s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
[samba.git] / source4 / auth / ntlmssp / ntlmssp_server.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, client server side parsing
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "../libcli/auth/ntlmssp_ndr.h"
30 #include "../libcli/auth/ntlmssp_private.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../lib/crypto/crypto.h"
33 #include "auth/gensec/gensec.h"
34 #include "auth/gensec/gensec_proto.h"
35 #include "auth/auth.h"
36 #include "param/param.h"
37
38 /**
39  * Next state function for the Negotiate packet (GENSEC wrapper)
40  *
41  * @param gensec_security GENSEC state
42  * @param out_mem_ctx Memory context for *out
43  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
44  * @param out The reply, as an allocated DATA_BLOB, caller to free.
45  * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
46  */
47
48 NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
49                                          TALLOC_CTX *out_mem_ctx,
50                                          const DATA_BLOB request, DATA_BLOB *reply)
51 {
52         struct gensec_ntlmssp_context *gensec_ntlmssp =
53                 talloc_get_type_abort(gensec_security->private_data,
54                                       struct gensec_ntlmssp_context);
55         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
56         return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply);
57 }
58
59 /**
60  * Next state function for the Authenticate packet (GENSEC wrapper)
61  *
62  * @param gensec_security GENSEC state
63  * @param out_mem_ctx Memory context for *out
64  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
65  * @param out The reply, as an allocated DATA_BLOB, caller to free.
66  * @return Errors or NT_STATUS_OK if authentication sucessful
67  */
68
69 NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
70                                     TALLOC_CTX *out_mem_ctx,
71                                     const DATA_BLOB in, DATA_BLOB *out)
72 {
73         struct gensec_ntlmssp_context *gensec_ntlmssp =
74                 talloc_get_type_abort(gensec_security->private_data,
75                                       struct gensec_ntlmssp_context);
76         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
77         return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
78 }
79
80 /**
81  * Return the challenge as determined by the authentication subsystem 
82  * @return an 8 byte random challenge
83  */
84
85 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
86                                            uint8_t chal[8])
87 {
88         struct gensec_ntlmssp_context *gensec_ntlmssp =
89                 talloc_get_type_abort(ntlmssp_state->callback_private,
90                                       struct gensec_ntlmssp_context);
91         struct auth4_context *auth_context = gensec_ntlmssp->auth_context;
92         NTSTATUS status;
93
94         status = auth_context->get_challenge(auth_context, chal);
95         if (!NT_STATUS_IS_OK(status)) {
96                 DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
97                         nt_errstr(status)));
98                 return status;
99         }
100
101         return NT_STATUS_OK;
102 }
103
104 /**
105  * Some authentication methods 'fix' the challenge, so we may not be able to set it
106  *
107  * @return If the effective challenge used by the auth subsystem may be modified
108  */
109 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
110 {
111         struct gensec_ntlmssp_context *gensec_ntlmssp =
112                 talloc_get_type_abort(ntlmssp_state->callback_private,
113                                       struct gensec_ntlmssp_context);
114         struct auth4_context *auth_context = gensec_ntlmssp->auth_context;
115
116         return auth_context->challenge_may_be_modified(auth_context);
117 }
118
119 /**
120  * NTLM2 authentication modifies the effective challenge, 
121  * @param challenge The new challenge value
122  */
123 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
124 {
125         struct gensec_ntlmssp_context *gensec_ntlmssp =
126                 talloc_get_type_abort(ntlmssp_state->callback_private,
127                                       struct gensec_ntlmssp_context);
128         struct auth4_context *auth_context = gensec_ntlmssp->auth_context;
129         NTSTATUS nt_status;
130         const uint8_t *chal;
131
132         if (challenge->length != 8) {
133                 return NT_STATUS_INVALID_PARAMETER;
134         }
135
136         chal = challenge->data;
137
138         nt_status = auth_context->set_challenge(auth_context,
139                                                 chal,
140                                                 "NTLMSSP callback (NTLM2)");
141
142         return nt_status;
143 }
144
145 /**
146  * Check the password on an NTLMSSP login.  
147  *
148  * Return the session keys used on the connection.
149  */
150
151 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
152                                             TALLOC_CTX *mem_ctx,
153                                             DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
154 {
155         struct gensec_ntlmssp_context *gensec_ntlmssp =
156                 talloc_get_type_abort(ntlmssp_state->callback_private,
157                                       struct gensec_ntlmssp_context);
158         struct auth4_context *auth_context = gensec_ntlmssp->auth_context;
159         NTSTATUS nt_status;
160         struct auth_usersupplied_info *user_info;
161
162         user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
163         if (!user_info) {
164                 return NT_STATUS_NO_MEMORY;
165         }
166
167         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
168         user_info->flags = 0;
169         user_info->mapped_state = false;
170         user_info->client.account_name = ntlmssp_state->user;
171         user_info->client.domain_name = ntlmssp_state->domain;
172         user_info->workstation_name = ntlmssp_state->client.netbios_name;
173         user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
174
175         user_info->password_state = AUTH_PASSWORD_RESPONSE;
176         user_info->password.response.lanman = ntlmssp_state->lm_resp;
177         user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
178         user_info->password.response.nt = ntlmssp_state->nt_resp;
179         user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
180
181         nt_status = auth_context->check_password(auth_context,
182                                                  gensec_ntlmssp,
183                                                  user_info,
184                                                  &gensec_ntlmssp->user_info_dc);
185         talloc_free(user_info);
186         NT_STATUS_NOT_OK_RETURN(nt_status);
187
188         if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
189                 DEBUG(10, ("Got NT session key of length %u\n",
190                            (unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
191                 *user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
192                 talloc_steal(mem_ctx, user_session_key->data);
193                 gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
194         }
195         if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
196                 DEBUG(10, ("Got LM session key of length %u\n",
197                            (unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
198                 *lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
199                 talloc_steal(mem_ctx, lm_session_key->data);
200                 gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
201         }
202         return nt_status;
203 }
204
205 /** 
206  * Return the credentials of a logged on user, including session keys
207  * etc.
208  *
209  * Only valid after a successful authentication
210  *
211  * May only be called once per authentication.
212  *
213  */
214
215 NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
216                                      struct auth_session_info **session_info) 
217 {
218         NTSTATUS nt_status;
219         struct gensec_ntlmssp_context *gensec_ntlmssp =
220                 talloc_get_type_abort(gensec_security->private_data,
221                                       struct gensec_ntlmssp_context);
222         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
223
224         nt_status = gensec_generate_session_info(ntlmssp_state,
225                                                  gensec_security,
226                                                  gensec_ntlmssp->user_info_dc,
227                                                  session_info);
228         NT_STATUS_NOT_OK_RETURN(nt_status);
229
230         (*session_info)->session_key = data_blob_talloc(*session_info, 
231                                                         ntlmssp_state->session_key.data,
232                                                         ntlmssp_state->session_key.length);
233
234         return NT_STATUS_OK;
235 }
236
237 /**
238  * Start NTLMSSP on the server side 
239  *
240  */
241 NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
242 {
243         NTSTATUS nt_status;
244         struct ntlmssp_state *ntlmssp_state;
245         struct gensec_ntlmssp_context *gensec_ntlmssp;
246
247         nt_status = gensec_ntlmssp_start(gensec_security);
248         NT_STATUS_NOT_OK_RETURN(nt_status);
249
250         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
251                                                struct gensec_ntlmssp_context);
252         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
253
254         ntlmssp_state->role = NTLMSSP_SERVER;
255
256         ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
257
258         ntlmssp_state->allow_lm_key = (lpcfg_lanman_auth(gensec_security->settings->lp_ctx)
259                                           && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
260
261         ntlmssp_state->neg_flags =
262                 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
263
264         ntlmssp_state->lm_resp = data_blob(NULL, 0);
265         ntlmssp_state->nt_resp = data_blob(NULL, 0);
266
267         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
268                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
269         }
270
271         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
272                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
273         }
274
275         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
276                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
277         }
278
279         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
280                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
281         }
282
283         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
284                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
285         }
286
287         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
288                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
289         }
290         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
291                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
292         }
293
294         gensec_ntlmssp->auth_context = gensec_security->auth_context;
295
296         ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
297         ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
298         ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
299         ntlmssp_state->check_password = auth_ntlmssp_check_password;
300         if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
301                 ntlmssp_state->server.is_standalone = true;
302         } else {
303                 ntlmssp_state->server.is_standalone = false;
304         }
305
306         ntlmssp_state->server.netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
307
308         ntlmssp_state->server.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
309
310         {
311                 char *dnsdomain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx);
312                 char *dnsname, *lower_netbiosname;
313                 lower_netbiosname = strlower_talloc(ntlmssp_state, ntlmssp_state->server.netbios_name);
314
315                 /* Find out the DNS host name */
316                 if (dnsdomain && dnsdomain[0] != '\0') {
317                         dnsname = talloc_asprintf(ntlmssp_state, "%s.%s",
318                                                   lower_netbiosname,
319                                                   dnsdomain);
320                         talloc_free(lower_netbiosname);
321                         ntlmssp_state->server.dns_name = dnsname;
322                 } else {
323                         ntlmssp_state->server.dns_name = lower_netbiosname;
324                 }
325
326                 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
327
328                 ntlmssp_state->server.dns_domain
329                         = talloc_strdup(ntlmssp_state,
330                                         lpcfg_dnsdomain(gensec_security->settings->lp_ctx));
331                 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
332         }
333
334         return NT_STATUS_OK;
335 }
336