libcli/auth/ntlmssp.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3    SMB parameters and setup
   4    Copyright (C) Andrew Tridgell 1992-1997
   5    Copyright (C) Luke Kenneth Casson Leighton 1996-1997
   6    Copyright (C) Paul Ashton 1997
   7    Copyright (C) Andrew Bartlett 2010
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "../librpc/gen_ndr/ntlmssp.h"
  24
  25 /* NTLMSSP mode */
  26 enum ntlmssp_role
  27 {
  28         NTLMSSP_SERVER,
  29         NTLMSSP_CLIENT
  30 };
  31
  32 /* NTLMSSP message types */
  33 enum ntlmssp_message_type
  34 {
  35         NTLMSSP_INITIAL = 0 /* samba internal state */,
  36         NTLMSSP_NEGOTIATE = 1,
  37         NTLMSSP_CHALLENGE = 2,
  38         NTLMSSP_AUTH      = 3,
  39         NTLMSSP_UNKNOWN   = 4,
  40         NTLMSSP_DONE      = 5 /* samba final state */
  41 };
  42
  43 #define NTLMSSP_FEATURE_SESSION_KEY        0x00000001
  44 #define NTLMSSP_FEATURE_SIGN               0x00000002
  45 #define NTLMSSP_FEATURE_SEAL               0x00000004
  46 #define NTLMSSP_FEATURE_CCACHE             0x00000008
  47
  48 union ntlmssp_crypt_state;
  49
  50 struct ntlmssp_state
  51 {
  52         enum ntlmssp_role role;
  53         uint32_t expected_state;
  54
  55         bool unicode;
  56         bool use_ntlmv2;
  57         bool use_ccache;
  58         bool use_nt_response;  /* Set to 'False' to debug what happens when the NT response is omited */
  59         bool allow_lm_key;     /* The LM_KEY code is not very secure... */
  60
  61         const char *user;
  62         const char *domain;
  63         uint8_t *nt_hash;
  64         uint8_t *lm_hash;
  65
  66         struct {
  67                 const char *netbios_name;
  68                 const char *netbios_domain;
  69         } client;
  70
  71         struct {
  72                 bool is_standalone;
  73                 const char *netbios_name;
  74                 const char *netbios_domain;
  75                 const char *dns_name;
  76                 const char *dns_domain;
  77         } server;
  78
  79         DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */
  80
  81         DATA_BLOB chal; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */
  82         DATA_BLOB lm_resp;
  83         DATA_BLOB nt_resp;
  84         DATA_BLOB session_key;
  85
  86         uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
  87
  88         /**
  89          * Private data for the callback functions
  90          */
  91         void *callback_private;
  92
  93         /**
  94          * Callback to get the 'challenge' used for NTLM authentication.
  95          *
  96          * @param ntlmssp_state This structure
  97          * @return 8 bytes of challenge data, determined by the server to be the challenge for NTLM authentication
  98          *
  99          */
 100         NTSTATUS (*get_challenge)(const struct ntlmssp_state *ntlmssp_state,
 101                                   uint8_t challenge[8]);
 102
 103         /**
 104          * Callback to find if the challenge used by NTLM authentication may be modified
 105          *
 106          * The NTLM2 authentication scheme modifies the effective challenge, but this is not compatiable with the
 107          * current 'security=server' implementation..
 108          *
 109          * @param ntlmssp_state This structure
 110          * @return Can the challenge be set to arbitary values?
 111          *
 112          */
 113         bool (*may_set_challenge)(const struct ntlmssp_state *ntlmssp_state);
 114
 115         /**
 116          * Callback to set the 'challenge' used for NTLM authentication.
 117          *
 118          * The callback may use the void *auth_context to store state information, but the same value is always available
 119          * from the DATA_BLOB chal on this structure.
 120          *
 121          * @param ntlmssp_state This structure
 122          * @param challenge 8 bytes of data, agreed by the client and server to be the effective challenge for NTLM2 authentication
 123          *
 124          */
 125         NTSTATUS (*set_challenge)(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge);
 126
 127         /**
 128          * Callback to check the user's password.
 129          *
 130          * The callback must reads the feilds of this structure for the information it needs on the user
 131          * @param ntlmssp_state This structure
 132          * @param mem_ctx Talloc context for LM and NT session key to be returned on
 133          * @param nt_session_key If an NT session key is returned by the authentication process, return it here
 134          * @param lm_session_key If an LM session key is returned by the authentication process, return it here
 135          *
 136          */
 137         NTSTATUS (*check_password)(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 138                                    DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 139
 140         union ntlmssp_crypt_state *crypt;
 141 };
 142
 143 /* The following definitions come from libcli/auth/ntlmssp_sign.c  */
 144
 145 NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
 146                              TALLOC_CTX *sig_mem_ctx,
 147                              const uint8_t *data, size_t length,
 148                              const uint8_t *whole_pdu, size_t pdu_length,
 149                              DATA_BLOB *sig);
 150 NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
 151                               const uint8_t *data, size_t length,
 152                               const uint8_t *whole_pdu, size_t pdu_length,
 153                               const DATA_BLOB *sig) ;
 154 NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
 155                              TALLOC_CTX *sig_mem_ctx,
 156                              uint8_t *data, size_t length,
 157                              const uint8_t *whole_pdu, size_t pdu_length,
 158                              DATA_BLOB *sig);
 159 NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
 160                                uint8_t *data, size_t length,
 161                                const uint8_t *whole_pdu, size_t pdu_length,
 162                                const DATA_BLOB *sig);
 163 NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
 164                       TALLOC_CTX *out_mem_ctx,
 165                       const DATA_BLOB *in,
 166                       DATA_BLOB *out);
 167 NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_stae,
 168                         TALLOC_CTX *out_mem_ctx,
 169                         const DATA_BLOB *in,
 170                         DATA_BLOB *out);
 171 NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state);
 172
 173 bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob);