6e372dc8f8fedc7a0ff610bfbda0ae532c26b340
[ira/wip.git] / source4 / auth / ntlmssp / ntlmssp_client.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, client server side parsing
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 struct auth_session_info;
25
26 #include "includes.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "source4/auth/ntlmssp/proto.h"
29 #include "../lib/crypto/crypto.h"
30 #include "../libcli/auth/libcli_auth.h"
31 #include "auth/credentials/credentials.h"
32 #include "auth/gensec/gensec.h"
33 #include "param/param.h"
34 #include "auth/ntlmssp/ntlmssp_private.h"
35 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
36 #include "../auth/ntlmssp/ntlmssp_ndr.h"
37
38 /*********************************************************************
39  Client side NTLMSSP
40 *********************************************************************/
41
42 /**
43  * Next state function for the Initial packet
44  * 
45  * @param ntlmssp_state NTLMSSP State
46  * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
47  * @param in A NULL data blob (input ignored)
48  * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
49  * @return Errors or NT_STATUS_OK. 
50  */
51
52 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, 
53                                 TALLOC_CTX *out_mem_ctx, 
54                                 DATA_BLOB in, DATA_BLOB *out) 
55 {
56         struct gensec_ntlmssp_context *gensec_ntlmssp =
57                 talloc_get_type_abort(gensec_security->private_data,
58                                       struct gensec_ntlmssp_context);
59         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
60         const char *domain = ntlmssp_state->client.netbios_domain;
61         const char *workstation = ntlmssp_state->client.netbios_name;
62         NTSTATUS status;
63
64         /* These don't really matter in the initial packet, so don't panic if they are not set */
65         if (!domain) {
66                 domain = "";
67         }
68
69         if (!workstation) {
70                 workstation = "";
71         }
72
73         if (ntlmssp_state->unicode) {
74                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
75         } else {
76                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
77         }
78
79         if (ntlmssp_state->use_ntlmv2) {
80                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
81         }
82
83         /* generate the ntlmssp negotiate packet */
84         status = msrpc_gen(out_mem_ctx,
85                   out, "CddAA",
86                   "NTLMSSP",
87                   NTLMSSP_NEGOTIATE,
88                   ntlmssp_state->neg_flags,
89                   domain,
90                   workstation);
91
92         if (!NT_STATUS_IS_OK(status)) {
93                 DEBUG(0, ("ntlmssp_client_initial: failed to generate "
94                           "ntlmssp negotiate packet\n"));
95                 return status;
96         }
97
98         if (DEBUGLEVEL >= 10) {
99                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
100                         talloc_tos(), struct NEGOTIATE_MESSAGE);
101                 if (negotiate != NULL) {
102                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
103                                 out, negotiate, negotiate);
104                         if (NT_STATUS_IS_OK(status)) {
105                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
106                                                 negotiate);
107                         }
108                         TALLOC_FREE(negotiate);
109                 }
110         }
111
112         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
113
114         return NT_STATUS_MORE_PROCESSING_REQUIRED;
115 }
116
117 /**
118  * Next state function for the Challenge Packet.  Generate an auth packet.
119  * 
120  * @param gensec_security GENSEC state
121  * @param out_mem_ctx Memory context for *out
122  * @param in The server challnege, as a DATA_BLOB.  reply.data must be NULL
123  * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
124  * @return Errors or NT_STATUS_OK. 
125  */
126
127 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, 
128                                   TALLOC_CTX *out_mem_ctx,
129                                   const DATA_BLOB in, DATA_BLOB *out) 
130 {
131         struct gensec_ntlmssp_context *gensec_ntlmssp =
132                 talloc_get_type_abort(gensec_security->private_data,
133                                       struct gensec_ntlmssp_context);
134         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
135         uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
136         DATA_BLOB server_domain_blob;
137         DATA_BLOB challenge_blob;
138         DATA_BLOB target_info = data_blob(NULL, 0);
139         char *server_domain;
140         const char *chal_parse_string;
141         const char *auth_gen_string;
142         DATA_BLOB lm_response = data_blob(NULL, 0);
143         DATA_BLOB nt_response = data_blob(NULL, 0);
144         DATA_BLOB session_key = data_blob(NULL, 0);
145         DATA_BLOB lm_session_key = data_blob(NULL, 0);
146         DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
147         NTSTATUS nt_status;
148         int flags = 0;
149         const char *user, *domain;
150
151         TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
152         if (!mem_ctx) {
153                 return NT_STATUS_NO_MEMORY;
154         }
155
156         if (!msrpc_parse(mem_ctx,
157                          &in, "CdBd",
158                          "NTLMSSP",
159                          &ntlmssp_command, 
160                          &server_domain_blob,
161                          &chal_flags)) {
162                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
163                 dump_data(2, in.data, in.length);
164                 talloc_free(mem_ctx);
165
166                 return NT_STATUS_INVALID_PARAMETER;
167         }
168         
169         data_blob_free(&server_domain_blob);
170
171         DEBUG(3, ("Got challenge flags:\n"));
172         debug_ntlmssp_flags(chal_flags);
173
174         ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key);
175
176         if (ntlmssp_state->unicode) {
177                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
178                         chal_parse_string = "CdUdbddB";
179                 } else {
180                         chal_parse_string = "CdUdbdd";
181                 }
182                 auth_gen_string = "CdBBUUUBd";
183         } else {
184                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
185                         chal_parse_string = "CdAdbddB";
186                 } else {
187                         chal_parse_string = "CdAdbdd";
188                 }
189
190                 auth_gen_string = "CdBBAAABd";
191         }
192
193         if (!msrpc_parse(mem_ctx,
194                          &in, chal_parse_string,
195                          "NTLMSSP",
196                          &ntlmssp_command, 
197                          &server_domain,
198                          &chal_flags,
199                          &challenge_blob, 8,
200                          &unkn1, &unkn2,
201                          &target_info)) {
202                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
203                 dump_data(2, in.data, in.length);
204                 talloc_free(mem_ctx);
205                 return NT_STATUS_INVALID_PARAMETER;
206         }
207
208         if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
209                 ntlmssp_state->server.is_standalone = true;
210         } else {
211                 ntlmssp_state->server.is_standalone = false;
212         }
213         /* TODO: parse struct_blob and fill in the rest */
214         ntlmssp_state->server.netbios_name = "";
215         ntlmssp_state->server.netbios_domain = server_domain;
216         ntlmssp_state->server.dns_name = "";
217         ntlmssp_state->server.dns_domain = "";
218
219         if (challenge_blob.length != 8) {
220                 talloc_free(mem_ctx);
221                 return NT_STATUS_INVALID_PARAMETER;
222         }
223
224         cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx, 
225                                                  &user, &domain);
226
227         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
228                 flags |= CLI_CRED_NTLM2;
229         }
230         if (ntlmssp_state->use_ntlmv2) {
231                 flags |= CLI_CRED_NTLMv2_AUTH;
232         }
233         if (ntlmssp_state->use_nt_response) {
234                 flags |= CLI_CRED_NTLM_AUTH;
235         }
236         if (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)) {
237                 flags |= CLI_CRED_LANMAN_AUTH;
238         }
239
240         nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx, 
241                                                       &flags, challenge_blob, target_info,
242                                                       &lm_response, &nt_response, 
243                                                       &lm_session_key, &session_key);
244
245         if (!NT_STATUS_IS_OK(nt_status)) {
246                 return nt_status;
247         }
248         
249         if (!(flags & CLI_CRED_LANMAN_AUTH)) {
250                 /* LM Key is still possible, just silly, so we do not
251                  * allow it. Fortunetly all LM crypto is off by
252                  * default and we require command line options to end
253                  * up here */
254                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
255         }
256
257         if (!(flags & CLI_CRED_NTLM2)) {
258                 /* NTLM2 is incompatible... */
259                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
260         }
261         
262         if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
263             && lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
264                 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
265                 if (lm_response.length == 24) {
266                         SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, 
267                                                   new_session_key.data);
268                 } else {
269                         static const uint8_t zeros[24];
270                         SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
271                                                   new_session_key.data);
272                 }
273                 session_key = new_session_key;
274                 dump_data_pw("LM session key\n", session_key.data, session_key.length);
275         }
276
277
278         /* Key exchange encryptes a new client-generated session key with
279            the password-derived key */
280         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
281                 /* Make up a new session key */
282                 uint8_t client_session_key[16];
283                 generate_secret_buffer(client_session_key, sizeof(client_session_key));
284
285                 /* Encrypt the new session key with the old one */
286                 encrypted_session_key = data_blob_talloc(ntlmssp_state,
287                                                          client_session_key, sizeof(client_session_key));
288                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
289                 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
290                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
291
292                 /* Mark the new session key as the 'real' session key */
293                 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
294         }
295
296         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
297         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
298
299         /* this generates the actual auth packet */
300         nt_status = msrpc_gen(mem_ctx, 
301                        out, auth_gen_string, 
302                        "NTLMSSP", 
303                        NTLMSSP_AUTH, 
304                        lm_response.data, lm_response.length,
305                        nt_response.data, nt_response.length,
306                        domain, 
307                        user, 
308                        cli_credentials_get_workstation(gensec_security->credentials),
309                        encrypted_session_key.data, encrypted_session_key.length,
310                        ntlmssp_state->neg_flags);
311         if (!NT_STATUS_IS_OK(nt_status)) {
312                 talloc_free(mem_ctx);
313                 return nt_status;
314         }
315
316         ntlmssp_state->session_key = session_key;
317         talloc_steal(ntlmssp_state, session_key.data);
318
319         talloc_steal(out_mem_ctx, out->data);
320
321         ntlmssp_state->chal = challenge_blob;
322         ntlmssp_state->lm_resp = lm_response;
323         talloc_steal(ntlmssp_state->lm_resp.data, lm_response.data);
324         ntlmssp_state->nt_resp = nt_response;
325         talloc_steal(ntlmssp_state->nt_resp.data, nt_response.data);
326
327         ntlmssp_state->expected_state = NTLMSSP_DONE;
328
329         if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
330                 nt_status = ntlmssp_sign_init(ntlmssp_state);
331                 if (!NT_STATUS_IS_OK(nt_status)) {
332                         DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", 
333                                   nt_errstr(nt_status)));
334                         talloc_free(mem_ctx);
335                         return nt_status;
336                 }
337         }
338
339         talloc_free(mem_ctx);
340         return NT_STATUS_OK;
341 }
342
343 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
344 {
345         struct gensec_ntlmssp_context *gensec_ntlmssp;
346         struct ntlmssp_state *ntlmssp_state;
347         NTSTATUS nt_status;
348
349         nt_status = gensec_ntlmssp_start(gensec_security);
350         NT_STATUS_NOT_OK_RETURN(nt_status);
351
352         gensec_ntlmssp =
353                 talloc_get_type_abort(gensec_security->private_data,
354                                       struct gensec_ntlmssp_context);
355
356         ntlmssp_state = talloc_zero(gensec_ntlmssp,
357                                     struct ntlmssp_state);
358         if (!ntlmssp_state) {
359                 return NT_STATUS_NO_MEMORY;
360         }
361
362         ntlmssp_state->callback_private = gensec_ntlmssp;
363
364         gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
365
366         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
367
368         ntlmssp_state->role = NTLMSSP_CLIENT;
369
370         ntlmssp_state->client.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
371         ntlmssp_state->client.netbios_name = cli_credentials_get_workstation(gensec_security->credentials);
372
373         ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
374
375         ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
376
377         ntlmssp_state->allow_lm_key = (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)
378                                               && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
379                                                   || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
380
381         ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
382
383         ntlmssp_state->expected_state = NTLMSSP_INITIAL;
384
385         ntlmssp_state->neg_flags =
386                 NTLMSSP_NEGOTIATE_NTLM |
387                 NTLMSSP_REQUEST_TARGET;
388
389         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
390                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
391         }
392
393         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) {
394                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
395         }
396
397         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) {
398                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
399         }
400
401         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) {
402                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
403         }
404
405         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) {
406                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
407         }
408
409         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) {
410                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
411         } else {
412                 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
413                 ntlmssp_state->use_ntlmv2 = false;
414         }
415
416         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
417                 /*
418                  * We need to set this to allow a later SetPassword
419                  * via the SAMR pipe to succeed. Strange.... We could
420                  * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
421                  * 
422                  * Without this, Windows will not create the master key
423                  * that it thinks is only used for NTLMSSP signing and 
424                  * sealing.  (It is actually pulled out and used directly) 
425                  */
426                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
427         }
428         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
429                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
430         }
431         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
432                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
433                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
434         }
435
436         return NT_STATUS_OK;
437 }
438