git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking...
[samba.git] / auth / ntlmssp / ntlmssp_client.c
1 /*
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, client server side parsing
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 struct auth_session_info;
25
26 #include "includes.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "../lib/crypto/crypto.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/gensec/gensec.h"
32 #include "auth/gensec/gensec_internal.h"
33 #include "param/param.h"
34 #include "auth/ntlmssp/ntlmssp_private.h"
35 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
36 #include "../auth/ntlmssp/ntlmssp_ndr.h"
37 #include "../nsswitch/libwbclient/wbclient.h"
38
39 /*********************************************************************
40  Client side NTLMSSP
41 *********************************************************************/
42
43 /**
44  * Next state function for the Initial packet
45  *
46  * @param ntlmssp_state NTLMSSP State
47  * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
48  * @param in A NULL data blob (input ignored)
49  * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
50  * @return Errors or NT_STATUS_OK.
51  */
52
53 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
54                                 TALLOC_CTX *out_mem_ctx,
55                                 DATA_BLOB in, DATA_BLOB *out)
56 {
57         struct gensec_ntlmssp_context *gensec_ntlmssp =
58                 talloc_get_type_abort(gensec_security->private_data,
59                                       struct gensec_ntlmssp_context);
60         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
61         NTSTATUS status;
62         const DATA_BLOB version_blob = ntlmssp_version_blob();
63
64         /* generate the ntlmssp negotiate packet */
65         status = msrpc_gen(out_mem_ctx,
66                   out, "CddAAb",
67                   "NTLMSSP",
68                   NTLMSSP_NEGOTIATE,
69                   ntlmssp_state->neg_flags,
70                   "", /* domain */
71                   "", /* workstation */
72                   version_blob.data, version_blob.length);
73         if (!NT_STATUS_IS_OK(status)) {
74                 DEBUG(0, ("ntlmssp_client_initial: failed to generate "
75                           "ntlmssp negotiate packet\n"));
76                 return status;
77         }
78
79         if (DEBUGLEVEL >= 10) {
80                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
81                         ntlmssp_state, struct NEGOTIATE_MESSAGE);
82                 if (negotiate != NULL) {
83                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
84                                 out, negotiate, negotiate);
85                         if (NT_STATUS_IS_OK(status)) {
86                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
87                                                 negotiate);
88                         }
89                         TALLOC_FREE(negotiate);
90                 }
91         }
92
93         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
94
95         return NT_STATUS_MORE_PROCESSING_REQUIRED;
96 }
97
98 NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
99                                 TALLOC_CTX *out_mem_ctx,
100                                 DATA_BLOB in, DATA_BLOB *out)
101 {
102         struct gensec_ntlmssp_context *gensec_ntlmssp =
103                 talloc_get_type_abort(gensec_security->private_data,
104                                       struct gensec_ntlmssp_context);
105         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
106         uint32_t neg_flags = 0;
107         uint32_t ntlmssp_command;
108         NTSTATUS status;
109         bool ok;
110
111         *out = data_blob_null;
112
113         if (in.length == 0) {
114                 /*
115                  * This is compat code for older callers
116                  * which were missing the "initial_blob"
117                  */
118                 ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
119                 ntlmssp_state->required_flags = 0;
120                 ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
121                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
122         }
123
124         /* parse the NTLMSSP packet */
125
126         if (in.length > UINT16_MAX) {
127                 DEBUG(1, ("%s: reject large request of length %u\n",
128                         __func__, (unsigned int)in.length));
129                 return NT_STATUS_INVALID_PARAMETER;
130         }
131
132         ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
133                          "NTLMSSP",
134                          &ntlmssp_command,
135                          &neg_flags);
136         if (!ok) {
137                 DEBUG(1, ("%s: failed to parse NTLMSSP Negotiate of length %u\n",
138                         __func__, (unsigned int)in.length));
139                 dump_data(2, in.data, in.length);
140                 return NT_STATUS_INVALID_PARAMETER;
141         }
142
143         if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
144                 DEBUG(1, ("%s: no NTLMSSP Negotiate message (length %u)\n",
145                         __func__, (unsigned int)in.length));
146                 dump_data(2, in.data, in.length);
147                 return NT_STATUS_INVALID_PARAMETER;
148         }
149
150         ntlmssp_state->neg_flags = neg_flags;
151         DEBUG(3, ("Imported Negotiate flags:\n"));
152         debug_ntlmssp_flags(neg_flags);
153
154         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
155                 ntlmssp_state->unicode = true;
156         } else {
157                 ntlmssp_state->unicode = false;
158         }
159
160         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
161                 gensec_security->want_features |= GENSEC_FEATURE_SIGN;
162
163                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
164         }
165
166         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
167                 gensec_security->want_features |= GENSEC_FEATURE_SEAL;
168
169                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
170                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
171         }
172
173         ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
174         ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
175
176         if (DEBUGLEVEL >= 10) {
177                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
178                         ntlmssp_state, struct NEGOTIATE_MESSAGE);
179                 if (negotiate != NULL) {
180                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
181                                 &in, negotiate, negotiate);
182                         if (NT_STATUS_IS_OK(status)) {
183                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
184                                                 negotiate);
185                         }
186                         TALLOC_FREE(negotiate);
187                 }
188         }
189
190         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
191
192         return NT_STATUS_MORE_PROCESSING_REQUIRED;
193 }
194
195 /**
196  * Next state function for the Challenge Packet.  Generate an auth packet.
197  *
198  * @param gensec_security GENSEC state
199  * @param out_mem_ctx Memory context for *out
200  * @param in The server challnege, as a DATA_BLOB.  reply.data must be NULL
201  * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
202  * @return Errors or NT_STATUS_OK.
203  */
204
205 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
206                                   TALLOC_CTX *out_mem_ctx,
207                                   const DATA_BLOB in, DATA_BLOB *out)
208 {
209         struct gensec_ntlmssp_context *gensec_ntlmssp =
210                 talloc_get_type_abort(gensec_security->private_data,
211                                       struct gensec_ntlmssp_context);
212         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
213         uint32_t chal_flags, ntlmssp_command, unkn1 = 0, unkn2 = 0;
214         DATA_BLOB server_domain_blob;
215         DATA_BLOB challenge_blob;
216         DATA_BLOB target_info = data_blob(NULL, 0);
217         char *server_domain;
218         const char *chal_parse_string;
219         const char *chal_parse_string_short = NULL;
220         const char *auth_gen_string;
221         DATA_BLOB lm_response = data_blob(NULL, 0);
222         DATA_BLOB nt_response = data_blob(NULL, 0);
223         DATA_BLOB session_key = data_blob(NULL, 0);
224         DATA_BLOB lm_session_key = data_blob(NULL, 0);
225         DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
226         NTSTATUS nt_status;
227         int flags = 0;
228         const char *user = NULL, *domain = NULL, *workstation = NULL;
229         bool is_anonymous = false;
230         const DATA_BLOB version_blob = ntlmssp_version_blob();
231         const NTTIME *server_timestamp = NULL;
232
233         TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
234         if (!mem_ctx) {
235                 return NT_STATUS_NO_MEMORY;
236         }
237
238         if (!msrpc_parse(mem_ctx,
239                          &in, "CdBd",
240                          "NTLMSSP",
241                          &ntlmssp_command,
242                          &server_domain_blob,
243                          &chal_flags)) {
244                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
245                 dump_data(2, in.data, in.length);
246                 talloc_free(mem_ctx);
247
248                 return NT_STATUS_INVALID_PARAMETER;
249         }
250
251         data_blob_free(&server_domain_blob);
252
253         DEBUG(3, ("Got challenge flags:\n"));
254         debug_ntlmssp_flags(chal_flags);
255
256         nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
257                                              chal_flags, "challenge");
258         if (!NT_STATUS_IS_OK(nt_status)) {
259                 return nt_status;
260         }
261
262         if (ntlmssp_state->unicode) {
263                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
264                         chal_parse_string = "CdUdbddB";
265                 } else {
266                         chal_parse_string = "CdUdbdd";
267                         chal_parse_string_short = "CdUdb";
268                 }
269                 auth_gen_string = "CdBBUUUBdb";
270         } else {
271                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
272                         chal_parse_string = "CdAdbddB";
273                 } else {
274                         chal_parse_string = "CdAdbdd";
275                         chal_parse_string_short = "CdAdb";
276                 }
277
278                 auth_gen_string = "CdBBAAABdb";
279         }
280
281         if (!msrpc_parse(mem_ctx,
282                          &in, chal_parse_string,
283                          "NTLMSSP",
284                          &ntlmssp_command,
285                          &server_domain,
286                          &chal_flags,
287                          &challenge_blob, 8,
288                          &unkn1, &unkn2,
289                          &target_info)) {
290
291                 bool ok = false;
292
293                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
294
295                 if (chal_parse_string_short != NULL) {
296                         /*
297                          * In the case where NTLMSSP_NEGOTIATE_TARGET_INFO
298                          * is not used, some NTLMSSP servers don't return
299                          * the unused unkn1 and unkn2 fields.
300                          * See bug:
301                          * https://bugzilla.samba.org/show_bug.cgi?id=10016
302                          * for packet traces.
303                          * Try and parse again without them.
304                          */
305                         ok = msrpc_parse(mem_ctx,
306                                 &in, chal_parse_string_short,
307                                 "NTLMSSP",
308                                 &ntlmssp_command,
309                                 &server_domain,
310                                 &chal_flags,
311                                 &challenge_blob, 8);
312                         if (!ok) {
313                                 DEBUG(1, ("Failed to short parse "
314                                         "the NTLMSSP Challenge: (#2)\n"));
315                         }
316                 }
317
318                 if (!ok) {
319                         dump_data(2, in.data, in.length);
320                         talloc_free(mem_ctx);
321                         return NT_STATUS_INVALID_PARAMETER;
322                 }
323         }
324
325         if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
326                 ntlmssp_state->server.is_standalone = true;
327         } else {
328                 ntlmssp_state->server.is_standalone = false;
329         }
330         /* TODO: parse struct_blob and fill in the rest */
331         ntlmssp_state->server.netbios_name = "";
332         ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
333         ntlmssp_state->server.dns_name = "";
334         ntlmssp_state->server.dns_domain = "";
335
336         if (challenge_blob.length != 8) {
337                 talloc_free(mem_ctx);
338                 return NT_STATUS_INVALID_PARAMETER;
339         }
340
341         is_anonymous = cli_credentials_is_anonymous(gensec_security->credentials);
342         cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
343                                                  &user, &domain);
344
345         workstation = cli_credentials_get_workstation(gensec_security->credentials);
346
347         if (user == NULL) {
348                 DEBUG(10, ("User is NULL, returning INVALID_PARAMETER\n"));
349                 return NT_STATUS_INVALID_PARAMETER;
350         }
351
352         if (domain == NULL) {
353                 DEBUG(10, ("Domain is NULL, returning INVALID_PARAMETER\n"));
354                 return NT_STATUS_INVALID_PARAMETER;
355         }
356
357         if (workstation == NULL) {
358                 DEBUG(10, ("Workstation is NULL, returning INVALID_PARAMETER\n"));
359                 return NT_STATUS_INVALID_PARAMETER;
360         }
361
362         if (is_anonymous) {
363                 ntlmssp_state->neg_flags |= NTLMSSP_ANONYMOUS;
364                 /*
365                  * don't use the ccache for anonymous auth
366                  */
367                 ntlmssp_state->use_ccache = false;
368         }
369         if (ntlmssp_state->use_ccache) {
370                 struct samr_Password *nt_hash = NULL;
371
372                 /*
373                  * If we have a password given we don't
374                  * use the ccache
375                  */
376                 nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
377                                                       mem_ctx);
378                 if (nt_hash != NULL) {
379                         ZERO_STRUCTP(nt_hash);
380                         TALLOC_FREE(nt_hash);
381                         ntlmssp_state->use_ccache = false;
382                 }
383         }
384
385         if (ntlmssp_state->use_ccache) {
386                 struct wbcCredentialCacheParams params;
387                 struct wbcCredentialCacheInfo *info = NULL;
388                 struct wbcAuthErrorInfo *error = NULL;
389                 struct wbcNamedBlob auth_blobs[1];
390                 const struct wbcBlob *wbc_auth_blob = NULL;
391                 const struct wbcBlob *wbc_session_key = NULL;
392                 wbcErr wbc_status;
393                 int i;
394
395                 params.account_name = user;
396                 params.domain_name = domain;
397                 params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
398
399                 auth_blobs[0].name = "challenge_blob";
400                 auth_blobs[0].flags = 0;
401                 auth_blobs[0].blob.data = in.data;
402                 auth_blobs[0].blob.length = in.length;
403                 params.num_blobs = ARRAY_SIZE(auth_blobs);
404                 params.blobs = auth_blobs;
405
406                 wbc_status = wbcCredentialCache(&params, &info, &error);
407                 wbcFreeMemory(error);
408                 if (!WBC_ERROR_IS_OK(wbc_status)) {
409                         return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
410                 }
411
412                 for (i=0; i<info->num_blobs; i++) {
413                         if (strequal(info->blobs[i].name, "auth_blob")) {
414                                 wbc_auth_blob = &info->blobs[i].blob;
415                         }
416                         if (strequal(info->blobs[i].name, "session_key")) {
417                                 wbc_session_key = &info->blobs[i].blob;
418                         }
419                 }
420                 if ((wbc_auth_blob == NULL) || (wbc_session_key == NULL)) {
421                         wbcFreeMemory(info);
422                         return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
423                 }
424
425                 session_key = data_blob_talloc(mem_ctx,
426                                                wbc_session_key->data,
427                                                wbc_session_key->length);
428                 if (session_key.length != wbc_session_key->length) {
429                         wbcFreeMemory(info);
430                         return NT_STATUS_NO_MEMORY;
431                 }
432                 *out = data_blob_talloc(mem_ctx,
433                                         wbc_auth_blob->data,
434                                         wbc_auth_blob->length);
435                 if (out->length != wbc_auth_blob->length) {
436                         wbcFreeMemory(info);
437                         return NT_STATUS_NO_MEMORY;
438                 }
439
440                 wbcFreeMemory(info);
441                 goto done;
442         }
443
444         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
445                 flags |= CLI_CRED_NTLM2;
446         }
447         if (ntlmssp_state->use_ntlmv2) {
448                 flags |= CLI_CRED_NTLMv2_AUTH;
449         }
450         if (ntlmssp_state->use_nt_response) {
451                 flags |= CLI_CRED_NTLM_AUTH;
452         }
453         if (ntlmssp_state->allow_lm_response) {
454                 flags |= CLI_CRED_LANMAN_AUTH;
455         }
456
457         nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
458                                                       &flags, challenge_blob,
459                                                       server_timestamp, target_info,
460                                                       &lm_response, &nt_response,
461                                                       &lm_session_key, &session_key);
462         if (!NT_STATUS_IS_OK(nt_status)) {
463                 return nt_status;
464         }
465
466         if (!(flags & CLI_CRED_LANMAN_AUTH)) {
467                 /* LM Key is still possible, just silly, so we do not
468                  * allow it. Fortunetly all LM crypto is off by
469                  * default and we require command line options to end
470                  * up here */
471                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
472         }
473
474         if (!(flags & CLI_CRED_NTLM2)) {
475                 /* NTLM2 is incompatible... */
476                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
477         }
478
479         if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
480             && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) {
481                 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
482                 if (lm_response.length == 24) {
483                         SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
484                                                   new_session_key.data);
485                 } else {
486                         static const uint8_t zeros[24];
487                         SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
488                                                   new_session_key.data);
489                 }
490                 session_key = new_session_key;
491                 dump_data_pw("LM session key\n", session_key.data, session_key.length);
492         }
493
494
495         /* Key exchange encryptes a new client-generated session key with
496            the password-derived key */
497         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
498                 /* Make up a new session key */
499                 uint8_t client_session_key[16];
500                 generate_secret_buffer(client_session_key, sizeof(client_session_key));
501
502                 /* Encrypt the new session key with the old one */
503                 encrypted_session_key = data_blob_talloc(ntlmssp_state,
504                                                          client_session_key, sizeof(client_session_key));
505                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
506                 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
507                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
508
509                 /* Mark the new session key as the 'real' session key */
510                 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
511         }
512
513         /* this generates the actual auth packet */
514         nt_status = msrpc_gen(mem_ctx,
515                        out, auth_gen_string,
516                        "NTLMSSP",
517                        NTLMSSP_AUTH,
518                        lm_response.data, lm_response.length,
519                        nt_response.data, nt_response.length,
520                        domain,
521                        user,
522                        workstation,
523                        encrypted_session_key.data, encrypted_session_key.length,
524                        ntlmssp_state->neg_flags,
525                        version_blob.data, version_blob.length);
526         if (!NT_STATUS_IS_OK(nt_status)) {
527                 talloc_free(mem_ctx);
528                 return nt_status;
529         }
530
531 done:
532         ntlmssp_state->session_key = session_key;
533         talloc_steal(ntlmssp_state, session_key.data);
534
535         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
536         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
537
538         talloc_steal(out_mem_ctx, out->data);
539
540         ntlmssp_state->expected_state = NTLMSSP_DONE;
541
542         if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
543                 nt_status = ntlmssp_sign_init(ntlmssp_state);
544                 if (!NT_STATUS_IS_OK(nt_status)) {
545                         DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
546                                   nt_errstr(nt_status)));
547                         talloc_free(mem_ctx);
548                         return nt_status;
549                 }
550         }
551
552         talloc_free(mem_ctx);
553         return NT_STATUS_OK;
554 }
555
556 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
557 {
558         struct gensec_ntlmssp_context *gensec_ntlmssp;
559         struct ntlmssp_state *ntlmssp_state;
560         NTSTATUS nt_status;
561
562         nt_status = gensec_ntlmssp_start(gensec_security);
563         NT_STATUS_NOT_OK_RETURN(nt_status);
564
565         gensec_ntlmssp =
566                 talloc_get_type_abort(gensec_security->private_data,
567                                       struct gensec_ntlmssp_context);
568
569         ntlmssp_state = talloc_zero(gensec_ntlmssp,
570                                     struct ntlmssp_state);
571         if (!ntlmssp_state) {
572                 return NT_STATUS_NO_MEMORY;
573         }
574
575         gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
576
577         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
578
579         ntlmssp_state->role = NTLMSSP_CLIENT;
580
581         ntlmssp_state->client.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
582         ntlmssp_state->client.netbios_name = cli_credentials_get_workstation(gensec_security->credentials);
583
584         ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
585
586         ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
587
588         ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
589
590         ntlmssp_state->allow_lm_key = (ntlmssp_state->allow_lm_response
591                                               && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
592                                                   || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
593
594         ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
595
596         ntlmssp_state->expected_state = NTLMSSP_INITIAL;
597
598         ntlmssp_state->neg_flags =
599                 NTLMSSP_NEGOTIATE_NTLM |
600                 NTLMSSP_NEGOTIATE_VERSION |
601                 NTLMSSP_REQUEST_TARGET;
602
603         if (ntlmssp_state->unicode) {
604                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
605         } else {
606                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
607         }
608
609         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
610                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
611         }
612
613         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) {
614                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
615         }
616
617         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) {
618                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
619         }
620
621         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) {
622                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
623         }
624
625         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) {
626                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
627         }
628
629         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) {
630                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
631         } else {
632                 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
633                 ntlmssp_state->use_ntlmv2 = false;
634         }
635
636         if (ntlmssp_state->use_ntlmv2) {
637                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
638                 ntlmssp_state->allow_lm_response = false;
639                 ntlmssp_state->allow_lm_key = false;
640         }
641
642         if (ntlmssp_state->allow_lm_key) {
643                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
644         }
645
646         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
647                 /*
648                  * We need to set this to allow a later SetPassword
649                  * via the SAMR pipe to succeed. Strange.... We could
650                  * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
651                  *
652                  * Without this, Windows will not create the master key
653                  * that it thinks is only used for NTLMSSP signing and
654                  * sealing.  (It is actually pulled out and used directly)
655                  */
656                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
657         }
658         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
659                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
660
661                 if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
662                         /*
663                          * We need to handle NTLMSSP_NEGOTIATE_SIGN as
664                          * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
665                          * is requested.
666                          */
667                         ntlmssp_state->force_wrap_seal = true;
668                         /*
669                          * We want also work against old Samba servers
670                          * which didn't had GENSEC_FEATURE_LDAP_STYLE
671                          * we negotiate SEAL too. We may remove this
672                          * in a few years. As all servers should have
673                          * GENSEC_FEATURE_LDAP_STYLE by then.
674                          */
675                         ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
676                 }
677         }
678         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
679                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
680                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
681         }
682         if (gensec_security->want_features & GENSEC_FEATURE_NTLM_CCACHE) {
683                 ntlmssp_state->use_ccache = true;
684         }
685
686         ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
687         ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
688
689         return NT_STATUS_OK;
690 }
691
692 NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security)
693 {
694         struct gensec_ntlmssp_context *gensec_ntlmssp = NULL;
695         NTSTATUS status;
696
697         status = gensec_ntlmssp_client_start(gensec_security);
698         if (!NT_STATUS_IS_OK(status)) {
699                 return status;
700         }
701
702         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
703                                                struct gensec_ntlmssp_context);
704         gensec_ntlmssp->ntlmssp_state->use_ccache = false;
705         gensec_ntlmssp->ntlmssp_state->resume_ccache = true;
706         gensec_ntlmssp->ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
707
708         return NT_STATUS_OK;
709 }
Samba Shared Repository