auth/ntlmssp/ntlmssp_client.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, client server side parsing
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 struct auth_session_info;
  25
  26 #include "includes.h"
  27 #include "auth/ntlmssp/ntlmssp.h"
  28 #include "../lib/crypto/crypto.h"
  29 #include "../libcli/auth/libcli_auth.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "auth/gensec/gensec.h"
  32 #include "auth/gensec/gensec_internal.h"
  33 #include "param/param.h"
  34 #include "auth/ntlmssp/ntlmssp_private.h"
  35 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
  36 #include "../auth/ntlmssp/ntlmssp_ndr.h"
  37 #include "../nsswitch/libwbclient/wbclient.h"
  38
  39 /*********************************************************************
  40  Client side NTLMSSP
  41 *********************************************************************/
  42
  43 /**
  44  * Next state function for the Initial packet
  45  *
  46  * @param ntlmssp_state NTLMSSP State
  47  * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
  48  * @param in A NULL data blob (input ignored)
  49  * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
  50  * @return Errors or NT_STATUS_OK.
  51  */
  52
  53 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
  54                                 TALLOC_CTX *out_mem_ctx,
  55                                 DATA_BLOB in, DATA_BLOB *out)
  56 {
  57         struct gensec_ntlmssp_context *gensec_ntlmssp =
  58                 talloc_get_type_abort(gensec_security->private_data,
  59                                       struct gensec_ntlmssp_context);
  60         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
  61         NTSTATUS status;
  62         const DATA_BLOB version_blob = ntlmssp_version_blob();
  63
  64         /* generate the ntlmssp negotiate packet */
  65         status = msrpc_gen(out_mem_ctx,
  66                   out, "CddAAb",
  67                   "NTLMSSP",
  68                   NTLMSSP_NEGOTIATE,
  69                   ntlmssp_state->neg_flags,
  70                   "", /* domain */
  71                   "", /* workstation */
  72                   version_blob.data, version_blob.length);
  73         if (!NT_STATUS_IS_OK(status)) {
  74                 DEBUG(0, ("ntlmssp_client_initial: failed to generate "
  75                           "ntlmssp negotiate packet\n"));
  76                 return status;
  77         }
  78
  79         if (DEBUGLEVEL >= 10) {
  80                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
  81                         ntlmssp_state, struct NEGOTIATE_MESSAGE);
  82                 if (negotiate != NULL) {
  83                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
  84                                 out, negotiate, negotiate);
  85                         if (NT_STATUS_IS_OK(status)) {
  86                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
  87                                                 negotiate);
  88                         }
  89                         TALLOC_FREE(negotiate);
  90                 }
  91         }
  92
  93         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
  94
  95         return NT_STATUS_MORE_PROCESSING_REQUIRED;
  96 }
  97
  98 NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
  99                                 TALLOC_CTX *out_mem_ctx,
 100                                 DATA_BLOB in, DATA_BLOB *out)
 101 {
 102         struct gensec_ntlmssp_context *gensec_ntlmssp =
 103                 talloc_get_type_abort(gensec_security->private_data,
 104                                       struct gensec_ntlmssp_context);
 105         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 106         uint32_t neg_flags = 0;
 107         uint32_t ntlmssp_command;
 108         NTSTATUS status;
 109         bool ok;
 110
 111         *out = data_blob_null;
 112
 113         if (in.length == 0) {
 114                 /*
 115                  * This is compat code for older callers
 116                  * which were missing the "initial_blob"
 117                  */
 118                 ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 119                 ntlmssp_state->required_flags = 0;
 120                 ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
 121                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 122         }
 123
 124         /* parse the NTLMSSP packet */
 125
 126         if (in.length > UINT16_MAX) {
 127                 DEBUG(1, ("%s: reject large request of length %u\n",
 128                         __func__, (unsigned int)in.length));
 129                 return NT_STATUS_INVALID_PARAMETER;
 130         }
 131
 132         ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
 133                          "NTLMSSP",
 134                          &ntlmssp_command,
 135                          &neg_flags);
 136         if (!ok) {
 137                 DEBUG(1, ("%s: failed to parse NTLMSSP Negotiate of length %u\n",
 138                         __func__, (unsigned int)in.length));
 139                 dump_data(2, in.data, in.length);
 140                 return NT_STATUS_INVALID_PARAMETER;
 141         }
 142
 143         if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
 144                 DEBUG(1, ("%s: no NTLMSSP Negotiate message (length %u)\n",
 145                         __func__, (unsigned int)in.length));
 146                 dump_data(2, in.data, in.length);
 147                 return NT_STATUS_INVALID_PARAMETER;
 148         }
 149
 150         ntlmssp_state->neg_flags = neg_flags;
 151         DEBUG(3, ("Imported Negotiate flags:\n"));
 152         debug_ntlmssp_flags(neg_flags);
 153
 154         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
 155                 ntlmssp_state->unicode = true;
 156         } else {
 157                 ntlmssp_state->unicode = false;
 158         }
 159
 160         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
 161                 gensec_security->want_features |= GENSEC_FEATURE_SIGN;
 162
 163                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 164         }
 165
 166         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
 167                 gensec_security->want_features |= GENSEC_FEATURE_SEAL;
 168
 169                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 170                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 171         }
 172
 173         ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 174         ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
 175
 176         if (DEBUGLEVEL >= 10) {
 177                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
 178                         ntlmssp_state, struct NEGOTIATE_MESSAGE);
 179                 if (negotiate != NULL) {
 180                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
 181                                 &in, negotiate, negotiate);
 182                         if (NT_STATUS_IS_OK(status)) {
 183                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
 184                                                 negotiate);
 185                         }
 186                         TALLOC_FREE(negotiate);
 187                 }
 188         }
 189
 190         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
 191
 192         return NT_STATUS_MORE_PROCESSING_REQUIRED;
 193 }
 194
 195 /**
 196  * Next state function for the Challenge Packet.  Generate an auth packet.
 197  *
 198  * @param gensec_security GENSEC state
 199  * @param out_mem_ctx Memory context for *out
 200  * @param in The server challnege, as a DATA_BLOB.  reply.data must be NULL
 201  * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
 202  * @return Errors or NT_STATUS_OK.
 203  */
 204
 205 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 206                                   TALLOC_CTX *out_mem_ctx,
 207                                   const DATA_BLOB in, DATA_BLOB *out)
 208 {
 209         struct gensec_ntlmssp_context *gensec_ntlmssp =
 210                 talloc_get_type_abort(gensec_security->private_data,
 211                                       struct gensec_ntlmssp_context);
 212         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 213         uint32_t chal_flags, ntlmssp_command, unkn1 = 0, unkn2 = 0;
 214         DATA_BLOB server_domain_blob;
 215         DATA_BLOB challenge_blob;
 216         DATA_BLOB target_info = data_blob(NULL, 0);
 217         char *server_domain;
 218         const char *chal_parse_string;
 219         const char *chal_parse_string_short = NULL;
 220         const char *auth_gen_string;
 221         DATA_BLOB lm_response = data_blob(NULL, 0);
 222         DATA_BLOB nt_response = data_blob(NULL, 0);
 223         DATA_BLOB session_key = data_blob(NULL, 0);
 224         DATA_BLOB lm_session_key = data_blob(NULL, 0);
 225         DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
 226         NTSTATUS nt_status;
 227         int flags = 0;
 228         const char *user = NULL, *domain = NULL, *workstation = NULL;
 229         bool is_anonymous = false;
 230         const DATA_BLOB version_blob = ntlmssp_version_blob();
 231
 232         TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 233         if (!mem_ctx) {
 234                 return NT_STATUS_NO_MEMORY;
 235         }
 236
 237         if (!msrpc_parse(mem_ctx,
 238                          &in, "CdBd",
 239                          "NTLMSSP",
 240                          &ntlmssp_command,
 241                          &server_domain_blob,
 242                          &chal_flags)) {
 243                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
 244                 dump_data(2, in.data, in.length);
 245                 talloc_free(mem_ctx);
 246
 247                 return NT_STATUS_INVALID_PARAMETER;
 248         }
 249
 250         data_blob_free(&server_domain_blob);
 251
 252         DEBUG(3, ("Got challenge flags:\n"));
 253         debug_ntlmssp_flags(chal_flags);
 254
 255         nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
 256                                              chal_flags, "challenge");
 257         if (!NT_STATUS_IS_OK(nt_status)) {
 258                 return nt_status;
 259         }
 260
 261         if (ntlmssp_state->unicode) {
 262                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 263                         chal_parse_string = "CdUdbddB";
 264                 } else {
 265                         chal_parse_string = "CdUdbdd";
 266                         chal_parse_string_short = "CdUdb";
 267                 }
 268                 auth_gen_string = "CdBBUUUBdb";
 269         } else {
 270                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 271                         chal_parse_string = "CdAdbddB";
 272                 } else {
 273                         chal_parse_string = "CdAdbdd";
 274                         chal_parse_string_short = "CdAdb";
 275                 }
 276
 277                 auth_gen_string = "CdBBAAABdb";
 278         }
 279
 280         if (!msrpc_parse(mem_ctx,
 281                          &in, chal_parse_string,
 282                          "NTLMSSP",
 283                          &ntlmssp_command,
 284                          &server_domain,
 285                          &chal_flags,
 286                          &challenge_blob, 8,
 287                          &unkn1, &unkn2,
 288                          &target_info)) {
 289
 290                 bool ok = false;
 291
 292                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
 293
 294                 if (chal_parse_string_short != NULL) {
 295                         /*
 296                          * In the case where NTLMSSP_NEGOTIATE_TARGET_INFO
 297                          * is not used, some NTLMSSP servers don't return
 298                          * the unused unkn1 and unkn2 fields.
 299                          * See bug:
 300                          * https://bugzilla.samba.org/show_bug.cgi?id=10016
 301                          * for packet traces.
 302                          * Try and parse again without them.
 303                          */
 304                         ok = msrpc_parse(mem_ctx,
 305                                 &in, chal_parse_string_short,
 306                                 "NTLMSSP",
 307                                 &ntlmssp_command,
 308                                 &server_domain,
 309                                 &chal_flags,
 310                                 &challenge_blob, 8);
 311                         if (!ok) {
 312                                 DEBUG(1, ("Failed to short parse "
 313                                         "the NTLMSSP Challenge: (#2)\n"));
 314                         }
 315                 }
 316
 317                 if (!ok) {
 318                         dump_data(2, in.data, in.length);
 319                         talloc_free(mem_ctx);
 320                         return NT_STATUS_INVALID_PARAMETER;
 321                 }
 322         }
 323
 324         if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
 325                 ntlmssp_state->server.is_standalone = true;
 326         } else {
 327                 ntlmssp_state->server.is_standalone = false;
 328         }
 329         /* TODO: parse struct_blob and fill in the rest */
 330         ntlmssp_state->server.netbios_name = "";
 331         ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
 332         ntlmssp_state->server.dns_name = "";
 333         ntlmssp_state->server.dns_domain = "";
 334
 335         if (challenge_blob.length != 8) {
 336                 talloc_free(mem_ctx);
 337                 return NT_STATUS_INVALID_PARAMETER;
 338         }
 339
 340         is_anonymous = cli_credentials_is_anonymous(gensec_security->credentials);
 341         cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
 342                                                  &user, &domain);
 343
 344         workstation = cli_credentials_get_workstation(gensec_security->credentials);
 345
 346         if (user == NULL) {
 347                 DEBUG(10, ("User is NULL, returning INVALID_PARAMETER\n"));
 348                 return NT_STATUS_INVALID_PARAMETER;
 349         }
 350
 351         if (domain == NULL) {
 352                 DEBUG(10, ("Domain is NULL, returning INVALID_PARAMETER\n"));
 353                 return NT_STATUS_INVALID_PARAMETER;
 354         }
 355
 356         if (workstation == NULL) {
 357                 DEBUG(10, ("Workstation is NULL, returning INVALID_PARAMETER\n"));
 358                 return NT_STATUS_INVALID_PARAMETER;
 359         }
 360
 361         if (is_anonymous) {
 362                 ntlmssp_state->neg_flags |= NTLMSSP_ANONYMOUS;
 363                 /*
 364                  * don't use the ccache for anonymous auth
 365                  */
 366                 ntlmssp_state->use_ccache = false;
 367         }
 368         if (ntlmssp_state->use_ccache) {
 369                 struct samr_Password *nt_hash = NULL;
 370
 371                 /*
 372                  * If we have a password given we don't
 373                  * use the ccache
 374                  */
 375                 nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
 376                                                       mem_ctx);
 377                 if (nt_hash != NULL) {
 378                         ZERO_STRUCTP(nt_hash);
 379                         TALLOC_FREE(nt_hash);
 380                         ntlmssp_state->use_ccache = false;
 381                 }
 382         }
 383
 384         if (ntlmssp_state->use_ccache) {
 385                 struct wbcCredentialCacheParams params;
 386                 struct wbcCredentialCacheInfo *info = NULL;
 387                 struct wbcAuthErrorInfo *error = NULL;
 388                 struct wbcNamedBlob auth_blobs[1];
 389                 const struct wbcBlob *wbc_auth_blob = NULL;
 390                 const struct wbcBlob *wbc_session_key = NULL;
 391                 wbcErr wbc_status;
 392                 int i;
 393
 394                 params.account_name = user;
 395                 params.domain_name = domain;
 396                 params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
 397
 398                 auth_blobs[0].name = "challenge_blob";
 399                 auth_blobs[0].flags = 0;
 400                 auth_blobs[0].blob.data = in.data;
 401                 auth_blobs[0].blob.length = in.length;
 402                 params.num_blobs = ARRAY_SIZE(auth_blobs);
 403                 params.blobs = auth_blobs;
 404
 405                 wbc_status = wbcCredentialCache(&params, &info, &error);
 406                 wbcFreeMemory(error);
 407                 if (!WBC_ERROR_IS_OK(wbc_status)) {
 408                         return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
 409                 }
 410
 411                 for (i=0; i<info->num_blobs; i++) {
 412                         if (strequal(info->blobs[i].name, "auth_blob")) {
 413                                 wbc_auth_blob = &info->blobs[i].blob;
 414                         }
 415                         if (strequal(info->blobs[i].name, "session_key")) {
 416                                 wbc_session_key = &info->blobs[i].blob;
 417                         }
 418                 }
 419                 if ((wbc_auth_blob == NULL) || (wbc_session_key == NULL)) {
 420                         wbcFreeMemory(info);
 421                         return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
 422                 }
 423
 424                 session_key = data_blob_talloc(mem_ctx,
 425                                                wbc_session_key->data,
 426                                                wbc_session_key->length);
 427                 if (session_key.length != wbc_session_key->length) {
 428                         wbcFreeMemory(info);
 429                         return NT_STATUS_NO_MEMORY;
 430                 }
 431                 *out = data_blob_talloc(mem_ctx,
 432                                         wbc_auth_blob->data,
 433                                         wbc_auth_blob->length);
 434                 if (out->length != wbc_auth_blob->length) {
 435                         wbcFreeMemory(info);
 436                         return NT_STATUS_NO_MEMORY;
 437                 }
 438
 439                 wbcFreeMemory(info);
 440                 goto done;
 441         }
 442
 443         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 444                 flags |= CLI_CRED_NTLM2;
 445         }
 446         if (ntlmssp_state->use_ntlmv2) {
 447                 flags |= CLI_CRED_NTLMv2_AUTH;
 448         }
 449         if (ntlmssp_state->use_nt_response) {
 450                 flags |= CLI_CRED_NTLM_AUTH;
 451         }
 452         if (ntlmssp_state->allow_lm_response) {
 453                 flags |= CLI_CRED_LANMAN_AUTH;
 454         }
 455
 456         nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
 457                                                       &flags, challenge_blob, target_info,
 458                                                       &lm_response, &nt_response,
 459                                                       &lm_session_key, &session_key);
 460
 461         if (!NT_STATUS_IS_OK(nt_status)) {
 462                 return nt_status;
 463         }
 464
 465         if (!(flags & CLI_CRED_LANMAN_AUTH)) {
 466                 /* LM Key is still possible, just silly, so we do not
 467                  * allow it. Fortunetly all LM crypto is off by
 468                  * default and we require command line options to end
 469                  * up here */
 470                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 471         }
 472
 473         if (!(flags & CLI_CRED_NTLM2)) {
 474                 /* NTLM2 is incompatible... */
 475                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 476         }
 477
 478         if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
 479             && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) {
 480                 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 481                 if (lm_response.length == 24) {
 482                         SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
 483                                                   new_session_key.data);
 484                 } else {
 485                         static const uint8_t zeros[24];
 486                         SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
 487                                                   new_session_key.data);
 488                 }
 489                 session_key = new_session_key;
 490                 dump_data_pw("LM session key\n", session_key.data, session_key.length);
 491         }
 492
 493
 494         /* Key exchange encryptes a new client-generated session key with
 495            the password-derived key */
 496         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
 497                 /* Make up a new session key */
 498                 uint8_t client_session_key[16];
 499                 generate_secret_buffer(client_session_key, sizeof(client_session_key));
 500
 501                 /* Encrypt the new session key with the old one */
 502                 encrypted_session_key = data_blob_talloc(ntlmssp_state,
 503                                                          client_session_key, sizeof(client_session_key));
 504                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
 505                 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
 506                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
 507
 508                 /* Mark the new session key as the 'real' session key */
 509                 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
 510         }
 511
 512         /* this generates the actual auth packet */
 513         nt_status = msrpc_gen(mem_ctx,
 514                        out, auth_gen_string,
 515                        "NTLMSSP",
 516                        NTLMSSP_AUTH,
 517                        lm_response.data, lm_response.length,
 518                        nt_response.data, nt_response.length,
 519                        domain,
 520                        user,
 521                        workstation,
 522                        encrypted_session_key.data, encrypted_session_key.length,
 523                        ntlmssp_state->neg_flags,
 524                        version_blob.data, version_blob.length);
 525         if (!NT_STATUS_IS_OK(nt_status)) {
 526                 talloc_free(mem_ctx);
 527                 return nt_status;
 528         }
 529
 530 done:
 531         ntlmssp_state->session_key = session_key;
 532         talloc_steal(ntlmssp_state, session_key.data);
 533
 534         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
 535         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
 536
 537         talloc_steal(out_mem_ctx, out->data);
 538
 539         ntlmssp_state->expected_state = NTLMSSP_DONE;
 540
 541         if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
 542                 nt_status = ntlmssp_sign_init(ntlmssp_state);
 543                 if (!NT_STATUS_IS_OK(nt_status)) {
 544                         DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
 545                                   nt_errstr(nt_status)));
 546                         talloc_free(mem_ctx);
 547                         return nt_status;
 548                 }
 549         }
 550
 551         talloc_free(mem_ctx);
 552         return NT_STATUS_OK;
 553 }
 554
 555 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 556 {
 557         struct gensec_ntlmssp_context *gensec_ntlmssp;
 558         struct ntlmssp_state *ntlmssp_state;
 559         NTSTATUS nt_status;
 560
 561         nt_status = gensec_ntlmssp_start(gensec_security);
 562         NT_STATUS_NOT_OK_RETURN(nt_status);
 563
 564         gensec_ntlmssp =
 565                 talloc_get_type_abort(gensec_security->private_data,
 566                                       struct gensec_ntlmssp_context);
 567
 568         ntlmssp_state = talloc_zero(gensec_ntlmssp,
 569                                     struct ntlmssp_state);
 570         if (!ntlmssp_state) {
 571                 return NT_STATUS_NO_MEMORY;
 572         }
 573
 574         gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
 575
 576         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 577
 578         ntlmssp_state->role = NTLMSSP_CLIENT;
 579
 580         ntlmssp_state->client.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
 581         ntlmssp_state->client.netbios_name = cli_credentials_get_workstation(gensec_security->credentials);
 582
 583         ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
 584
 585         ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
 586
 587         ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
 588
 589         ntlmssp_state->allow_lm_key = (ntlmssp_state->allow_lm_response
 590                                               && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
 591                                                   || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
 592
 593         ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
 594
 595         ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 596
 597         ntlmssp_state->neg_flags =
 598                 NTLMSSP_NEGOTIATE_NTLM |
 599                 NTLMSSP_NEGOTIATE_VERSION |
 600                 NTLMSSP_REQUEST_TARGET;
 601
 602         if (ntlmssp_state->unicode) {
 603                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
 604         } else {
 605                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
 606         }
 607
 608         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
 609                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
 610         }
 611
 612         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) {
 613                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
 614         }
 615
 616         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) {
 617                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 618         }
 619
 620         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) {
 621                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
 622         }
 623
 624         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) {
 625                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 626         }
 627
 628         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) {
 629                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 630         } else {
 631                 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
 632                 ntlmssp_state->use_ntlmv2 = false;
 633         }
 634
 635         if (ntlmssp_state->use_ntlmv2) {
 636                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 637                 ntlmssp_state->allow_lm_response = false;
 638                 ntlmssp_state->allow_lm_key = false;
 639         }
 640
 641         if (ntlmssp_state->allow_lm_key) {
 642                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 643         }
 644
 645         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 646                 /*
 647                  * We need to set this to allow a later SetPassword
 648                  * via the SAMR pipe to succeed. Strange.... We could
 649                  * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
 650                  *
 651                  * Without this, Windows will not create the master key
 652                  * that it thinks is only used for NTLMSSP signing and
 653                  * sealing.  (It is actually pulled out and used directly)
 654                  */
 655                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 656         }
 657         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 658                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 659
 660                 if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
 661                         /*
 662                          * We need to handle NTLMSSP_NEGOTIATE_SIGN as
 663                          * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
 664                          * is requested.
 665                          */
 666                         ntlmssp_state->force_wrap_seal = true;
 667                         /*
 668                          * We want also work against old Samba servers
 669                          * which didn't had GENSEC_FEATURE_LDAP_STYLE
 670                          * we negotiate SEAL too. We may remove this
 671                          * in a few years. As all servers should have
 672                          * GENSEC_FEATURE_LDAP_STYLE by then.
 673                          */
 674                         ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 675                 }
 676         }
 677         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 678                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 679                 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 680         }
 681         if (gensec_security->want_features & GENSEC_FEATURE_NTLM_CCACHE) {
 682                 ntlmssp_state->use_ccache = true;
 683         }
 684
 685         ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 686         ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
 687
 688         return NT_STATUS_OK;
 689 }
 690
 691 NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security)
 692 {
 693         struct gensec_ntlmssp_context *gensec_ntlmssp = NULL;
 694         NTSTATUS status;
 695
 696         status = gensec_ntlmssp_client_start(gensec_security);
 697         if (!NT_STATUS_IS_OK(status)) {
 698                 return status;
 699         }
 700
 701         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
 702                                                struct gensec_ntlmssp_context);
 703         gensec_ntlmssp->ntlmssp_state->use_ccache = false;
 704         gensec_ntlmssp->ntlmssp_state->resume_ccache = true;
 705         gensec_ntlmssp->ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
 706
 707         return NT_STATUS_OK;
 708 }