search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP
[Samba.git] / auth / ntlmssp / ntlmssp_server.c
blobdf7af9975dea893abd0a75503870fda01b0c2032
1 /*
2 Unix SMB/Netbios implementation.
3 Version 3.0
4 handle NTLMSSP, server side
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "lib/util/time_basic.h"
25 #include "auth/ntlmssp/ntlmssp.h"
26 #include "auth/ntlmssp/ntlmssp_private.h"
27 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
28 #include "auth/ntlmssp/ntlmssp_ndr.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "../lib/crypto/crypto.h"
31 #include "auth/gensec/gensec.h"
32 #include "auth/gensec/gensec_internal.h"
33 #include "auth/common_auth.h"
34 #include "param/param.h"
35 #include "param/loadparm.h"
36 #include "libcli/security/session.h"
37
38 /**
39 * Determine correct target name flags for reply, given server role
40 * and negotiated flags
41 *
42 * @param ntlmssp_state NTLMSSP State
43 * @param neg_flags The flags from the packet
44 * @param chal_flags The flags to be set in the reply packet
45 * @return The 'target name' string.
46 */
47
48 const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
49 uint32_t neg_flags, uint32_t *chal_flags)
50 {
51 if (neg_flags & NTLMSSP_REQUEST_TARGET) {
52 *chal_flags |= NTLMSSP_NEGOTIATE_TARGET_INFO;
53 *chal_flags |= NTLMSSP_REQUEST_TARGET;
54 if (ntlmssp_state->server.is_standalone) {
55 *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER;
56 return ntlmssp_state->server.netbios_name;
57 } else {
58 *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
59 return ntlmssp_state->server.netbios_domain;
60 };
61 } else {
62 return "";
63 }
64 }
65
66 /**
67 * Next state function for the NTLMSSP Negotiate packet
68 *
69 * @param gensec_security GENSEC state
70 * @param out_mem_ctx Memory context for *out
71 * @param in The request, as a DATA_BLOB. reply.data must be NULL
72 * @param out The reply, as an allocated DATA_BLOB, caller to free.
73 * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
74 */
75
76 NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
77 TALLOC_CTX *out_mem_ctx,
78 const DATA_BLOB request, DATA_BLOB *reply)
79 {
80 struct gensec_ntlmssp_context *gensec_ntlmssp =
81 talloc_get_type_abort(gensec_security->private_data,
82 struct gensec_ntlmssp_context);
83 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
84 struct auth4_context *auth_context = gensec_security->auth_context;
85 DATA_BLOB struct_blob;
86 uint32_t neg_flags = 0;
87 uint32_t ntlmssp_command, chal_flags;
88 uint8_t cryptkey[8];
89 const char *target_name;
90 NTSTATUS status;
91 struct timeval tv_now = timeval_current();
92 /*
93 * See [MS-NLMP]
94 *
95 * Windows NT 4.0, windows_2000: use 30 minutes,
96 * Windows XP, Windows Server 2003, Windows Vista,
97 * Windows Server 2008, Windows 7, and Windows Server 2008 R2
98 * use 36 hours.
99 *
100 * Newer systems doesn't check this, likely because the
101 * connectionless NTLMSSP is no longer supported.
102 *
103 * As we expect the AUTHENTICATION_MESSAGE to arrive
104 * directly after the NEGOTIATE_MESSAGE (typically less than
105 * as 1 second later). We use a hard timeout of 30 Minutes.
106 *
107 * We don't look at AUTHENTICATE_MESSAGE.NtChallengeResponse.TimeStamp
108 * instead we just remember our own time.
109 */
110 uint32_t max_lifetime = 30 * 60;
111 struct timeval tv_end = timeval_add(&tv_now, max_lifetime, 0);
112
113 /* parse the NTLMSSP packet */
114 #if 0
115 file_save("ntlmssp_negotiate.dat", request.data, request.length);
116 #endif
117
118 if (request.length) {
119 if (request.length > UINT16_MAX) {
120 DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
121 (unsigned int)request.length));
122 return NT_STATUS_INVALID_PARAMETER;
123 }
124
125 if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
126 "NTLMSSP",
127 &ntlmssp_command,
128 &neg_flags)) {
129 DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
130 (unsigned int)request.length));
131 dump_data(2, request.data, request.length);
132 return NT_STATUS_INVALID_PARAMETER;
133 }
134 debug_ntlmssp_flags(neg_flags);
135
136 if (DEBUGLEVEL >= 10) {
137 struct NEGOTIATE_MESSAGE *negotiate = talloc(
138 ntlmssp_state, struct NEGOTIATE_MESSAGE);
139 if (negotiate != NULL) {
140 status = ntlmssp_pull_NEGOTIATE_MESSAGE(
141 &request, negotiate, negotiate);
142 if (NT_STATUS_IS_OK(status)) {
143 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
144 negotiate);
145 }
146 TALLOC_FREE(negotiate);
147 }
148 }
149 }
150
151 status = ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, "negotiate");
152 if (!NT_STATUS_IS_OK(status)){
153 return status;
154 }
155
156 /* Ask our caller what challenge they would like in the packet */
157 if (auth_context->get_ntlm_challenge) {
158 status = auth_context->get_ntlm_challenge(auth_context, cryptkey);
159 if (!NT_STATUS_IS_OK(status)) {
160 DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to get challenge: %s\n",
161 nt_errstr(status)));
162 return status;
163 }
164 } else {
165 DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't give a challenge\n"));
166 return NT_STATUS_NOT_IMPLEMENTED;
167 }
168
169 /* The flags we send back are not just the negotiated flags,
170 * they are also 'what is in this packet'. Therfore, we
171 * operate on 'chal_flags' from here on
172 */
173
174 chal_flags = ntlmssp_state->neg_flags;
175 ntlmssp_state->server.challenge_endtime = timeval_to_nttime(&tv_end);
176
177 /* get the right name to fill in as 'target' */
178 target_name = ntlmssp_target_name(ntlmssp_state,
179 neg_flags, &chal_flags);
180 if (target_name == NULL)
181 return NT_STATUS_INVALID_PARAMETER;
182
183 ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
184 ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
185 cryptkey, 8);
186
187 /* This creates the 'blob' of names that appears at the end of the packet */
188 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
189 enum ndr_err_code err;
190 struct AV_PAIR *pairs = NULL;
191 uint32_t count = 5;
192
193 pairs = talloc_zero_array(ntlmssp_state, struct AV_PAIR, count + 1);
194 if (pairs == NULL) {
195 return NT_STATUS_NO_MEMORY;
196 }
197
198 pairs[0].AvId = MsvAvNbDomainName;
199 pairs[0].Value.AvNbDomainName = target_name;
200
201 pairs[1].AvId = MsvAvNbComputerName;
202 pairs[1].Value.AvNbComputerName = ntlmssp_state->server.netbios_name;
203
204 pairs[2].AvId = MsvAvDnsDomainName;
205 pairs[2].Value.AvDnsDomainName = ntlmssp_state->server.dns_domain;
206
207 pairs[3].AvId = MsvAvDnsComputerName;
208 pairs[3].Value.AvDnsComputerName= ntlmssp_state->server.dns_name;
209
210 if (!ntlmssp_state->force_old_spnego) {
211 pairs[4].AvId = MsvAvTimestamp;
212 pairs[4].Value.AvTimestamp =
213 timeval_to_nttime(&tv_now);
214 count += 1;
215
216 pairs[5].AvId = MsvAvEOL;
217 } else {
218 pairs[4].AvId = MsvAvEOL;
219 }
220
221 ntlmssp_state->server.av_pair_list.count = count;
222 ntlmssp_state->server.av_pair_list.pair = pairs;
223
224 err = ndr_push_struct_blob(&struct_blob,
225 ntlmssp_state,
226 &ntlmssp_state->server.av_pair_list,
227 (ndr_push_flags_fn_t)ndr_push_AV_PAIR_LIST);
228 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
229 return NT_STATUS_NO_MEMORY;
230 }
231 } else {
232 struct_blob = data_blob_null;
233 }
234
235 {
236 /* Marshal the packet in the right format, be it unicode or ASCII */
237 const char *gen_string;
238 const DATA_BLOB version_blob = ntlmssp_version_blob();
239
240 if (ntlmssp_state->unicode) {
241 gen_string = "CdUdbddBb";
242 } else {
243 gen_string = "CdAdbddBb";
244 }
245
246 status = msrpc_gen(out_mem_ctx, reply, gen_string,
247 "NTLMSSP",
248 NTLMSSP_CHALLENGE,
249 target_name,
250 chal_flags,
251 cryptkey, 8,
252 0, 0,
253 struct_blob.data, struct_blob.length,
254 version_blob.data, version_blob.length);
255
256 if (!NT_STATUS_IS_OK(status)) {
257 data_blob_free(&struct_blob);
258 return status;
259 }
260
261 if (DEBUGLEVEL >= 10) {
262 struct CHALLENGE_MESSAGE *challenge = talloc(
263 ntlmssp_state, struct CHALLENGE_MESSAGE);
264 if (challenge != NULL) {
265 challenge->NegotiateFlags = chal_flags;
266 status = ntlmssp_pull_CHALLENGE_MESSAGE(
267 reply, challenge, challenge);
268 if (NT_STATUS_IS_OK(status)) {
269 NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
270 challenge);
271 }
272 TALLOC_FREE(challenge);
273 }
274 }
275 }
276
277 data_blob_free(&struct_blob);
278
279 ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state,
280 request);
281 if (ntlmssp_state->negotiate_blob.length != request.length) {
282 return NT_STATUS_NO_MEMORY;
283 }
284
285 ntlmssp_state->challenge_blob = data_blob_dup_talloc(ntlmssp_state,
286 *reply);
287 if (ntlmssp_state->challenge_blob.length != reply->length) {
288 return NT_STATUS_NO_MEMORY;
289 }
290
291 ntlmssp_state->expected_state = NTLMSSP_AUTH;
292
293 return NT_STATUS_MORE_PROCESSING_REQUIRED;
294 }
295
296 struct ntlmssp_server_auth_state {
297 DATA_BLOB user_session_key;
298 DATA_BLOB lm_session_key;
299 /* internal variables used by KEY_EXCH (client-supplied user session key */
300 DATA_BLOB encrypted_session_key;
301 bool doing_ntlm2;
302 /* internal variables used by NTLM2 */
303 uint8_t session_nonce[16];
304 };
305
306 /**
307 * Next state function for the Authenticate packet
308 *
309 * @param ntlmssp_state NTLMSSP State
310 * @param request The request, as a DATA_BLOB
311 * @return Errors or NT_STATUS_OK.
312 */
313
314 static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
315 struct gensec_ntlmssp_context *gensec_ntlmssp,
316 struct ntlmssp_server_auth_state *state,
317 const DATA_BLOB request)
318 {
319 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
320 struct auth4_context *auth_context = gensec_security->auth_context;
321 uint32_t ntlmssp_command, auth_flags;
322 NTSTATUS nt_status;
323 const unsigned int version_len = 8;
324 DATA_BLOB version_blob = data_blob_null;
325 const unsigned int mic_len = NTLMSSP_MIC_SIZE;
326 DATA_BLOB mic_blob = data_blob_null;
327 uint8_t session_nonce_hash[16];
328 const char *parse_string;
329 bool ok;
330 struct timeval endtime;
331 bool expired = false;
332
333 #if 0
334 file_save("ntlmssp_auth.dat", request.data, request.length);
335 #endif
336
337 if (ntlmssp_state->unicode) {
338 parse_string = "CdBBUUUBdbb";
339 } else {
340 parse_string = "CdBBAAABdbb";
341 }
342
343 /* zero these out */
344 data_blob_free(&ntlmssp_state->session_key);
345 data_blob_free(&ntlmssp_state->lm_resp);
346 data_blob_free(&ntlmssp_state->nt_resp);
347
348 ntlmssp_state->user = NULL;
349 ntlmssp_state->domain = NULL;
350 ntlmssp_state->client.netbios_name = NULL;
351
352 /* now the NTLMSSP encoded auth hashes */
353 ok = msrpc_parse(ntlmssp_state, &request, parse_string,
354 "NTLMSSP",
355 &ntlmssp_command,
356 &ntlmssp_state->lm_resp,
357 &ntlmssp_state->nt_resp,
358 &ntlmssp_state->domain,
359 &ntlmssp_state->user,
360 &ntlmssp_state->client.netbios_name,
361 &state->encrypted_session_key,
362 &auth_flags,
363 &version_blob, version_len,
364 &mic_blob, mic_len);
365 if (!ok) {
366 DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
367 dump_data(10, request.data, request.length);
368
369 data_blob_free(&version_blob);
370 data_blob_free(&mic_blob);
371
372 if (ntlmssp_state->unicode) {
373 parse_string = "CdBBUUUBd";
374 } else {
375 parse_string = "CdBBAAABd";
376 }
377
378 ok = msrpc_parse(ntlmssp_state, &request, parse_string,
379 "NTLMSSP",
380 &ntlmssp_command,
381 &ntlmssp_state->lm_resp,
382 &ntlmssp_state->nt_resp,
383 &ntlmssp_state->domain,
384 &ntlmssp_state->user,
385 &ntlmssp_state->client.netbios_name,
386 &state->encrypted_session_key,
387 &auth_flags);
388 }
389
390 if (!ok) {
391 DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
392 dump_data(10, request.data, request.length);
393
394 /* zero this out */
395 data_blob_free(&state->encrypted_session_key);
396 auth_flags = 0;
397
398 /* Try again with a shorter string (Win9X truncates this packet) */
399 if (ntlmssp_state->unicode) {
400 parse_string = "CdBBUUU";
401 } else {
402 parse_string = "CdBBAAA";
403 }
404
405 /* now the NTLMSSP encoded auth hashes */
406 if (!msrpc_parse(ntlmssp_state, &request, parse_string,
407 "NTLMSSP",
408 &ntlmssp_command,
409 &ntlmssp_state->lm_resp,
410 &ntlmssp_state->nt_resp,
411 &ntlmssp_state->domain,
412 &ntlmssp_state->user,
413 &ntlmssp_state->client.netbios_name)) {
414 DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
415 dump_data(2, request.data, request.length);
416
417 return NT_STATUS_INVALID_PARAMETER;
418 }
419 }
420
421 talloc_steal(state, state->encrypted_session_key.data);
422
423 if (auth_flags != 0) {
424 nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
425 auth_flags,
426 "authenticate");
427 if (!NT_STATUS_IS_OK(nt_status)){
428 return nt_status;
429 }
430 }
431
432 if (DEBUGLEVEL >= 10) {
433 struct AUTHENTICATE_MESSAGE *authenticate = talloc(
434 ntlmssp_state, struct AUTHENTICATE_MESSAGE);
435 if (authenticate != NULL) {
436 NTSTATUS status;
437 authenticate->NegotiateFlags = auth_flags;
438 status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
439 &request, authenticate, authenticate);
440 if (NT_STATUS_IS_OK(status)) {
441 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
442 authenticate);
443 }
444 TALLOC_FREE(authenticate);
445 }
446 }
447
448 DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
449 ntlmssp_state->user, ntlmssp_state->domain,
450 ntlmssp_state->client.netbios_name,
451 (unsigned long)ntlmssp_state->lm_resp.length,
452 (unsigned long)ntlmssp_state->nt_resp.length));
453
454 #if 0
455 file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
456 file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
457 #endif
458
459 if (ntlmssp_state->nt_resp.length > 24) {
460 struct NTLMv2_RESPONSE v2_resp;
461 enum ndr_err_code err;
462 uint32_t i = 0;
463 uint32_t count = 0;
464 const struct AV_PAIR *flags = NULL;
465 const struct AV_PAIR *eol = NULL;
466 uint32_t av_flags = 0;
467
468 err = ndr_pull_struct_blob(&ntlmssp_state->nt_resp,
469 ntlmssp_state,
470 &v2_resp,
471 (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
472 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
473 nt_status = ndr_map_error2ntstatus(err);
474 DEBUG(1,("%s: failed to parse NTLMv2_RESPONSE of length %zu for "
475 "user=[%s] domain=[%s] workstation=[%s] - %s %s\n",
476 __func__, ntlmssp_state->nt_resp.length,
477 ntlmssp_state->user, ntlmssp_state->domain,
478 ntlmssp_state->client.netbios_name,
479 ndr_errstr(err), nt_errstr(nt_status)));
480 return nt_status;
481 }
482
483 if (DEBUGLVL(10)) {
484 NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
485 }
486
487 eol = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
488 MsvAvEOL);
489 if (eol == NULL) {
490 DEBUG(1,("%s: missing MsvAvEOL for "
491 "user=[%s] domain=[%s] workstation=[%s]\n",
492 __func__, ntlmssp_state->user, ntlmssp_state->domain,
493 ntlmssp_state->client.netbios_name));
494 return NT_STATUS_INVALID_PARAMETER;
495 }
496
497 flags = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
498 MsvAvFlags);
499 if (flags != NULL) {
500 av_flags = flags->Value.AvFlags;
501 }
502
503 if (av_flags & NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE) {
504 if (mic_blob.length != NTLMSSP_MIC_SIZE) {
505 DEBUG(1,("%s: mic_blob.length[%u] for "
506 "user=[%s] domain=[%s] workstation=[%s]\n",
507 __func__,
508 (unsigned)mic_blob.length,
509 ntlmssp_state->user,
510 ntlmssp_state->domain,
511 ntlmssp_state->client.netbios_name));
512 return NT_STATUS_INVALID_PARAMETER;
513 }
514
515 if (request.length <
516 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE))
517 {
518 DEBUG(1,("%s: missing MIC "
519 "request.length[%u] for "
520 "user=[%s] domain=[%s] workstation=[%s]\n",
521 __func__,
522 (unsigned)request.length,
523 ntlmssp_state->user,
524 ntlmssp_state->domain,
525 ntlmssp_state->client.netbios_name));
526 return NT_STATUS_INVALID_PARAMETER;
527 }
528
529 ntlmssp_state->new_spnego = true;
530 }
531
532 count = ntlmssp_state->server.av_pair_list.count;
533 if (v2_resp.Challenge.AvPairs.count < count) {
534 return NT_STATUS_INVALID_PARAMETER;
535 }
536
537 for (i = 0; i < count; i++) {
538 const struct AV_PAIR *sp =
539 &ntlmssp_state->server.av_pair_list.pair[i];
540 const struct AV_PAIR *cp = NULL;
541
542 if (sp->AvId == MsvAvEOL) {
543 continue;
544 }
545
546 cp = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
547 sp->AvId);
548 if (cp == NULL) {
549 DEBUG(1,("%s: AvId 0x%x missing for"
550 "user=[%s] domain=[%s] "
551 "workstation=[%s]\n",
552 __func__,
553 (unsigned)sp->AvId,
554 ntlmssp_state->user,
555 ntlmssp_state->domain,
556 ntlmssp_state->client.netbios_name));
557 return NT_STATUS_INVALID_PARAMETER;
558 }
559
560 switch (cp->AvId) {
561 #define CASE_STRING(v) case Msv ## v: do { \
562 int cmp; \
563 if (sp->Value.v == NULL) { \
564 return NT_STATUS_INTERNAL_ERROR; \
565 } \
566 if (cp->Value.v == NULL) { \
567 DEBUG(1,("%s: invalid %s " \
568 "got[%s] expect[%s] for " \
569 "user=[%s] domain=[%s] workstation=[%s]\n", \
570 __func__, #v, \
571 cp->Value.v, \
572 sp->Value.v, \
573 ntlmssp_state->user, \
574 ntlmssp_state->domain, \
575 ntlmssp_state->client.netbios_name)); \
576 return NT_STATUS_INVALID_PARAMETER; \
577 } \
578 cmp = strcmp(cp->Value.v, sp->Value.v); \
579 if (cmp != 0) { \
580 DEBUG(1,("%s: invalid %s " \
581 "got[%s] expect[%s] for " \
582 "user=[%s] domain=[%s] workstation=[%s]\n", \
583 __func__, #v, \
584 cp->Value.v, \
585 sp->Value.v, \
586 ntlmssp_state->user, \
587 ntlmssp_state->domain, \
588 ntlmssp_state->client.netbios_name)); \
589 return NT_STATUS_INVALID_PARAMETER; \
590 } \
591 } while(0); break
592 CASE_STRING(AvNbComputerName);
593 CASE_STRING(AvNbDomainName);
594 CASE_STRING(AvDnsComputerName);
595 CASE_STRING(AvDnsDomainName);
596 CASE_STRING(AvDnsTreeName);
597 case MsvAvTimestamp:
598 if (cp->Value.AvTimestamp != sp->Value.AvTimestamp) {
599 struct timeval ct;
600 struct timeval st;
601 struct timeval_buf tmp1;
602 struct timeval_buf tmp2;
603
604 nttime_to_timeval(&ct,
605 cp->Value.AvTimestamp);
606 nttime_to_timeval(&st,
607 sp->Value.AvTimestamp);
608
609 DEBUG(1,("%s: invalid AvTimestamp "
610 "got[%s] expect[%s] for "
611 "user=[%s] domain=[%s] "
612 "workstation=[%s]\n",
613 __func__,
614 timeval_str_buf(&ct, false,
615 true, &tmp1),
616 timeval_str_buf(&st, false,
617 true, &tmp2),
618 ntlmssp_state->user,
619 ntlmssp_state->domain,
620 ntlmssp_state->client.netbios_name));
621 return NT_STATUS_INVALID_PARAMETER;
622 }
623 break;
624 default:
625 /*
626 * This can't happen as we control
627 * ntlmssp_state->server.av_pair_list
628 */
629 return NT_STATUS_INTERNAL_ERROR;
630 }
631 }
632 }
633
634 nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
635 expired = timeval_expired(&endtime);
636 if (expired) {
637 struct timeval_buf tmp;
638 DEBUG(1,("%s: challenge invalid (expired %s) for "
639 "user=[%s] domain=[%s] workstation=[%s]\n",
640 __func__,
641 timeval_str_buf(&endtime, false, true, &tmp),
642 ntlmssp_state->user, ntlmssp_state->domain,
643 ntlmssp_state->client.netbios_name));
644 return NT_STATUS_INVALID_PARAMETER;
645 }
646
647 /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
648 client challenge
649
650 However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
651 */
652 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
653 if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
654 MD5_CTX md5_session_nonce_ctx;
655 state->doing_ntlm2 = true;
656
657 memcpy(state->session_nonce, ntlmssp_state->internal_chal.data, 8);
658 memcpy(&state->session_nonce[8], ntlmssp_state->lm_resp.data, 8);
659
660 SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
661
662 MD5Init(&md5_session_nonce_ctx);
663 MD5Update(&md5_session_nonce_ctx, state->session_nonce, 16);
664 MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
665
666 /* LM response is no longer useful */
667 data_blob_free(&ntlmssp_state->lm_resp);
668
669 /* We changed the effective challenge - set it */
670 if (auth_context->set_ntlm_challenge) {
671 nt_status = auth_context->set_ntlm_challenge(auth_context,
672 session_nonce_hash,
673 "NTLMSSP callback (NTLM2)");
674 if (!NT_STATUS_IS_OK(nt_status)) {
675 DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to get challenge: %s\n",
676 nt_errstr(nt_status)));
677 return nt_status;
678 }
679 } else {
680 DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't have facility for challenge to be set\n"));
681
682 return NT_STATUS_NOT_IMPLEMENTED;
683 }
684
685 /* LM Key is incompatible. */
686 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
687 }
688 }
689 return NT_STATUS_OK;
690 }
691
692 /**
693 * Check the password on an NTLMSSP login.
694 *
695 * Return the session keys used on the connection.
696 */
697
698 static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_security,
699 struct gensec_ntlmssp_context *gensec_ntlmssp,
700 TALLOC_CTX *mem_ctx,
701 DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
702 {
703 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
704 struct auth4_context *auth_context = gensec_security->auth_context;
705 NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
706 struct auth_session_info *session_info = NULL;
707 struct auth_usersupplied_info *user_info;
708
709 user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
710 if (!user_info) {
711 return NT_STATUS_NO_MEMORY;
712 }
713
714 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
715 user_info->flags = 0;
716 user_info->mapped_state = false;
717 user_info->client.account_name = ntlmssp_state->user;
718 user_info->client.domain_name = ntlmssp_state->domain;
719 user_info->workstation_name = ntlmssp_state->client.netbios_name;
720 user_info->remote_host = gensec_get_remote_address(gensec_security);
721 user_info->service_description
722 = gensec_get_target_service_description(gensec_security);
723
724 user_info->password_state = AUTH_PASSWORD_RESPONSE;
725 user_info->password.response.lanman = ntlmssp_state->lm_resp;
726 user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
727 user_info->password.response.nt = ntlmssp_state->nt_resp;
728 user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
729
730 if (auth_context->check_ntlm_password) {
731 uint8_t authoritative = 0;
732
733 nt_status = auth_context->check_ntlm_password(auth_context,
734 gensec_ntlmssp,
735 user_info,
736 &authoritative,
737 &gensec_ntlmssp->server_returned_info,
738 user_session_key, lm_session_key);
739 }
740
741 if (!NT_STATUS_IS_OK(nt_status)) {
742 DEBUG(5, (__location__ ": Checking NTLMSSP password for %s\\%s failed: %s\n", user_info->client.domain_name, user_info->client.account_name, nt_errstr(nt_status)));
743 }
744 TALLOC_FREE(user_info);
745
746 NT_STATUS_NOT_OK_RETURN(nt_status);
747
748 if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
749 && auth_context->generate_session_info != NULL)
750 {
751 NTSTATUS tmp_status;
752
753 /*
754 * We need to check if the auth is anonymous or mapped to guest
755 */
756 tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
757 gensec_ntlmssp->server_returned_info,
758 gensec_ntlmssp->ntlmssp_state->user,
759 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
760 &session_info);
761 if (!NT_STATUS_IS_OK(tmp_status)) {
762 /*
763 * We don't care about failures,
764 * the worst result is that we try MIC checking
765 * for a map to guest authentication.
766 */
767 TALLOC_FREE(session_info);
768 }
769 }
770
771 if (session_info != NULL) {
772 if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
773 /*
774 * Anonymous and GUEST are not secure anyway.
775 * avoid new_spnego and MIC checking.
776 */
777 ntlmssp_state->new_spnego = false;
778 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
779 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
780 }
781 TALLOC_FREE(session_info);
782 }
783
784 talloc_steal(mem_ctx, user_session_key->data);
785 talloc_steal(mem_ctx, lm_session_key->data);
786
787 return nt_status;
788 }
789
790 /**
791 * Next state function for the Authenticate packet
792 * (after authentication - figures out the session keys etc)
793 *
794 * @param ntlmssp_state NTLMSSP State
795 * @return Errors or NT_STATUS_OK.
796 */
797
798 static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
799 struct gensec_ntlmssp_context *gensec_ntlmssp,
800 struct ntlmssp_server_auth_state *state,
801 DATA_BLOB request)
802 {
803 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
804 DATA_BLOB user_session_key = state->user_session_key;
805 DATA_BLOB lm_session_key = state->lm_session_key;
806 NTSTATUS nt_status = NT_STATUS_OK;
807 DATA_BLOB session_key = data_blob(NULL, 0);
808
809 dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
810 dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
811
812 /* Handle the different session key derivation for NTLM2 */
813 if (state->doing_ntlm2) {
814 if (user_session_key.data && user_session_key.length == 16) {
815 session_key = data_blob_talloc(ntlmssp_state,
816 NULL, 16);
817 hmac_md5(user_session_key.data, state->session_nonce,
818 sizeof(state->session_nonce), session_key.data);
819 DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
820 dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
821
822 } else {
823 DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
824 session_key = data_blob_null;
825 }
826 } else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
827 /* Ensure we can never get here on NTLMv2 */
828 && (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) {
829
830 if (lm_session_key.data && lm_session_key.length >= 8) {
831 if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
832 session_key = data_blob_talloc(ntlmssp_state,
833 NULL, 16);
834 if (session_key.data == NULL) {
835 return NT_STATUS_NO_MEMORY;
836 }
837 SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
838 session_key.data);
839 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
840 } else {
841 static const uint8_t zeros[24] = {0, };
842 session_key = data_blob_talloc(
843 ntlmssp_state, NULL, 16);
844 if (session_key.data == NULL) {
845 return NT_STATUS_NO_MEMORY;
846 }
847 SMBsesskeygen_lm_sess_key(zeros, zeros,
848 session_key.data);
849 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
850 }
851 dump_data_pw("LM session key:\n", session_key.data,
852 session_key.length);
853 } else {
854 /* LM Key not selected */
855 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
856
857 DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
858 session_key = data_blob_null;
859 }
860
861 } else if (user_session_key.data) {
862 session_key = user_session_key;
863 DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
864 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
865
866 /* LM Key not selected */
867 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
868
869 } else if (lm_session_key.data) {
870 /* Very weird to have LM key, but no user session key, but anyway.. */
871 session_key = lm_session_key;
872 DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
873 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
874
875 /* LM Key not selected */
876 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
877
878 } else {
879 DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
880 session_key = data_blob_null;
881
882 /* LM Key not selected */
883 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
884 }
885
886 /* With KEY_EXCH, the client supplies the proposed session key,
887 but encrypts it with the long-term key */
888 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
889 if (!state->encrypted_session_key.data
890 || state->encrypted_session_key.length != 16) {
891 DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
892 (unsigned)state->encrypted_session_key.length));
893 return NT_STATUS_INVALID_PARAMETER;
894 } else if (!session_key.data || session_key.length != 16) {
895 DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
896 (unsigned int)session_key.length));
897 ntlmssp_state->session_key = session_key;
898 talloc_steal(ntlmssp_state, session_key.data);
899 } else {
900 dump_data_pw("KEY_EXCH session key (enc):\n",
901 state->encrypted_session_key.data,
902 state->encrypted_session_key.length);
903 arcfour_crypt(state->encrypted_session_key.data,
904 session_key.data,
905 state->encrypted_session_key.length);
906 ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state,
907 state->encrypted_session_key.data,
908 state->encrypted_session_key.length);
909 dump_data_pw("KEY_EXCH session key:\n",
910 state->encrypted_session_key.data,
911 state->encrypted_session_key.length);
912 }
913 } else {
914 ntlmssp_state->session_key = session_key;
915 talloc_steal(ntlmssp_state, session_key.data);
916 }
917
918 if (ntlmssp_state->new_spnego) {
919 HMACMD5Context ctx;
920 uint8_t mic_buffer[NTLMSSP_MIC_SIZE] = { 0, };
921 int cmp;
922
923 hmac_md5_init_limK_to_64(ntlmssp_state->session_key.data,
924 ntlmssp_state->session_key.length,
925 &ctx);
926
927 hmac_md5_update(ntlmssp_state->negotiate_blob.data,
928 ntlmssp_state->negotiate_blob.length,
929 &ctx);
930 hmac_md5_update(ntlmssp_state->challenge_blob.data,
931 ntlmssp_state->challenge_blob.length,
932 &ctx);
933
934 /* checked were we set ntlmssp_state->new_spnego */
935 SMB_ASSERT(request.length >
936 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE));
937
938 hmac_md5_update(request.data, NTLMSSP_MIC_OFFSET, &ctx);
939 hmac_md5_update(mic_buffer, NTLMSSP_MIC_SIZE, &ctx);
940 hmac_md5_update(request.data +
941 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE),
942 request.length -
943 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE),
944 &ctx);
945 hmac_md5_final(mic_buffer, &ctx);
946
947 cmp = memcmp(request.data + NTLMSSP_MIC_OFFSET,
948 mic_buffer, NTLMSSP_MIC_SIZE);
949 if (cmp != 0) {
950 DEBUG(1,("%s: invalid NTLMSSP_MIC for "
951 "user=[%s] domain=[%s] workstation=[%s]\n",
952 __func__,
953 ntlmssp_state->user,
954 ntlmssp_state->domain,
955 ntlmssp_state->client.netbios_name));
956 dump_data(1, request.data + NTLMSSP_MIC_OFFSET,
957 NTLMSSP_MIC_SIZE);
958 dump_data(1, mic_buffer,
959 NTLMSSP_MIC_SIZE);
960 return NT_STATUS_INVALID_PARAMETER;
961 }
962 }
963
964 data_blob_free(&ntlmssp_state->negotiate_blob);
965 data_blob_free(&ntlmssp_state->challenge_blob);
966
967 if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
968 nt_status = ntlmssp_sign_init(ntlmssp_state);
969 }
970
971 ntlmssp_state->expected_state = NTLMSSP_DONE;
972
973 return nt_status;
974 }
975
976
977 /**
978 * Next state function for the NTLMSSP Authenticate packet
979 *
980 * @param gensec_security GENSEC state
981 * @param out_mem_ctx Memory context for *out
982 * @param in The request, as a DATA_BLOB. reply.data must be NULL
983 * @param out The reply, as an allocated DATA_BLOB, caller to free.
984 * @return Errors or NT_STATUS_OK if authentication sucessful
985 */
986
987 NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
988 TALLOC_CTX *out_mem_ctx,
989 const DATA_BLOB in, DATA_BLOB *out)
990 {
991 struct gensec_ntlmssp_context *gensec_ntlmssp =
992 talloc_get_type_abort(gensec_security->private_data,
993 struct gensec_ntlmssp_context);
994 struct ntlmssp_server_auth_state *state;
995 NTSTATUS nt_status;
996
997 /* zero the outbound NTLMSSP packet */
998 *out = data_blob_null;
999
1000 state = talloc_zero(gensec_ntlmssp, struct ntlmssp_server_auth_state);
1001 if (state == NULL) {
1002 return NT_STATUS_NO_MEMORY;
1003 }
1004
1005 nt_status = ntlmssp_server_preauth(gensec_security, gensec_ntlmssp, state, in);
1006 if (!NT_STATUS_IS_OK(nt_status)) {
1007 TALLOC_FREE(state);
1008 return nt_status;
1009 }
1010
1011 /*
1012 * Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
1013 * is required (by "ntlm auth = no" and "lm auth = no" being set in the
1014 * smb.conf file) and no NTLMv2 response was sent then the password check
1015 * will fail here. JRA.
1016 */
1017
1018 /* Finally, actually ask if the password is OK */
1019 nt_status = ntlmssp_server_check_password(gensec_security, gensec_ntlmssp,
1020 state,
1021 &state->user_session_key,
1022 &state->lm_session_key);
1023 if (!NT_STATUS_IS_OK(nt_status)) {
1024 TALLOC_FREE(state);
1025 return nt_status;
1026 }
1027
1028 /* When we get more async in the auth code behind
1029 ntlmssp_state->check_password, the ntlmssp_server_postpath
1030 can be done in a callback */
1031
1032 nt_status = ntlmssp_server_postauth(gensec_security, gensec_ntlmssp, state, in);
1033 TALLOC_FREE(state);
1034 return nt_status;
1035 }
Samba GIT mirror