s4:auth Move struct auth_usersupplied_info to a common location
[kai/samba.git] / source4 / auth / ntlmssp / ntlmssp_server.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, client server side parsing
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "../libcli/auth/ntlmssp_ndr.h"
30 #include "../libcli/auth/ntlmssp_private.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../lib/crypto/crypto.h"
33 #include "auth/gensec/gensec.h"
34 #include "auth/gensec/gensec_proto.h"
35 #include "auth/auth.h"
36 #include "param/param.h"
37
38 /**
39  * Next state function for the Negotiate packet (GENSEC wrapper)
40  *
41  * @param gensec_security GENSEC state
42  * @param out_mem_ctx Memory context for *out
43  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
44  * @param out The reply, as an allocated DATA_BLOB, caller to free.
45  * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
46  */
47
48 NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
49                                          TALLOC_CTX *out_mem_ctx,
50                                          const DATA_BLOB request, DATA_BLOB *reply)
51 {
52         struct gensec_ntlmssp_context *gensec_ntlmssp =
53                 talloc_get_type_abort(gensec_security->private_data,
54                                       struct gensec_ntlmssp_context);
55         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
56         return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply);
57 }
58
59 /**
60  * Next state function for the Authenticate packet (GENSEC wrapper)
61  *
62  * @param gensec_security GENSEC state
63  * @param out_mem_ctx Memory context for *out
64  * @param in The request, as a DATA_BLOB.  reply.data must be NULL
65  * @param out The reply, as an allocated DATA_BLOB, caller to free.
66  * @return Errors or NT_STATUS_OK if authentication sucessful
67  */
68
69 NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
70                                     TALLOC_CTX *out_mem_ctx,
71                                     const DATA_BLOB in, DATA_BLOB *out)
72 {
73         struct gensec_ntlmssp_context *gensec_ntlmssp =
74                 talloc_get_type_abort(gensec_security->private_data,
75                                       struct gensec_ntlmssp_context);
76         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
77         return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
78 };
79
80 /**
81  * Return the challenge as determined by the authentication subsystem 
82  * @return an 8 byte random challenge
83  */
84
85 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
86                                            uint8_t chal[8])
87 {
88         struct gensec_ntlmssp_context *gensec_ntlmssp =
89                 talloc_get_type_abort(ntlmssp_state->callback_private,
90                                       struct gensec_ntlmssp_context);
91         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
92         NTSTATUS status;
93
94         status = auth_context->get_challenge(auth_context, chal);
95         if (!NT_STATUS_IS_OK(status)) {
96                 DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
97                         nt_errstr(status)));
98                 return status;
99         }
100
101         return NT_STATUS_OK;
102 }
103
104 /**
105  * Some authentication methods 'fix' the challenge, so we may not be able to set it
106  *
107  * @return If the effective challenge used by the auth subsystem may be modified
108  */
109 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
110 {
111         struct gensec_ntlmssp_context *gensec_ntlmssp =
112                 talloc_get_type_abort(ntlmssp_state->callback_private,
113                                       struct gensec_ntlmssp_context);
114         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
115
116         return auth_context->challenge_may_be_modified(auth_context);
117 }
118
119 /**
120  * NTLM2 authentication modifies the effective challenge, 
121  * @param challenge The new challenge value
122  */
123 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
124 {
125         struct gensec_ntlmssp_context *gensec_ntlmssp =
126                 talloc_get_type_abort(ntlmssp_state->callback_private,
127                                       struct gensec_ntlmssp_context);
128         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
129         NTSTATUS nt_status;
130         const uint8_t *chal;
131
132         if (challenge->length != 8) {
133                 return NT_STATUS_INVALID_PARAMETER;
134         }
135
136         chal = challenge->data;
137
138         nt_status = auth_context->set_challenge(auth_context,
139                                                 chal,
140                                                 "NTLMSSP callback (NTLM2)");
141
142         return nt_status;
143 }
144
145 /**
146  * Check the password on an NTLMSSP login.  
147  *
148  * Return the session keys used on the connection.
149  */
150
151 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
152                                             DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
153 {
154         struct gensec_ntlmssp_context *gensec_ntlmssp =
155                 talloc_get_type_abort(ntlmssp_state->callback_private,
156                                       struct gensec_ntlmssp_context);
157         struct auth_context *auth_context = gensec_ntlmssp->auth_context;
158         NTSTATUS nt_status;
159         struct auth_usersupplied_info *user_info;
160
161         user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
162         if (!user_info) {
163                 return NT_STATUS_NO_MEMORY;
164         }
165
166         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
167         user_info->flags = 0;
168         user_info->mapped_state = false;
169         user_info->client.account_name = ntlmssp_state->user;
170         user_info->client.domain_name = ntlmssp_state->domain;
171         user_info->workstation_name = ntlmssp_state->client.netbios_name;
172         user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
173
174         user_info->password_state = AUTH_PASSWORD_RESPONSE;
175         user_info->password.response.lanman = ntlmssp_state->lm_resp;
176         user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
177         user_info->password.response.nt = ntlmssp_state->nt_resp;
178         user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
179
180         nt_status = auth_context->check_password(auth_context,
181                                                  gensec_ntlmssp,
182                                                  user_info,
183                                                  &gensec_ntlmssp->server_info);
184         talloc_free(user_info);
185         NT_STATUS_NOT_OK_RETURN(nt_status);
186
187         if (gensec_ntlmssp->server_info->user_session_key.length) {
188                 DEBUG(10, ("Got NT session key of length %u\n",
189                            (unsigned)gensec_ntlmssp->server_info->user_session_key.length));
190                 *user_session_key = gensec_ntlmssp->server_info->user_session_key;
191         }
192         if (gensec_ntlmssp->server_info->lm_session_key.length) {
193                 DEBUG(10, ("Got LM session key of length %u\n",
194                            (unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
195                 *lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
196         }
197         return nt_status;
198 }
199
200 /** 
201  * Return the credentials of a logged on user, including session keys
202  * etc.
203  *
204  * Only valid after a successful authentication
205  *
206  * May only be called once per authentication.
207  *
208  */
209
210 NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
211                                      struct auth_session_info **session_info) 
212 {
213         NTSTATUS nt_status;
214         struct gensec_ntlmssp_context *gensec_ntlmssp =
215                 talloc_get_type_abort(gensec_security->private_data,
216                                       struct gensec_ntlmssp_context);
217         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
218
219         nt_status = gensec_generate_session_info(ntlmssp_state,
220                                                  gensec_security,
221                                                  gensec_ntlmssp->server_info,
222                                                  session_info);
223         NT_STATUS_NOT_OK_RETURN(nt_status);
224
225         (*session_info)->session_key = data_blob_talloc(*session_info, 
226                                                         ntlmssp_state->session_key.data,
227                                                         ntlmssp_state->session_key.length);
228
229         return NT_STATUS_OK;
230 }
231
232 /**
233  * Start NTLMSSP on the server side 
234  *
235  */
236 NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
237 {
238         NTSTATUS nt_status;
239         struct ntlmssp_state *ntlmssp_state;
240         struct gensec_ntlmssp_context *gensec_ntlmssp;
241
242         nt_status = gensec_ntlmssp_start(gensec_security);
243         NT_STATUS_NOT_OK_RETURN(nt_status);
244
245         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
246                                                struct gensec_ntlmssp_context);
247         ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
248
249         ntlmssp_state->role = NTLMSSP_SERVER;
250
251         ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
252
253         ntlmssp_state->allow_lm_key = (lpcfg_lanman_auth(gensec_security->settings->lp_ctx)
254                                           && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
255
256         ntlmssp_state->neg_flags =
257                 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
258
259         ntlmssp_state->lm_resp = data_blob(NULL, 0);
260         ntlmssp_state->nt_resp = data_blob(NULL, 0);
261
262         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
263                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
264         }
265
266         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
267                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
268         }
269
270         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
271                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
272         }
273
274         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
275                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
276         }
277
278         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
279                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
280         }
281
282         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
283                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
284         }
285         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
286                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
287         }
288
289         gensec_ntlmssp->auth_context = gensec_security->auth_context;
290
291         ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
292         ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
293         ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
294         ntlmssp_state->check_password = auth_ntlmssp_check_password;
295         if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
296                 ntlmssp_state->server.is_standalone = true;
297         } else {
298                 ntlmssp_state->server.is_standalone = false;
299         }
300
301         ntlmssp_state->server.netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
302
303         ntlmssp_state->server.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
304
305         {
306                 char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
307
308                 /* Find out the DNS domain name */
309                 dnsdomname[0] = '\0';
310                 safe_strcpy(dnsdomname, lpcfg_dnsdomain(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
311
312                 /* Find out the DNS host name */
313                 safe_strcpy(dnsname, ntlmssp_state->server.netbios_name, sizeof(dnsname) - 1);
314                 if (dnsdomname[0] != '\0') {
315                         safe_strcat(dnsname, ".", sizeof(dnsname) - 1);
316                         safe_strcat(dnsname, dnsdomname, sizeof(dnsname) - 1);
317                 }
318                 strlower_m(dnsname);
319
320                 ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state,
321                                                                       dnsname);
322                 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
323
324                 ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state,
325                                                                         dnsdomname);
326                 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
327         }
328
329         return NT_STATUS_OK;
330 }
331