}
-/*
- generate a spnego NTLMSSP challenge packet given two security blobs
- The second challenge is optional
-*/
-BOOL spnego_gen_challenge(DATA_BLOB *blob,
- DATA_BLOB *chal1, DATA_BLOB *chal2)
-{
- ASN1_DATA data;
-
- ZERO_STRUCT(data);
-
- asn1_push_tag(&data,ASN1_CONTEXT(1));
- asn1_push_tag(&data,ASN1_SEQUENCE(0));
-
- asn1_push_tag(&data,ASN1_CONTEXT(0));
- asn1_write_enumerated(&data,1);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data,ASN1_CONTEXT(1));
- asn1_write_OID(&data, OID_NTLMSSP);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data,ASN1_CONTEXT(2));
- asn1_write_OctetString(&data, chal1->data, chal1->length);
- asn1_pop_tag(&data);
-
- /* the second challenge is optional (XP doesn't send it) */
- if (chal2) {
- asn1_push_tag(&data,ASN1_CONTEXT(3));
- asn1_write_OctetString(&data, chal2->data, chal2->length);
- asn1_pop_tag(&data);
- }
-
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- if (data.has_error) {
- return False;
- }
-
- *blob = data_blob(data.data, data.length);
- asn1_free(&data);
- return True;
-}
-
/*
generate a SPNEGO NTLMSSP auth packet. This will contain the encrypted passwords
*/
/*
generate a minimal SPNEGO NTLMSSP response packet. Doesn't contain much.
*/
-DATA_BLOB spnego_gen_auth_response(void)
+DATA_BLOB spnego_gen_auth_response(DATA_BLOB *ntlmssp_reply, NTSTATUS nt_status)
{
ASN1_DATA data;
DATA_BLOB ret;
+ uint8 negResult;
- memset(&data, 0, sizeof(data));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ negResult = SPNGEO_NEG_RESULT_ACCEPT;
+ } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ negResult = SPNGEO_NEG_RESULT_INCOMPLETE;
+ } else {
+ negResult = SPNGEO_NEG_RESULT_REJECT;
+ }
+
+ ZERO_STRUCT(data);
asn1_push_tag(&data, ASN1_CONTEXT(1));
asn1_push_tag(&data, ASN1_SEQUENCE(0));
asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_write_enumerated(&data, 0);
+ asn1_write_enumerated(&data, negResult);
asn1_pop_tag(&data);
+ if (negResult == SPNGEO_NEG_RESULT_INCOMPLETE) {
+ asn1_push_tag(&data,ASN1_CONTEXT(1));
+ asn1_write_OID(&data, OID_NTLMSSP);
+ asn1_pop_tag(&data);
+
+ asn1_push_tag(&data,ASN1_CONTEXT(2));
+ asn1_write_OctetString(&data, ntlmssp_reply->data, ntlmssp_reply->length);
+ asn1_pop_tag(&data);
+ }
+
asn1_pop_tag(&data);
asn1_pop_tag(&data);
format specifiers are:
U = unicode string (input is unix string)
- a = address (1 byte type, 1 byte length, unicode string, all inline)
- A = ASCII string (pointer + length) Actually same as B
+ a = address (input is BOOL unicode, char *unix_string)
+ (1 byte type, 1 byte length, unicode/ASCII string, all inline)
+ A = ASCII string (input is unix string)
B = data blob (pointer + length)
b = data blob in header (pointer + length)
D
uint8 *b;
int head_size=0, data_size=0;
int head_ofs, data_ofs;
+ BOOL unicode;
/* first scan the format to work out the header and body size */
va_start(ap, format);
head_size += 8;
data_size += str_charnum(s) * 2;
break;
+ case 'A':
+ s = va_arg(ap, char *);
+ head_size += 8;
+ data_size += str_ascii_charnum(s);
+ break;
case 'a':
+ unicode = va_arg(ap, BOOL);
n = va_arg(ap, int);
s = va_arg(ap, char *);
- data_size += (str_charnum(s) * 2) + 4;
+ if (unicode) {
+ data_size += (str_charnum(s) * 2) + 4;
+ } else {
+ data_size += (str_ascii_charnum(s)) + 4;
+ }
break;
- case 'A':
case 'B':
b = va_arg(ap, uint8 *);
head_size += 8;
push_string(NULL, blob->data+data_ofs, s, n*2, STR_UNICODE|STR_NOALIGN);
data_ofs += n*2;
break;
+ case 'A':
+ s = va_arg(ap, char *);
+ n = str_ascii_charnum(s);
+ SSVAL(blob->data, head_ofs, n); head_ofs += 2;
+ SSVAL(blob->data, head_ofs, n); head_ofs += 2;
+ SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4;
+ push_string(NULL, blob->data+data_ofs, s, n, STR_ASCII|STR_NOALIGN);
+ data_ofs += n;
+ break;
case 'a':
+ unicode = va_arg(ap, BOOL);
n = va_arg(ap, int);
SSVAL(blob->data, data_ofs, n); data_ofs += 2;
s = va_arg(ap, char *);
- n = str_charnum(s);
- SSVAL(blob->data, data_ofs, n*2); data_ofs += 2;
- if (0 < n) {
- push_string(NULL, blob->data+data_ofs, s, n*2,
- STR_UNICODE|STR_NOALIGN);
+ if (unicode) {
+ n = str_charnum(s);
+ SSVAL(blob->data, data_ofs, n*2); data_ofs += 2;
+ if (0 < n) {
+ push_string(NULL, blob->data+data_ofs, s, n*2,
+ STR_UNICODE|STR_NOALIGN);
+ }
+ data_ofs += n*2;
+ } else {
+ n = str_ascii_charnum(s);
+ SSVAL(blob->data, data_ofs, n); data_ofs += 2;
+ if (0 < n) {
+ push_string(NULL, blob->data+data_ofs, s, n,
+ STR_ASCII|STR_NOALIGN);
+ }
+ data_ofs += n;
}
- data_ofs += n*2;
break;
- case 'A':
case 'B':
b = va_arg(ap, uint8 *);
n = va_arg(ap, int);
break;
case 'C':
s = va_arg(ap, char *);
- head_ofs += pull_string(NULL, p, blob->data+head_ofs, -1,
+ head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p),
blob->length - head_ofs,
STR_ASCII|STR_TERMINATE);
if (strcmp(s, p) != 0) {
#include "includes.h"
uint32 global_client_caps = 0;
-static struct auth_context *ntlmssp_auth_context = NULL;
+
+static struct auth_ntlmssp_state *global_ntlmssp_state;
/*
on a logon error possibly map the error to success if "map to guest"
set_message_end(outbuf,p);
}
+/****************************************************************************
+send a security blob via a session setup reply
+****************************************************************************/
+static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
+ DATA_BLOB blob, NTSTATUS nt_status)
+{
+ char *p;
+
+ set_message(outbuf,4,0,True);
+
+ /* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end
+ that we aren't finished yet */
+
+ nt_status = nt_status_squash(nt_status);
+ SIVAL(outbuf, smb_rcls, NT_STATUS_V(nt_status));
+ SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */
+ SSVAL(outbuf, smb_vwv3, blob.length);
+ p = smb_buf(outbuf);
+
+ /* should we cap this? */
+ memcpy(p, blob.data, blob.length);
+ p += blob.length;
+
+ p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
+ set_message_end(outbuf,p);
+
+ return send_smb(smbd_server_fd(),outbuf);
+}
+
/****************************************************************************
Do a 'guest' logon, getting back the
****************************************************************************/
/****************************************************************************
-send a security blob via a session setup reply
-****************************************************************************/
-static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
- DATA_BLOB blob, uint32 errcode)
+ send a session setup reply, wrapped in SPNEGO.
+ get vuid and check first.
+ end the NTLMSSP exchange context if we are OK/complete fail
+***************************************************************************/
+static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
+ AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
+ DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
{
- char *p;
+ BOOL ret;
+ DATA_BLOB response;
+ struct auth_serversupplied_info *server_info;
+ server_info = (*auth_ntlmssp_state)->server_info;
- set_message(outbuf,4,0,True);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = do_map_to_guest(nt_status,
+ &server_info,
+ (*auth_ntlmssp_state)->ntlmssp_state->user,
+ (*auth_ntlmssp_state)->ntlmssp_state->domain);
+ }
- /* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end
- that we aren't finished yet */
+ if (NT_STATUS_IS_OK(nt_status)) {
+ int sess_vuid;
+ sess_vuid = register_vuid(server_info, (*auth_ntlmssp_state)->ntlmssp_state->user /* check this for weird */);
+
+ if (sess_vuid == -1) {
+ nt_status = NT_STATUS_LOGON_FAILURE;
+ } else {
+
+ set_message(outbuf,4,0,True);
+ SSVAL(outbuf, smb_vwv3, 0);
+
+ if ((*auth_ntlmssp_state)->server_info->guest) {
+ SSVAL(outbuf,smb_vwv2,1);
+ }
+
+ SSVAL(outbuf,smb_uid,sess_vuid);
+ }
+ }
- SIVAL(outbuf, smb_rcls, errcode);
- SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */
- SSVAL(outbuf, smb_vwv3, blob.length);
- p = smb_buf(outbuf);
- memcpy(p, blob.data, blob.length);
- p += blob.length;
- p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
- p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE);
- p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
- set_message_end(outbuf,p);
-
- return send_smb(smbd_server_fd(),outbuf);
+ response = spnego_gen_auth_response(ntlmssp_blob, nt_status);
+ ret = reply_sesssetup_blob(conn, outbuf, response, nt_status);
+ data_blob_free(&response);
+
+ if (!ret || !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ auth_ntlmssp_end(&global_ntlmssp_state);
+ }
+
+ return ret;
}
/****************************************************************************
char *OIDs[ASN1_MAX_OIDS];
DATA_BLOB secblob;
int i;
- uint32 ntlmssp_command, neg_flags, chal_flags;
- DATA_BLOB chal, spnego_chal;
- const uint8 *cryptkey;
+ DATA_BLOB chal;
BOOL got_kerberos = False;
NTSTATUS nt_status;
- char *cliname=NULL, *domname=NULL;
/* parse out the OIDs and the first sec blob */
if (!parse_negTokenTarg(blob1, OIDs, &secblob)) {
}
#endif
- /* parse the NTLMSSP packet */
-#if 0
- file_save("secblob.dat", secblob.data, secblob.length);
-#endif
-
- if (!msrpc_parse(&secblob, "CddAA",
- "NTLMSSP",
- &ntlmssp_command,
- &neg_flags,
- &cliname,
- &domname)) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
-
- data_blob_free(&secblob);
-
- if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
-
- debug_ntlmssp_flags(neg_flags);
-
- if (ntlmssp_auth_context) {
- (ntlmssp_auth_context->free)(&ntlmssp_auth_context);
+ if (global_ntlmssp_state) {
+ auth_ntlmssp_end(&global_ntlmssp_state);
}
- if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&ntlmssp_auth_context))) {
+ nt_status = auth_ntlmssp_start(&global_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(nt_status)) {
return ERROR_NT(nt_status);
}
- cryptkey = ntlmssp_auth_context->get_ntlm_challenge(ntlmssp_auth_context);
-
- /* Give them the challenge. For now, ignore neg_flags and just
- return the flags we want. Obviously this is not correct */
-
- chal_flags = NTLMSSP_NEGOTIATE_UNICODE |
- NTLMSSP_NEGOTIATE_128 |
- NTLMSSP_NEGOTIATE_NTLM |
- NTLMSSP_CHAL_TARGET_INFO;
-
- {
- DATA_BLOB domain_blob, struct_blob;
- fstring dnsname, dnsdomname;
-
- msrpc_gen(&domain_blob,
- "U",
- lp_workgroup());
-
- fstrcpy(dnsdomname, (SEC_ADS == lp_security())?lp_realm():"");
- strlower(dnsdomname);
-
- fstrcpy(dnsname, global_myname());
- fstrcat(dnsname, ".");
- fstrcat(dnsname, dnsdomname);
- strlower(dnsname);
-
- msrpc_gen(&struct_blob, "aaaaa",
- 2, lp_workgroup(),
- 1, global_myname(),
- 4, dnsdomname,
- 3, dnsname,
- 0, "");
-
- msrpc_gen(&chal, "CdUdbddB",
- "NTLMSSP",
- NTLMSSP_CHALLENGE,
- lp_workgroup(),
- chal_flags,
- cryptkey, 8,
- 0, 0,
- struct_blob.data, struct_blob.length);
-
- data_blob_free(&domain_blob);
- data_blob_free(&struct_blob);
- }
-
- if (!spnego_gen_challenge(&spnego_chal, &chal, &chal)) {
- DEBUG(3,("Failed to generate challenge\n"));
- data_blob_free(&chal);
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
+ nt_status = auth_ntlmssp_update(global_ntlmssp_state,
+ secblob, &chal);
- /* now tell the client to send the auth packet */
- reply_sesssetup_blob(conn, outbuf, spnego_chal, NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED));
+ data_blob_free(&secblob);
+ reply_spnego_ntlmssp(conn, outbuf, &global_ntlmssp_state,
+ &chal, nt_status);
+
data_blob_free(&chal);
- data_blob_free(&spnego_chal);
- /* and tell smbd that we have already replied to this packet */
+ /* already replied */
return -1;
}
int length, int bufsize,
DATA_BLOB blob1)
{
- DATA_BLOB auth, response;
- char *workgroup = NULL, *user = NULL, *machine = NULL;
- DATA_BLOB lmhash, nthash, sess_key;
- DATA_BLOB plaintext_password = data_blob(NULL, 0);
- uint32 ntlmssp_command, neg_flags;
+ DATA_BLOB auth, auth_reply;
NTSTATUS nt_status;
- int sess_vuid;
- BOOL as_guest;
- uint32 auth_flags = AUTH_FLAG_NONE;
- auth_usersupplied_info *user_info = NULL;
- auth_serversupplied_info *server_info = NULL;
-
- /* we must have setup the auth context by now */
- if (!ntlmssp_auth_context) {
- DEBUG(2,("ntlmssp_auth_context is NULL in reply_spnego_auth\n"));
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
if (!spnego_parse_auth(blob1, &auth)) {
#if 0
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
- /* now the NTLMSSP encoded auth hashes */
- if (!msrpc_parse(&auth, "CdBBUUUBd",
- "NTLMSSP",
- &ntlmssp_command,
- &lmhash,
- &nthash,
- &workgroup,
- &user,
- &machine,
- &sess_key,
- &neg_flags)) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
+ nt_status = auth_ntlmssp_update(global_ntlmssp_state,
+ auth, &auth_reply);
data_blob_free(&auth);
- data_blob_free(&sess_key);
-
- DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n",
- user, workgroup, machine, lmhash.length, nthash.length));
-
- /* the client has given us its machine name (which we otherwise would not get on port 445).
- we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
-
- set_remote_machine_name(machine);
-
- /* setup the string used by %U */
- sub_set_smb_name(user);
-
- reload_services(True);
-
-#if 0
- file_save("nthash1.dat", nthash.data, nthash.length);
- file_save("lmhash1.dat", lmhash.data, lmhash.length);
-#endif
-
- if (lmhash.length) {
- auth_flags |= AUTH_FLAG_LM_RESP;
- }
-
- if (nthash.length == 24) {
- auth_flags |= AUTH_FLAG_NTLM_RESP;
- } else if (nthash.length > 24) {
- auth_flags |= AUTH_FLAG_NTLMv2_RESP;
- };
-
- nt_status = make_user_info_map(&user_info, user, workgroup, machine,
- lmhash, nthash, plaintext_password,
- auth_flags, True);
-
- /* it looks a bit weird, but this function returns int type... */
- if (!NT_STATUS_IS_OK(nt_status)) {
- return ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- nt_status = ntlmssp_auth_context->check_ntlm_password(ntlmssp_auth_context, user_info, &server_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- nt_status = do_map_to_guest(nt_status, &server_info, user, workgroup);
- }
-
- SAFE_FREE(workgroup);
- SAFE_FREE(machine);
-
- (ntlmssp_auth_context->free)(&ntlmssp_auth_context);
-
- free_user_info(&user_info);
-
- data_blob_free(&lmhash);
-
- data_blob_free(&nthash);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- SAFE_FREE(user);
- return ERROR_NT(nt_status_squash(nt_status));
- }
-
- as_guest = server_info->guest;
-
- sess_vuid = register_vuid(server_info, user);
- free_server_info(&server_info);
-
- SAFE_FREE(user);
-
- if (sess_vuid == -1) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
-
- set_message(outbuf,4,0,True);
- SSVAL(outbuf, smb_vwv3, 0);
- if (as_guest) {
- SSVAL(outbuf,smb_vwv2,1);
- }
-
- add_signature(outbuf);
-
- SSVAL(outbuf,smb_uid,sess_vuid);
- SSVAL(inbuf,smb_uid,sess_vuid);
-
- response = spnego_gen_auth_response();
- reply_sesssetup_blob(conn, outbuf, response, 0);
+ reply_spnego_ntlmssp(conn, outbuf, &global_ntlmssp_state,
+ &auth_reply, nt_status);
+
+ data_blob_free(&auth_reply);
/* and tell smbd that we have already replied to this packet */
return -1;
}
-/****************************************************************************
-reply to a session setup spnego anonymous packet
-****************************************************************************/
-static int reply_spnego_anonymous(connection_struct *conn, char *inbuf, char *outbuf,
- int length, int bufsize)
-{
- int sess_vuid;
- auth_serversupplied_info *server_info = NULL;
- NTSTATUS nt_status;
-
- nt_status = check_guest_password(&server_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- return ERROR_NT(nt_status_squash(nt_status));
- }
-
- sess_vuid = register_vuid(server_info, lp_guestaccount());
-
- free_server_info(&server_info);
-
- if (sess_vuid == -1) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
-
- set_message(outbuf,4,0,True);
- SSVAL(outbuf, smb_vwv3, 0);
- add_signature(outbuf);
-
- SSVAL(outbuf,smb_uid,sess_vuid);
- SSVAL(inbuf,smb_uid,sess_vuid);
-
- return chain_reply(inbuf,outbuf,length,bufsize);
-}
-
-
/****************************************************************************
reply to a session setup command
****************************************************************************/
-static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,char *outbuf,
+static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
+ char *outbuf,
int length,int bufsize)
{
uint8 *p;
DATA_BLOB blob1;
int ret;
+ size_t bufrem;
DEBUG(3,("Doing spnego session setup\n"));
p = (uint8 *)smb_buf(inbuf);
if (SVAL(inbuf, smb_vwv7) == 0) {
- /* an anonymous request */
- return reply_spnego_anonymous(conn, inbuf, outbuf, length, bufsize);
+ /* an invalid request */
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
+ bufrem = smb_bufrem(inbuf, p);
/* pull the spnego blob */
- blob1 = data_blob(p, SVAL(inbuf, smb_vwv7));
+ blob1 = data_blob(p, MIN(bufrem, SVAL(inbuf, smb_vwv7)));
#if 0
file_save("negotiate.dat", blob1.data, blob1.length);
nt_status = check_guest_password(&server_info);
} else if (doencrypt) {
+ if (!negprot_global_auth_context) {
+ DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted session setup without negprot denied!\n"));
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
nt_status = make_user_info_for_reply_enc(&user_info, user, domain,
lm_resp, nt_resp);
if (NT_STATUS_IS_OK(nt_status)) {
}
/* it's ok - setup a reply */
- if (Protocol < PROTOCOL_NT1) {
- set_message(outbuf,3,0,True);
- } else {
- set_message(outbuf,3,0,True);
+ set_message(outbuf,3,0,True);
+ if (Protocol >= PROTOCOL_NT1) {
add_signature(outbuf);
/* perhaps grab OS version here?? */
}