s3:ntlmssp Split the NTLMSSP server into before and after authentication
[amitay/samba.git] / source4 / auth / ntlmssp / ntlmssp_server.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, client server side parsing
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "../libcli/auth/ntlmssp_ndr.h"
30 #include "../libcli/auth/libcli_auth.h"
31 #include "../lib/crypto/crypto.h"
32 #include "auth/gensec/gensec.h"
33 #include "auth/gensec/gensec_proto.h"
34 #include "auth/auth.h"
35 #include "param/param.h"
36
37 /**
38  * Next state function for the Negotiate packet
39  * 
40  * @param ntlmssp_state NTLMSSP state
41  * @param out_mem_ctx Memory context for *out
42  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
43  * @param out The reply, as an allocated DATA_BLOB, caller to free.
44  * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required. 
45  */
46
47 NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
48                                   TALLOC_CTX *out_mem_ctx, 
49                                   const DATA_BLOB request, DATA_BLOB *reply)
50 {
51         DATA_BLOB struct_blob;
52         uint32_t neg_flags = 0;
53         uint32_t ntlmssp_command, chal_flags;
54         uint8_t cryptkey[8];
55         const char *target_name;
56         NTSTATUS status;
57
58         /* parse the NTLMSSP packet */
59 #if 0
60         file_save("ntlmssp_negotiate.dat", request.data, request.length);
61 #endif
62
63         if (request.length) {
64                 if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
65                                                           "NTLMSSP",
66                                                           &ntlmssp_command,
67                                                           &neg_flags)) {
68                         DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
69                                 (unsigned int)request.length));
70                         dump_data(2, request.data, request.length);
71                         return NT_STATUS_INVALID_PARAMETER;
72                 }
73                 debug_ntlmssp_flags(neg_flags);
74
75                 if (DEBUGLEVEL >= 10) {
76                         struct NEGOTIATE_MESSAGE *negotiate = talloc(
77                                 ntlmssp_state, struct NEGOTIATE_MESSAGE);
78                         if (negotiate != NULL) {
79                                 status = ntlmssp_pull_NEGOTIATE_MESSAGE(
80                                         &request, negotiate, negotiate);
81                                 if (NT_STATUS_IS_OK(status)) {
82                                         NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
83                                                         negotiate);
84                                 }
85                                 TALLOC_FREE(negotiate);
86                         }
87                 }
88         }
89         
90         ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key);
91
92         /* Ask our caller what challenge they would like in the packet */
93         status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
94         if (!NT_STATUS_IS_OK(status)) {
95                 DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n",
96                           nt_errstr(status)));
97                 return status;
98         }
99
100         /* Check if we may set the challenge */
101         if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
102                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
103         }
104
105         /* The flags we send back are not just the negotiated flags,
106          * they are also 'what is in this packet'.  Therfore, we
107          * operate on 'chal_flags' from here on
108          */
109
110         chal_flags = ntlmssp_state->neg_flags;
111
112         /* get the right name to fill in as 'target' */
113         target_name = ntlmssp_target_name(ntlmssp_state,
114                                           neg_flags, &chal_flags);
115         if (target_name == NULL)
116                 return NT_STATUS_INVALID_PARAMETER;
117
118         ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
119         ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
120                                                         cryptkey, 8);
121
122         /* This creates the 'blob' of names that appears at the end of the packet */
123         if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
124         {
125                 msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa",
126                           MsvAvNbDomainName, target_name,
127                           MsvAvNbComputerName, ntlmssp_state->server.netbios_name,
128                           MsvAvDnsDomainName, ntlmssp_state->server.dns_domain,
129                           MsvAvDnsComputerName, ntlmssp_state->server.dns_name,
130                           MsvAvEOL, "");
131         } else {
132                 struct_blob = data_blob_null;
133         }
134
135         {
136                 /* Marshal the packet in the right format, be it unicode or ASCII */
137                 const char *gen_string;
138                 DATA_BLOB version_blob = data_blob_null;
139
140                 if (chal_flags & NTLMSSP_NEGOTIATE_VERSION) {
141                         enum ndr_err_code err;
142                         struct VERSION vers;
143
144                         /* "What Windows returns" as a version number. */
145                         ZERO_STRUCT(vers);
146                         vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
147                         vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
148                         vers.ProductBuild = 0;
149                         vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
150
151                         err = ndr_push_struct_blob(&version_blob,
152                                                 ntlmssp_state,
153                                                 &vers,
154                                                 (ndr_push_flags_fn_t)ndr_push_VERSION);
155
156                         if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
157                                 data_blob_free(&struct_blob);
158                                 return NT_STATUS_NO_MEMORY;
159                         }
160                 }
161
162                 if (ntlmssp_state->unicode) {
163                         gen_string = "CdUdbddBb";
164                 } else {
165                         gen_string = "CdAdbddBb";
166                 }
167
168                 msrpc_gen(out_mem_ctx, reply, gen_string,
169                         "NTLMSSP",
170                         NTLMSSP_CHALLENGE,
171                         target_name,
172                         chal_flags,
173                         cryptkey, 8,
174                         0, 0,
175                         struct_blob.data, struct_blob.length,
176                         version_blob.data, version_blob.length);
177
178                 data_blob_free(&version_blob);
179
180                 if (DEBUGLEVEL >= 10) {
181                         struct CHALLENGE_MESSAGE *challenge = talloc(
182                                 ntlmssp_state, struct CHALLENGE_MESSAGE);
183                         if (challenge != NULL) {
184                                 challenge->NegotiateFlags = chal_flags;
185                                 status = ntlmssp_pull_CHALLENGE_MESSAGE(
186                                         reply, challenge, challenge);
187                                 if (NT_STATUS_IS_OK(status)) {
188                                         NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
189                                                         challenge);
190                                 }
191                                 TALLOC_FREE(challenge);
192                         }
193                 }
194         }
195
196         data_blob_free(&struct_blob);
197
198         ntlmssp_state->expected_state = NTLMSSP_AUTH;
199
200         return NT_STATUS_MORE_PROCESSING_REQUIRED;
201 }
202
203 struct ntlmssp_server_auth_state {
204         DATA_BLOB user_session_key;
205         DATA_BLOB lm_session_key;
206         /* internal variables used by KEY_EXCH (client-supplied user session key */
207         DATA_BLOB encrypted_session_key;
208         bool doing_ntlm2;
209         /* internal variables used by NTLM2 */
210         uint8_t session_nonce[16];
211 };
212
213 /**
214  * Next state function for the Authenticate packet
215  * 
216  * @param ntlmssp_state NTLMSSP State
217  * @param request The request, as a DATA_BLOB
218  * @return Errors or NT_STATUS_OK. 
219  */
220
221 static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
222                                        struct ntlmssp_server_auth_state *state,
223                                        const DATA_BLOB request) 
224 {
225         uint32_t ntlmssp_command, auth_flags;
226         NTSTATUS nt_status;
227
228         uint8_t session_nonce_hash[16];
229
230         const char *parse_string;
231
232 #if 0
233         file_save("ntlmssp_auth.dat", request.data, request.length);
234 #endif
235
236         if (ntlmssp_state->unicode) {
237                 parse_string = "CdBBUUUBd";
238         } else {
239                 parse_string = "CdBBAAABd";
240         }
241
242         /* zero these out */
243         data_blob_free(&ntlmssp_state->session_key);
244         data_blob_free(&ntlmssp_state->lm_resp);
245         data_blob_free(&ntlmssp_state->nt_resp);
246
247         ntlmssp_state->user = NULL;
248         ntlmssp_state->domain = NULL;
249         ntlmssp_state->client.netbios_name = NULL;
250
251         /* now the NTLMSSP encoded auth hashes */
252         if (!msrpc_parse(ntlmssp_state, &request, parse_string,
253                          "NTLMSSP",
254                          &ntlmssp_command,
255                          &ntlmssp_state->lm_resp,
256                          &ntlmssp_state->nt_resp,
257                          &ntlmssp_state->domain,
258                          &ntlmssp_state->user,
259                          &ntlmssp_state->client.netbios_name,
260                          &state->encrypted_session_key,
261                          &auth_flags)) {
262                 DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
263                 dump_data(10, request.data, request.length);
264
265                 /* zero this out */
266                 data_blob_free(&state->encrypted_session_key);
267                 auth_flags = 0;
268                 
269                 /* Try again with a shorter string (Win9X truncates this packet) */
270                 if (ntlmssp_state->unicode) {
271                         parse_string = "CdBBUUU";
272                 } else {
273                         parse_string = "CdBBAAA";
274                 }
275
276                 /* now the NTLMSSP encoded auth hashes */
277                 if (!msrpc_parse(ntlmssp_state, &request, parse_string,
278                                  "NTLMSSP",
279                                  &ntlmssp_command,
280                                  &ntlmssp_state->lm_resp,
281                                  &ntlmssp_state->nt_resp,
282                                  &ntlmssp_state->domain,
283                                  &ntlmssp_state->user,
284                                  &ntlmssp_state->client.netbios_name)) {
285                         DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
286                         dump_data(2, request.data, request.length);
287
288                         return NT_STATUS_INVALID_PARAMETER;
289                 }
290         }
291
292         talloc_steal(state, state->encrypted_session_key.data);
293
294         if (auth_flags)
295                 ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
296
297         if (DEBUGLEVEL >= 10) {
298                 struct AUTHENTICATE_MESSAGE *authenticate = talloc(
299                         ntlmssp_state, struct AUTHENTICATE_MESSAGE);
300                 if (authenticate != NULL) {
301                         NTSTATUS status;
302                         authenticate->NegotiateFlags = auth_flags;
303                         status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
304                                 &request, authenticate, authenticate);
305                         if (NT_STATUS_IS_OK(status)) {
306                                 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
307                                                 authenticate);
308                         }
309                         TALLOC_FREE(authenticate);
310                 }
311         }
312
313         DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
314                  ntlmssp_state->user, ntlmssp_state->domain,
315                  ntlmssp_state->client.netbios_name,
316                  (unsigned long)ntlmssp_state->lm_resp.length,
317                  (unsigned long)ntlmssp_state->nt_resp.length));
318
319 #if 0
320         file_save("nthash1.dat",  &ntlmssp_state->nt_resp.data,  &ntlmssp_state->nt_resp.length);
321         file_save("lmhash1.dat",  &ntlmssp_state->lm_resp.data,  &ntlmssp_state->lm_resp.length);
322 #endif
323
324         /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
325            client challenge
326
327            However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
328         */
329         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
330                 if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
331                         struct MD5Context md5_session_nonce_ctx;
332                         state->doing_ntlm2 = true;
333
334                         memcpy(state->session_nonce, ntlmssp_state->internal_chal.data, 8);
335                         memcpy(&state->session_nonce[8], ntlmssp_state->lm_resp.data, 8);
336                         
337                         SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
338
339                         MD5Init(&md5_session_nonce_ctx);
340                         MD5Update(&md5_session_nonce_ctx, state->session_nonce, 16);
341                         MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
342
343                         ntlmssp_state->chal = data_blob_talloc(
344                                 ntlmssp_state, session_nonce_hash, 8);
345
346                         /* LM response is no longer useful */
347                         data_blob_free(&ntlmssp_state->lm_resp);
348
349                         /* We changed the effective challenge - set it */
350                         if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
351                                 return nt_status;
352                         }
353
354                         /* LM Key is incompatible. */
355                         ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
356                 }
357         }
358         return NT_STATUS_OK;
359 }
360
361 /**
362  * Next state function for the Authenticate packet 
363  * (after authentication - figures out the session keys etc)
364  * 
365  * @param ntlmssp_state NTLMSSP State
366  * @return Errors or NT_STATUS_OK. 
367  */
368
369 static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
370                                         struct ntlmssp_server_auth_state *state)
371 {
372         DATA_BLOB user_session_key = state->user_session_key;
373         DATA_BLOB lm_session_key = state->lm_session_key;
374         NTSTATUS nt_status;
375         DATA_BLOB session_key = data_blob(NULL, 0);
376
377         dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
378         dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
379
380         /* Handle the different session key derivation for NTLM2 */
381         if (state->doing_ntlm2) {
382                 if (user_session_key.data && user_session_key.length == 16) {
383                         session_key = data_blob_talloc(ntlmssp_state,
384                                                        NULL, 16);
385                         hmac_md5(user_session_key.data, state->session_nonce,
386                                  sizeof(state->session_nonce), session_key.data);
387                         DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
388                         dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
389
390                 } else {
391                         DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
392                         session_key = data_blob_null;
393                 }
394         } else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
395                 /* Ensure we can never get here on NTLMv2 */
396                 && (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) {
397
398                 if (lm_session_key.data && lm_session_key.length >= 8) {
399                         if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
400                                 session_key = data_blob_talloc(ntlmssp_state,
401                                                                NULL, 16);
402                                 if (session_key.data == NULL) {
403                                         return NT_STATUS_NO_MEMORY;
404                                 }
405                                 SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
406                                                           session_key.data);
407                                 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
408                         } else {
409                                 static const uint8_t zeros[24] = {0, };
410                                 session_key = data_blob_talloc(
411                                         ntlmssp_state, NULL, 16);
412                                 if (session_key.data == NULL) {
413                                         return NT_STATUS_NO_MEMORY;
414                                 }
415                                 SMBsesskeygen_lm_sess_key(zeros, zeros, 
416                                                           session_key.data);
417                                 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
418                         }
419                         dump_data_pw("LM session key:\n", session_key.data,
420                                      session_key.length);
421                 } else {
422                         /* LM Key not selected */
423                         ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
424
425                         DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
426                         session_key = data_blob_null;
427                 }
428
429         } else if (user_session_key.data) {
430                 session_key = user_session_key;
431                 DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
432                 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
433
434                 /* LM Key not selected */
435                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
436
437         } else if (lm_session_key.data) {
438                 /* Very weird to have LM key, but no user session key, but anyway.. */
439                 session_key = lm_session_key;
440                 DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
441                 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
442
443                 /* LM Key not selected */
444                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
445
446         } else {
447                 DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
448                 session_key = data_blob_null;
449
450                 /* LM Key not selected */
451                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
452         }
453
454         /* With KEY_EXCH, the client supplies the proposed session key,
455            but encrypts it with the long-term key */
456         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
457                 if (!state->encrypted_session_key.data
458                     || state->encrypted_session_key.length != 16) {
459                         data_blob_free(&state->encrypted_session_key);
460                         DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n", 
461                                   (unsigned)state->encrypted_session_key.length));
462                         return NT_STATUS_INVALID_PARAMETER;
463                 } else if (!session_key.data || session_key.length != 16) {
464                         DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
465                                   (unsigned int)session_key.length));
466                         ntlmssp_state->session_key = session_key;
467                 } else {
468                         dump_data_pw("KEY_EXCH session key (enc):\n", 
469                                      state->encrypted_session_key.data,
470                                      state->encrypted_session_key.length);
471                         arcfour_crypt(state->encrypted_session_key.data,
472                                       session_key.data, 
473                                       state->encrypted_session_key.length);
474                         ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state,
475                                                                       state->encrypted_session_key.data,
476                                                                       state->encrypted_session_key.length);
477                         dump_data_pw("KEY_EXCH session key:\n",
478                                      state->encrypted_session_key.data,
479                                      state->encrypted_session_key.length);
480                         talloc_free(session_key.data);
481                 }
482         } else {
483                 ntlmssp_state->session_key = session_key;
484         }
485
486         if (ntlmssp_state->session_key.length) {
487                 nt_status = ntlmssp_sign_init(ntlmssp_state);
488         }
489
490         ntlmssp_state->expected_state = NTLMSSP_DONE;
491
492         return nt_status;
493 }
494
495
496 /**
497  * Next state function for the Authenticate packet
498  * 
499  * @param gensec_security GENSEC state
500  * @param out_mem_ctx Memory context for *out
501  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
502  * @param out The reply, as an allocated DATA_BLOB, caller to free.
503  * @return Errors or NT_STATUS_OK if authentication sucessful
504  */
505
506 NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
507                              TALLOC_CTX *out_mem_ctx, 
508                              const DATA_BLOB in, DATA_BLOB *out) 
509 {       
510         struct ntlmssp_server_auth_state *state;
511         NTSTATUS nt_status;
512
513         /* zero the outbound NTLMSSP packet */
514         *out = data_blob_null;
515
516         state = talloc_zero(ntlmssp_state, struct ntlmssp_server_auth_state);
517         if (state == NULL) {
518                 return NT_STATUS_NO_MEMORY;
519         }
520
521         nt_status = ntlmssp_server_preauth(ntlmssp_state, state, in);
522         if (!NT_STATUS_IS_OK(nt_status)) {
523                 TALLOC_FREE(state);
524                 return nt_status;
525         }
526
527         /*
528          * Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
529          * is required (by "ntlm auth = no" and "lm auth = no" being set in the
530          * smb.conf file) and no NTLMv2 response was sent then the password check
531          * will fail here. JRA.
532          */
533
534         /* Finally, actually ask if the password is OK */
535         nt_status = ntlmssp_state->check_password(ntlmssp_state,
536                                                   &state->user_session_key,
537                                                   &state->lm_session_key);
538         if (!NT_STATUS_IS_OK(nt_status)) {
539                 TALLOC_FREE(state);
540                 return nt_status;
541         }
542
543         /* When we get more async in the auth code behind
544            ntlmssp_state->check_password, the ntlmssp_server_postpath
545            can be done in a callback */
546
547         nt_status = ntlmssp_server_postauth(ntlmssp_state, state);
548         if (!NT_STATUS_IS_OK(nt_status)) {
549                 TALLOC_FREE(state);
550                 return nt_status;
551         }
552
553         TALLOC_FREE(state);
554         return NT_STATUS_OK;
555 }
556
557 /**
558  * Next state function for the Negotiate packet (GENSEC wrapper)
559  *
560  * @param gensec_security GENSEC state
561  * @param out_mem_ctx Memory context for *out
562  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
563  * @param out The reply, as an allocated DATA_BLOB, caller to free.
564  * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
565  */
566
567 NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
568                                          TALLOC_CTX *out_mem_ctx,
569                                          const DATA_BLOB request, DATA_BLOB *reply)
570 {
571         struct gensec_ntlmssp_context *gensec_ntlmssp =
572                 talloc_get_type_abort(gensec_security->private_data,
573                                       struct gensec_ntlmssp_context);
574         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
575         return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply);
576 }
577
578 /**
579  * Next state function for the Authenticate packet (GENSEC wrapper)
580  *
581  * @param gensec_security GENSEC state
582  * @param out_mem_ctx Memory context for *out
583  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
584  * @param out The reply, as an allocated DATA_BLOB, caller to free.
585  * @return Errors or NT_STATUS_OK if authentication sucessful
586  */
587
588 NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
589                                     TALLOC_CTX *out_mem_ctx,
590                                     const DATA_BLOB in, DATA_BLOB *out)
591 {
592         struct gensec_ntlmssp_context *gensec_ntlmssp =
593                 talloc_get_type_abort(gensec_security->private_data,
594                                       struct gensec_ntlmssp_context);
595         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
596         return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
597 };
598
599 /**
600  * Return the challenge as determined by the authentication subsystem 
601  * @return an 8 byte random challenge
602  */
603
604 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
605                                            uint8_t chal[8])
606 {
607         struct gensec_ntlmssp_context *gensec_ntlmssp =
608                 talloc_get_type_abort(ntlmssp_state->callback_private,
609                                       struct gensec_ntlmssp_context);
610         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
611         NTSTATUS status;
612
613         status = auth_context->get_challenge(auth_context, chal);
614         if (!NT_STATUS_IS_OK(status)) {
615                 DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
616                         nt_errstr(status)));
617                 return status;
618         }
619
620         return NT_STATUS_OK;
621 }
622
623 /**
624  * Some authentication methods 'fix' the challenge, so we may not be able to set it
625  *
626  * @return If the effective challenge used by the auth subsystem may be modified
627  */
628 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
629 {
630         struct gensec_ntlmssp_context *gensec_ntlmssp =
631                 talloc_get_type_abort(ntlmssp_state->callback_private,
632                                       struct gensec_ntlmssp_context);
633         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
634
635         return auth_context->challenge_may_be_modified(auth_context);
636 }
637
638 /**
639  * NTLM2 authentication modifies the effective challenge, 
640  * @param challenge The new challenge value
641  */
642 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
643 {
644         struct gensec_ntlmssp_context *gensec_ntlmssp =
645                 talloc_get_type_abort(ntlmssp_state->callback_private,
646                                       struct gensec_ntlmssp_context);
647         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
648         NTSTATUS nt_status;
649         const uint8_t *chal;
650
651         if (challenge->length != 8) {
652                 return NT_STATUS_INVALID_PARAMETER;
653         }
654
655         chal = challenge->data;
656
657         nt_status = auth_context->set_challenge(auth_context,
658                                                 chal,
659                                                 "NTLMSSP callback (NTLM2)");
660
661         return nt_status;
662 }
663
664 /**
665  * Check the password on an NTLMSSP login.  
666  *
667  * Return the session keys used on the connection.
668  */
669
670 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
671                                             DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
672 {
673         struct gensec_ntlmssp_context *gensec_ntlmssp =
674                 talloc_get_type_abort(ntlmssp_state->callback_private,
675                                       struct gensec_ntlmssp_context);
676         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
677         NTSTATUS nt_status;
678         struct auth_usersupplied_info *user_info;
679
680         user_info = talloc(ntlmssp_state, struct auth_usersupplied_info);
681         if (!user_info) {
682                 return NT_STATUS_NO_MEMORY;
683         }
684
685         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
686         user_info->flags = 0;
687         user_info->mapped_state = false;
688         user_info->client.account_name = ntlmssp_state->user;
689         user_info->client.domain_name = ntlmssp_state->domain;
690         user_info->workstation_name = ntlmssp_state->client.netbios_name;
691         user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
692
693         user_info->password_state = AUTH_PASSWORD_RESPONSE;
694         user_info->password.response.lanman = ntlmssp_state->lm_resp;
695         user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
696         user_info->password.response.nt = ntlmssp_state->nt_resp;
697         user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
698
699         nt_status = auth_context->check_password(auth_context,
700                                                  gensec_ntlmssp,
701                                                  user_info,
702                                                  &gensec_ntlmssp->server_info);
703         talloc_free(user_info);
704         NT_STATUS_NOT_OK_RETURN(nt_status);
705
706         if (gensec_ntlmssp->server_info->user_session_key.length) {
707                 DEBUG(10, ("Got NT session key of length %u\n",
708                            (unsigned)gensec_ntlmssp->server_info->user_session_key.length));
709                 *user_session_key = gensec_ntlmssp->server_info->user_session_key;
710         }
711         if (gensec_ntlmssp->server_info->lm_session_key.length) {
712                 DEBUG(10, ("Got LM session key of length %u\n",
713                            (unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
714                 *lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
715         }
716         return nt_status;
717 }
718
719 /** 
720  * Return the credentials of a logged on user, including session keys
721  * etc.
722  *
723  * Only valid after a successful authentication
724  *
725  * May only be called once per authentication.
726  *
727  */
728
729 NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
730                                      struct auth_session_info **session_info) 
731 {
732         NTSTATUS nt_status;
733         struct gensec_ntlmssp_context *gensec_ntlmssp =
734                 talloc_get_type_abort(gensec_security->private_data,
735                                       struct gensec_ntlmssp_context);
736         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
737
738         nt_status = gensec_generate_session_info(ntlmssp_state,
739                                                  gensec_security,
740                                                  gensec_ntlmssp->server_info,
741                                                  session_info);
742         NT_STATUS_NOT_OK_RETURN(nt_status);
743
744         (*session_info)->session_key = data_blob_talloc(*session_info, 
745                                                         ntlmssp_state->session_key.data,
746                                                         ntlmssp_state->session_key.length);
747
748         return NT_STATUS_OK;
749 }
750
751 /**
752  * Start NTLMSSP on the server side 
753  *
754  */
755 NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
756 {
757         NTSTATUS nt_status;
758         struct ntlmssp_state *ntlmssp_state;
759         struct gensec_ntlmssp_context *gensec_ntlmssp;
760
761         nt_status = gensec_ntlmssp_start(gensec_security);
762         NT_STATUS_NOT_OK_RETURN(nt_status);
763
764         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
765                                                struct gensec_ntlmssp_context);
766         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
767
768         ntlmssp_state->role = NTLMSSP_SERVER;
769
770         ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
771
772         ntlmssp_state->allow_lm_key = (lpcfg_lanman_auth(gensec_security->settings->lp_ctx)
773                                           && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
774
775         ntlmssp_state->neg_flags =
776                 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
777
778         ntlmssp_state->lm_resp = data_blob(NULL, 0);
779         ntlmssp_state->nt_resp = data_blob(NULL, 0);
780
781         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
782                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
783         }
784
785         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
786                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
787         }
788
789         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
790                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
791         }
792
793         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
794                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
795         }
796
797         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
798                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
799         }
800
801         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
802                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
803         }
804         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
805                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
806         }
807
808         gensec_ntlmssp->auth_context = gensec_security->auth_context;
809
810         ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
811         ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
812         ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
813         ntlmssp_state->check_password = auth_ntlmssp_check_password;
814         if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
815                 ntlmssp_state->server.is_standalone = true;
816         } else {
817                 ntlmssp_state->server.is_standalone = false;
818         }
819
820         ntlmssp_state->server.netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
821
822         ntlmssp_state->server.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
823
824         {
825                 char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
826
827                 /* Find out the DNS domain name */
828                 dnsdomname[0] = '\0';
829                 safe_strcpy(dnsdomname, lpcfg_dnsdomain(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
830
831                 /* Find out the DNS host name */
832                 safe_strcpy(dnsname, ntlmssp_state->server.netbios_name, sizeof(dnsname) - 1);
833                 if (dnsdomname[0] != '\0') {
834                         safe_strcat(dnsname, ".", sizeof(dnsname) - 1);
835                         safe_strcat(dnsname, dnsdomname, sizeof(dnsname) - 1);
836                 }
837                 strlower_m(dnsname);
838
839                 ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state,
840                                                                       dnsname);
841                 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
842
843                 ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state,
844                                                                         dnsdomname);
845                 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
846         }
847
848         return NT_STATUS_OK;
849 }
850