2 Unix SMB/Netbios implementation.
4 handle NLTMSSP, client server side parsing
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 struct auth_session_info
;
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "auth/ntlmssp/ntlmssp_private.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "auth/gensec/gensec.h"
34 * Callbacks for NTLMSSP - for both client and server operating modes
38 static const struct ntlmssp_callbacks
{
39 enum ntlmssp_role role
;
40 enum ntlmssp_message_type command
;
41 NTSTATUS (*sync_fn
)(struct gensec_security
*gensec_security
,
42 TALLOC_CTX
*out_mem_ctx
,
43 DATA_BLOB in
, DATA_BLOB
*out
);
44 } ntlmssp_callbacks
[] = {
46 .role
= NTLMSSP_CLIENT
,
47 .command
= NTLMSSP_INITIAL
,
48 .sync_fn
= ntlmssp_client_initial
,
50 .role
= NTLMSSP_SERVER
,
51 .command
= NTLMSSP_NEGOTIATE
,
52 .sync_fn
= gensec_ntlmssp_server_negotiate
,
54 .role
= NTLMSSP_CLIENT
,
55 .command
= NTLMSSP_CHALLENGE
,
56 .sync_fn
= ntlmssp_client_challenge
,
58 .role
= NTLMSSP_SERVER
,
59 .command
= NTLMSSP_AUTH
,
60 .sync_fn
= gensec_ntlmssp_server_auth
,
65 static NTSTATUS
gensec_ntlmssp_update_find(struct gensec_security
*gensec_security
,
66 struct gensec_ntlmssp_context
*gensec_ntlmssp
,
67 const DATA_BLOB input
, uint32_t *idx
)
69 uint32_t ntlmssp_command
;
72 if (gensec_ntlmssp
->ntlmssp_state
->expected_state
== NTLMSSP_DONE
) {
73 /* We are strict here because other modules, which we
74 * don't fully control (such as GSSAPI) are also
75 * strict, but are tested less often */
77 DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
78 return NT_STATUS_INVALID_PARAMETER
;
82 switch (gensec_ntlmssp
->ntlmssp_state
->role
) {
84 ntlmssp_command
= NTLMSSP_INITIAL
;
87 if (gensec_security
->want_features
& GENSEC_FEATURE_DATAGRAM_MODE
) {
88 /* 'datagram' mode - no neg packet */
89 ntlmssp_command
= NTLMSSP_NEGOTIATE
;
91 /* This is normal in SPNEGO mech negotiation fallback */
92 DEBUG(2, ("Failed to parse NTLMSSP packet: zero length\n"));
93 return NT_STATUS_INVALID_PARAMETER
;
98 if (!msrpc_parse(gensec_ntlmssp
->ntlmssp_state
,
102 DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
103 dump_data(2, input
.data
, input
.length
);
104 return NT_STATUS_INVALID_PARAMETER
;
108 if (ntlmssp_command
!= gensec_ntlmssp
->ntlmssp_state
->expected_state
) {
109 DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command
,
110 gensec_ntlmssp
->ntlmssp_state
->expected_state
));
111 return NT_STATUS_INVALID_PARAMETER
;
114 for (i
=0; i
< ARRAY_SIZE(ntlmssp_callbacks
); i
++) {
115 if (ntlmssp_callbacks
[i
].role
== gensec_ntlmssp
->ntlmssp_state
->role
&&
116 ntlmssp_callbacks
[i
].command
== ntlmssp_command
) {
122 DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
123 gensec_ntlmssp
->ntlmssp_state
->role
, ntlmssp_command
));
125 return NT_STATUS_INVALID_PARAMETER
;
129 * Next state function for the wrapped NTLMSSP state machine
131 * @param gensec_security GENSEC state, initialised to NTLMSSP
132 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
133 * @param in The request, as a DATA_BLOB
134 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
135 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
136 * or NT_STATUS_OK if the user is authenticated.
139 NTSTATUS
gensec_ntlmssp_update(struct gensec_security
*gensec_security
,
140 TALLOC_CTX
*out_mem_ctx
,
141 struct tevent_context
*ev
,
142 const DATA_BLOB input
, DATA_BLOB
*out
)
144 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
145 talloc_get_type_abort(gensec_security
->private_data
,
146 struct gensec_ntlmssp_context
);
147 struct ntlmssp_state
*ntlmssp_state
= gensec_ntlmssp
->ntlmssp_state
;
151 *out
= data_blob(NULL
, 0);
154 /* if the caller doesn't want to manage/own the memory,
155 we can put it on our context */
156 out_mem_ctx
= ntlmssp_state
;
159 status
= gensec_ntlmssp_update_find(gensec_security
, gensec_ntlmssp
, input
, &i
);
160 NT_STATUS_NOT_OK_RETURN(status
);
162 status
= ntlmssp_callbacks
[i
].sync_fn(gensec_security
, out_mem_ctx
, input
, out
);
163 NT_STATUS_NOT_OK_RETURN(status
);
168 static const char *gensec_ntlmssp_oids
[] = {
173 static const struct gensec_security_ops gensec_ntlmssp_security_ops
= {
175 .sasl_name
= GENSEC_SASL_NAME_NTLMSSP
, /* "NTLM" */
176 .auth_type
= DCERPC_AUTH_TYPE_NTLMSSP
,
177 .oid
= gensec_ntlmssp_oids
,
178 .client_start
= gensec_ntlmssp_client_start
,
179 .server_start
= gensec_ntlmssp_server_start
,
180 .magic
= gensec_ntlmssp_magic
,
181 .update
= gensec_ntlmssp_update
,
182 .sig_size
= gensec_ntlmssp_sig_size
,
183 .sign_packet
= gensec_ntlmssp_sign_packet
,
184 .check_packet
= gensec_ntlmssp_check_packet
,
185 .seal_packet
= gensec_ntlmssp_seal_packet
,
186 .unseal_packet
= gensec_ntlmssp_unseal_packet
,
187 .wrap
= gensec_ntlmssp_wrap
,
188 .unwrap
= gensec_ntlmssp_unwrap
,
189 .session_key
= gensec_ntlmssp_session_key
,
190 .session_info
= gensec_ntlmssp_session_info
,
191 .have_feature
= gensec_ntlmssp_have_feature
,
193 .priority
= GENSEC_NTLMSSP
197 _PUBLIC_ NTSTATUS
gensec_ntlmssp_init(void)
201 ret
= gensec_register(&gensec_ntlmssp_security_ops
);
202 if (!NT_STATUS_IS_OK(ret
)) {
203 DEBUG(0,("Failed to register '%s' gensec backend!\n",
204 gensec_ntlmssp_security_ops
.name
));
211 uint32_t gensec_ntlmssp_neg_flags(struct gensec_security
*gensec_security
)
213 struct gensec_ntlmssp_context
*gensec_ntlmssp
;
214 if (gensec_security
->ops
!= &gensec_ntlmssp_security_ops
) {
217 gensec_ntlmssp
= talloc_get_type_abort(gensec_security
->private_data
,
218 struct gensec_ntlmssp_context
);
219 return gensec_ntlmssp
->ntlmssp_state
->neg_flags
;