X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=source3%2Finclude%2Fntlmssp.h;h=30a37e06c3ef2e9dcef94988248eccada2de71ca;hb=54abd2aa66069e6baf7769c496f46d9dba18db39;hp=f0278ffece899adc653a2ee3a635f1bee3a08656;hpb=892599fb92b6158e86a3934c8f2045ee457f38e3;p=ira%2Fwip.git diff --git a/source3/include/ntlmssp.h b/source3/include/ntlmssp.h index f0278ffece8..30a37e06c3e 100644 --- a/source3/include/ntlmssp.h +++ b/source3/include/ntlmssp.h @@ -30,10 +30,12 @@ enum NTLMSSP_ROLE /* NTLMSSP message types */ enum NTLM_MESSAGE_TYPE { + NTLMSSP_INITIAL = 0 /* samba internal state */, NTLMSSP_NEGOTIATE = 1, NTLMSSP_CHALLENGE = 2, NTLMSSP_AUTH = 3, - NTLMSSP_UNKNOWN = 4 + NTLMSSP_UNKNOWN = 4, + NTLMSSP_DONE = 5 /* samba final state */ }; /* NTLMSSP negotiation flags */ @@ -60,39 +62,22 @@ enum NTLM_MESSAGE_TYPE #define NTLMSSP_CHAL_TARGET_INFO 0x00800000 #define NTLMSSP_NEGOTIATE_128 0x20000000 /* 128-bit encryption */ #define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000 -#define NTLMSSP_NEGOTIATE_080000000 0x80000000 +#define NTLMSSP_NEGOTIATE_56 0x80000000 -#define NTLMSSP_NAME_TYPE_DOMAIN 0x01 -#define NTLMSSP_NAME_TYPE_SERVER 0x02 -#define NTLMSSP_NAME_TYPE_DOMAIN_DNS 0x03 -#define NTLMSSP_NAME_TYPE_SERVER_DNS 0x04 +#define NTLMSSP_NAME_TYPE_SERVER 0x01 +#define NTLMSSP_NAME_TYPE_DOMAIN 0x02 +#define NTLMSSP_NAME_TYPE_SERVER_DNS 0x03 +#define NTLMSSP_NAME_TYPE_DOMAIN_DNS 0x04 + +#define NTLMSSP_SIG_SIZE 16 typedef struct ntlmssp_state { TALLOC_CTX *mem_ctx; + unsigned int ref_count; enum NTLMSSP_ROLE role; - BOOL unicode; - char *user; - char *domain; - char *workstation; - DATA_BLOB lm_resp; - DATA_BLOB nt_resp; - DATA_BLOB chal; - void *auth_context; - const uint8 *(*get_challenge)(struct ntlmssp_state *ntlmssp_state); - NTSTATUS (*check_password)(struct ntlmssp_state *ntlmssp_state); - - const char *(*get_global_myname)(void); - const char *(*get_domain)(void); - - int server_role; + enum server_types server_role; uint32 expected_state; -} NTLMSSP_STATE; - -typedef struct ntlmssp_client_state -{ - TALLOC_CTX *mem_ctx; - unsigned int ref_count; BOOL unicode; BOOL use_ntlmv2; @@ -100,34 +85,86 @@ typedef struct ntlmssp_client_state char *domain; char *workstation; char *password; + char *server_domain; - const char *(*get_global_myname)(void); - const char *(*get_domain)(void); + DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */ - DATA_BLOB chal; + DATA_BLOB chal; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */ DATA_BLOB lm_resp; DATA_BLOB nt_resp; DATA_BLOB session_key; - uint32 neg_flags; + uint32 neg_flags; /* the current state of negotiation with the NTLMSSP partner */ - /* SMB Signing */ - - uint32 ntlmssp_seq_num; + void *auth_context; + + /** + * Callback to get the 'challenge' used for NTLM authentication. + * + * @param ntlmssp_state This structure + * @return 8 bytes of challnege data, determined by the server to be the challenge for NTLM authentication + * + */ + const uint8 *(*get_challenge)(const struct ntlmssp_state *ntlmssp_state); + + /** + * Callback to find if the challenge used by NTLM authentication may be modified + * + * The NTLM2 authentication scheme modifies the effective challenge, but this is not compatiable with the + * current 'security=server' implementation.. + * + * @param ntlmssp_state This structure + * @return Can the challenge be set to arbitary values? + * + */ + BOOL (*may_set_challenge)(const struct ntlmssp_state *ntlmssp_state); + + /** + * Callback to set the 'challenge' used for NTLM authentication. + * + * The callback may use the void *auth_context to store state information, but the same value is always available + * from the DATA_BLOB chal on this structure. + * + * @param ntlmssp_state This structure + * @param challenge 8 bytes of data, agreed by the client and server to be the effective challenge for NTLM2 authentication + * + */ + NTSTATUS (*set_challenge)(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge); + + /** + * Callback to check the user's password. + * + * The callback must reads the feilds of this structure for the information it needs on the user + * @param ntlmssp_state This structure + * @param nt_session_key If an NT session key is returned by the authentication process, return it here + * @param lm_session_key If an LM session key is returned by the authentication process, return it here + * + */ + NTSTATUS (*check_password)(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key); + + const char *(*get_global_myname)(void); + const char *(*get_domain)(void); /* ntlmv2 */ - char cli_sign_const[16]; - char cli_seal_const[16]; - char srv_sign_const[16]; - char srv_seal_const[16]; - unsigned char cli_sign_hash[258]; - unsigned char cli_seal_hash[258]; - unsigned char srv_sign_hash[258]; - unsigned char srv_seal_hash[258]; + unsigned char send_sign_key[16]; + unsigned char send_seal_key[16]; + unsigned char recv_sign_key[16]; + unsigned char recv_seal_key[16]; - /* ntlmv1 */ - unsigned char ntlmssp_hash[258]; + unsigned char send_seal_arc4_state[258]; + unsigned char recv_seal_arc4_state[258]; -} NTLMSSP_CLIENT_STATE; + uint32 ntlm2_send_seq_num; + uint32 ntlm2_recv_seq_num; + /* ntlmv1 */ + unsigned char ntlmv1_arc4_state[258]; + uint32 ntlmv1_seq_num; + + /* it turns out that we don't always get the + response in at the time we want to process it. + Store it here, until we need it */ + DATA_BLOB stored_response; + +} NTLMSSP_STATE;