 {
190 smb_ucs2_t *user;
191 smb_ucs2_t *domain;
192 size_t user_byte_len;
193 size_t domain_byte_len;
194 gnutls_hmac_hd_t hmac_hnd = NULL;
195 int rc;
196 bool ok = false;
197 TALLOC_CTX *mem_ctx = talloc_init("ntv2_owf_gen for %s\\%s", domain_in, user_in);
198
199 if (!mem_ctx) {
200 return false;
201 }
202
203 if (!user_in) {
204 user_in = "";
205 }
206
207 if (!domain_in) {
208 domain_in = "";
209 }
210
211 user_in = strupper_talloc(mem_ctx, user_in);
212 if (user_in == NULL) {
213 talloc_free(mem_ctx);
214 return false;
215 }
216
217 ok = push_ucs2_talloc(mem_ctx, &user, user_in, &user_byte_len );
218 if (!ok) {
219 DEBUG(0, ("push_uss2_talloc() for user failed)\n"));
220 talloc_free(mem_ctx);
221 return false;
222 }
223
224 ok = push_ucs2_talloc(mem_ctx, &domain, domain_in, &domain_byte_len);
225 if (!ok) {
226 DEBUG(0, ("push_ucs2_talloc() for domain failed\n"));
227 talloc_free(mem_ctx);
228 return false;
229 }
230
231 SMB_ASSERT(user_byte_len >= 2);
232 SMB_ASSERT(domain_byte_len >= 2);
233
234 /* We don't want null termination */
235 user_byte_len = user_byte_len - 2;
236 domain_byte_len = domain_byte_len - 2;
237
238 rc = gnutls_hmac_init(&hmac_hnd,
239 GNUTLS_MAC_MD5,
240 owf,
241 16);
242 if (rc < 0) {
243 ok = false;
244 goto out;
245 }
246
247 rc = gnutls_hmac(hmac_hnd, user, user_byte_len);
248 if (rc < 0) {
249 gnutls_hmac_deinit(hmac_hnd, NULL);
250 ok = false;
251 goto out;
252 }
253 rc = gnutls_hmac(hmac_hnd, domain, domain_byte_len);
254 if (rc < 0) {
255 gnutls_hmac_deinit(hmac_hnd, NULL);
256 ok = false;
257 goto out;
258 }
259
260 gnutls_hmac_deinit(hmac_hnd, kr_buf);
261
262 #ifdef DEBUG_PASSWORD
263 DEBUG(100, ("ntv2_owf_gen: user, domain, owfkey, kr\n"));
264 dump_data(100, (uint8_t *)user, user_byte_len);
265 dump_data(100, (uint8_t *)domain, domain_byte_len);
266 dump_data(100, owf, 16);
267 dump_data(100, kr_buf, 16);
268 #endif
269
270 ok = true;
271 out:
272 talloc_free(mem_ctx);
273 return ok;
274 }
275
276 /* Does the des encryption from the NT or LM MD4 hash. */
277 int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24])
278 {
279 uint8_t p21[21];
280
281 ZERO_STRUCT(p21);
282
283 memcpy(p21, passwd, 16);
284 return E_P24(p21, c8, p24);
285 }
286
287 /* Does the des encryption. */
288
289 int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24)
290 {
291 uint8_t p21[21];
292 int rc;
293
294 memset(p21,'\0',21);
295 memcpy(p21, nt_hash, 16);
296 rc = SMBOWFencrypt(p21, c8, p24);
297
298 #ifdef DEBUG_PASSWORD
299 DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n"));
300 dump_data(100, p21, 16);
301 dump_data(100, c8, 8);
302 dump_data(100, p24, 24);
303 #endif
304
305 return rc;
306 }
307
308 /* Does the NT MD4 hash then des encryption. Plaintext version of the above. */
309
310 int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24)
311 {
312 uint8_t nt_hash[16];
313 E_md4hash(passwd, nt_hash);
314 return SMBNTencrypt_hash(nt_hash, c8, p24);
315 }
316
317
318 /* Does the md5 encryption from the Key Response for NTLMv2. */
319 NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16],
320 const DATA_BLOB *srv_chal,
321 const DATA_BLOB *smbcli_chal,
322 uint8_t resp_buf[16])
323 {
324 gnutls_hmac_hd_t hmac_hnd = NULL;
325 NTSTATUS status;
326 int rc;
327
328 rc = gnutls_hmac_init(&hmac_hnd,
329 GNUTLS_MAC_MD5,
330 kr,
331 16);
332 if (rc < 0) {
333 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
334 }
335
336 rc = gnutls_hmac(hmac_hnd, srv_chal->data, srv_chal->length);
337 if (rc < 0) {
338 status = gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
339 goto out;
340 }
341 rc = gnutls_hmac(hmac_hnd, smbcli_chal->data, smbcli_chal->length);
342 if (rc < 0) {
343 status = gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
344 goto out;
345 }
346
347
348 status = NT_STATUS_OK;
349 out:
350 gnutls_hmac_deinit(hmac_hnd, resp_buf);
351 #ifdef DEBUG_PASSWORD
352 DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf: %s\n",
353 nt_errstr(status)));
354 dump_data(100, srv_chal->data, srv_chal->length);
355 dump_data(100, smbcli_chal->data, smbcli_chal->length);
356 dump_data(100, resp_buf, 16);
357 #endif
358 return status;
359 }
360
361 NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16],
362 const uint8_t *nt_resp,
363 uint8_t sess_key[16])
364 {
365 int rc;
366
367 /* a very nice, 128 bit, variable session key */
368 rc = gnutls_hmac_fast(GNUTLS_MAC_MD5,
369 kr,
370 16,
371 nt_resp,
372 16,
373 sess_key);
374 if (rc != 0) {
375 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
376 }
377
378 #ifdef DEBUG_PASSWORD
379 DEBUG(100, ("SMBsesskeygen_ntv2:\n"));
380 dump_data(100, sess_key, 16);
381 #endif
382
383 return NT_STATUS_OK;
384 }
385
386 void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16])
387 {
388 /* yes, this session key does not change - yes, this
389 is a problem - but it is 128 bits */
390
391 mdfour((uint8_t *)sess_key, kr, 16);
392
393 #ifdef DEBUG_PASSWORD
394 DEBUG(100, ("SMBsesskeygen_ntv1:\n"));
395 dump_data(100, sess_key, 16);
396 #endif
397 }
398
399 NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16],
400 const uint8_t lm_resp[24], /* only uses 8 */
401 uint8_t sess_key[16])
402 {
403 /* Calculate the LM session key (effective length 40 bits,
404 but changes with each session) */
405 uint8_t p24[24];
406 uint8_t partial_lm_hash[14];
407 int rc;
408
409 memcpy(partial_lm_hash, lm_hash, 8);
410 memset(partial_lm_hash + 8, 0xbd, 6);
411
412 rc = des_crypt56_gnutls(p24, lm_resp, partial_lm_hash, SAMBA_GNUTLS_ENCRYPT);
413 if (rc < 0) {
414 return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
415 }
416 rc = des_crypt56_gnutls(p24+8, lm_resp, partial_lm_hash + 7, SAMBA_GNUTLS_ENCRYPT);
417 if (rc < 0) {
418 return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
419 }
420
421 memcpy(sess_key, p24, 16);
422
423 #ifdef DEBUG_PASSWORD
424 DEBUG(100, ("SMBsesskeygen_lm_sess_key: \n"));
425 dump_data(100, sess_key, 16);
426 #endif
427
428 return NT_STATUS_OK;
429 }
430
431 DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
432 const char *hostname,
433 const char *domain)
434 {
435 DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
436
437 /* Deliberately ignore return here.. */
438 if (hostname != NULL) {
439 (void)msrpc_gen(mem_ctx, &names_blob,
440 "aaa",
441 MsvAvNbDomainName, domain,
442 MsvAvNbComputerName, hostname,
443 MsvAvEOL, "");
444 } else {
445 (void)msrpc_gen(mem_ctx, &names_blob,
446 "aa",
447 MsvAvNbDomainName, domain,
448 MsvAvEOL, "");
449 }
450 return names_blob;
451 }
452
453 static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx,
454 NTTIME nttime,
455 const DATA_BLOB *names_blob)
456 {
457 uint8_t client_chal[8];
458 DATA_BLOB response = data_blob(NULL, 0);
459 uint8_t long_date[8];
460
461 generate_random_buffer(client_chal, sizeof(client_chal));
462
463 push_nttime(long_date, 0, nttime);
464
465 /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */
466
467 /* Deliberately ignore return here.. */
468 (void)msrpc_gen(mem_ctx, &response, "ddbbdb",
469 0x00000101, /* Header */
470 0, /* 'Reserved' */
471 long_date, 8, /* Timestamp */
472 client_chal, 8, /* client challenge */
473 0, /* Unknown */
474 names_blob->data, names_blob->length); /* End of name list */
475
476 return response;
477 }
478
479 static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
480 const uint8_t ntlm_v2_hash[16],
481 const DATA_BLOB *server_chal,
482 NTTIME nttime,
483 const DATA_BLOB *names_blob)
484 {
485 uint8_t ntlmv2_response[16];
486 DATA_BLOB ntlmv2_client_data;
487 DATA_BLOB final_response;
488 NTSTATUS status;
489
490 TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0,
491 "NTLMv2_generate_response internal context");
492
493 if (!mem_ctx) {
494 return data_blob(NULL, 0);
495 }
496
497 /* NTLMv2 */
498 /* generate some data to pass into the response function - including
499 the hostname and domain name of the server */
500 ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, nttime, names_blob);
501
502 /* Given that data, and the challenge from the server, generate a response */
503 status = SMBOWFencrypt_ntv2(ntlm_v2_hash,
504 server_chal,
505 &ntlmv2_client_data,
506 ntlmv2_response);
507 if (!NT_STATUS_IS_OK(status)) {
508 talloc_free(mem_ctx);
509 return data_blob(NULL, 0);
510 }
511
512 final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
513
514 memcpy(final_response.data, ntlmv2_response, sizeof(ntlmv2_response));
515
516 memcpy(final_response.data+sizeof(ntlmv2_response),
517 ntlmv2_client_data.data, ntlmv2_client_data.length);
518
519 talloc_free(mem_ctx);
520
521 return final_response;
522 }
523
524 static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx,
525 const uint8_t ntlm_v2_hash[16],
526 const DATA_BLOB *server_chal)
527 {
528 uint8_t lmv2_response[16];
529 DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8);
530 DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24);
531 NTSTATUS status;
532
533 /* LMv2 */
534 /* client-supplied random data */
535 generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length);
536
537 /* Given that data, and the challenge from the server, generate a response */
538 status = SMBOWFencrypt_ntv2(ntlm_v2_hash,
539 server_chal,
540 &lmv2_client_data,
541 lmv2_response);
542 if (!NT_STATUS_IS_OK(status)) {
543 data_blob_free(&lmv2_client_data);
544 return data_blob(NULL, 0);
545 }
546 memcpy(final_response.data, lmv2_response, sizeof(lmv2_response));
547
548 /* after the first 16 bytes is the random data we generated above,
549 so the server can verify us with it */
550 memcpy(final_response.data+sizeof(lmv2_response),
551 lmv2_client_data.data, lmv2_client_data.length);
552
553 data_blob_free(&lmv2_client_data);
554
555 return final_response;
556 }
557
558 bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
559 const char *user, const char *domain, const uint8_t nt_hash[16],
560 const DATA_BLOB *server_chal,
561 const NTTIME *server_timestamp,
562 const DATA_BLOB *names_blob,
563 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
564 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key)
565 {
566 uint8_t ntlm_v2_hash[16];
567 NTSTATUS status;
568
569 /* We don't use the NT# directly. Instead we use it mashed up with
570 the username and domain.
571 This prevents username swapping during the auth exchange
572 */
573 if (!ntv2_owf_gen(nt_hash, user, domain, ntlm_v2_hash)) {
574 return false;
575 }
576
577 if (nt_response) {
578 const NTTIME *nttime = server_timestamp;
579 NTTIME _now = 0;
580
581 if (nttime == NULL) {
582 struct timeval tv_now = timeval_current();
583 _now = timeval_to_nttime(&tv_now);
584 nttime = &_now;
585 }
586
587 *nt_response = NTLMv2_generate_response(mem_ctx,
588 ntlm_v2_hash,
589 server_chal,
590 *nttime,
591 names_blob);
592 if (user_session_key) {
593 *user_session_key = data_blob_talloc(mem_ctx, NULL, 16);
594
595 /* The NTLMv2 calculations also provide a session key, for signing etc later */
596 /* use only the first 16 bytes of nt_response for session key */
597 status = SMBsesskeygen_ntv2(ntlm_v2_hash,
598 nt_response->data,
599 user_session_key->data);
600 if (!NT_STATUS_IS_OK(status)) {
601 return false;
602 }
603 }
604 }
605
606 /* LMv2 */
607
608 if (lm_response) {
609 if (server_timestamp != NULL) {
610 *lm_response = data_blob_talloc_zero(mem_ctx, 24);
611 } else {
612 *lm_response = LMv2_generate_response(mem_ctx,
613 ntlm_v2_hash,
614 server_chal);
615 }
616 if (lm_session_key) {
617 *lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
618
619 /* The NTLMv2 calculations also provide a session key, for signing etc later */
620 /* use only the first 16 bytes of lm_response for session key */
621 status = SMBsesskeygen_ntv2(ntlm_v2_hash,
622 lm_response->data,
623 lm_session_key->data);
624 if (!NT_STATUS_IS_OK(status)) {
625 return false;
626 }
627 }
628 }
629
630 return true;
631 }
632
633 bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
634 const char *user, const char *domain,
635 const char *password,
636 const DATA_BLOB *server_chal,
637 const DATA_BLOB *names_blob,
638 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
639 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key)
640 {
641 uint8_t nt_hash[16];
642 E_md4hash(password, nt_hash);
643
644 return SMBNTLMv2encrypt_hash(mem_ctx,
645 user, domain, nt_hash,
646 server_chal, NULL, names_blob,
647 lm_response, nt_response, lm_session_key, user_session_key);
648 }
649
650 NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
651 const char *account_domain,
652 const DATA_BLOB response,
653 const struct netlogon_creds_CredentialState *creds,
654 const char *workgroup)
655 {
656 TALLOC_CTX *frame = NULL;
657 /* RespType + HiRespType */
658 static const char *magic = "\x01\x01";
659 int cmp;
660 struct NTLMv2_RESPONSE v2_resp;
661 enum ndr_err_code err;
662 const struct AV_PAIR *av_nb_cn = NULL;
663 const struct AV_PAIR *av_nb_dn = NULL;
664
665 if (response.length < 48) {
666 /*
667 * NTLMv2_RESPONSE has at least 48 bytes.
668 */
669 return NT_STATUS_OK;
670 }
671
672 cmp = memcmp(response.data + 16, magic, 2);
673 if (cmp != 0) {
674 /*
675 * It doesn't look like a valid NTLMv2_RESPONSE
676 */
677 return NT_STATUS_OK;
678 }
679
680 if (response.length == 95) {
681 /*
682 * ndr_pull_NTLMv2_RESPONSE() fails on this strange blob,
683 * because the AvPairs content is not valid
684 * as AvLen of the first pair is 33032 (0x8108).
685 *
686 * I saw a single machine sending the following 3 times
687 * in a row, but I'm not sure if everything is static.
688 *
689 * Note this is NTLMv2_CLIENT_CHALLENGE only, not
690 * the full NTLMv2_RESPONSE (which has Response of 16 bytes
691 * before the NTLMv2_CLIENT_CHALLENGE).
692 *
693 * Note this code only prevents
694 * ndr_pull_error(Buffer Size Error): Pull bytes 39016
695 * debug message for a known case, the actual
696 * bug is also handled below in a generic way to
697 * map NT_STATUS_BUFFER_TOO_SMALL to NT_STATUS_OK.
698 *
699 * See https://bugzilla.samba.org/show_bug.cgi?id=14932
700 */
701 static const char *netapp_magic =
702 "\x01\x01\x00\x00\x00\x00\x00\x00"
703 "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
704 "\xb8\x82\x3a\xf1\xb3\xdd\x08\x15"
705 "\x00\x00\x00\x00\x11\xa2\x08\x81"
706 "\x50\x38\x22\x78\x2b\x94\x47\xfe"
707 "\x54\x94\x7b\xff\x17\x27\x5a\xb4"
708 "\xf4\x18\xba\xdc\x2c\x38\xfd\x5b"
709 "\xfb\x0e\xc1\x85\x1e\xcc\x92\xbb"
710 "\x9b\xb1\xc4\xd5\x53\x14\xff\x8c"
711 "\x76\x49\xf5\x45\x90\x19\xa2";
712 /*
713 * First we check the initial bytes
714 * and the 0x3F timestamp.
715 */
716 cmp = memcmp(response.data + 16,
717 netapp_magic,
718 16);
719 if (cmp == 0) {
720 /*
721 * Then check everything after the
722 * client challenge
723 */
724 cmp = memcmp(response.data + 40,
725 netapp_magic + 24,
726 response.length - 40);
727 if (cmp == 0) {
728 DBG_DEBUG("Invalid NETAPP NTLMv2_RESPONSE "
729 "for user[%s\\%s] against "
730 "SEC_CHAN(%u)[%s/%s] "
731 "in workgroup[%s]\n",
732 account_domain,
733 account_name,
734 creds->secure_channel_type,
735 creds->computer_name,
736 creds->account_name,
737 workgroup);
738 return NT_STATUS_OK;
739 }
740 }
741 }
742
743 frame = talloc_stackframe();
744
745 err = ndr_pull_struct_blob(&response, frame, &v2_resp,
746 (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
747 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
748 NTSTATUS status;
749 status = ndr_map_error2ntstatus(err);
750 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
751 /*
752 * We are supposed to ignore invalid buffers,
753 * see https://bugzilla.samba.org/show_bug.cgi?id=14932
754 */
755 status = NT_STATUS_OK;
756 }
757 DEBUG(2,("%s: Failed to parse NTLMv2_RESPONSE length=%u "
758 "for user[%s\\%s] against SEC_CHAN(%u)[%s/%s] "
759 "in workgroup[%s] - %s %s %s\n",
760 __func__,
761 (unsigned)response.length,
762 account_domain,
763 account_name,
764 creds->secure_channel_type,
765 creds->computer_name,
766 creds->account_name,
767 workgroup,
768 ndr_map_error2string(err),
769 NT_STATUS_IS_OK(status) ? "(ignoring) =>" : "=>",
770 nt_errstr(status)));
771 dump_data(2, response.data, response.length);
772 TALLOC_FREE(frame);
773 return status;
774 }
775
776 if (DEBUGLVL(10)) {
777 NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
778 }
779
780 /*
781 * Make sure the netbios computer name in the
782 * NTLMv2_RESPONSE matches the computer name
783 * in the secure channel credentials for workstation
784 * trusts.
785 *
786 * And the netbios domain name matches our
787 * workgroup.
788 *
789 * This prevents workstations from requesting
790 * the session key of NTLMSSP sessions of clients
791 * to other hosts.
792 */
793 if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
794 av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
795 MsvAvNbComputerName);
796 av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
797 MsvAvNbDomainName);
798 }
799
800 if (av_nb_cn != NULL) {
801 const char *v = NULL;
802 char *a = NULL;
803 size_t len;
804
805 v = av_nb_cn->Value.AvNbComputerName;
806
807 a = talloc_strdup(frame, creds->account_name);
808 if (a == NULL) {
809 TALLOC_FREE(frame);
810 return NT_STATUS_NO_MEMORY;
811 }
812 len = strlen(a);
813 if (len > 0 && a[len - 1] == '$') {
814 a[len - 1] = '\0';
815 }
816
817 cmp = strcasecmp_m(a, v);
818 if (cmp != 0) {
819 DEBUG(2,("%s: NTLMv2_RESPONSE with "
820 "NbComputerName[%s] rejected "
821 "for user[%s\\%s] "
822 "against SEC_CHAN_WKSTA[%s/%s] "
823 "in workgroup[%s]\n",
824 __func__, v,
825 account_domain,
826 account_name,
827 creds->computer_name,
828 creds->account_name,
829 workgroup));
830 TALLOC_FREE(frame);
831 return NT_STATUS_LOGON_FAILURE;
832 }
833 }
834 if (av_nb_dn != NULL) {
835 const char *v = NULL;
836
837 v = av_nb_dn->Value.AvNbDomainName;
838
839 cmp = strcasecmp_m(workgroup, v);
840 if (cmp != 0) {
841 DEBUG(2,("%s: NTLMv2_RESPONSE with "
842 "NbDomainName[%s] rejected "
843 "for user[%s\\%s] "
844 "against SEC_CHAN_WKSTA[%s/%s] "
845 "in workgroup[%s]\n",
846 __func__, v,
847 account_domain,
848 account_name,
849 creds->computer_name,
850 creds->account_name,
851 workgroup));
852 TALLOC_FREE(frame);
853 return NT_STATUS_LOGON_FAILURE;
854 }
855 }
856
857 TALLOC_FREE(frame);
858 return NT_STATUS_OK;
859 }
860
861 enum encode_order {
862 ENCODE_ORDER_PASSWORD_FIRST,
863 ENCODE_ORDER_PASSWORD_LAST,
864 };
865
866 #define PASSWORD_BUFFER_LEN 512
867
868 static ssize_t _encode_pwd_buffer_from_str(uint8_t buf[PASSWORD_BUFFER_LEN],
869 const char *password,
870 int string_flags,
871 enum encode_order order)
872 {
873 ssize_t new_pw_len;
874 size_t pw_pos = 0;
875 size_t random_pos = 0;
876 size_t random_len = 0;
877
878 /* The incoming buffer can be any alignment. */
879 string_flags |= STR_NOALIGN;
880
881 new_pw_len = push_string(buf,
882 password,
883 PASSWORD_BUFFER_LEN,
884 string_flags);
885 if (new_pw_len < 0) {
886 BURN_DATA_SIZE(buf, PASSWORD_BUFFER_LEN);
887 return -1;
888 }
889
890 if (new_pw_len == PASSWORD_BUFFER_LEN) {
891 return new_pw_len;
892 }
893
894 switch (order) {
895 case ENCODE_ORDER_PASSWORD_FIRST:
896 pw_pos = 0;
897 random_pos = new_pw_len;
898 random_len = PASSWORD_BUFFER_LEN - random_pos;
899 break;
900 case ENCODE_ORDER_PASSWORD_LAST:
901 pw_pos = PASSWORD_BUFFER_LEN - new_pw_len;
902 random_pos = 0;
903 random_len = pw_pos;
904 memmove(buf + pw_pos, buf, new_pw_len);
905 break;
906 }
907
908 generate_random_buffer(buf + random_pos, random_len);
909
910 return new_pw_len;
911 }
912
913 /***********************************************************
914 encode a password buffer with a unicode password. The buffer
915 is filled with random data to make it harder to attack.
916 ************************************************************/
917 bool encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags)
918 {
919 ssize_t pw_len;
920
921 pw_len = _encode_pwd_buffer_from_str(buffer,
922 password,
923 string_flags,
924 ENCODE_ORDER_PASSWORD_LAST);
925 if (pw_len < 0 || pw_len > PASSWORD_BUFFER_LEN) {
926 return false;
927 }
928
929 PUSH_LE_U32(buffer, PASSWORD_BUFFER_LEN, pw_len);
930
931 return true;
932 }
933
934
935 /***********************************************************
936 decode a password buffer
937 *new_pw_len is the length in bytes of the possibly mulitbyte
938 returned password including termination.
939 ************************************************************/
940
941 bool decode_pw_buffer(TALLOC_CTX *ctx,
942 uint8_t in_buffer[516],
943 char **pp_new_pwrd,
944 size_t *new_pw_len,
945 charset_t string_charset)
946 {
947 DATA_BLOB new_password;
948 int byte_len=0;
949 bool ok;
950
951 *pp_new_pwrd = NULL;
952 *new_pw_len = 0;
953
954 ok = extract_pw_from_buffer(ctx, in_buffer, &new_password);
955 if (!ok) {
956 return false;
957 }
958
959 /*
960 Warning !!! : This function is called from some rpc call.
961 The password IN the buffer may be a UNICODE string.
962 The password IN new_pwrd is an ASCII string
963 If you reuse that code somewhere else check first.
964 */
965
966 /* decode into the return buffer. */
967 ok = convert_string_talloc(ctx,
968 string_charset,
969 CH_UNIX,
970 new_password.data,
971 new_password.length,
972 pp_new_pwrd,
973 new_pw_len);
974 data_blob_free(&new_password);
975 if (!ok) {
976 DBG_ERR("Failed to convert incoming password\n");
977 return false;
978 }
979 talloc_keep_secret(*pp_new_pwrd);
980
981 #ifdef DEBUG_PASSWORD
982 DEBUG(100,("decode_pw_buffer: new_pwrd: "));
983 dump_data(100, (uint8_t *)*pp_new_pwrd, *new_pw_len);
984 DEBUG(100,("multibyte len:%lu\n", (unsigned long int)*new_pw_len));
985 DEBUG(100,("original char len:%d\n", byte_len/2));
986 #endif
987
988 return true;
989 }
990
991 #define MAX_PASSWORD_LEN 256
992
993 /*
994 * [MS-SAMR] 2.2.6.32 This creates the buffer to be sent. It is of type
995 * SAMPR_USER_PASSWORD_AES.
996 */
997 bool encode_pwd_buffer514_from_str(uint8_t buffer[514],
998 const char *password,
999 uint32_t string_flags)
1000 {
1001 ssize_t pw_len;
1002
1003 pw_len = _encode_pwd_buffer_from_str(buffer + 2,
1004 password,
1005 string_flags,
1006 ENCODE_ORDER_PASSWORD_FIRST);
1007 if (pw_len < 0) {
1008 return false;
1009 }
1010
1011 PUSH_LE_U16(buffer, 0, pw_len);
1012
1013 return true;
1014 }
1015
1016 bool extract_pwd_blob_from_buffer514(TALLOC_CTX *mem_ctx,
1017 const uint8_t in_buffer[514],
1018 DATA_BLOB *new_password)
1019 {
1020 #ifdef DEBUG_PASSWORD
1021 DEBUG(100, ("in_buffer: "));
1022 dump_data(100, in_buffer, 514);
1023 #endif
1024
1025 new_password->length = PULL_LE_U16(in_buffer, 0);
1026 if (new_password->length == 0 || new_password->length > 512) {
1027 return false;
1028 }
1029
1030 new_password->data =
1031 talloc_memdup(mem_ctx, in_buffer + 2, new_password->length);
1032 if (new_password->data == NULL) {
1033 return false;
1034 }
1035 talloc_keep_secret(new_password->data);
1036
1037 #ifdef DEBUG_PASSWORD
1038 DEBUG(100, ("new_pwd_len: %zu\n", new_password->length));
1039 DEBUG(100, ("new_pwd: "));
1040 dump_data(100, new_password->data, new_password->length);
1041 #endif
1042
1043 return true;
1044 }
1045
1046 bool decode_pwd_string_from_buffer514(TALLOC_CTX *mem_ctx,
1047 const uint8_t in_buffer[514],
1048 charset_t string_charset,
1049 DATA_BLOB *decoded_password)
1050 {
1051 DATA_BLOB new_password = {
1052 .length = 0,
1053 };
1054 bool ok;
1055
1056 ok = extract_pwd_blob_from_buffer514(mem_ctx, in_buffer, &new_password);
1057 if (!ok) {
1058 return false;
1059 }
1060
1061 ok = convert_string_talloc(mem_ctx,
1062 string_charset,
1063 CH_UNIX,
1064 new_password.data,
1065 new_password.length,
1066 &decoded_password->data,
1067 &decoded_password->length);
1068 data_blob_free(&new_password);
1069 if (!ok) {
1070 return false;
1071 }
1072 talloc_keep_secret(decoded_password->data);
1073
1074 return true;
1075 }
1076
1077 /***********************************************************
1078 Encode an arc4 password change buffer.
1079 ************************************************************/
1080 NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
1081 const DATA_BLOB *session_key,
1082 struct samr_CryptPasswordEx *out_crypt_pwd)
1083 {
1084 uint8_t _confounder[16] = {0};
1085 DATA_BLOB confounder = data_blob_const(_confounder, 16);
1086 DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516);
1087 bool ok;
1088 int rc;
1089
1090 ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE);
1091 if (!ok) {
1092 return NT_STATUS_INVALID_PARAMETER;
1093 }
1094
1095 generate_random_buffer(confounder.data, confounder.length);
1096
1097 rc = samba_gnutls_arcfour_confounded_md5(&confounder,
1098 session_key,
1099 &pw_data,
1100 SAMBA_GNUTLS_ENCRYPT);
1101 if (rc < 0) {
1102 ZERO_ARRAY(_confounder);
1103 data_blob_clear(&pw_data);
1104 return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1105 }
1106
1107 /*
1108 * The packet format is the 516 byte RC4 encrypted
1109 * password followed by the 16 byte confounder
1110 * The confounder is a salt to prevent pre-computed hash attacks on the
1111 * database.
1112 */
1113 memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length);
1114 ZERO_ARRAY(_confounder);
1115
1116 return NT_STATUS_OK;
1117 }
1118
1119 /***********************************************************
1120 Decode an arc4 encrypted password change buffer.
1121 ************************************************************/
1122
1123 NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
1124 struct samr_CryptPasswordEx *inout_crypt_pwd)
1125 {
1126 /* Confounder is last 16 bytes. */
1127 DATA_BLOB confounder = data_blob_const(&inout_crypt_pwd->data[516], 16);
1128 DATA_BLOB pw_data = data_blob_const(&inout_crypt_pwd->data, 516);
1129 int rc;
1130
1131 rc = samba_gnutls_arcfour_confounded_md5(&confounder,
1132 psession_key,
1133 &pw_data,
1134 SAMBA_GNUTLS_DECRYPT);
1135 if (rc < 0) {
1136 return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1137 }
1138
1139 return NT_STATUS_OK;
1140 }
1141
1142 /***********************************************************
1143 encode a password buffer with an already unicode password. The
1144 rest of the buffer is filled with random data to make it harder to attack.
1145 ************************************************************/
1146
1147 static bool create_pw_buffer_from_blob(uint8_t buffer[512],
1148 const DATA_BLOB *in_password,
1149 enum encode_order order)
1150 {
1151 size_t pwd_pos = 0;
1152 size_t random_pos = 0;
1153 size_t random_len = 0;
1154
1155 if (in_password->length > 512) {
1156 return false;
1157 }
1158
1159 switch (order) {
1160 case ENCODE_ORDER_PASSWORD_FIRST:
1161 pwd_pos = 0;
1162 random_pos = in_password->length;
1163 break;
1164 case ENCODE_ORDER_PASSWORD_LAST:
1165 pwd_pos = PASSWORD_BUFFER_LEN - in_password->length;
1166 random_pos = 0;
1167 break;
1168 }
1169 random_len = PASSWORD_BUFFER_LEN - in_password->length;
1170
1171 memcpy(buffer + pwd_pos, in_password->data, in_password->length);
1172 generate_random_buffer(buffer + random_pos, random_len);
1173
1174 return true;
1175 }
1176
1177 bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password)
1178 {
1179 bool ok;
1180
1181 ok = create_pw_buffer_from_blob(buffer,
1182 password,
1183 ENCODE_ORDER_PASSWORD_LAST);
1184 if (!ok) {
1185 return false;
1186 }
1187
1188 /*
1189 * The length of the new password is in the last 4 bytes of
1190 * the data buffer.
1191 */
1192 PUSH_LE_U32(buffer, PASSWORD_BUFFER_LEN, password->length);
1193
1194 return true;
1195 }
1196
1197 /***********************************************************
1198 decode a password buffer
1199 *new_pw_size is the length in bytes of the extracted unicode password
1200 ************************************************************/
1201 bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
1202 uint8_t in_buffer[516], DATA_BLOB *new_pass)
1203 {
1204 int byte_len=0;
1205
1206 /* The length of the new password is in the last 4 bytes of the data buffer. */
1207
1208 byte_len = IVAL(in_buffer, 512);
1209
1210 #ifdef DEBUG_PASSWORD
1211 dump_data(100, in_buffer, 516);
1212 #endif
1213
1214 /* Password cannot be longer than the size of the password buffer */
1215 if ( (byte_len < 0) || (byte_len > 512)) {
1216 return false;
1217 }
1218
1219 *new_pass = data_blob_talloc(mem_ctx, &in_buffer[512 - byte_len], byte_len);
1220
1221 if (!new_pass->data) {
1222 return false;
1223 }
1224 talloc_keep_secret(new_pass->data);
1225
1226 return true;
1227 }
1228
1229
1230 /* encode a wkssvc_PasswordBuffer:
1231 *
1232 * similar to samr_CryptPasswordEx. Different: 8byte confounder (instead of
1233 * 16byte), confounder in front of the 516 byte buffer (instead of after that
1234 * buffer), calling MD5Update() first with session_key and then with confounder
1235 * (vice versa in samr) - Guenther */
1236
1237 WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
1238 const char *pwd,
1239 DATA_BLOB *session_key,
1240 struct wkssvc_PasswordBuffer **out_pwd_buf)
1241 {
1242 struct wkssvc_PasswordBuffer *pwd_buf = NULL;
1243 uint8_t _confounder[8] = {0};
1244 DATA_BLOB confounder = data_blob_const(_confounder, 8);
1245 uint8_t pwbuf[516] = {0};
1246 DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
1247 int rc;
1248
1249 pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
1250 if (pwd_buf == NULL) {
1251 return WERR_NOT_ENOUGH_MEMORY;
1252 }
1253
1254 encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
1255
1256 generate_random_buffer(_confounder, sizeof(_confounder));
1257
1258 rc = samba_gnutls_arcfour_confounded_md5(session_key,
1259 &confounder,
1260 &encrypt_pwbuf,
1261 SAMBA_GNUTLS_ENCRYPT);
1262 if (rc < 0) {
1263 ZERO_ARRAY(_confounder);
1264 TALLOC_FREE(pwd_buf);
1265 return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
1266 }
1267
1268 memcpy(&pwd_buf->data[0], confounder.data, confounder.length);
1269 ZERO_ARRAY(_confounder);
1270 memcpy(&pwd_buf->data[8], encrypt_pwbuf.data, encrypt_pwbuf.length);
1271 ZERO_ARRAY(pwbuf);
1272
1273 *out_pwd_buf = pwd_buf;
1274
1275 return WERR_OK;
1276 }
1277
1278 WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
1279 struct wkssvc_PasswordBuffer *pwd_buf,
1280 DATA_BLOB *session_key,
1281 char **pwd)
1282 {
1283 uint8_t _confounder[8] = { 0 };
1284 DATA_BLOB confounder = data_blob_const(_confounder, 8);
1285 uint8_t pwbuf[516] = {0};
1286 DATA_BLOB decrypt_pwbuf = data_blob_const(pwbuf, 516);
1287 bool ok;
1288 int rc;
1289
1290 if (pwd_buf == NULL) {
1291 return WERR_INVALID_PASSWORD;
1292 }
1293
1294 *pwd = NULL;
1295
1296 if (session_key->length != 16) {
1297 DEBUG(10,("invalid session key\n"));
1298 return WERR_INVALID_PASSWORD;
1299 }
1300
1301 confounder = data_blob_const(&pwd_buf->data[0], 8);
1302 memcpy(&pwbuf, &pwd_buf->data[8], 516);
1303
1304 rc = samba_gnutls_arcfour_confounded_md5(session_key,
1305 &confounder,
1306 &decrypt_pwbuf,
1307 SAMBA_GNUTLS_ENCRYPT);
1308 if (rc < 0) {
1309 ZERO_ARRAY(_confounder);
1310 TALLOC_FREE(pwd_buf);
1311 return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
1312 }
1313
1314 ok = decode_pw_buffer(mem_ctx,
1315 decrypt_pwbuf.data,
1316 pwd,
1317 &decrypt_pwbuf.length,
1318 CH_UTF16);
1319 ZERO_ARRAY(pwbuf);
1320
1321 if (!ok) {
1322 return WERR_INVALID_PASSWORD;
1323 }
1324
1325 return WERR_OK;
1326 }
Samba GIT mirror