2 Unix SMB/Netbios implementation.
4 handle NLTMSSP, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * Print out the NTLMSSP flags for debugging
28 * @param neg_flags The flags from the packet
31 void debug_ntlmssp_flags(uint32 neg_flags)
33 DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
35 if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE)
36 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n"));
37 if (neg_flags & NTLMSSP_NEGOTIATE_OEM)
38 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n"));
39 if (neg_flags & NTLMSSP_REQUEST_TARGET)
40 DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n"));
41 if (neg_flags & NTLMSSP_NEGOTIATE_SIGN)
42 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
43 if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
44 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
45 if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
46 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
47 if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
48 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n"));
49 if (neg_flags & NTLMSSP_NEGOTIATE_NTLM)
50 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n"));
51 if (neg_flags & NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED)
52 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED\n"));
53 if (neg_flags & NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED)
54 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED\n"));
55 if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL)
56 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
57 if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
58 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
59 if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
60 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
61 if (neg_flags & NTLMSSP_CHAL_TARGET_INFO)
62 DEBUGADD(4, (" NTLMSSP_CHAL_TARGET_INFO\n"));
63 if (neg_flags & NTLMSSP_NEGOTIATE_128)
64 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
65 if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
66 DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
70 * Default challenge generation code.
74 static const uint8 *get_challenge(struct ntlmssp_state *ntlmssp_state)
77 generate_random_buffer(chal, sizeof(chal), False);
83 * Determine correct target name flags for reply, given server role
84 * and negoitated falgs
86 * @param ntlmssp_state NTLMSSP State
87 * @param neg_flags The flags from the packet
88 * @param chal_flags The flags to be set in the reply packet
89 * @return The 'target name' string.
92 static const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
93 uint32 neg_flags, uint32 *chal_flags)
95 if (neg_flags & NTLMSSP_REQUEST_TARGET) {
96 *chal_flags |= NTLMSSP_CHAL_TARGET_INFO;
97 *chal_flags |= NTLMSSP_REQUEST_TARGET;
98 if (ntlmssp_state->server_role == ROLE_STANDALONE) {
99 *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER;
100 return ntlmssp_state->get_global_myname();
102 *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
103 return ntlmssp_state->get_domain();
111 * Next state function for the Negotiate packet
113 * @param ntlmssp_state NTLMSSP State
114 * @param request The request, as a DATA_BLOB
115 * @param request The reply, as an allocated DATA_BLOB, caller to free.
116 * @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
119 static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
120 const DATA_BLOB request, DATA_BLOB *reply)
122 DATA_BLOB struct_blob;
123 fstring dnsname, dnsdomname;
124 uint32 ntlmssp_command, neg_flags, chal_flags;
125 char *cliname=NULL, *domname=NULL;
126 const uint8 *cryptkey;
127 const char *target_name;
129 /* parse the NTLMSSP packet */
131 file_save("ntlmssp_negotiate.dat", request.data, request.length);
134 if (!msrpc_parse(&request, "CddAA",
140 return NT_STATUS_INVALID_PARAMETER;
146 debug_ntlmssp_flags(neg_flags);
148 cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
150 data_blob_free(&ntlmssp_state->chal);
151 ntlmssp_state->chal = data_blob(cryptkey, 8);
153 /* Give them the challenge. For now, ignore neg_flags and just
154 return the flags we want. Obviously this is not correct */
157 NTLMSSP_NEGOTIATE_128 |
158 NTLMSSP_NEGOTIATE_NTLM;
160 if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
161 chal_flags |= NTLMSSP_NEGOTIATE_UNICODE;
162 ntlmssp_state->unicode = True;
164 chal_flags |= NTLMSSP_NEGOTIATE_OEM;
167 target_name = ntlmssp_target_name(ntlmssp_state,
168 neg_flags, &chal_flags);
170 /* This should be a 'netbios domain -> DNS domain' mapping */
171 dnsdomname[0] = '\0';
172 get_mydomname(dnsdomname);
173 strlower(dnsdomname);
176 get_myfullname(dnsname);
179 if (chal_flags & NTLMSSP_CHAL_TARGET_INFO)
181 const char *target_name_dns = "";
182 if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN) {
183 target_name_dns = dnsdomname;
184 } else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER) {
185 target_name_dns = dnsname;
188 /* the numbers here are the string type flags */
189 msrpc_gen(&struct_blob, "aaaaa",
190 ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN, target_name,
191 ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
192 ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN_DNS, target_name_dns,
193 ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER_DNS, dnsdomname,
194 ntlmssp_state->unicode, 0, "");
196 struct_blob = data_blob(NULL, 0);
200 const char *gen_string;
201 if (ntlmssp_state->unicode) {
202 gen_string = "CdUdbddB";
204 gen_string = "CdAdbddB";
207 msrpc_gen(reply, gen_string,
214 struct_blob.data, struct_blob.length);
217 data_blob_free(&struct_blob);
219 ntlmssp_state->expected_state = NTLMSSP_AUTH;
221 return NT_STATUS_MORE_PROCESSING_REQUIRED;
225 * Next state function for the Authenticate packet
227 * @param ntlmssp_state NTLMSSP State
228 * @param request The request, as a DATA_BLOB
229 * @param request The reply, as an allocated DATA_BLOB, caller to free.
230 * @return Errors or NT_STATUS_OK.
233 static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
234 const DATA_BLOB request, DATA_BLOB *reply)
237 uint32 ntlmssp_command, neg_flags;
240 const char *parse_string;
242 /* parse the NTLMSSP packet */
244 file_save("ntlmssp_auth.dat", request.data, request.length);
247 if (ntlmssp_state->unicode) {
248 parse_string = "CdBBUUUBd";
250 parse_string = "CdBBAAABd";
253 data_blob_free(&ntlmssp_state->lm_resp);
254 data_blob_free(&ntlmssp_state->nt_resp);
256 SAFE_FREE(ntlmssp_state->user);
257 SAFE_FREE(ntlmssp_state->domain);
258 SAFE_FREE(ntlmssp_state->workstation);
260 /* now the NTLMSSP encoded auth hashes */
261 if (!msrpc_parse(&request, parse_string,
264 &ntlmssp_state->lm_resp,
265 &ntlmssp_state->nt_resp,
266 &ntlmssp_state->domain,
267 &ntlmssp_state->user,
268 &ntlmssp_state->workstation,
271 return NT_STATUS_INVALID_PARAMETER;
274 data_blob_free(&sess_key);
276 DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d\n",
277 ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, ntlmssp_state->lm_resp.length, ntlmssp_state->nt_resp.length));
280 file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
281 file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
284 nt_status = ntlmssp_state->check_password(ntlmssp_state);
286 *reply = data_blob(NULL, 0);
292 * Create an NTLMSSP state machine
294 * @param ntlmssp_state NTLMSSP State, allocated by this funciton
297 NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
301 mem_ctx = talloc_init("NTLMSSP context");
303 *ntlmssp_state = talloc_zero(mem_ctx, sizeof(**ntlmssp_state));
304 if (!*ntlmssp_state) {
305 DEBUG(0,("ntlmssp_server_start: talloc failed!\n"));
306 talloc_destroy(mem_ctx);
307 return NT_STATUS_NO_MEMORY;
310 (*ntlmssp_state)->mem_ctx = mem_ctx;
311 (*ntlmssp_state)->get_challenge = get_challenge;
313 (*ntlmssp_state)->get_global_myname = lp_netbios_name;
314 (*ntlmssp_state)->get_domain = lp_workgroup;
315 (*ntlmssp_state)->server_role = ROLE_DOMAIN_MEMBER; /* a good default */
317 (*ntlmssp_state)->expected_state = NTLMSSP_NEGOTIATE;
323 * End an NTLMSSP state machine
325 * @param ntlmssp_state NTLMSSP State, free()ed by this funciton
328 NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state)
330 TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
332 data_blob_free(&(*ntlmssp_state)->chal);
333 data_blob_free(&(*ntlmssp_state)->lm_resp);
334 data_blob_free(&(*ntlmssp_state)->nt_resp);
336 SAFE_FREE((*ntlmssp_state)->user);
337 SAFE_FREE((*ntlmssp_state)->domain);
338 SAFE_FREE((*ntlmssp_state)->workstation);
340 talloc_destroy(mem_ctx);
341 *ntlmssp_state = NULL;
346 * Next state function for the NTLMSSP state machine
348 * @param ntlmssp_state NTLMSSP State
349 * @param request The request, as a DATA_BLOB
350 * @param request The reply, as an allocated DATA_BLOB, caller to free.
351 * @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
354 NTSTATUS ntlmssp_server_update(NTLMSSP_STATE *ntlmssp_state,
355 const DATA_BLOB request, DATA_BLOB *reply)
357 uint32 ntlmssp_command;
358 *reply = data_blob(NULL, 0);
360 if (!msrpc_parse(&request, "Cd",
363 return NT_STATUS_INVALID_PARAMETER;
366 if (ntlmssp_command != ntlmssp_state->expected_state) {
367 return NT_STATUS_INVALID_PARAMETER;
370 if (ntlmssp_command == NTLMSSP_NEGOTIATE) {
371 return ntlmssp_server_negotiate(ntlmssp_state, request, reply);
372 } else if (ntlmssp_command == NTLMSSP_AUTH) {
373 return ntlmssp_server_auth(ntlmssp_state, request, reply);
375 return NT_STATUS_INVALID_PARAMETER;
379 /*********************************************************************
381 *********************************************************************/
384 * Next state function for the Initial packet
386 * @param ntlmssp_state NTLMSSP State
387 * @param request The request, as a DATA_BLOB. reply.data must be NULL
388 * @param request The reply, as an allocated DATA_BLOB, caller to free.
389 * @return Errors or NT_STATUS_OK.
392 static NTSTATUS ntlmssp_client_initial(struct ntlmssp_client_state *ntlmssp_state,
393 DATA_BLOB reply, DATA_BLOB *next_request)
395 if (ntlmssp_state->unicode) {
396 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
399 /* generate the ntlmssp negotiate packet */
400 msrpc_gen(next_request, "CddAA",
403 ntlmssp_state->neg_flags,
404 ntlmssp_state->get_domain(),
405 ntlmssp_state->get_global_myname());
407 return NT_STATUS_MORE_PROCESSING_REQUIRED;
411 * Next state function for the Challenge Packet. Generate an auth packet.
413 * @param ntlmssp_state NTLMSSP State
414 * @param request The request, as a DATA_BLOB. reply.data must be NULL
415 * @param request The reply, as an allocated DATA_BLOB, caller to free.
416 * @return Errors or NT_STATUS_OK.
419 static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_state,
420 const DATA_BLOB reply, DATA_BLOB *next_request)
422 uint32 chal_flags, ntlmssp_command, unkn1, unkn2;
423 DATA_BLOB server_domain_blob;
424 DATA_BLOB challenge_blob;
425 DATA_BLOB struct_blob;
427 const char *chal_parse_string;
428 const char *auth_gen_string;
429 DATA_BLOB lm_response = data_blob(NULL, 0);
430 DATA_BLOB nt_response = data_blob(NULL, 0);
431 DATA_BLOB session_key = data_blob(NULL, 0);
432 uint8 datagram_sess_key[16];
434 ZERO_STRUCT(datagram_sess_key);
436 if (!msrpc_parse(&reply, "CdBd",
441 DEBUG(0, ("Failed to parse the NTLMSSP Challenge\n"));
442 return NT_STATUS_INVALID_PARAMETER;
445 data_blob_free(&server_domain_blob);
447 if (chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
448 chal_parse_string = "CdUdbddB";
449 auth_gen_string = "CdBBUUUBd";
450 ntlmssp_state->unicode = True;
451 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
452 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
453 } else if (chal_flags & NTLMSSP_NEGOTIATE_OEM) {
454 chal_parse_string = "CdAdbddB";
455 auth_gen_string = "CdBBAAABd";
456 ntlmssp_state->unicode = False;
457 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
458 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
460 return NT_STATUS_INVALID_PARAMETER;
463 if (!msrpc_parse(&reply, chal_parse_string,
471 DEBUG(0, ("Failed to parse the NTLMSSP Challenge\n"));
472 return NT_STATUS_INVALID_PARAMETER;
475 SAFE_FREE(server_domain);
476 data_blob_free(&struct_blob);
478 if (challenge_blob.length != 8) {
479 return NT_STATUS_INVALID_PARAMETER;
482 if (ntlmssp_state->use_ntlmv2) {
484 /* TODO: if the remote server is standalone, then we should replace 'domain'
485 with the server name as supplied above */
487 if (!SMBNTLMv2encrypt(ntlmssp_state->user,
488 ntlmssp_state->domain,
489 ntlmssp_state->password, challenge_blob,
490 &lm_response, &nt_response, &session_key)) {
491 data_blob_free(&challenge_blob);
492 return NT_STATUS_NO_MEMORY;
496 E_md4hash(ntlmssp_state->password, nt_hash);
498 /* non encrypted password supplied. Ignore ntpass. */
499 if (lp_client_lanman_auth()) {
500 lm_response = data_blob(NULL, 24);
501 SMBencrypt(ntlmssp_state->password,challenge_blob.data,
505 nt_response = data_blob(NULL, 24);
506 SMBNTencrypt(ntlmssp_state->password,challenge_blob.data,
508 session_key = data_blob(NULL, 16);
509 SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
512 data_blob_free(&challenge_blob);
514 /* this generates the actual auth packet */
515 if (!msrpc_gen(next_request, auth_gen_string,
518 lm_response.data, lm_response.length,
519 nt_response.data, nt_response.length,
520 ntlmssp_state->domain,
522 ntlmssp_state->get_global_myname(),
523 datagram_sess_key, 0,
524 ntlmssp_state->neg_flags)) {
526 data_blob_free(&lm_response);
527 data_blob_free(&nt_response);
528 data_blob_free(&session_key);
529 return NT_STATUS_NO_MEMORY;
532 data_blob_free(&lm_response);
533 data_blob_free(&nt_response);
535 ntlmssp_state->session_key = session_key;
537 return NT_STATUS_MORE_PROCESSING_REQUIRED;
540 NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
544 mem_ctx = talloc_init("NTLMSSP Client context");
546 *ntlmssp_state = talloc_zero(mem_ctx, sizeof(**ntlmssp_state));
547 if (!*ntlmssp_state) {
548 DEBUG(0,("ntlmssp_server_start: talloc failed!\n"));
549 talloc_destroy(mem_ctx);
550 return NT_STATUS_NO_MEMORY;
553 (*ntlmssp_state)->mem_ctx = mem_ctx;
555 (*ntlmssp_state)->get_global_myname = lp_netbios_name;
556 (*ntlmssp_state)->get_domain = lp_workgroup;
558 (*ntlmssp_state)->unicode = True;
560 (*ntlmssp_state)->neg_flags =
561 NTLMSSP_NEGOTIATE_128 |
562 NTLMSSP_NEGOTIATE_NTLM |
563 NTLMSSP_REQUEST_TARGET;
568 NTSTATUS ntlmssp_client_end(NTLMSSP_CLIENT_STATE **ntlmssp_state)
570 TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
572 data_blob_free(&(*ntlmssp_state)->session_key);
573 talloc_destroy(mem_ctx);
574 *ntlmssp_state = NULL;
578 NTSTATUS ntlmssp_client_update(NTLMSSP_CLIENT_STATE *ntlmssp_state,
579 DATA_BLOB reply, DATA_BLOB *next_request)
581 uint32 ntlmssp_command;
582 *next_request = data_blob(NULL, 0);
585 return ntlmssp_client_initial(ntlmssp_state, reply, next_request);
588 if (!msrpc_parse(&reply, "Cd",
591 return NT_STATUS_INVALID_PARAMETER;
594 if (ntlmssp_command == NTLMSSP_CHALLENGE) {
595 return ntlmssp_client_challenge(ntlmssp_state, reply, next_request);
597 return NT_STATUS_INVALID_PARAMETER;
600 NTSTATUS ntlmssp_set_username(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *user)
602 ntlmssp_state->user = talloc_strdup(ntlmssp_state->mem_ctx, user);
603 if (!ntlmssp_state->user) {
604 return NT_STATUS_NO_MEMORY;
609 NTSTATUS ntlmssp_set_password(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *password)
611 ntlmssp_state->password = talloc_strdup(ntlmssp_state->mem_ctx, password);
612 if (!ntlmssp_state->password) {
613 return NT_STATUS_NO_MEMORY;
618 NTSTATUS ntlmssp_set_domain(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *domain)
620 ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain);
621 if (!ntlmssp_state->domain) {
622 return NT_STATUS_NO_MEMORY;