source4/auth/ntlmssp/ntlmssp_client.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, client server side parsing
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth/ntlmssp/ntlmssp.h"
  26 #include "auth/ntlmssp/msrpc_parse.h"
  27 #include "lib/crypto/crypto.h"
  28 #include "libcli/auth/libcli_auth.h"
  29 #include "auth/credentials/credentials.h"
  30 #include "auth/gensec/gensec.h"
  31 #include "param/param.h"
  32
  33 /*********************************************************************
  34  Client side NTLMSSP
  35 *********************************************************************/
  36
  37 /**
  38  * Next state function for the Initial packet
  39  *
  40  * @param ntlmssp_state NTLMSSP State
  41  * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
  42  * @param in A NULL data blob (input ignored)
  43  * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
  44  * @return Errors or NT_STATUS_OK.
  45  */
  46
  47 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
  48                                 TALLOC_CTX *out_mem_ctx,
  49                                 DATA_BLOB in, DATA_BLOB *out)
  50 {
  51         struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
  52
  53         if (gensec_ntlmssp_state->unicode) {
  54                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
  55         } else {
  56                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
  57         }
  58
  59         if (gensec_ntlmssp_state->use_ntlmv2) {
  60                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
  61         }
  62
  63         /* generate the ntlmssp negotiate packet */
  64         msrpc_gen(out_mem_ctx,
  65                   lp_iconv_convenience(gensec_security->lp_ctx),
  66                   out, "CddAA",
  67                   "NTLMSSP",
  68                   NTLMSSP_NEGOTIATE,
  69                   gensec_ntlmssp_state->neg_flags,
  70                   gensec_ntlmssp_state->domain,
  71                   cli_credentials_get_workstation(gensec_security->credentials));
  72
  73         gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
  74
  75         return NT_STATUS_MORE_PROCESSING_REQUIRED;
  76 }
  77
  78 /**
  79  * Next state function for the Challenge Packet.  Generate an auth packet.
  80  *
  81  * @param gensec_security GENSEC state
  82  * @param out_mem_ctx Memory context for *out
  83  * @param in The server challnege, as a DATA_BLOB.  reply.data must be NULL
  84  * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
  85  * @return Errors or NT_STATUS_OK.
  86  */
  87
  88 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
  89                                   TALLOC_CTX *out_mem_ctx,
  90                                   const DATA_BLOB in, DATA_BLOB *out)
  91 {
  92         struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
  93         uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
  94         DATA_BLOB server_domain_blob;
  95         DATA_BLOB challenge_blob;
  96         DATA_BLOB target_info = data_blob(NULL, 0);
  97         char *server_domain;
  98         const char *chal_parse_string;
  99         const char *auth_gen_string;
 100         DATA_BLOB lm_response = data_blob(NULL, 0);
 101         DATA_BLOB nt_response = data_blob(NULL, 0);
 102         DATA_BLOB session_key = data_blob(NULL, 0);
 103         DATA_BLOB lm_session_key = data_blob(NULL, 0);
 104         DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
 105         NTSTATUS nt_status;
 106         int flags = 0;
 107         const char *user, *domain;
 108
 109         TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 110         if (!mem_ctx) {
 111                 return NT_STATUS_NO_MEMORY;
 112         }
 113
 114         if (!msrpc_parse(mem_ctx,
 115                          lp_iconv_convenience(gensec_security->lp_ctx),
 116                          &in, "CdBd",
 117                          "NTLMSSP",
 118                          &ntlmssp_command,
 119                          &server_domain_blob,
 120                          &chal_flags)) {
 121                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
 122                 dump_data(2, in.data, in.length);
 123                 talloc_free(mem_ctx);
 124
 125                 return NT_STATUS_INVALID_PARAMETER;
 126         }
 127
 128         data_blob_free(&server_domain_blob);
 129
 130         DEBUG(3, ("Got challenge flags:\n"));
 131         debug_ntlmssp_flags(chal_flags);
 132
 133         ntlmssp_handle_neg_flags(gensec_ntlmssp_state, chal_flags, gensec_ntlmssp_state->allow_lm_key);
 134
 135         if (gensec_ntlmssp_state->unicode) {
 136                 if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
 137                         chal_parse_string = "CdUdbddB";
 138                 } else {
 139                         chal_parse_string = "CdUdbdd";
 140                 }
 141                 auth_gen_string = "CdBBUUUBd";
 142         } else {
 143                 if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
 144                         chal_parse_string = "CdAdbddB";
 145                 } else {
 146                         chal_parse_string = "CdAdbdd";
 147                 }
 148
 149                 auth_gen_string = "CdBBAAABd";
 150         }
 151
 152         if (!msrpc_parse(mem_ctx,
 153                          lp_iconv_convenience(gensec_security->lp_ctx),
 154                          &in, chal_parse_string,
 155                          "NTLMSSP",
 156                          &ntlmssp_command,
 157                          &server_domain,
 158                          &chal_flags,
 159                          &challenge_blob, 8,
 160                          &unkn1, &unkn2,
 161                          &target_info)) {
 162                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
 163                 dump_data(2, in.data, in.length);
 164                 talloc_free(mem_ctx);
 165                 return NT_STATUS_INVALID_PARAMETER;
 166         }
 167
 168         gensec_ntlmssp_state->server_domain = server_domain;
 169
 170         if (challenge_blob.length != 8) {
 171                 talloc_free(mem_ctx);
 172                 return NT_STATUS_INVALID_PARAMETER;
 173         }
 174
 175         cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
 176                                                  &user, &domain);
 177
 178         if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 179                 flags |= CLI_CRED_NTLM2;
 180         }
 181         if (gensec_ntlmssp_state->use_ntlmv2) {
 182                 flags |= CLI_CRED_NTLMv2_AUTH;
 183         }
 184         if (gensec_ntlmssp_state->use_nt_response) {
 185                 flags |= CLI_CRED_NTLM_AUTH;
 186         }
 187         if (lp_client_lanman_auth(gensec_security->lp_ctx)) {
 188                 flags |= CLI_CRED_LANMAN_AUTH;
 189         }
 190
 191         nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
 192                                                       &flags, challenge_blob, target_info,
 193                                                       &lm_response, &nt_response,
 194                                                       &lm_session_key, &session_key);
 195
 196         if (!NT_STATUS_IS_OK(nt_status)) {
 197                 return nt_status;
 198         }
 199
 200         if (!(flags & CLI_CRED_LANMAN_AUTH)) {
 201                 /* LM Key is still possible, just silly.  Fortunetly
 202                  * we require command line options to end up here */
 203                 /* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
 204         }
 205
 206         if (!(flags & CLI_CRED_NTLM2)) {
 207                 /* NTLM2 is incompatible... */
 208                 gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 209         }
 210
 211         if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
 212             && lp_client_lanman_auth(gensec_security->lp_ctx) && lm_session_key.length == 16) {
 213                 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 214                 if (lm_response.length == 24) {
 215                         SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
 216                                                   new_session_key.data);
 217                 } else {
 218                         static const uint8_t zeros[24];
 219                         SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
 220                                                   new_session_key.data);
 221                 }
 222                 session_key = new_session_key;
 223                 dump_data_pw("LM session key\n", session_key.data, session_key.length);
 224         }
 225
 226
 227         /* Key exchange encryptes a new client-generated session key with
 228            the password-derived key */
 229         if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
 230                 /* Make up a new session key */
 231                 uint8_t client_session_key[16];
 232                 generate_secret_buffer(client_session_key, sizeof(client_session_key));
 233
 234                 /* Encrypt the new session key with the old one */
 235                 encrypted_session_key = data_blob_talloc(gensec_ntlmssp_state,
 236                                                          client_session_key, sizeof(client_session_key));
 237                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
 238                 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
 239                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
 240
 241                 /* Mark the new session key as the 'real' session key */
 242                 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
 243         }
 244
 245         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
 246         debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags);
 247
 248         /* this generates the actual auth packet */
 249         if (!msrpc_gen(mem_ctx,
 250                        lp_iconv_convenience(gensec_security->lp_ctx),
 251                        out, auth_gen_string,
 252                        "NTLMSSP",
 253                        NTLMSSP_AUTH,
 254                        lm_response.data, lm_response.length,
 255                        nt_response.data, nt_response.length,
 256                        domain,
 257                        user,
 258                        cli_credentials_get_workstation(gensec_security->credentials),
 259                        encrypted_session_key.data, encrypted_session_key.length,
 260                        gensec_ntlmssp_state->neg_flags)) {
 261                 talloc_free(mem_ctx);
 262                 return NT_STATUS_NO_MEMORY;
 263         }
 264
 265         gensec_ntlmssp_state->session_key = session_key;
 266         talloc_steal(gensec_ntlmssp_state, session_key.data);
 267
 268         talloc_steal(out_mem_ctx, out->data);
 269
 270         gensec_ntlmssp_state->chal = challenge_blob;
 271         gensec_ntlmssp_state->lm_resp = lm_response;
 272         talloc_steal(gensec_ntlmssp_state->lm_resp.data, lm_response.data);
 273         gensec_ntlmssp_state->nt_resp = nt_response;
 274         talloc_steal(gensec_ntlmssp_state->nt_resp.data, nt_response.data);
 275
 276         gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
 277
 278         if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
 279                 nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
 280                 if (!NT_STATUS_IS_OK(nt_status)) {
 281                         DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
 282                                   nt_errstr(nt_status)));
 283                         talloc_free(mem_ctx);
 284                         return nt_status;
 285                 }
 286         }
 287
 288         talloc_free(mem_ctx);
 289         return NT_STATUS_OK;
 290 }
 291
 292 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 293 {
 294         struct gensec_ntlmssp_state *gensec_ntlmssp_state;
 295         NTSTATUS nt_status;
 296
 297         nt_status = gensec_ntlmssp_start(gensec_security);
 298         NT_STATUS_NOT_OK_RETURN(nt_status);
 299
 300         gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
 301
 302         gensec_ntlmssp_state->role = NTLMSSP_CLIENT;
 303
 304         gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx);
 305
 306         gensec_ntlmssp_state->unicode = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "unicode", true);
 307
 308         gensec_ntlmssp_state->use_nt_response = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true);
 309
 310         gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->lp_ctx)
 311                                               && (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false)
 312                                                   || lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)));
 313
 314         gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->lp_ctx);
 315
 316         gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 317
 318         gensec_ntlmssp_state->neg_flags =
 319                 NTLMSSP_NEGOTIATE_NTLM |
 320                 NTLMSSP_REQUEST_TARGET;
 321
 322         if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "128bit", true)) {
 323                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
 324         }
 325
 326         if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "56bit", false)) {
 327                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
 328         }
 329
 330         if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) {
 331                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 332         }
 333
 334         if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) {
 335                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
 336         }
 337
 338         if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) {
 339                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 340         }
 341
 342         if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) {
 343                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 344         } else {
 345                 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
 346                 gensec_ntlmssp_state->use_ntlmv2 = false;
 347         }
 348
 349         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 350                 /*
 351                  * We need to set this to allow a later SetPassword
 352                  * via the SAMR pipe to succeed. Strange.... We could
 353                  * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
 354                  *
 355                  * Without this, Windows will not create the master key
 356                  * that it thinks is only used for NTLMSSP signing and
 357                  * sealing.  (It is actually pulled out and used directly)
 358                  */
 359                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 360         }
 361         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 362                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 363         }
 364         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 365                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 366         }
 367
 368         gensec_security->private_data = gensec_ntlmssp_state;
 369
 370         return NT_STATUS_OK;
 371 }
 372