auth/ntlmssp/ntlmssp.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3    SMB parameters and setup
   4    Copyright (C) Andrew Tridgell 1992-1997
   5    Copyright (C) Luke Kenneth Casson Leighton 1996-1997
   6    Copyright (C) Paul Ashton 1997
   7    Copyright (C) Andrew Bartlett 2010
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "../librpc/gen_ndr/ntlmssp.h"
  24
  25 NTSTATUS gensec_ntlmssp_init(void);
  26
  27 struct auth_context;
  28 struct auth_serversupplied_info;
  29 struct tsocket_address;
  30 struct auth_user_info_dc;
  31 struct gensec_security;
  32 struct ntlmssp_state;
  33
  34 struct gensec_ntlmssp_context {
  35         /* used only by s3 server implementation */
  36         struct auth_context *auth_context;
  37         struct auth_serversupplied_info *server_info;
  38
  39         /* Used by the s4 server implementation */
  40         struct auth_user_info_dc *user_info_dc;
  41
  42         /* For GENSEC users */
  43         struct gensec_security *gensec_security;
  44
  45         /* used by both client and server implementation */
  46         struct ntlmssp_state *ntlmssp_state;
  47 };
  48
  49 /* NTLMSSP mode */
  50 enum ntlmssp_role
  51 {
  52         NTLMSSP_SERVER,
  53         NTLMSSP_CLIENT
  54 };
  55
  56 /* NTLMSSP message types */
  57 enum ntlmssp_message_type
  58 {
  59         NTLMSSP_INITIAL = 0 /* samba internal state */,
  60         NTLMSSP_NEGOTIATE = 1,
  61         NTLMSSP_CHALLENGE = 2,
  62         NTLMSSP_AUTH      = 3,
  63         NTLMSSP_UNKNOWN   = 4,
  64         NTLMSSP_DONE      = 5 /* samba final state */
  65 };
  66
  67 #define NTLMSSP_FEATURE_SESSION_KEY        0x00000001
  68 #define NTLMSSP_FEATURE_SIGN               0x00000002
  69 #define NTLMSSP_FEATURE_SEAL               0x00000004
  70 #define NTLMSSP_FEATURE_CCACHE             0x00000008
  71
  72 union ntlmssp_crypt_state;
  73
  74 struct ntlmssp_state
  75 {
  76         enum ntlmssp_role role;
  77         uint32_t expected_state;
  78
  79         bool unicode;
  80         bool use_ntlmv2;
  81         bool use_ccache;
  82         bool use_nt_response;  /* Set to 'False' to debug what happens when the NT response is omited */
  83         bool allow_lm_key;     /* The LM_KEY code is not very secure... */
  84
  85         const char *user;
  86         const char *domain;
  87         uint8_t *nt_hash;
  88         uint8_t *lm_hash;
  89
  90         struct {
  91                 const char *netbios_name;
  92                 const char *netbios_domain;
  93         } client;
  94
  95         struct {
  96                 bool is_standalone;
  97                 const char *netbios_name;
  98                 const char *netbios_domain;
  99                 const char *dns_name;
 100                 const char *dns_domain;
 101         } server;
 102
 103         DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */
 104
 105         DATA_BLOB chal; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */
 106         DATA_BLOB lm_resp;
 107         DATA_BLOB nt_resp;
 108         DATA_BLOB session_key;
 109
 110         uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
 111
 112         /**
 113          * Private data for the callback functions
 114          */
 115         void *callback_private;
 116
 117         /**
 118          * Callback to get the 'challenge' used for NTLM authentication.
 119          *
 120          * @param ntlmssp_state This structure
 121          * @return 8 bytes of challenge data, determined by the server to be the challenge for NTLM authentication
 122          *
 123          */
 124         NTSTATUS (*get_challenge)(const struct ntlmssp_state *ntlmssp_state,
 125                                   uint8_t challenge[8]);
 126
 127         /**
 128          * Callback to find if the challenge used by NTLM authentication may be modified
 129          *
 130          * The NTLM2 authentication scheme modifies the effective challenge, but this is not compatiable with the
 131          * current 'security=server' implementation..
 132          *
 133          * @param ntlmssp_state This structure
 134          * @return Can the challenge be set to arbitary values?
 135          *
 136          */
 137         bool (*may_set_challenge)(const struct ntlmssp_state *ntlmssp_state);
 138
 139         /**
 140          * Callback to set the 'challenge' used for NTLM authentication.
 141          *
 142          * The callback may use the void *auth_context to store state information, but the same value is always available
 143          * from the DATA_BLOB chal on this structure.
 144          *
 145          * @param ntlmssp_state This structure
 146          * @param challenge 8 bytes of data, agreed by the client and server to be the effective challenge for NTLM2 authentication
 147          *
 148          */
 149         NTSTATUS (*set_challenge)(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge);
 150
 151         /**
 152          * Callback to check the user's password.
 153          *
 154          * The callback must reads the feilds of this structure for the information it needs on the user
 155          * @param ntlmssp_state This structure
 156          * @param mem_ctx Talloc context for LM and NT session key to be returned on
 157          * @param nt_session_key If an NT session key is returned by the authentication process, return it here
 158          * @param lm_session_key If an LM session key is returned by the authentication process, return it here
 159          *
 160          */
 161         NTSTATUS (*check_password)(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 162                                    DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 163
 164         union ntlmssp_crypt_state *crypt;
 165 };
 166
 167 /* The following definitions come from libcli/auth/ntlmssp_sign.c  */
 168
 169 NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
 170                              TALLOC_CTX *sig_mem_ctx,
 171                              const uint8_t *data, size_t length,
 172                              const uint8_t *whole_pdu, size_t pdu_length,
 173                              DATA_BLOB *sig);
 174 NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
 175                               const uint8_t *data, size_t length,
 176                               const uint8_t *whole_pdu, size_t pdu_length,
 177                               const DATA_BLOB *sig) ;
 178 NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
 179                              TALLOC_CTX *sig_mem_ctx,
 180                              uint8_t *data, size_t length,
 181                              const uint8_t *whole_pdu, size_t pdu_length,
 182                              DATA_BLOB *sig);
 183 NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
 184                                uint8_t *data, size_t length,
 185                                const uint8_t *whole_pdu, size_t pdu_length,
 186                                const DATA_BLOB *sig);
 187 NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
 188                       TALLOC_CTX *out_mem_ctx,
 189                       const DATA_BLOB *in,
 190                       DATA_BLOB *out);
 191 NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_stae,
 192                         TALLOC_CTX *out_mem_ctx,
 193                         const DATA_BLOB *in,
 194                         DATA_BLOB *out);
 195 NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state);
 196
 197 bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob);
 198 /* The following definitions come from ../source4/auth/ntlmssp/ntlmssp.c  */
 199
 200
 201 /**
 202  * Return the NTLMSSP master session key
 203  *
 204  * @param ntlmssp_state NTLMSSP State
 205  */
 206 NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
 207                               const DATA_BLOB *first_packet);
 208 bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
 209                                  uint32_t feature);
 210 NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security,
 211                                     TALLOC_CTX *mem_ctx,
 212                                     DATA_BLOB *session_key);
 213 NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security);
 214
 215 /* The following definitions come from ../source4/auth/ntlmssp/ntlmssp_sign.c  */
 216
 217 NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
 218                                     TALLOC_CTX *sig_mem_ctx,
 219                                     const uint8_t *data, size_t length,
 220                                     const uint8_t *whole_pdu, size_t pdu_length,
 221                                     DATA_BLOB *sig);
 222 NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 223                                      const uint8_t *data, size_t length,
 224                                      const uint8_t *whole_pdu, size_t pdu_length,
 225                                      const DATA_BLOB *sig);
 226 NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
 227                                     TALLOC_CTX *sig_mem_ctx,
 228                                     uint8_t *data, size_t length,
 229                                     const uint8_t *whole_pdu, size_t pdu_length,
 230                                     DATA_BLOB *sig);
 231 NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 232                                       uint8_t *data, size_t length,
 233                                       const uint8_t *whole_pdu, size_t pdu_length,
 234                                       const DATA_BLOB *sig);
 235 size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size) ;
 236 NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security,
 237                              TALLOC_CTX *out_mem_ctx,
 238                              const DATA_BLOB *in,
 239                              DATA_BLOB *out);
 240 NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 241                                TALLOC_CTX *out_mem_ctx,
 242                                const DATA_BLOB *in,
 243                                DATA_BLOB *out);