s3: Add the session key to the ccache_ntlm_auth response
[ira/wip.git] / source3 / winbindd / winbindd_ccache_access.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon - cached credentials funcions
5
6    Copyright (C) Robert O'Callahan 2006
7    Copyright (C) Jeremy Allison 2006 (minor fixes to fit into Samba and
8                                       protect against integer wrap).
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "ntlmssp.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_WINBIND
30
31 static bool client_can_access_ccache_entry(uid_t client_uid,
32                                         struct WINBINDD_MEMORY_CREDS *entry)
33 {
34         if (client_uid == entry->uid || client_uid == 0) {
35                 DEBUG(10, ("Access granted to uid %u\n", (unsigned int)client_uid));
36                 return True;
37         }
38
39         DEBUG(1, ("Access denied to uid %u (expected %u)\n",
40                 (unsigned int)client_uid, (unsigned int)entry->uid));
41         return False;
42 }
43
44 static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
45                                         const char *domain,
46                                         const unsigned char lm_hash[LM_HASH_LEN],
47                                         const unsigned char nt_hash[NT_HASH_LEN],
48                                         const DATA_BLOB initial_msg,
49                                         const DATA_BLOB challenge_msg,
50                                         DATA_BLOB *auth_msg,
51                                         uint8_t session_key[16])
52 {
53         NTSTATUS status;
54         struct ntlmssp_state *ntlmssp_state = NULL;
55         DATA_BLOB dummy_msg, reply;
56
57         status = ntlmssp_client_start(&ntlmssp_state);
58
59         if (!NT_STATUS_IS_OK(status)) {
60                 DEBUG(1, ("Could not start NTLMSSP client: %s\n",
61                         nt_errstr(status)));
62                 goto done;
63         }
64
65         status = ntlmssp_set_username(ntlmssp_state, username);
66
67         if (!NT_STATUS_IS_OK(status)) {
68                 DEBUG(1, ("Could not set username: %s\n",
69                         nt_errstr(status)));
70                 goto done;
71         }
72
73         status = ntlmssp_set_domain(ntlmssp_state, domain);
74
75         if (!NT_STATUS_IS_OK(status)) {
76                 DEBUG(1, ("Could not set domain: %s\n",
77                         nt_errstr(status)));
78                 goto done;
79         }
80
81         status = ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
82
83         if (!NT_STATUS_IS_OK(status)) {
84                 DEBUG(1, ("Could not set hashes: %s\n",
85                         nt_errstr(status)));
86                 goto done;
87         }
88
89         ntlmssp_want_feature(ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
90
91         /* We need to get our protocol handler into the right state. So first
92            we ask it to generate the initial message. Actually the client has already
93            sent its own initial message, so we're going to drop this one on the floor.
94            The client might have sent a different message, for example with different
95            negotiation options, but as far as I can tell this won't hurt us. (Unless
96            the client sent a different username or domain, in which case that's their
97            problem for telling us the wrong username or domain.)
98            Since we have a copy of the initial message that the client sent, we could
99            resolve any discrepancies if we had to.
100         */
101         dummy_msg = data_blob_null;
102         reply = data_blob_null;
103         status = ntlmssp_update(ntlmssp_state, dummy_msg, &reply);
104         data_blob_free(&dummy_msg);
105         data_blob_free(&reply);
106
107         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
108                 DEBUG(1, ("Failed to create initial message! [%s]\n",
109                         nt_errstr(status)));
110                 goto done;
111         }
112
113         /* Now we are ready to handle the server's actual response. */
114         status = ntlmssp_update(ntlmssp_state, challenge_msg, &reply);
115
116         if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
117                 DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
118                         nt_errstr(status)));
119                 data_blob_free(&reply);
120                 goto done;
121         }
122
123         if (ntlmssp_state->session_key.length != 16) {
124                 DEBUG(1, ("invalid session key length %d\n",
125                           (int)ntlmssp_state->session_key.length));
126                 data_blob_free(&reply);
127                 goto done;
128         }
129
130         *auth_msg = data_blob(reply.data, reply.length);
131         memcpy(session_key, ntlmssp_state->session_key.data, 16);
132         status = NT_STATUS_OK;
133
134 done:
135         ntlmssp_end(&ntlmssp_state);
136         return status;
137 }
138
139 static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid)
140 {
141         int ret;
142         uid_t ret_uid;
143
144         ret_uid = (uid_t)-1;
145
146         ret = sys_getpeereid(state->sock, &ret_uid);
147         if (ret != 0) {
148                 DEBUG(1, ("check_client_uid: Could not get socket peer uid: %s; "
149                         "denying access\n", strerror(errno)));
150                 return False;
151         }
152
153         if (uid != ret_uid) {
154                 DEBUG(1, ("check_client_uid: Client lied about its uid: said %u, "
155                         "actually was %u; denying access\n",
156                         (unsigned int)uid, (unsigned int)ret_uid));
157                 return False;
158         }
159
160         return True;
161 }
162
163 void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
164 {
165         struct winbindd_domain *domain;
166         fstring name_domain, name_user;
167
168         /* Ensure null termination */
169         state->request->data.ccache_ntlm_auth.user[
170                         sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
171
172         DEBUG(3, ("[%5lu]: perform NTLM auth on behalf of user %s\n", (unsigned long)state->pid,
173                 state->request->data.ccache_ntlm_auth.user));
174
175         /* Parse domain and username */
176
177         if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user,
178                                 name_domain, name_user)) {
179                 DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
180                         state->request->data.ccache_ntlm_auth.user));
181                 request_error(state);
182                 return;
183         }
184
185         domain = find_auth_domain(state->request->flags, name_domain);
186
187         if (domain == NULL) {
188                 DEBUG(5,("winbindd_ccache_ntlm_auth: can't get domain [%s]\n",
189                         name_domain));
190                 request_error(state);
191                 return;
192         }
193
194         if (!check_client_uid(state, state->request->data.ccache_ntlm_auth.uid)) {
195                 request_error(state);
196                 return;
197         }
198
199         sendto_domain(state, domain);
200 }
201
202 enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *domain,
203                                                 struct winbindd_cli_state *state)
204 {
205         NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
206         struct WINBINDD_MEMORY_CREDS *entry;
207         DATA_BLOB initial, challenge, auth;
208         fstring name_domain, name_user;
209         uint32 initial_blob_len, challenge_blob_len, extra_len;
210
211         /* Ensure null termination */
212         state->request->data.ccache_ntlm_auth.user[
213                 sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
214
215         DEBUG(3, ("winbindd_dual_ccache_ntlm_auth: [%5lu]: perform NTLM auth on "
216                 "behalf of user %s (dual)\n", (unsigned long)state->pid,
217                 state->request->data.ccache_ntlm_auth.user));
218
219         /* validate blob lengths */
220         initial_blob_len = state->request->data.ccache_ntlm_auth.initial_blob_len;
221         challenge_blob_len = state->request->data.ccache_ntlm_auth.challenge_blob_len;
222         extra_len = state->request->extra_len;
223
224         if (initial_blob_len > extra_len || challenge_blob_len > extra_len ||
225                 initial_blob_len + challenge_blob_len > extra_len ||
226                 initial_blob_len + challenge_blob_len < initial_blob_len ||
227                 initial_blob_len + challenge_blob_len < challenge_blob_len) {
228
229                 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: blob lengths overrun "
230                         "or wrap. Buffer [%d+%d > %d]\n",
231                         initial_blob_len,
232                         challenge_blob_len,
233                         extra_len));
234                 goto process_result;
235         }
236
237         /* Parse domain and username */
238         if (!parse_domain_user(state->request->data.ccache_ntlm_auth.user, name_domain, name_user)) {
239                 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse "
240                         "domain and user from name [%s]\n",
241                         state->request->data.ccache_ntlm_auth.user));
242                 goto process_result;
243         }
244
245         entry = find_memory_creds_by_name(state->request->data.ccache_ntlm_auth.user);
246         if (entry == NULL || entry->nt_hash == NULL || entry->lm_hash == NULL) {
247                 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: could not find "
248                         "credentials for user %s\n", 
249                         state->request->data.ccache_ntlm_auth.user));
250                 goto process_result;
251         }
252
253         DEBUG(10,("winbindd_dual_ccache_ntlm_auth: found ccache [%s]\n", entry->username));
254
255         if (!client_can_access_ccache_entry(state->request->data.ccache_ntlm_auth.uid, entry)) {
256                 goto process_result;
257         }
258
259         if (initial_blob_len == 0 && challenge_blob_len == 0) {
260                 /* this is just a probe to see if credentials are available. */
261                 result = NT_STATUS_OK;
262                 state->response->data.ccache_ntlm_auth.auth_blob_len = 0;
263                 goto process_result;
264         }
265
266         initial = data_blob_const(state->request->extra_data.data,
267                                   initial_blob_len);
268         challenge = data_blob_const(
269                 state->request->extra_data.data + initial_blob_len,
270                 state->request->data.ccache_ntlm_auth.challenge_blob_len);
271
272         result = do_ntlm_auth_with_hashes(
273                 name_user, name_domain, entry->lm_hash, entry->nt_hash,
274                 initial, challenge, &auth,
275                 state->response->data.ccache_ntlm_auth.session_key);
276
277         if (!NT_STATUS_IS_OK(result)) {
278                 goto process_result;
279         }
280
281         state->response->extra_data.data = talloc_memdup(
282                 state->mem_ctx, auth.data, auth.length);
283         if (!state->response->extra_data.data) {
284                 result = NT_STATUS_NO_MEMORY;
285                 goto process_result;
286         }
287         state->response->length += auth.length;
288         state->response->data.ccache_ntlm_auth.auth_blob_len = auth.length;
289
290         data_blob_free(&auth);
291
292   process_result:
293         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
294 }
295
296 void winbindd_ccache_save(struct winbindd_cli_state *state)
297 {
298         struct winbindd_domain *domain;
299         fstring name_domain, name_user;
300
301         /* Ensure null termination */
302         state->request->data.ccache_save.user[
303                 sizeof(state->request->data.ccache_save.user)-1]='\0';
304         state->request->data.ccache_save.pass[
305                 sizeof(state->request->data.ccache_save.pass)-1]='\0';
306
307         DEBUG(3, ("[%5lu]: save passord of user %s\n",
308                   (unsigned long)state->pid,
309                   state->request->data.ccache_save.user));
310
311         /* Parse domain and username */
312
313         if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user,
314                                    name_domain, name_user)) {
315                 DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
316                          "from name [%s]\n",
317                          state->request->data.ccache_save.user));
318                 request_error(state);
319                 return;
320         }
321
322         domain = find_auth_domain(state->request->flags, name_domain);
323
324         if (domain == NULL) {
325                 DEBUG(5, ("winbindd_ccache_save: can't get domain [%s]\n",
326                           name_domain));
327                 request_error(state);
328                 return;
329         }
330
331         if (!check_client_uid(state, state->request->data.ccache_save.uid)) {
332                 request_error(state);
333                 return;
334         }
335
336         sendto_domain(state, domain);
337 }
338
339 enum winbindd_result winbindd_dual_ccache_save(
340         struct winbindd_domain *domain, struct winbindd_cli_state *state)
341 {
342         NTSTATUS status = NT_STATUS_NOT_SUPPORTED;
343
344         /* Ensure null termination */
345         state->request->data.ccache_save.user[
346                 sizeof(state->request->data.ccache_save.user)-1]='\0';
347         state->request->data.ccache_save.pass[
348                 sizeof(state->request->data.ccache_save.pass)-1]='\0';
349
350         DEBUG(3, ("winbindd_dual_ccache_save: [%5lu]: save password of user "
351                   "%s\n", (unsigned long)state->pid,
352                   state->request->data.ccache_save.user));
353
354         status = winbindd_add_memory_creds(
355                 state->request->data.ccache_save.user,
356                 state->request->data.ccache_save.uid,
357                 state->request->data.ccache_save.pass);
358
359         if (!NT_STATUS_IS_OK(status)) {
360                 DEBUG(1, ("winbindd_add_memory_creds failed %s\n",
361                           nt_errstr(status)));
362                 return WINBINDD_ERROR;
363         }
364
365         return WINBINDD_OK;
366 }