gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
[amitay/samba.git] / source3 / auth / auth_ntlmssp.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, server side
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett 2001-2003
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth.h"
25 #include "../libcli/auth/ntlmssp.h"
26 #include "ntlmssp_wrap.h"
27 #include "../librpc/gen_ndr/netlogon.h"
28 #include "../lib/tsocket/tsocket.h"
29
30 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
31                                         struct auth_ntlmssp_state *auth_ntlmssp_state,
32                                         struct auth_session_info **session_info)
33 {
34         NTSTATUS nt_status = create_local_token(mem_ctx,
35                                                 auth_ntlmssp_state->server_info,
36                                                 &auth_ntlmssp_state->ntlmssp_state->session_key,
37                                                 session_info);
38
39         if (!NT_STATUS_IS_OK(nt_status)) {
40                 DEBUG(10, ("create_local_token failed: %s\n",
41                            nt_errstr(nt_status)));
42         }
43         return nt_status;
44 }
45
46 /**
47  * Return the challenge as determined by the authentication subsystem 
48  * @return an 8 byte random challenge
49  */
50
51 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
52                                            uint8_t chal[8])
53 {
54         struct auth_ntlmssp_state *auth_ntlmssp_state =
55                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
56         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
57                 auth_ntlmssp_state->auth_context, chal);
58         return NT_STATUS_OK;
59 }
60
61 /**
62  * Some authentication methods 'fix' the challenge, so we may not be able to set it
63  *
64  * @return If the effective challenge used by the auth subsystem may be modified
65  */
66 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
67 {
68         struct auth_ntlmssp_state *auth_ntlmssp_state =
69                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
70         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
71
72         return auth_context->challenge_may_be_modified;
73 }
74
75 /**
76  * NTLM2 authentication modifies the effective challenge, 
77  * @param challenge The new challenge value
78  */
79 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
80 {
81         struct auth_ntlmssp_state *auth_ntlmssp_state =
82                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
83         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
84
85         SMB_ASSERT(challenge->length == 8);
86
87         auth_context->challenge = data_blob_talloc(auth_context,
88                                                    challenge->data, challenge->length);
89
90         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
91
92         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
93         DEBUG(5, ("challenge is: \n"));
94         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
95         return NT_STATUS_OK;
96 }
97
98 /**
99  * Check the password on an NTLMSSP login.  
100  *
101  * Return the session keys used on the connection.
102  */
103
104 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
105                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
106 {
107         struct auth_ntlmssp_state *auth_ntlmssp_state =
108                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
109         struct auth_usersupplied_info *user_info = NULL;
110         NTSTATUS nt_status;
111         bool username_was_mapped;
112
113         /* the client has given us its machine name (which we otherwise would not get on port 445).
114            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
115
116         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
117
118         /* setup the string used by %U */
119         /* sub_set_smb_name checks for weird internally */
120         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
121
122         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
123
124         nt_status = make_user_info_map(&user_info,
125                                        auth_ntlmssp_state->ntlmssp_state->user, 
126                                        auth_ntlmssp_state->ntlmssp_state->domain, 
127                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
128                                        auth_ntlmssp_state->remote_address,
129                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, 
130                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, 
131                                        NULL, NULL, NULL,
132                                        AUTH_PASSWORD_RESPONSE);
133
134         if (!NT_STATUS_IS_OK(nt_status)) {
135                 return nt_status;
136         }
137
138         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
139
140         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, 
141                                                                           user_info, &auth_ntlmssp_state->server_info); 
142
143         username_was_mapped = user_info->was_mapped;
144
145         free_user_info(&user_info);
146
147         if (!NT_STATUS_IS_OK(nt_status)) {
148                 return nt_status;
149         }
150
151         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
152
153         /* Clear out the session keys, and pass them to the caller.
154          * They will not be used in this form again - instead the
155          * NTLMSSP code will decide on the final correct session key,
156          * and put it back here at the end of
157          * auth_ntlmssp_steal_server_info */
158         if (auth_ntlmssp_state->server_info->session_key.length) {
159                 DEBUG(10, ("Got NT session key of length %u\n",
160                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
161                 *session_key = auth_ntlmssp_state->server_info->session_key;
162                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
163                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
164         }
165         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
166                 DEBUG(10, ("Got LM session key of length %u\n",
167                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
168                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
169                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
170                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
171         }
172         return nt_status;
173 }
174
175 static int auth_ntlmssp_state_destructor(void *ptr);
176
177 NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
178                             struct auth_ntlmssp_state **auth_ntlmssp_state)
179 {
180         NTSTATUS nt_status;
181         bool is_standalone;
182         const char *netbios_name;
183         const char *netbios_domain;
184         const char *dns_name;
185         char *dns_domain;
186         struct auth_ntlmssp_state *ans;
187         struct auth_context *auth_context;
188
189         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
190                 is_standalone = true;
191         } else {
192                 is_standalone = false;
193         }
194
195         netbios_name = lp_netbios_name();
196         netbios_domain = lp_workgroup();
197         /* This should be a 'netbios domain -> DNS domain' mapping */
198         dns_domain = get_mydnsdomname(talloc_tos());
199         if (dns_domain) {
200                 strlower_m(dns_domain);
201         }
202         dns_name = get_mydnsfullname();
203
204         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
205         if (!ans) {
206                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
207                 return NT_STATUS_NO_MEMORY;
208         }
209
210         ans->remote_address = tsocket_address_copy(remote_address, ans);
211         if (ans->remote_address == NULL) {
212                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
213                 return NT_STATUS_NO_MEMORY;
214         }
215
216         nt_status = ntlmssp_server_start(ans,
217                                          is_standalone,
218                                          netbios_name,
219                                          netbios_domain,
220                                          dns_name,
221                                          dns_domain,
222                                          &ans->ntlmssp_state);
223         if (!NT_STATUS_IS_OK(nt_status)) {
224                 return nt_status;
225         }
226
227         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
228         if (!NT_STATUS_IS_OK(nt_status)) {
229                 return nt_status;
230         }
231         ans->auth_context = talloc_steal(ans, auth_context);
232
233         ans->ntlmssp_state->callback_private = ans;
234         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
235         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
236         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
237         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
238
239         talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);
240
241         *auth_ntlmssp_state = ans;
242         return NT_STATUS_OK;
243 }
244
245 static int auth_ntlmssp_state_destructor(void *ptr)
246 {
247         struct auth_ntlmssp_state *ans;
248
249         ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
250
251         TALLOC_FREE(ans->remote_address);
252         TALLOC_FREE(ans->server_info);
253         TALLOC_FREE(ans->ntlmssp_state);
254         return 0;
255 }