search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:ntlmssp: keep struct gensec_ntlmssp_context in gensec_security->private_data
[Samba/ekacnet.git] / source4 / auth / ntlmssp / ntlmssp_client.c
blob259f07fe00269cbe6c127dfee1918e678cc082e4
1 /*
2 Unix SMB/Netbios implementation.
3 Version 3.0
4 handle NLTMSSP, client server side parsing
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth/ntlmssp/ntlmssp.h"
26 #include "../lib/crypto/crypto.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "param/param.h"
31
32 /*********************************************************************
33 Client side NTLMSSP
34 *********************************************************************/
35
36 /**
37 * Next state function for the Initial packet
38 *
39 * @param ntlmssp_state NTLMSSP State
40 * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
41 * @param in A NULL data blob (input ignored)
42 * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
43 * @return Errors or NT_STATUS_OK.
44 */
45
46 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
47 TALLOC_CTX *out_mem_ctx,
48 DATA_BLOB in, DATA_BLOB *out)
49 {
50 struct gensec_ntlmssp_context *gensec_ntlmssp =
51 talloc_get_type_abort(gensec_security->private_data,
52 struct gensec_ntlmssp_context);
53 struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
54 const char *domain = gensec_ntlmssp_state->domain;
55 const char *workstation = cli_credentials_get_workstation(gensec_security->credentials);
56
57 /* These don't really matter in the initial packet, so don't panic if they are not set */
58 if (!domain) {
59 domain = "";
60 }
61
62 if (!workstation) {
63 workstation = "";
64 }
65
66 if (gensec_ntlmssp_state->unicode) {
67 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
68 } else {
69 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
70 }
71
72 if (gensec_ntlmssp_state->use_ntlmv2) {
73 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
74 }
75
76 /* generate the ntlmssp negotiate packet */
77 msrpc_gen(out_mem_ctx,
78 out, "CddAA",
79 "NTLMSSP",
80 NTLMSSP_NEGOTIATE,
81 gensec_ntlmssp_state->neg_flags,
82 domain,
83 workstation);
84
85 gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
86
87 return NT_STATUS_MORE_PROCESSING_REQUIRED;
88 }
89
90 /**
91 * Next state function for the Challenge Packet. Generate an auth packet.
92 *
93 * @param gensec_security GENSEC state
94 * @param out_mem_ctx Memory context for *out
95 * @param in The server challnege, as a DATA_BLOB. reply.data must be NULL
96 * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
97 * @return Errors or NT_STATUS_OK.
98 */
99
100 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
101 TALLOC_CTX *out_mem_ctx,
102 const DATA_BLOB in, DATA_BLOB *out)
103 {
104 struct gensec_ntlmssp_context *gensec_ntlmssp =
105 talloc_get_type_abort(gensec_security->private_data,
106 struct gensec_ntlmssp_context);
107 struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
108 uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
109 DATA_BLOB server_domain_blob;
110 DATA_BLOB challenge_blob;
111 DATA_BLOB target_info = data_blob(NULL, 0);
112 char *server_domain;
113 const char *chal_parse_string;
114 const char *auth_gen_string;
115 DATA_BLOB lm_response = data_blob(NULL, 0);
116 DATA_BLOB nt_response = data_blob(NULL, 0);
117 DATA_BLOB session_key = data_blob(NULL, 0);
118 DATA_BLOB lm_session_key = data_blob(NULL, 0);
119 DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
120 NTSTATUS nt_status;
121 int flags = 0;
122 const char *user, *domain;
123
124 TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
125 if (!mem_ctx) {
126 return NT_STATUS_NO_MEMORY;
127 }
128
129 if (!msrpc_parse(mem_ctx,
130 &in, "CdBd",
131 "NTLMSSP",
132 &ntlmssp_command,
133 &server_domain_blob,
134 &chal_flags)) {
135 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
136 dump_data(2, in.data, in.length);
137 talloc_free(mem_ctx);
138
139 return NT_STATUS_INVALID_PARAMETER;
140 }
141
142 data_blob_free(&server_domain_blob);
143
144 DEBUG(3, ("Got challenge flags:\n"));
145 debug_ntlmssp_flags(chal_flags);
146
147 ntlmssp_handle_neg_flags(gensec_ntlmssp_state, chal_flags, gensec_ntlmssp_state->allow_lm_key);
148
149 if (gensec_ntlmssp_state->unicode) {
150 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
151 chal_parse_string = "CdUdbddB";
152 } else {
153 chal_parse_string = "CdUdbdd";
154 }
155 auth_gen_string = "CdBBUUUBd";
156 } else {
157 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
158 chal_parse_string = "CdAdbddB";
159 } else {
160 chal_parse_string = "CdAdbdd";
161 }
162
163 auth_gen_string = "CdBBAAABd";
164 }
165
166 if (!msrpc_parse(mem_ctx,
167 &in, chal_parse_string,
168 "NTLMSSP",
169 &ntlmssp_command,
170 &server_domain,
171 &chal_flags,
172 &challenge_blob, 8,
173 &unkn1, &unkn2,
174 &target_info)) {
175 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
176 dump_data(2, in.data, in.length);
177 talloc_free(mem_ctx);
178 return NT_STATUS_INVALID_PARAMETER;
179 }
180
181 gensec_ntlmssp_state->server_domain = server_domain;
182
183 if (challenge_blob.length != 8) {
184 talloc_free(mem_ctx);
185 return NT_STATUS_INVALID_PARAMETER;
186 }
187
188 cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
189 &user, &domain);
190
191 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
192 flags |= CLI_CRED_NTLM2;
193 }
194 if (gensec_ntlmssp_state->use_ntlmv2) {
195 flags |= CLI_CRED_NTLMv2_AUTH;
196 }
197 if (gensec_ntlmssp_state->use_nt_response) {
198 flags |= CLI_CRED_NTLM_AUTH;
199 }
200 if (lp_client_lanman_auth(gensec_security->settings->lp_ctx)) {
201 flags |= CLI_CRED_LANMAN_AUTH;
202 }
203
204 nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
205 &flags, challenge_blob, target_info,
206 &lm_response, &nt_response,
207 &lm_session_key, &session_key);
208
209 if (!NT_STATUS_IS_OK(nt_status)) {
210 return nt_status;
211 }
212
213 if (!(flags & CLI_CRED_LANMAN_AUTH)) {
214 /* LM Key is still possible, just silly. Fortunetly
215 * we require command line options to end up here */
216 /* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
217 }
218
219 if (!(flags & CLI_CRED_NTLM2)) {
220 /* NTLM2 is incompatible... */
221 gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
222 }
223
224 if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
225 && lp_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
226 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
227 if (lm_response.length == 24) {
228 SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
229 new_session_key.data);
230 } else {
231 static const uint8_t zeros[24];
232 SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
233 new_session_key.data);
234 }
235 session_key = new_session_key;
236 dump_data_pw("LM session key\n", session_key.data, session_key.length);
237 }
238
239
240 /* Key exchange encryptes a new client-generated session key with
241 the password-derived key */
242 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
243 /* Make up a new session key */
244 uint8_t client_session_key[16];
245 generate_secret_buffer(client_session_key, sizeof(client_session_key));
246
247 /* Encrypt the new session key with the old one */
248 encrypted_session_key = data_blob_talloc(gensec_ntlmssp_state,
249 client_session_key, sizeof(client_session_key));
250 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
251 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
252 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
253
254 /* Mark the new session key as the 'real' session key */
255 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
256 }
257
258 DEBUG(3, ("NTLMSSP: Set final flags:\n"));
259 debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags);
260
261 /* this generates the actual auth packet */
262 if (!msrpc_gen(mem_ctx,
263 out, auth_gen_string,
264 "NTLMSSP",
265 NTLMSSP_AUTH,
266 lm_response.data, lm_response.length,
267 nt_response.data, nt_response.length,
268 domain,
269 user,
270 cli_credentials_get_workstation(gensec_security->credentials),
271 encrypted_session_key.data, encrypted_session_key.length,
272 gensec_ntlmssp_state->neg_flags)) {
273 talloc_free(mem_ctx);
274 return NT_STATUS_NO_MEMORY;
275 }
276
277 gensec_ntlmssp_state->session_key = session_key;
278 talloc_steal(gensec_ntlmssp_state, session_key.data);
279
280 talloc_steal(out_mem_ctx, out->data);
281
282 gensec_ntlmssp_state->chal = challenge_blob;
283 gensec_ntlmssp_state->lm_resp = lm_response;
284 talloc_steal(gensec_ntlmssp_state->lm_resp.data, lm_response.data);
285 gensec_ntlmssp_state->nt_resp = nt_response;
286 talloc_steal(gensec_ntlmssp_state->nt_resp.data, nt_response.data);
287
288 gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
289
290 if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
291 nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
292 if (!NT_STATUS_IS_OK(nt_status)) {
293 DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
294 nt_errstr(nt_status)));
295 talloc_free(mem_ctx);
296 return nt_status;
297 }
298 }
299
300 talloc_free(mem_ctx);
301 return NT_STATUS_OK;
302 }
303
304 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
305 {
306 struct gensec_ntlmssp_context *gensec_ntlmssp;
307 struct gensec_ntlmssp_state *gensec_ntlmssp_state;
308 NTSTATUS nt_status;
309
310 nt_status = gensec_ntlmssp_start(gensec_security);
311 NT_STATUS_NOT_OK_RETURN(nt_status);
312
313 gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
314 struct gensec_ntlmssp_context);
315 gensec_ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
316
317 gensec_ntlmssp_state->role = NTLMSSP_CLIENT;
318
319 gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx);
320
321 gensec_ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
322
323 gensec_ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
324
325 gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->settings->lp_ctx)
326 && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
327 || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
328
329 gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
330
331 gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL;
332
333 gensec_ntlmssp_state->neg_flags =
334 NTLMSSP_NEGOTIATE_NTLM |
335 NTLMSSP_REQUEST_TARGET;
336
337 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
338 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
339 }
340
341 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) {
342 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
343 }
344
345 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) {
346 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
347 }
348
349 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) {
350 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
351 }
352
353 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) {
354 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
355 }
356
357 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) {
358 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
359 } else {
360 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
361 gensec_ntlmssp_state->use_ntlmv2 = false;
362 }
363
364 if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
365 /*
366 * We need to set this to allow a later SetPassword
367 * via the SAMR pipe to succeed. Strange.... We could
368 * also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
369 *
370 * Without this, Windows will not create the master key
371 * that it thinks is only used for NTLMSSP signing and
372 * sealing. (It is actually pulled out and used directly)
373 */
374 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
375 }
376 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
377 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
378 }
379 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
380 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
381 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
382 }
383
384 return NT_STATUS_OK;
385 }
386