source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "../libcli/auth/ntlmssp.h"
  25
  26 struct auth_ntlmssp_state {
  27         TALLOC_CTX *mem_ctx;
  28         struct auth_context *auth_context;
  29         struct auth_serversupplied_info *server_info;
  30         struct ntlmssp_state *ntlmssp_state;
  31 };
  32
  33 NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
  34                                   TALLOC_CTX *sig_mem_ctx,
  35                                   const uint8_t *data, size_t length,
  36                                   const uint8_t *whole_pdu, size_t pdu_length,
  37                                   DATA_BLOB *sig)
  38 {
  39         return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
  40 }
  41
  42 NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
  43                                    const uint8_t *data, size_t length,
  44                                    const uint8_t *whole_pdu, size_t pdu_length,
  45                                    const DATA_BLOB *sig)
  46 {
  47         return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
  48 }
  49
  50 NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
  51                                   TALLOC_CTX *sig_mem_ctx,
  52                                   uint8_t *data, size_t length,
  53                                   const uint8_t *whole_pdu, size_t pdu_length,
  54                                   DATA_BLOB *sig)
  55 {
  56         return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
  57 }
  58
  59 NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
  60                                     uint8_t *data, size_t length,
  61                                     const uint8_t *whole_pdu, size_t pdu_length,
  62                                     const DATA_BLOB *sig)
  63 {
  64         return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
  65 }
  66
  67 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
  68 {
  69         return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN;
  70 }
  71
  72 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
  73 {
  74         return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
  75 }
  76
  77 NTSTATUS auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
  78                                   struct auth_ntlmssp_state *auth_ntlmssp_state,
  79                                   struct auth_serversupplied_info **_server_info)
  80 {
  81         struct auth_serversupplied_info *server_info = auth_ntlmssp_state->server_info;
  82         data_blob_free(&server_info->user_session_key);
  83         server_info->user_session_key =
  84                 data_blob_talloc(
  85                         server_info,
  86                         auth_ntlmssp_state->ntlmssp_state->session_key.data,
  87                         auth_ntlmssp_state->ntlmssp_state->session_key.length);
  88         if (auth_ntlmssp_state->ntlmssp_state->session_key.length && !server_info->user_session_key.data) {
  89                 return NT_STATUS_NO_MEMORY;
  90         }
  91         auth_ntlmssp_state->server_info = NULL;
  92         *_server_info = talloc_steal(mem_ctx, server_info);
  93         return NT_STATUS_OK;
  94 }
  95
  96 struct ntlmssp_state *auth_ntlmssp_get_ntlmssp_state(struct auth_ntlmssp_state *auth_ntlmssp_state)
  97 {
  98         return auth_ntlmssp_state->ntlmssp_state;
  99 }
 100
 101 /* Needed for 'map to guest' and 'smb username' processing */
 102 const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *auth_ntlmssp_state)
 103 {
 104         return auth_ntlmssp_state->ntlmssp_state->user;
 105 }
 106
 107 const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_state)
 108 {
 109         return auth_ntlmssp_state->ntlmssp_state->domain;
 110 }
 111
 112 const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state)
 113 {
 114         return auth_ntlmssp_state->ntlmssp_state->client.netbios_name;
 115 }
 116
 117 /**
 118  * Return the challenge as determined by the authentication subsystem
 119  * @return an 8 byte random challenge
 120  */
 121
 122 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
 123                                            uint8_t chal[8])
 124 {
 125         struct auth_ntlmssp_state *auth_ntlmssp_state =
 126                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 127         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
 128                 auth_ntlmssp_state->auth_context, chal);
 129         return NT_STATUS_OK;
 130 }
 131
 132 /**
 133  * Some authentication methods 'fix' the challenge, so we may not be able to set it
 134  *
 135  * @return If the effective challenge used by the auth subsystem may be modified
 136  */
 137 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
 138 {
 139         struct auth_ntlmssp_state *auth_ntlmssp_state =
 140                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 141         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
 142
 143         return auth_context->challenge_may_be_modified;
 144 }
 145
 146 /**
 147  * NTLM2 authentication modifies the effective challenge,
 148  * @param challenge The new challenge value
 149  */
 150 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
 151 {
 152         struct auth_ntlmssp_state *auth_ntlmssp_state =
 153                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 154         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
 155
 156         SMB_ASSERT(challenge->length == 8);
 157
 158         auth_context->challenge = data_blob_talloc(auth_context,
 159                                                    challenge->data, challenge->length);
 160
 161         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
 162
 163         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 164         DEBUG(5, ("challenge is: \n"));
 165         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 166         return NT_STATUS_OK;
 167 }
 168
 169 /**
 170  * Check the password on an NTLMSSP login.
 171  *
 172  * Return the session keys used on the connection.
 173  */
 174
 175 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 176 {
 177         struct auth_ntlmssp_state *auth_ntlmssp_state =
 178                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 179         struct auth_usersupplied_info *user_info = NULL;
 180         NTSTATUS nt_status;
 181         bool username_was_mapped;
 182
 183         /* the client has given us its machine name (which we otherwise would not get on port 445).
 184            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 185
 186         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 187
 188         /* setup the string used by %U */
 189         /* sub_set_smb_name checks for weird internally */
 190         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 191
 192         reload_services(True);
 193
 194         nt_status = make_user_info_map(&user_info,
 195                                        auth_ntlmssp_state->ntlmssp_state->user,
 196                                        auth_ntlmssp_state->ntlmssp_state->domain,
 197                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 198                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 199                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 200                                        NULL, NULL, NULL,
 201                                        True);
 202
 203         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 204
 205         if (!NT_STATUS_IS_OK(nt_status)) {
 206                 return nt_status;
 207         }
 208
 209         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 210                                                                           user_info, &auth_ntlmssp_state->server_info);
 211
 212         username_was_mapped = user_info->was_mapped;
 213
 214         free_user_info(&user_info);
 215
 216         if (!NT_STATUS_IS_OK(nt_status)) {
 217                 return nt_status;
 218         }
 219
 220         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 221
 222         nt_status = create_local_token(auth_ntlmssp_state->server_info);
 223
 224         if (!NT_STATUS_IS_OK(nt_status)) {
 225                 DEBUG(10, ("create_local_token failed: %s\n",
 226                         nt_errstr(nt_status)));
 227                 return nt_status;
 228         }
 229
 230         if (auth_ntlmssp_state->server_info->user_session_key.length) {
 231                 DEBUG(10, ("Got NT session key of length %u\n",
 232                         (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
 233                 *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
 234                                                    auth_ntlmssp_state->server_info->user_session_key.data,
 235                                                    auth_ntlmssp_state->server_info->user_session_key.length);
 236         }
 237         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 238                 DEBUG(10, ("Got LM session key of length %u\n",
 239                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 240                 *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
 241                                                    auth_ntlmssp_state->server_info->lm_session_key.data,
 242                                                    auth_ntlmssp_state->server_info->lm_session_key.length);
 243         }
 244         return nt_status;
 245 }
 246
 247 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
 248 {
 249         NTSTATUS nt_status;
 250         TALLOC_CTX *mem_ctx;
 251         bool is_standalone;
 252         const char *netbios_name;
 253         const char *netbios_domain;
 254         const char *dns_name;
 255         char *dns_domain;
 256
 257         if ((enum server_types)lp_server_role() == ROLE_STANDALONE) {
 258                 is_standalone = true;
 259         } else {
 260                 is_standalone = false;
 261         }
 262
 263         netbios_name = global_myname();
 264         netbios_domain = lp_workgroup();
 265         /* This should be a 'netbios domain -> DNS domain' mapping */
 266         dns_domain = get_mydnsdomname(talloc_tos());
 267         if (dns_domain) {
 268                 strlower_m(dns_domain);
 269         }
 270         dns_name = get_mydnsfullname();
 271
 272         mem_ctx = talloc_init("AUTH NTLMSSP context");
 273
 274         *auth_ntlmssp_state = TALLOC_ZERO_P(mem_ctx, struct auth_ntlmssp_state);
 275         if (!*auth_ntlmssp_state) {
 276                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 277                 talloc_destroy(mem_ctx);
 278                 return NT_STATUS_NO_MEMORY;
 279         }
 280
 281         ZERO_STRUCTP(*auth_ntlmssp_state);
 282
 283         (*auth_ntlmssp_state)->mem_ctx = mem_ctx;
 284
 285         nt_status = ntlmssp_server_start(NULL,
 286                                          is_standalone,
 287                                          netbios_name,
 288                                          netbios_domain,
 289                                          dns_name,
 290                                          dns_domain,
 291                                          &(*auth_ntlmssp_state)->ntlmssp_state);
 292         if (!NT_STATUS_IS_OK(nt_status)) {
 293                 return nt_status;
 294         }
 295
 296         if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) {
 297                 return nt_status;
 298         }
 299
 300         (*auth_ntlmssp_state)->ntlmssp_state->callback_private = (*auth_ntlmssp_state);
 301         (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 302         (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 303         (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 304         (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 305
 306         return NT_STATUS_OK;
 307 }
 308
 309 void auth_ntlmssp_end(struct auth_ntlmssp_state **auth_ntlmssp_state)
 310 {
 311         TALLOC_CTX *mem_ctx;
 312
 313         if (*auth_ntlmssp_state == NULL) {
 314                 return;
 315         }
 316
 317         mem_ctx = (*auth_ntlmssp_state)->mem_ctx;
 318         if ((*auth_ntlmssp_state)->ntlmssp_state) {
 319                 ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state);
 320         }
 321         if ((*auth_ntlmssp_state)->auth_context) {
 322                 ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
 323         }
 324         if ((*auth_ntlmssp_state)->server_info) {
 325                 TALLOC_FREE((*auth_ntlmssp_state)->server_info);
 326         }
 327         talloc_destroy(mem_ctx);
 328         *auth_ntlmssp_state = NULL;
 329 }
 330
 331 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
 332                              const DATA_BLOB request, DATA_BLOB *reply)
 333 {
 334         return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
 335 }