auth/ntlmssp/ntlmssp_client.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, client server side parsing
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 struct auth_session_info;
  25
  26 #include "includes.h"
  27 #include "auth/ntlmssp/ntlmssp.h"
  28 #include "../lib/crypto/crypto.h"
  29 #include "../libcli/auth/libcli_auth.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "auth/gensec/gensec.h"
  32 #include "param/param.h"
  33 #include "auth/ntlmssp/ntlmssp_private.h"
  34 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
  35 #include "../auth/ntlmssp/ntlmssp_ndr.h"
  36
  37 /*********************************************************************
  38  Client side NTLMSSP
  39 *********************************************************************/
  40
  41 /**
  42  * Next state function for the Initial packet
  43  *
  44  * @param ntlmssp_state NTLMSSP State
  45  * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
  46  * @param in A NULL data blob (input ignored)
  47  * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
  48  * @return Errors or NT_STATUS_OK.
  49  */
  50
  51 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
  52                                 TALLOC_CTX *out_mem_ctx,
  53                                 DATA_BLOB in, DATA_BLOB *out)
  54 {
  55         struct gensec_ntlmssp_context *gensec_ntlmssp =
  56                 talloc_get_type_abort(gensec_security->private_data,
  57                                       struct gensec_ntlmssp_context);
  58         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
  59         const char *domain = ntlmssp_state->client.netbios_domain;
  60         const char *workstation = ntlmssp_state->client.netbios_name;
  61         NTSTATUS status;
  62
  63         /* These don't really matter in the initial packet, so don't panic if they are not set */
  64         if (!domain) {
  65                 domain = "";
  66         }
  67
  68         if (!workstation) {
  69                 workstation = "";
  70         }
  71
  72         if (ntlmssp_state->unicode) {
  73                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
  74         } else {
  75                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
  76         }
  77
  78         if (ntlmssp_state->use_ntlmv2) {
  79                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
  80         }
  81
  82         /* generate the ntlmssp negotiate packet */
  83         status = msrpc_gen(out_mem_ctx,
  84                   out, "CddAA",
  85                   "NTLMSSP",
  86                   NTLMSSP_NEGOTIATE,
  87                   ntlmssp_state->neg_flags,
  88                   domain,
  89                   workstation);
  90
  91         if (!NT_STATUS_IS_OK(status)) {
  92                 DEBUG(0, ("ntlmssp_client_initial: failed to generate "
  93                           "ntlmssp negotiate packet\n"));
  94                 return status;
  95         }
  96
  97         if (DEBUGLEVEL >= 10) {
  98                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
  99                         talloc_tos(), struct NEGOTIATE_MESSAGE);
 100                 if (negotiate != NULL) {
 101                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
 102                                 out, negotiate, negotiate);
 103                         if (NT_STATUS_IS_OK(status)) {
 104                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
 105                                                 negotiate);
 106                         }
 107                         TALLOC_FREE(negotiate);
 108                 }
 109         }
 110
 111         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
 112
 113         return NT_STATUS_MORE_PROCESSING_REQUIRED;
 114 }
 115
 116 /**
 117  * Next state function for the Challenge Packet.  Generate an auth packet.
 118  *
 119  * @param gensec_security GENSEC state
 120  * @param out_mem_ctx Memory context for *out
 121  * @param in The server challnege, as a DATA_BLOB.  reply.data must be NULL
 122  * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
 123  * @return Errors or NT_STATUS_OK.
 124  */
 125
 126 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 127                                   TALLOC_CTX *out_mem_ctx,
 128                                   const DATA_BLOB in, DATA_BLOB *out)
 129 {
 130         struct gensec_ntlmssp_context *gensec_ntlmssp =
 131                 talloc_get_type_abort(gensec_security->private_data,
 132                                       struct gensec_ntlmssp_context);
 133         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 134         uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
 135         DATA_BLOB server_domain_blob;
 136         DATA_BLOB challenge_blob;
 137         DATA_BLOB target_info = data_blob(NULL, 0);
 138         char *server_domain;
 139         const char *chal_parse_string;
 140         const char *auth_gen_string;
 141         DATA_BLOB lm_response = data_blob(NULL, 0);
 142         DATA_BLOB nt_response = data_blob(NULL, 0);
 143         DATA_BLOB session_key = data_blob(NULL, 0);
 144         DATA_BLOB lm_session_key = data_blob(NULL, 0);
 145         DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
 146         NTSTATUS nt_status;
 147         int flags = 0;
 148         const char *user, *domain;
 149
 150         TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 151         if (!mem_ctx) {
 152                 return NT_STATUS_NO_MEMORY;
 153         }
 154
 155         if (!msrpc_parse(mem_ctx,
 156                          &in, "CdBd",
 157                          "NTLMSSP",
 158                          &ntlmssp_command,
 159                          &server_domain_blob,
 160                          &chal_flags)) {
 161                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
 162                 dump_data(2, in.data, in.length);
 163                 talloc_free(mem_ctx);
 164
 165                 return NT_STATUS_INVALID_PARAMETER;
 166         }
 167
 168         data_blob_free(&server_domain_blob);
 169
 170         DEBUG(3, ("Got challenge flags:\n"));
 171         debug_ntlmssp_flags(chal_flags);
 172
 173         ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key);
 174
 175         if (ntlmssp_state->unicode) {
 176                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 177                         chal_parse_string = "CdUdbddB";
 178                 } else {
 179                         chal_parse_string = "CdUdbdd";
 180                 }
 181                 auth_gen_string = "CdBBUUUBd";
 182         } else {
 183                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 184                         chal_parse_string = "CdAdbddB";
 185                 } else {
 186                         chal_parse_string = "CdAdbdd";
 187                 }
 188
 189                 auth_gen_string = "CdBBAAABd";
 190         }
 191
 192         if (!msrpc_parse(mem_ctx,
 193                          &in, chal_parse_string,
 194                          "NTLMSSP",
 195                          &ntlmssp_command,
 196                          &server_domain,
 197                          &chal_flags,
 198                          &challenge_blob, 8,
 199                          &unkn1, &unkn2,
 200                          &target_info)) {
 201                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
 202                 dump_data(2, in.data, in.length);
 203                 talloc_free(mem_ctx);
 204                 return NT_STATUS_INVALID_PARAMETER;
 205         }
 206
 207         if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
 208                 ntlmssp_state->server.is_standalone = true;
 209         } else {
 210                 ntlmssp_state->server.is_standalone = false;
 211         }
 212         /* TODO: parse struct_blob and fill in the rest */
 213         ntlmssp_state->server.netbios_name = "";
 214         ntlmssp_state->server.netbios_domain = server_domain;
 215         ntlmssp_state->server.dns_name = "";
 216         ntlmssp_state->server.dns_domain = "";
 217
 218         if (challenge_blob.length != 8) {
 219                 talloc_free(mem_ctx);
 220                 return NT_STATUS_INVALID_PARAMETER;
 221         }
 222
 223         cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
 224                                                  &user, &domain);
 225
 226         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 227                 flags |= CLI_CRED_NTLM2;
 228         }
 229         if (ntlmssp_state->use_ntlmv2) {
 230                 flags |= CLI_CRED_NTLMv2_AUTH;
 231         }
 232         if (ntlmssp_state->use_nt_response) {
 233                 flags |= CLI_CRED_NTLM_AUTH;
 234         }
 235         if (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)) {
 236                 flags |= CLI_CRED_LANMAN_AUTH;
 237         }
 238
 239         nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
 240                                                       &flags, challenge_blob, target_info,
 241                                                       &lm_response, &nt_response,
 242                                                       &lm_session_key, &session_key);
 243
 244         if (!NT_STATUS_IS_OK(nt_status)) {
 245                 return nt_status;
 246         }
 247
 248         if (!(flags & CLI_CRED_LANMAN_AUTH)) {
 249                 /* LM Key is still possible, just silly, so we do not
 250                  * allow it. Fortunetly all LM crypto is off by
 251                  * default and we require command line options to end
 252                  * up here */
 253                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 254         }
 255
 256         if (!(flags & CLI_CRED_NTLM2)) {
 257                 /* NTLM2 is incompatible... */
 258                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 259         }
 260
 261         if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
 262             && lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
 263                 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 264                 if (lm_response.length == 24) {
 265                         SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
 266                                                   new_session_key.data);
 267                 } else {
 268                         static const uint8_t zeros[24];
 269                         SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
 270                                                   new_session_key.data);
 271                 }
 272                 session_key = new_session_key;
 273                 dump_data_pw("LM session key\n", session_key.data, session_key.length);
 274         }
 275
 276
 277         /* Key exchange encryptes a new client-generated session key with
 278            the password-derived key */
 279         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
 280                 /* Make up a new session key */
 281                 uint8_t client_session_key[16];
 282                 generate_secret_buffer(client_session_key, sizeof(client_session_key));
 283
 284                 /* Encrypt the new session key with the old one */
 285                 encrypted_session_key = data_blob_talloc(ntlmssp_state,
 286                                                          client_session_key, sizeof(client_session_key));
 287                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
 288                 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
 289                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
 290
 291                 /* Mark the new session key as the 'real' session key */
 292                 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
 293         }
 294
 295         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
 296         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
 297
 298         /* this generates the actual auth packet */
 299         nt_status = msrpc_gen(mem_ctx,
 300                        out, auth_gen_string,
 301                        "NTLMSSP",
 302                        NTLMSSP_AUTH,
 303                        lm_response.data, lm_response.length,
 304                        nt_response.data, nt_response.length,
 305                        domain,
 306                        user,
 307                        cli_credentials_get_workstation(gensec_security->credentials),
 308                        encrypted_session_key.data, encrypted_session_key.length,
 309                        ntlmssp_state->neg_flags);
 310         if (!NT_STATUS_IS_OK(nt_status)) {
 311                 talloc_free(mem_ctx);
 312                 return nt_status;
 313         }
 314
 315         ntlmssp_state->session_key = session_key;
 316         talloc_steal(ntlmssp_state, session_key.data);
 317
 318         talloc_steal(out_mem_ctx, out->data);
 319
 320         ntlmssp_state->chal = challenge_blob;
 321         ntlmssp_state->lm_resp = lm_response;
 322         talloc_steal(ntlmssp_state->lm_resp.data, lm_response.data);
 323         ntlmssp_state->nt_resp = nt_response;
 324         talloc_steal(ntlmssp_state->nt_resp.data, nt_response.data);
 325
 326         ntlmssp_state->expected_state = NTLMSSP_DONE;
 327
 328         if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
 329                 nt_status = ntlmssp_sign_init(ntlmssp_state);
 330                 if (!NT_STATUS_IS_OK(nt_status)) {
 331                         DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
 332                                   nt_errstr(nt_status)));
 333                         talloc_free(mem_ctx);
 334                         return nt_status;
 335                 }
 336         }
 337
 338         talloc_free(mem_ctx);
 339         return NT_STATUS_OK;
 340 }
 341
 342 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 343 {
 344         struct gensec_ntlmssp_context *gensec_ntlmssp;
 345         struct ntlmssp_state *ntlmssp_state;
 346         NTSTATUS nt_status;
 347
 348         nt_status = gensec_ntlmssp_start(gensec_security);
 349         NT_STATUS_NOT_OK_RETURN(nt_status);
 350
 351         gensec_ntlmssp =
 352                 talloc_get_type_abort(gensec_security->private_data,
 353                                       struct gensec_ntlmssp_context);
 354
 355         ntlmssp_state = talloc_zero(gensec_ntlmssp,
 356                                     struct ntlmssp_state);
 357         if (!ntlmssp_state) {
 358                 return NT_STATUS_NO_MEMORY;
 359         }
 360
 361         ntlmssp_state->callback_private = gensec_ntlmssp;
 362
 363         gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
 364
 365         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 366
 367         ntlmssp_state->role = NTLMSSP_CLIENT;
 368
 369         ntlmssp_state->client.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
 370         ntlmssp_state->client.netbios_name = cli_credentials_get_workstation(gensec_security->credentials);
 371
 372         ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
 373
 374         ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
 375
 376         ntlmssp_state->allow_lm_key = (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)
 377                                               && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
 378                                                   || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
 379
 380         ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
 381
 382         ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 383
 384         ntlmssp_state->neg_flags =
 385                 NTLMSSP_NEGOTIATE_NTLM |
 386                 NTLMSSP_REQUEST_TARGET;
 387
 388         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
 389                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
 390         }
 391
 392         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) {
 393                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
 394         }
 395
 396         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) {
 397                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 398         }
 399
 400         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) {
 401                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
 402         }
 403
 404         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) {
 405                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 406         }
 407
 408         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) {
 409                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 410         } else {
 411                 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
 412                 ntlmssp_state->use_ntlmv2 = false;
 413         }
 414
 415         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 416                 /*
 417                  * We need to set this to allow a later SetPassword
 418                  * via the SAMR pipe to succeed. Strange.... We could
 419                  * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
 420                  *
 421                  * Without this, Windows will not create the master key
 422                  * that it thinks is only used for NTLMSSP signing and
 423                  * sealing.  (It is actually pulled out and used directly)
 424                  */
 425                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 426         }
 427         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 428                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 429         }
 430         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 431                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 432                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 433         }
 434
 435         return NT_STATUS_OK;
 436 }