search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "ldb: Remove Samba-specific symbols."
[Samba/ekacnet.git] / source3 / libsmb / ntlmssp.c
blob1d475172fe80c8a1d7e48e95745d8e50ebd0ccde
1 /*
2 Unix SMB/Netbios implementation.
3 Version 3.0
4 handle NLTMSSP, server side
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003
8 Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "../libcli/auth/ntlmssp.h"
26 #include "../libcli/auth/ntlmssp_private.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "../libcli/auth/ntlmssp_ndr.h"
30 #include "../lib/crypto/md5.h"
31 #include "../lib/crypto/arcfour.h"
32 #include "../lib/crypto/hmacmd5.h"
33
34 static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
35 DATA_BLOB reply, DATA_BLOB *next_request);
36 static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
37 const DATA_BLOB in, DATA_BLOB *out);
38 static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
39 const DATA_BLOB reply, DATA_BLOB *next_request);
40 static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
41 const DATA_BLOB request, DATA_BLOB *reply);
42
43 /**
44 * Callbacks for NTLMSSP - for both client and server operating modes
45 *
46 */
47
48 static const struct ntlmssp_callbacks {
49 enum ntlmssp_role role;
50 enum ntlmssp_message_type ntlmssp_command;
51 NTSTATUS (*fn)(struct ntlmssp_state *ntlmssp_state,
52 DATA_BLOB in, DATA_BLOB *out);
53 } ntlmssp_callbacks[] = {
54 {NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
55 {NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
56 {NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
57 {NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
58 {NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
59 {NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
60 };
61
62
63 /**
64 * Default challenge generation code.
65 *
66 */
67
68 static NTSTATUS get_challenge(const struct ntlmssp_state *ntlmssp_state,
69 uint8_t chal[8])
70 {
71 generate_random_buffer(chal, 8);
72 return NT_STATUS_OK;
73 }
74
75 /**
76 * Default 'we can set the challenge to anything we like' implementation
77 *
78 */
79
80 static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
81 {
82 return True;
83 }
84
85 /**
86 * Default 'we can set the challenge to anything we like' implementation
87 *
88 * Does not actually do anything, as the value is always in the structure anyway.
89 *
90 */
91
92 static NTSTATUS set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
93 {
94 SMB_ASSERT(challenge->length == 8);
95 return NT_STATUS_OK;
96 }
97
98 /**
99 * Set a username on an NTLMSSP context - ensures it is talloc()ed
100 *
101 */
102
103 NTSTATUS ntlmssp_set_username(struct ntlmssp_state *ntlmssp_state, const char *user)
104 {
105 ntlmssp_state->user = talloc_strdup(ntlmssp_state, user ? user : "" );
106 if (!ntlmssp_state->user) {
107 return NT_STATUS_NO_MEMORY;
108 }
109 return NT_STATUS_OK;
110 }
111
112 /**
113 * Store NT and LM hashes on an NTLMSSP context - ensures they are talloc()ed
114 *
115 */
116 NTSTATUS ntlmssp_set_hashes(struct ntlmssp_state *ntlmssp_state,
117 const uint8_t lm_hash[16],
118 const uint8_t nt_hash[16])
119 {
120 ntlmssp_state->lm_hash = (uint8_t *)
121 TALLOC_MEMDUP(ntlmssp_state, lm_hash, 16);
122 ntlmssp_state->nt_hash = (uint8_t *)
123 TALLOC_MEMDUP(ntlmssp_state, nt_hash, 16);
124 if (!ntlmssp_state->lm_hash || !ntlmssp_state->nt_hash) {
125 TALLOC_FREE(ntlmssp_state->lm_hash);
126 TALLOC_FREE(ntlmssp_state->nt_hash);
127 return NT_STATUS_NO_MEMORY;
128 }
129 return NT_STATUS_OK;
130 }
131
132 /**
133 * Converts a password to the hashes on an NTLMSSP context.
134 *
135 */
136 NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *password)
137 {
138 if (!password) {
139 ntlmssp_state->lm_hash = NULL;
140 ntlmssp_state->nt_hash = NULL;
141 } else {
142 uint8_t lm_hash[16];
143 uint8_t nt_hash[16];
144
145 E_deshash(password, lm_hash);
146 E_md4hash(password, nt_hash);
147 return ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
148 }
149 return NT_STATUS_OK;
150 }
151
152 /**
153 * Set a domain on an NTLMSSP context - ensures it is talloc()ed
154 *
155 */
156 NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain)
157 {
158 ntlmssp_state->domain = talloc_strdup(ntlmssp_state,
159 domain ? domain : "" );
160 if (!ntlmssp_state->domain) {
161 return NT_STATUS_NO_MEMORY;
162 }
163 return NT_STATUS_OK;
164 }
165
166 /**
167 * Request features for the NTLMSSP negotiation
168 *
169 * @param ntlmssp_state NTLMSSP state
170 * @param feature_list List of space seperated features requested from NTLMSSP.
171 */
172 void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list)
173 {
174 /*
175 * We need to set this to allow a later SetPassword
176 * via the SAMR pipe to succeed. Strange.... We could
177 * also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
178 */
179 if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
180 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
181 }
182 if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
183 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
184 }
185 if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
186 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
187 }
188 if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
189 ntlmssp_state->use_ccache = true;
190 }
191 }
192
193 /**
194 * Request a feature for the NTLMSSP negotiation
195 *
196 * @param ntlmssp_state NTLMSSP state
197 * @param feature Bit flag specifying the requested feature
198 */
199 void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
200 {
201 /* As per JRA's comment above */
202 if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
203 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
204 }
205 if (feature & NTLMSSP_FEATURE_SIGN) {
206 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
207 }
208 if (feature & NTLMSSP_FEATURE_SEAL) {
209 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
210 }
211 if (feature & NTLMSSP_FEATURE_CCACHE) {
212 ntlmssp_state->use_ccache = true;
213 }
214 }
215
216 /**
217 * Next state function for the NTLMSSP state machine
218 *
219 * @param ntlmssp_state NTLMSSP State
220 * @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
221 * @param out The reply, as an allocated DATA_BLOB, caller to free.
222 * @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
223 */
224
225 NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
226 const DATA_BLOB input, DATA_BLOB *out)
227 {
228 uint32_t ntlmssp_command;
229 int i;
230
231 if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
232 /* Called update after negotiations finished. */
233 DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
234 return NT_STATUS_INVALID_PARAMETER;
235 }
236
237 *out = data_blob_null;
238
239 if (!input.length) {
240 switch (ntlmssp_state->role) {
241 case NTLMSSP_CLIENT:
242 ntlmssp_command = NTLMSSP_INITIAL;
243 break;
244 case NTLMSSP_SERVER:
245 /* 'datagram' mode - no neg packet */
246 ntlmssp_command = NTLMSSP_NEGOTIATE;
247 break;
248 }
249 } else {
250 if (!msrpc_parse(ntlmssp_state, &input, "Cd",
251 "NTLMSSP",
252 &ntlmssp_command)) {
253 DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
254 dump_data(2, input.data, input.length);
255 return NT_STATUS_INVALID_PARAMETER;
256 }
257 }
258
259 if (ntlmssp_command != ntlmssp_state->expected_state) {
260 DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
261 return NT_STATUS_INVALID_PARAMETER;
262 }
263
264 for (i=0; ntlmssp_callbacks[i].fn; i++) {
265 if (ntlmssp_callbacks[i].role == ntlmssp_state->role
266 && ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
267 return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out);
268 }
269 }
270
271 DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
272 ntlmssp_state->role, ntlmssp_command));
273
274 return NT_STATUS_INVALID_PARAMETER;
275 }
276
277 /**
278 * End an NTLMSSP state machine
279 *
280 * @param ntlmssp_state NTLMSSP State, free()ed by this function
281 */
282
283 void ntlmssp_end(struct ntlmssp_state **ntlmssp_state)
284 {
285 data_blob_free(&(*ntlmssp_state)->chal);
286 data_blob_free(&(*ntlmssp_state)->lm_resp);
287 data_blob_free(&(*ntlmssp_state)->nt_resp);
288 TALLOC_FREE(*ntlmssp_state);
289
290 *ntlmssp_state = NULL;
291 return;
292 }
293
294 /**
295 * Determine correct target name flags for reply, given server role
296 * and negotiated flags
297 *
298 * @param ntlmssp_state NTLMSSP State
299 * @param neg_flags The flags from the packet
300 * @param chal_flags The flags to be set in the reply packet
301 * @return The 'target name' string.
302 */
303
304 static const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
305 uint32_t neg_flags, uint32_t *chal_flags)
306 {
307 if (neg_flags & NTLMSSP_REQUEST_TARGET) {
308 *chal_flags |= NTLMSSP_NEGOTIATE_TARGET_INFO;
309 *chal_flags |= NTLMSSP_REQUEST_TARGET;
310 if (ntlmssp_state->server.is_standalone) {
311 *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER;
312 return ntlmssp_state->server.netbios_name;
313 } else {
314 *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
315 return ntlmssp_state->server.netbios_domain;
316 };
317 } else {
318 return "";
319 }
320 }
321
322 static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
323 uint32_t neg_flags, bool allow_lm) {
324 if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
325 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
326 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
327 ntlmssp_state->unicode = True;
328 } else {
329 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
330 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
331 ntlmssp_state->unicode = False;
332 }
333
334 if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
335 /* other end forcing us to use LM */
336 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
337 ntlmssp_state->use_ntlmv2 = False;
338 } else {
339 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
340 }
341
342 if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
343 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
344 }
345
346 if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
347 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
348 }
349
350 if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
351 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
352 }
353
354 if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
355 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
356 }
357
358 if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
359 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
360 }
361
362 if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
363 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
364 }
365
366 if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
367 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
368 }
369
370 /* Woop Woop - unknown flag for Windows compatibility...
371 What does this really do ? JRA. */
372 if (!(neg_flags & NTLMSSP_NEGOTIATE_VERSION)) {
373 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_VERSION;
374 }
375
376 if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
377 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
378 }
379 }
380
381 /**
382 * Next state function for the Negotiate packet
383 *
384 * @param ntlmssp_state NTLMSSP State
385 * @param request The request, as a DATA_BLOB
386 * @param request The reply, as an allocated DATA_BLOB, caller to free.
387 * @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
388 */
389
390 static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
391 const DATA_BLOB request, DATA_BLOB *reply)
392 {
393 DATA_BLOB struct_blob;
394 uint32_t neg_flags = 0;
395 uint32_t ntlmssp_command, chal_flags;
396 uint8_t cryptkey[8];
397 const char *target_name;
398 struct NEGOTIATE_MESSAGE negotiate;
399 struct CHALLENGE_MESSAGE challenge;
400 NTSTATUS status;
401
402 /* parse the NTLMSSP packet */
403 #if 0
404 file_save("ntlmssp_negotiate.dat", request.data, request.length);
405 #endif
406
407 if (request.length) {
408 if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
409 "NTLMSSP",
410 &ntlmssp_command,
411 &neg_flags)) {
412 DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
413 (unsigned int)request.length));
414 dump_data(2, request.data, request.length);
415 return NT_STATUS_INVALID_PARAMETER;
416 }
417 debug_ntlmssp_flags(neg_flags);
418
419 if (DEBUGLEVEL >= 10) {
420 if (NT_STATUS_IS_OK(ntlmssp_pull_NEGOTIATE_MESSAGE(&request,
421 ntlmssp_state,
422 &negotiate)))
423 {
424 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, &negotiate);
425 }
426 }
427 }
428
429 ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
430
431 /* Ask our caller what challenge they would like in the packet */
432 status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
433 if (!NT_STATUS_IS_OK(status)) {
434 return status;
435 }
436
437 /* Check if we may set the challenge */
438 if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
439 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
440 }
441
442 /* The flags we send back are not just the negotiated flags,
443 * they are also 'what is in this packet'. Therfore, we
444 * operate on 'chal_flags' from here on
445 */
446
447 chal_flags = ntlmssp_state->neg_flags;
448
449 /* get the right name to fill in as 'target' */
450 target_name = ntlmssp_target_name(ntlmssp_state,
451 neg_flags, &chal_flags);
452 if (target_name == NULL)
453 return NT_STATUS_INVALID_PARAMETER;
454
455 ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
456 ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
457 cryptkey, 8);
458
459 /* This creates the 'blob' of names that appears at the end of the packet */
460 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
461 {
462 msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa",
463 MsvAvNbDomainName, target_name,
464 MsvAvNbComputerName, ntlmssp_state->server.netbios_name,
465 MsvAvDnsDomainName, ntlmssp_state->server.dns_domain,
466 MsvAvDnsComputerName, ntlmssp_state->server.dns_name,
467 MsvAvEOL, "");
468 } else {
469 struct_blob = data_blob_null;
470 }
471
472 {
473 /* Marshal the packet in the right format, be it unicode or ASCII */
474 const char *gen_string;
475 DATA_BLOB version_blob = data_blob_null;
476
477 if (chal_flags & NTLMSSP_NEGOTIATE_VERSION) {
478 enum ndr_err_code err;
479 struct VERSION vers;
480
481 /* "What Windows returns" as a version number. */
482 ZERO_STRUCT(vers);
483 vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
484 vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
485 vers.ProductBuild = 0;
486 vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
487
488 err = ndr_push_struct_blob(&version_blob,
489 ntlmssp_state,
490 &vers,
491 (ndr_push_flags_fn_t)ndr_push_VERSION);
492
493 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
494 return NT_STATUS_NO_MEMORY;
495 }
496 }
497
498 if (ntlmssp_state->unicode) {
499 gen_string = "CdUdbddBb";
500 } else {
501 gen_string = "CdAdbddBb";
502 }
503
504 msrpc_gen(ntlmssp_state, reply, gen_string,
505 "NTLMSSP",
506 NTLMSSP_CHALLENGE,
507 target_name,
508 chal_flags,
509 cryptkey, 8,
510 0, 0,
511 struct_blob.data, struct_blob.length,
512 version_blob.data, version_blob.length);
513
514 data_blob_free(&version_blob);
515
516 if (DEBUGLEVEL >= 10) {
517 if (NT_STATUS_IS_OK(ntlmssp_pull_CHALLENGE_MESSAGE(reply,
518 ntlmssp_state,
519 &challenge)))
520 {
521 NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, &challenge);
522 }
523 }
524 }
525
526 data_blob_free(&struct_blob);
527
528 ntlmssp_state->expected_state = NTLMSSP_AUTH;
529
530 return NT_STATUS_MORE_PROCESSING_REQUIRED;
531 }
532
533 /**
534 * Next state function for the Authenticate packet
535 *
536 * @param ntlmssp_state NTLMSSP State
537 * @param request The request, as a DATA_BLOB
538 * @param request The reply, as an allocated DATA_BLOB, caller to free.
539 * @return Errors or NT_STATUS_OK.
540 */
541
542 static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
543 const DATA_BLOB request, DATA_BLOB *reply)
544 {
545 DATA_BLOB encrypted_session_key = data_blob_null;
546 DATA_BLOB user_session_key = data_blob_null;
547 DATA_BLOB lm_session_key = data_blob_null;
548 DATA_BLOB session_key = data_blob_null;
549 uint32_t ntlmssp_command, auth_flags;
550 NTSTATUS nt_status = NT_STATUS_OK;
551 struct AUTHENTICATE_MESSAGE authenticate;
552
553 /* used by NTLM2 */
554 bool doing_ntlm2 = False;
555
556 uint8_t session_nonce[16];
557 uint8_t session_nonce_hash[16];
558
559 const char *parse_string;
560
561 /* parse the NTLMSSP packet */
562 *reply = data_blob_null;
563
564 #if 0
565 file_save("ntlmssp_auth.dat", request.data, request.length);
566 #endif
567
568 if (ntlmssp_state->unicode) {
569 parse_string = "CdBBUUUBd";
570 } else {
571 parse_string = "CdBBAAABd";
572 }
573
574 data_blob_free(&ntlmssp_state->lm_resp);
575 data_blob_free(&ntlmssp_state->nt_resp);
576
577 ntlmssp_state->user = NULL;
578 ntlmssp_state->domain = NULL;
579
580 /* now the NTLMSSP encoded auth hashes */
581 if (!msrpc_parse(ntlmssp_state, &request, parse_string,
582 "NTLMSSP",
583 &ntlmssp_command,
584 &ntlmssp_state->lm_resp,
585 &ntlmssp_state->nt_resp,
586 &ntlmssp_state->domain,
587 &ntlmssp_state->user,
588 &ntlmssp_state->client.netbios_name,
589 &encrypted_session_key,
590 &auth_flags)) {
591 auth_flags = 0;
592
593 /* Try again with a shorter string (Win9X truncates this packet) */
594 if (ntlmssp_state->unicode) {
595 parse_string = "CdBBUUU";
596 } else {
597 parse_string = "CdBBAAA";
598 }
599
600 /* now the NTLMSSP encoded auth hashes */
601 if (!msrpc_parse(ntlmssp_state, &request, parse_string,
602 "NTLMSSP",
603 &ntlmssp_command,
604 &ntlmssp_state->lm_resp,
605 &ntlmssp_state->nt_resp,
606 &ntlmssp_state->domain,
607 &ntlmssp_state->user,
608 &ntlmssp_state->client.netbios_name)) {
609 DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
610 dump_data(2, request.data, request.length);
611
612 return NT_STATUS_INVALID_PARAMETER;
613 }
614 }
615
616 if (auth_flags)
617 ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, lp_lanman_auth());
618
619 if (DEBUGLEVEL >= 10) {
620 if (NT_STATUS_IS_OK(ntlmssp_pull_AUTHENTICATE_MESSAGE(&request,
621 ntlmssp_state,
622 &authenticate)))
623 {
624 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, &authenticate);
625 }
626 }
627
628 DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
629 ntlmssp_state->user, ntlmssp_state->domain,
630 ntlmssp_state->client.netbios_name,
631 (unsigned long)ntlmssp_state->lm_resp.length,
632 (unsigned long)ntlmssp_state->nt_resp.length));
633
634 #if 0
635 file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
636 file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
637 #endif
638
639 /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
640 client challenge
641
642 However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
643 */
644 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
645 if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
646 struct MD5Context md5_session_nonce_ctx;
647 SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
648
649 doing_ntlm2 = True;
650
651 memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8);
652 memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8);
653
654 MD5Init(&md5_session_nonce_ctx);
655 MD5Update(&md5_session_nonce_ctx, session_nonce, 16);
656 MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
657
658 ntlmssp_state->chal = data_blob_talloc(
659 ntlmssp_state, session_nonce_hash, 8);
660
661 /* LM response is no longer useful */
662 data_blob_free(&ntlmssp_state->lm_resp);
663
664 /* We changed the effective challenge - set it */
665 if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
666 data_blob_free(&encrypted_session_key);
667 return nt_status;
668 }
669
670 /* LM Key is incompatible. */
671 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
672 }
673 }
674
675 /*
676 * Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
677 * is required (by "ntlm auth = no" and "lm auth = no" being set in the
678 * smb.conf file) and no NTLMv2 response was sent then the password check
679 * will fail here. JRA.
680 */
681
682 /* Finally, actually ask if the password is OK */
683
684 if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state,
685 &user_session_key, &lm_session_key))) {
686 data_blob_free(&encrypted_session_key);
687 return nt_status;
688 }
689
690 dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
691 dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
692
693 /* Handle the different session key derivation for NTLM2 */
694 if (doing_ntlm2) {
695 if (user_session_key.data && user_session_key.length == 16) {
696 session_key = data_blob_talloc(ntlmssp_state,
697 NULL, 16);
698 hmac_md5(user_session_key.data, session_nonce,
699 sizeof(session_nonce), session_key.data);
700 DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
701 dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
702
703 } else {
704 DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
705 session_key = data_blob_null;
706 }
707 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
708 if (lm_session_key.data && lm_session_key.length >= 8) {
709 if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
710 session_key = data_blob_talloc(ntlmssp_state,
711 NULL, 16);
712 if (session_key.data == NULL) {
713 return NT_STATUS_NO_MEMORY;
714 }
715 SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
716 session_key.data);
717 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
718 } else {
719 static const uint8_t zeros[24] = {0, };
720 session_key = data_blob_talloc(
721 ntlmssp_state, NULL, 16);
722 if (session_key.data == NULL) {
723 return NT_STATUS_NO_MEMORY;
724 }
725 SMBsesskeygen_lm_sess_key(
726 lm_session_key.data, zeros,
727 session_key.data);
728 }
729 dump_data_pw("LM session key:\n", session_key.data,
730 session_key.length);
731 } else {
732 DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
733 session_key = data_blob_null;
734 }
735 } else if (user_session_key.data) {
736 session_key = user_session_key;
737 DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
738 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
739 } else if (lm_session_key.data) {
740 session_key = lm_session_key;
741 DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
742 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
743 } else {
744 DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
745 session_key = data_blob_null;
746 }
747
748 /* With KEY_EXCH, the client supplies the proposed session key,
749 but encrypts it with the long-term key */
750 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
751 if (!encrypted_session_key.data || encrypted_session_key.length != 16) {
752 data_blob_free(&encrypted_session_key);
753 DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
754 (unsigned int)encrypted_session_key.length));
755 return NT_STATUS_INVALID_PARAMETER;
756 } else if (!session_key.data || session_key.length != 16) {
757 DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
758 (unsigned int)session_key.length));
759 ntlmssp_state->session_key = session_key;
760 } else {
761 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
762 arcfour_crypt_blob(encrypted_session_key.data,
763 encrypted_session_key.length,
764 &session_key);
765 ntlmssp_state->session_key = data_blob_talloc(
766 ntlmssp_state, encrypted_session_key.data,
767 encrypted_session_key.length);
768 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data,
769 encrypted_session_key.length);
770 }
771 } else {
772 ntlmssp_state->session_key = session_key;
773 }
774
775 if (!NT_STATUS_IS_OK(nt_status)) {
776 ntlmssp_state->session_key = data_blob_null;
777 } else if (ntlmssp_state->session_key.length) {
778 nt_status = ntlmssp_sign_init(ntlmssp_state);
779 }
780
781 data_blob_free(&encrypted_session_key);
782
783 /* Only one authentication allowed per server state. */
784 ntlmssp_state->expected_state = NTLMSSP_DONE;
785
786 return nt_status;
787 }
788
789 /**
790 * Create an NTLMSSP state machine
791 *
792 * @param ntlmssp_state NTLMSSP State, allocated by this function
793 */
794
795 NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
796 bool is_standalone,
797 const char *netbios_name,
798 const char *netbios_domain,
799 const char *dns_name,
800 const char *dns_domain,
801 struct ntlmssp_state **_ntlmssp_state)
802 {
803 struct ntlmssp_state *ntlmssp_state;
804
805 if (!netbios_name) {
806 netbios_name = "";
807 }
808
809 if (!netbios_domain) {
810 netbios_domain = "";
811 }
812
813 if (!dns_domain) {
814 dns_domain = "";
815 }
816
817 if (!dns_name) {
818 dns_name = "";
819 }
820
821 ntlmssp_state = talloc_zero(mem_ctx, struct ntlmssp_state);
822 if (!ntlmssp_state) {
823 return NT_STATUS_NO_MEMORY;
824 }
825
826 ntlmssp_state->role = NTLMSSP_SERVER;
827
828 ntlmssp_state->get_challenge = get_challenge;
829 ntlmssp_state->set_challenge = set_challenge;
830 ntlmssp_state->may_set_challenge = may_set_challenge;
831
832 ntlmssp_state->server.is_standalone = is_standalone;
833
834 ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
835
836 ntlmssp_state->neg_flags =
837 NTLMSSP_NEGOTIATE_128 |
838 NTLMSSP_NEGOTIATE_56 |
839 NTLMSSP_NEGOTIATE_VERSION |
840 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
841 NTLMSSP_NEGOTIATE_NTLM |
842 NTLMSSP_NEGOTIATE_NTLM2 |
843 NTLMSSP_NEGOTIATE_KEY_EXCH |
844 NTLMSSP_NEGOTIATE_SIGN |
845 NTLMSSP_NEGOTIATE_SEAL;
846
847 ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
848 if (!ntlmssp_state->server.netbios_name) {
849 talloc_free(ntlmssp_state);
850 return NT_STATUS_NO_MEMORY;
851 }
852 ntlmssp_state->server.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
853 if (!ntlmssp_state->server.netbios_domain) {
854 talloc_free(ntlmssp_state);
855 return NT_STATUS_NO_MEMORY;
856 }
857 ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state, dns_name);
858 if (!ntlmssp_state->server.dns_name) {
859 talloc_free(ntlmssp_state);
860 return NT_STATUS_NO_MEMORY;
861 }
862 ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain);
863 if (!ntlmssp_state->server.dns_domain) {
864 talloc_free(ntlmssp_state);
865 return NT_STATUS_NO_MEMORY;
866 }
867
868 *_ntlmssp_state = ntlmssp_state;
869 return NT_STATUS_OK;
870 }
871
872 /*********************************************************************
873 Client side NTLMSSP
874 *********************************************************************/
875
876 /**
877 * Next state function for the Initial packet
878 *
879 * @param ntlmssp_state NTLMSSP State
880 * @param request The request, as a DATA_BLOB. reply.data must be NULL
881 * @param request The reply, as an allocated DATA_BLOB, caller to free.
882 * @return Errors or NT_STATUS_OK.
883 */
884
885 static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
886 DATA_BLOB reply, DATA_BLOB *next_request)
887 {
888 struct NEGOTIATE_MESSAGE negotiate;
889
890 if (ntlmssp_state->unicode) {
891 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
892 } else {
893 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
894 }
895
896 if (ntlmssp_state->use_ntlmv2) {
897 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
898 }
899
900 /* generate the ntlmssp negotiate packet */
901 msrpc_gen(ntlmssp_state, next_request, "CddAA",
902 "NTLMSSP",
903 NTLMSSP_NEGOTIATE,
904 ntlmssp_state->neg_flags,
905 ntlmssp_state->client.netbios_domain,
906 ntlmssp_state->client.netbios_name);
907
908 if (DEBUGLEVEL >= 10) {
909 if (NT_STATUS_IS_OK(ntlmssp_pull_NEGOTIATE_MESSAGE(next_request,
910 ntlmssp_state,
911 &negotiate)))
912 {
913 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, &negotiate);
914 }
915 }
916
917 ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
918
919 return NT_STATUS_MORE_PROCESSING_REQUIRED;
920 }
921
922 /**
923 * Next state function for the Challenge Packet. Generate an auth packet.
924 *
925 * @param ntlmssp_state NTLMSSP State
926 * @param request The request, as a DATA_BLOB. reply.data must be NULL
927 * @param request The reply, as an allocated DATA_BLOB, caller to free.
928 * @return Errors or NT_STATUS_OK.
929 */
930
931 static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
932 const DATA_BLOB reply, DATA_BLOB *next_request)
933 {
934 uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
935 DATA_BLOB server_domain_blob;
936 DATA_BLOB challenge_blob;
937 DATA_BLOB struct_blob = data_blob_null;
938 char *server_domain;
939 const char *chal_parse_string;
940 const char *auth_gen_string;
941 DATA_BLOB lm_response = data_blob_null;
942 DATA_BLOB nt_response = data_blob_null;
943 DATA_BLOB session_key = data_blob_null;
944 DATA_BLOB encrypted_session_key = data_blob_null;
945 NTSTATUS nt_status = NT_STATUS_OK;
946 struct CHALLENGE_MESSAGE challenge;
947 struct AUTHENTICATE_MESSAGE authenticate;
948
949 if (ntlmssp_state->use_ccache) {
950 struct wbcCredentialCacheParams params;
951 struct wbcCredentialCacheInfo *info = NULL;
952 struct wbcAuthErrorInfo *error = NULL;
953 struct wbcNamedBlob auth_blob;
954 struct wbcBlob *wbc_next = NULL;
955 struct wbcBlob *wbc_session_key = NULL;
956 wbcErr wbc_status;
957 int i;
958
959 params.account_name = ntlmssp_state->user;
960 params.domain_name = ntlmssp_state->domain;
961 params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
962
963 auth_blob.name = "challenge_blob";
964 auth_blob.flags = 0;
965 auth_blob.blob.data = reply.data;
966 auth_blob.blob.length = reply.length;
967 params.num_blobs = 1;
968 params.blobs = &auth_blob;
969
970 wbc_status = wbcCredentialCache(&params, &info, &error);
971 if (error != NULL) {
972 wbcFreeMemory(error);
973 }
974 if (!WBC_ERROR_IS_OK(wbc_status)) {
975 goto noccache;
976 }
977
978 for (i=0; i<info->num_blobs; i++) {
979 if (strequal(info->blobs[i].name, "auth_blob")) {
980 wbc_next = &info->blobs[i].blob;
981 }
982 if (strequal(info->blobs[i].name, "session_key")) {
983 wbc_session_key = &info->blobs[i].blob;
984 }
985 }
986 if ((wbc_next == NULL) || (wbc_session_key == NULL)) {
987 wbcFreeMemory(info);
988 goto noccache;
989 }
990
991 *next_request = data_blob(wbc_next->data, wbc_next->length);
992 ntlmssp_state->session_key = data_blob(
993 wbc_session_key->data, wbc_session_key->length);
994
995 wbcFreeMemory(info);
996 goto done;
997 }
998
999 noccache:
1000
1001 if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
1002 "NTLMSSP",
1003 &ntlmssp_command,
1004 &server_domain_blob,
1005 &chal_flags)) {
1006 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
1007 dump_data(2, reply.data, reply.length);
1008
1009 return NT_STATUS_INVALID_PARAMETER;
1010 }
1011
1012 if (DEBUGLEVEL >= 10) {
1013 if (NT_STATUS_IS_OK(ntlmssp_pull_CHALLENGE_MESSAGE(&reply,
1014 ntlmssp_state,
1015 &challenge)))
1016 {
1017 NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, &challenge);
1018 }
1019 }
1020
1021 data_blob_free(&server_domain_blob);
1022
1023 DEBUG(3, ("Got challenge flags:\n"));
1024 debug_ntlmssp_flags(chal_flags);
1025
1026 ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
1027
1028 if (ntlmssp_state->unicode) {
1029 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
1030 chal_parse_string = "CdUdbddB";
1031 } else {
1032 chal_parse_string = "CdUdbdd";
1033 }
1034 auth_gen_string = "CdBBUUUBd";
1035 } else {
1036 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
1037 chal_parse_string = "CdAdbddB";
1038 } else {
1039 chal_parse_string = "CdAdbdd";
1040 }
1041
1042 auth_gen_string = "CdBBAAABd";
1043 }
1044
1045 DEBUG(3, ("NTLMSSP: Set final flags:\n"));
1046 debug_ntlmssp_flags(ntlmssp_state->neg_flags);
1047
1048 if (!msrpc_parse(ntlmssp_state, &reply, chal_parse_string,
1049 "NTLMSSP",
1050 &ntlmssp_command,
1051 &server_domain,
1052 &chal_flags,
1053 &challenge_blob, 8,
1054 &unkn1, &unkn2,
1055 &struct_blob)) {
1056 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
1057 dump_data(2, reply.data, reply.length);
1058 return NT_STATUS_INVALID_PARAMETER;
1059 }
1060
1061 if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
1062 ntlmssp_state->server.is_standalone = true;
1063 } else {
1064 ntlmssp_state->server.is_standalone = false;
1065 }
1066 /* TODO: parse struct_blob and fill in the rest */
1067 ntlmssp_state->server.netbios_name = "";
1068 ntlmssp_state->server.netbios_domain = server_domain;
1069 ntlmssp_state->server.dns_name = "";
1070 ntlmssp_state->server.dns_domain = "";
1071
1072 if (challenge_blob.length != 8) {
1073 data_blob_free(&struct_blob);
1074 return NT_STATUS_INVALID_PARAMETER;
1075 }
1076
1077 if (!ntlmssp_state->nt_hash || !ntlmssp_state->lm_hash) {
1078 static const uint8_t zeros[16] = {0, };
1079 /* do nothing - blobs are zero length */
1080
1081 /* session key is all zeros */
1082 session_key = data_blob_talloc(ntlmssp_state, zeros, 16);
1083
1084 /* not doing NLTM2 without a password */
1085 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1086 } else if (ntlmssp_state->use_ntlmv2) {
1087 if (!struct_blob.length) {
1088 /* be lazy, match win2k - we can't do NTLMv2 without it */
1089 DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
1090 return NT_STATUS_INVALID_PARAMETER;
1091 }
1092
1093 /* TODO: if the remote server is standalone, then we should replace 'domain'
1094 with the server name as supplied above */
1095
1096 if (!SMBNTLMv2encrypt_hash(ntlmssp_state,
1097 ntlmssp_state->user,
1098 ntlmssp_state->domain,
1099 ntlmssp_state->nt_hash, &challenge_blob,
1100 &struct_blob,
1101 &lm_response, &nt_response, NULL,
1102 &session_key)) {
1103 data_blob_free(&challenge_blob);
1104 data_blob_free(&struct_blob);
1105 return NT_STATUS_NO_MEMORY;
1106 }
1107 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
1108 struct MD5Context md5_session_nonce_ctx;
1109 uint8_t session_nonce[16];
1110 uint8_t session_nonce_hash[16];
1111 uint8_t user_session_key[16];
1112
1113 lm_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1114 generate_random_buffer(lm_response.data, 8);
1115 memset(lm_response.data+8, 0, 16);
1116
1117 memcpy(session_nonce, challenge_blob.data, 8);
1118 memcpy(&session_nonce[8], lm_response.data, 8);
1119
1120 MD5Init(&md5_session_nonce_ctx);
1121 MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
1122 MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
1123 MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
1124
1125 DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
1126 DEBUG(5, ("challenge is: \n"));
1127 dump_data(5, session_nonce_hash, 8);
1128
1129 nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1130 SMBNTencrypt_hash(ntlmssp_state->nt_hash,
1131 session_nonce_hash,
1132 nt_response.data);
1133
1134 session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
1135
1136 SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, user_session_key);
1137 hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
1138 dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
1139 } else {
1140 /* lanman auth is insecure, it may be disabled */
1141 if (lp_client_lanman_auth()) {
1142 lm_response = data_blob_talloc(ntlmssp_state,
1143 NULL, 24);
1144 SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data,
1145 lm_response.data);
1146 }
1147
1148 nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1149 SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data,
1150 nt_response.data);
1151
1152 session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
1153 if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
1154 && lp_client_lanman_auth()) {
1155 SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data,
1156 session_key.data);
1157 dump_data_pw("LM session key\n", session_key.data, session_key.length);
1158 } else {
1159 SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, session_key.data);
1160 dump_data_pw("NT session key:\n", session_key.data, session_key.length);
1161 }
1162 }
1163 data_blob_free(&struct_blob);
1164
1165 /* Key exchange encryptes a new client-generated session key with
1166 the password-derived key */
1167 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
1168 /* Make up a new session key */
1169 uint8_t client_session_key[16];
1170 generate_random_buffer(client_session_key, sizeof(client_session_key));
1171
1172 /* Encrypt the new session key with the old one */
1173 encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
1174 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
1175 arcfour_crypt_blob(encrypted_session_key.data, encrypted_session_key.length, &session_key);
1176 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
1177
1178 /* Mark the new session key as the 'real' session key */
1179 data_blob_free(&session_key);
1180 session_key = data_blob_talloc(ntlmssp_state,
1181 client_session_key,
1182 sizeof(client_session_key));
1183 }
1184
1185 /* this generates the actual auth packet */
1186 if (!msrpc_gen(ntlmssp_state, next_request, auth_gen_string,
1187 "NTLMSSP",
1188 NTLMSSP_AUTH,
1189 lm_response.data, lm_response.length,
1190 nt_response.data, nt_response.length,
1191 ntlmssp_state->domain,
1192 ntlmssp_state->user,
1193 ntlmssp_state->client.netbios_name,
1194 encrypted_session_key.data, encrypted_session_key.length,
1195 ntlmssp_state->neg_flags)) {
1196
1197 return NT_STATUS_NO_MEMORY;
1198 }
1199
1200 if (DEBUGLEVEL >= 10) {
1201 if (NT_STATUS_IS_OK(ntlmssp_pull_AUTHENTICATE_MESSAGE(next_request,
1202 ntlmssp_state,
1203 &authenticate)))
1204 {
1205 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, &authenticate);
1206 }
1207 }
1208
1209 data_blob_free(&encrypted_session_key);
1210
1211 data_blob_free(&ntlmssp_state->chal);
1212
1213 ntlmssp_state->session_key = session_key;
1214
1215 ntlmssp_state->chal = challenge_blob;
1216 ntlmssp_state->lm_resp = lm_response;
1217 ntlmssp_state->nt_resp = nt_response;
1218
1219 done:
1220
1221 ntlmssp_state->expected_state = NTLMSSP_DONE;
1222
1223 if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
1224 DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
1225 }
1226
1227 return nt_status;
1228 }
1229
1230 NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
1231 const char *netbios_name,
1232 const char *netbios_domain,
1233 bool use_ntlmv2,
1234 struct ntlmssp_state **_ntlmssp_state)
1235 {
1236 struct ntlmssp_state *ntlmssp_state;
1237
1238 if (!netbios_name) {
1239 netbios_name = "";
1240 }
1241
1242 if (!netbios_domain) {
1243 netbios_domain = "";
1244 }
1245
1246 ntlmssp_state = talloc_zero(mem_ctx, struct ntlmssp_state);
1247 if (!ntlmssp_state) {
1248 return NT_STATUS_NO_MEMORY;
1249 }
1250
1251 ntlmssp_state->role = NTLMSSP_CLIENT;
1252
1253 ntlmssp_state->unicode = True;
1254
1255 ntlmssp_state->use_ntlmv2 = use_ntlmv2;
1256
1257 ntlmssp_state->expected_state = NTLMSSP_INITIAL;
1258
1259 ntlmssp_state->neg_flags =
1260 NTLMSSP_NEGOTIATE_128 |
1261 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
1262 NTLMSSP_NEGOTIATE_NTLM |
1263 NTLMSSP_NEGOTIATE_NTLM2 |
1264 NTLMSSP_NEGOTIATE_KEY_EXCH |
1265 NTLMSSP_REQUEST_TARGET;
1266
1267 ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
1268 if (!ntlmssp_state->client.netbios_name) {
1269 talloc_free(ntlmssp_state);
1270 return NT_STATUS_NO_MEMORY;
1271 }
1272 ntlmssp_state->client.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
1273 if (!ntlmssp_state->client.netbios_domain) {
1274 talloc_free(ntlmssp_state);
1275 return NT_STATUS_NO_MEMORY;
1276 }
1277
1278 *_ntlmssp_state = ntlmssp_state;
1279 return NT_STATUS_OK;
1280 }