search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3/packaging: source -> source3
[Samba/gebeck_regimport.git] / libcli / auth / credentials.c
blobdc84ffb474594c3ca67949d4db103dd4d04d90e4
1 /*
2 Unix SMB/CIFS implementation.
3
4 code to manipulate domain credentials
5
6 Copyright (C) Andrew Tridgell 1997-2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/time.h"
25 #include "../lib/crypto/crypto.h"
26 #include "libcli/auth/libcli_auth.h"
27
28 /*
29 initialise the credentials state for old-style 64 bit session keys
30
31 this call is made after the netr_ServerReqChallenge call
32 */
33 static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds,
34 const struct netr_Credential *client_challenge,
35 const struct netr_Credential *server_challenge,
36 const struct samr_Password *machine_password)
37 {
38 uint32_t sum[2];
39 uint8_t sum2[8];
40
41 sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
42 sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
43
44 SIVAL(sum2,0,sum[0]);
45 SIVAL(sum2,4,sum[1]);
46
47 ZERO_STRUCT(creds->session_key);
48
49 des_crypt128(creds->session_key, sum2, machine_password->hash);
50
51 des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
52 des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
53
54 creds->seed = creds->client;
55 }
56
57 /*
58 initialise the credentials state for ADS-style 128 bit session keys
59
60 this call is made after the netr_ServerReqChallenge call
61 */
62 static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *creds,
63 const struct netr_Credential *client_challenge,
64 const struct netr_Credential *server_challenge,
65 const struct samr_Password *machine_password)
66 {
67 unsigned char zero[4], tmp[16];
68 HMACMD5Context ctx;
69 struct MD5Context md5;
70
71 ZERO_STRUCT(creds->session_key);
72
73 memset(zero, 0, sizeof(zero));
74
75 hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
76 MD5Init(&md5);
77 MD5Update(&md5, zero, sizeof(zero));
78 MD5Update(&md5, client_challenge->data, 8);
79 MD5Update(&md5, server_challenge->data, 8);
80 MD5Final(tmp, &md5);
81 hmac_md5_update(tmp, sizeof(tmp), &ctx);
82 hmac_md5_final(creds->session_key, &ctx);
83
84 creds->client = *client_challenge;
85 creds->server = *server_challenge;
86
87 des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
88 des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
89
90 creds->seed = creds->client;
91 }
92
93
94 /*
95 step the credentials to the next element in the chain, updating the
96 current client and server credentials and the seed
97 */
98 static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
99 {
100 struct netr_Credential time_cred;
101
102 DEBUG(5,("\tseed %08x:%08x\n",
103 IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
104
105 SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
106 SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
107
108 DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
109
110 des_crypt112(creds->client.data, time_cred.data, creds->session_key, 1);
111
112 DEBUG(5,("\tCLIENT %08x:%08x\n",
113 IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
114
115 SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
116 SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
117
118 DEBUG(5,("\tseed+time+1 %08x:%08x\n",
119 IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
120
121 des_crypt112(creds->server.data, time_cred.data, creds->session_key, 1);
122
123 DEBUG(5,("\tSERVER %08x:%08x\n",
124 IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
125
126 creds->seed = time_cred;
127 }
128
129
130 /*
131 DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
132 */
133 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
134 {
135 struct netr_LMSessionKey tmp;
136 des_crypt56(tmp.key, key->key, creds->session_key, 1);
137 *key = tmp;
138 }
139
140 /*
141 DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
142 */
143 void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
144 {
145 struct netr_LMSessionKey tmp;
146 des_crypt56(tmp.key, key->key, creds->session_key, 0);
147 *key = tmp;
148 }
149
150 /*
151 DES encrypt a 16 byte password buffer using the session key
152 */
153 void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
154 {
155 struct samr_Password tmp;
156 des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
157 *pass = tmp;
158 }
159
160 /*
161 DES decrypt a 16 byte password buffer using the session key
162 */
163 void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
164 {
165 struct samr_Password tmp;
166 des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
167 *pass = tmp;
168 }
169
170 /*
171 ARCFOUR encrypt/decrypt a password buffer using the session key
172 */
173 void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
174 {
175 DATA_BLOB session_key = data_blob(creds->session_key, 16);
176
177 arcfour_crypt_blob(data, len, &session_key);
178
179 data_blob_free(&session_key);
180 }
181
182 /*****************************************************************
183 The above functions are common to the client and server interface
184 next comes the client specific functions
185 ******************************************************************/
186
187 /*
188 initialise the credentials chain and return the first client
189 credentials
190 */
191
192 struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
193 const char *client_account,
194 const char *client_computer_name,
195 const struct netr_Credential *client_challenge,
196 const struct netr_Credential *server_challenge,
197 const struct samr_Password *machine_password,
198 struct netr_Credential *initial_credential,
199 uint32_t negotiate_flags)
200 {
201 struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
202
203 if (!creds) {
204 return NULL;
205 }
206
207 creds->sequence = time(NULL);
208 creds->negotiate_flags = negotiate_flags;
209
210 creds->computer_name = talloc_strdup(creds, client_computer_name);
211 if (!creds->computer_name) {
212 talloc_free(creds);
213 return NULL;
214 }
215 creds->account_name = talloc_strdup(creds, client_account);
216 if (!creds->account_name) {
217 talloc_free(creds);
218 return NULL;
219 }
220
221 dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
222 dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
223 dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
224
225 if (negotiate_flags & NETLOGON_NEG_128BIT) {
226 netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
227 } else {
228 netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
229 }
230
231 dump_data_pw("Session key", creds->session_key, 16);
232 dump_data_pw("Credential ", creds->client.data, 8);
233
234 *initial_credential = creds->client;
235 return creds;
236 }
237
238 /*
239 initialise the credentials structure with only a session key. The caller better know what they are doing!
240 */
241
242 struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
243 const uint8_t session_key[16])
244 {
245 struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
246
247 if (!creds) {
248 return NULL;
249 }
250
251 memcpy(creds->session_key, session_key, 16);
252
253 return creds;
254 }
255
256 /*
257 step the credentials to the next element in the chain, updating the
258 current client and server credentials and the seed
259
260 produce the next authenticator in the sequence ready to send to
261 the server
262 */
263 void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
264 struct netr_Authenticator *next)
265 {
266 creds->sequence += 2;
267 netlogon_creds_step(creds);
268
269 next->cred = creds->client;
270 next->timestamp = creds->sequence;
271 }
272
273 /*
274 check that a credentials reply from a server is correct
275 */
276 bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
277 const struct netr_Credential *received_credentials)
278 {
279 if (!received_credentials ||
280 memcmp(received_credentials->data, creds->server.data, 8) != 0) {
281 DEBUG(2,("credentials check failed\n"));
282 return false;
283 }
284 return true;
285 }
286
287
288 /*****************************************************************
289 The above functions are common to the client and server interface
290 next comes the server specific functions
291 ******************************************************************/
292
293 /*
294 check that a credentials reply from a server is correct
295 */
296 static bool netlogon_creds_server_check_internal(const struct netlogon_creds_CredentialState *creds,
297 const struct netr_Credential *received_credentials)
298 {
299 if (memcmp(received_credentials->data, creds->client.data, 8) != 0) {
300 DEBUG(2,("credentials check failed\n"));
301 dump_data_pw("client creds", creds->client.data, 8);
302 dump_data_pw("calc creds", received_credentials->data, 8);
303 return false;
304 }
305 return true;
306 }
307
308 /*
309 initialise the credentials chain and return the first server
310 credentials
311 */
312 struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
313 const char *client_account,
314 const char *client_computer_name,
315 uint16_t secure_channel_type,
316 const struct netr_Credential *client_challenge,
317 const struct netr_Credential *server_challenge,
318 const struct samr_Password *machine_password,
319 struct netr_Credential *credentials_in,
320 struct netr_Credential *credentials_out,
321 uint32_t negotiate_flags)
322 {
323
324 struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
325
326 if (!creds) {
327 return NULL;
328 }
329
330 creds->negotiate_flags = negotiate_flags;
331
332 creds->computer_name = talloc_strdup(creds, client_computer_name);
333 if (!creds->computer_name) {
334 talloc_free(creds);
335 return NULL;
336 }
337 creds->account_name = talloc_strdup(creds, client_account);
338 if (!creds->account_name) {
339 talloc_free(creds);
340 return NULL;
341 }
342
343 if (negotiate_flags & NETLOGON_NEG_128BIT) {
344 netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
345 machine_password);
346 } else {
347 netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
348 machine_password);
349 }
350
351 /* And before we leak information about the machine account
352 * password, check that they got the first go right */
353 if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
354 talloc_free(creds);
355 return NULL;
356 }
357
358 *credentials_out = creds->server;
359
360 return creds;
361 }
362
363 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
364 struct netr_Authenticator *received_authenticator,
365 struct netr_Authenticator *return_authenticator)
366 {
367 if (!received_authenticator || !return_authenticator) {
368 return NT_STATUS_INVALID_PARAMETER;
369 }
370
371 if (!creds) {
372 return NT_STATUS_ACCESS_DENIED;
373 }
374
375 /* TODO: this may allow the a replay attack on a non-signed
376 connection. Should we check that this is increasing? */
377 creds->sequence = received_authenticator->timestamp;
378 netlogon_creds_step(creds);
379 if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
380 return_authenticator->cred = creds->server;
381 return_authenticator->timestamp = creds->sequence;
382 return NT_STATUS_OK;
383 } else {
384 ZERO_STRUCTP(return_authenticator);
385 return NT_STATUS_ACCESS_DENIED;
386 }
387 }
388
389 void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
390 uint16_t validation_level,
391 union netr_Validation *validation)
392 {
393 static const char zeros[16];
394
395 struct netr_SamBaseInfo *base = NULL;
396 switch (validation_level) {
397 case 2:
398 if (validation->sam2) {
399 base = &validation->sam2->base;
400 }
401 break;
402 case 3:
403 if (validation->sam3) {
404 base = &validation->sam3->base;
405 }
406 break;
407 case 6:
408 if (validation->sam6) {
409 base = &validation->sam6->base;
410 }
411 break;
412 default:
413 /* If we can't find it, we can't very well decrypt it */
414 return;
415 }
416
417 if (!base) {
418 return;
419 }
420
421 /* find and decyrpt the session keys, return in parameters above */
422 if (validation_level == 6) {
423 /* they aren't encrypted! */
424 } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
425 if (memcmp(base->key.key, zeros,
426 sizeof(base->key.key)) != 0) {
427 netlogon_creds_arcfour_crypt(creds,
428 base->key.key,
429 sizeof(base->key.key));
430 }
431
432 if (memcmp(base->LMSessKey.key, zeros,
433 sizeof(base->LMSessKey.key)) != 0) {
434 netlogon_creds_arcfour_crypt(creds,
435 base->LMSessKey.key,
436 sizeof(base->LMSessKey.key));
437 }
438 } else {
439 if (memcmp(base->LMSessKey.key, zeros,
440 sizeof(base->LMSessKey.key)) != 0) {
441 netlogon_creds_des_decrypt_LMKey(creds,
442 &base->LMSessKey);
443 }
444 }
445 }
446
reg import