auth/ntlmssp/ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, client server side parsing
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 struct auth_session_info;
  25
  26 #include "includes.h"
  27 #include "auth/ntlmssp/ntlmssp.h"
  28 #include "auth/ntlmssp/ntlmssp_private.h"
  29 #include "../libcli/auth/libcli_auth.h"
  30 #include "librpc/gen_ndr/ndr_dcerpc.h"
  31 #include "auth/gensec/gensec.h"
  32 #include "auth/gensec/gensec_internal.h"
  33
  34 /**
  35  * Callbacks for NTLMSSP - for both client and server operating modes
  36  *
  37  */
  38
  39 static const struct ntlmssp_callbacks {
  40         enum ntlmssp_role role;
  41         enum ntlmssp_message_type command;
  42         NTSTATUS (*sync_fn)(struct gensec_security *gensec_security,
  43                             TALLOC_CTX *out_mem_ctx,
  44                             DATA_BLOB in, DATA_BLOB *out);
  45 } ntlmssp_callbacks[] = {
  46         {
  47                 .role           = NTLMSSP_CLIENT,
  48                 .command        = NTLMSSP_INITIAL,
  49                 .sync_fn        = ntlmssp_client_initial,
  50         },{
  51                 .role           = NTLMSSP_CLIENT,
  52                 .command        = NTLMSSP_NEGOTIATE,
  53                 .sync_fn        = gensec_ntlmssp_resume_ccache,
  54         },{
  55                 .role           = NTLMSSP_SERVER,
  56                 .command        = NTLMSSP_NEGOTIATE,
  57                 .sync_fn        = gensec_ntlmssp_server_negotiate,
  58         },{
  59                 .role           = NTLMSSP_CLIENT,
  60                 .command        = NTLMSSP_CHALLENGE,
  61                 .sync_fn        = ntlmssp_client_challenge,
  62         },{
  63                 .role           = NTLMSSP_SERVER,
  64                 .command        = NTLMSSP_AUTH,
  65                 .sync_fn        = gensec_ntlmssp_server_auth,
  66         }
  67 };
  68
  69
  70 static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_security,
  71                                            struct gensec_ntlmssp_context *gensec_ntlmssp,
  72                                            const DATA_BLOB input, uint32_t *idx)
  73 {
  74         uint32_t ntlmssp_command;
  75         uint32_t i;
  76
  77         if (gensec_ntlmssp->ntlmssp_state->expected_state == NTLMSSP_DONE) {
  78                 /* We are strict here because other modules, which we
  79                  * don't fully control (such as GSSAPI) are also
  80                  * strict, but are tested less often */
  81
  82                 DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
  83                 return NT_STATUS_INVALID_PARAMETER;
  84         }
  85
  86         if (!input.length) {
  87                 switch (gensec_ntlmssp->ntlmssp_state->role) {
  88                 case NTLMSSP_CLIENT:
  89                         if (gensec_ntlmssp->ntlmssp_state->resume_ccache) {
  90                                 /*
  91                                  * make sure gensec_ntlmssp_resume_ccache()
  92                                  * will be called
  93                                  */
  94                                 ntlmssp_command = NTLMSSP_NEGOTIATE;
  95                                 break;
  96                         }
  97
  98                         ntlmssp_command = NTLMSSP_INITIAL;
  99                         break;
 100                 case NTLMSSP_SERVER:
 101                         if (gensec_security->want_features & GENSEC_FEATURE_DATAGRAM_MODE) {
 102                                 /* 'datagram' mode - no neg packet */
 103                                 ntlmssp_command = NTLMSSP_NEGOTIATE;
 104                         } else {
 105                                 /* This is normal in SPNEGO mech negotiation fallback */
 106                                 DEBUG(2, ("Failed to parse NTLMSSP packet: zero length\n"));
 107                                 return NT_STATUS_INVALID_PARAMETER;
 108                         }
 109                         break;
 110                 default:
 111                         DEBUG(1, ("NTLMSSP state has invalid role %d\n",
 112                                   gensec_ntlmssp->ntlmssp_state->role));
 113                         return NT_STATUS_INVALID_PARAMETER;
 114                 }
 115         } else {
 116                 if (!msrpc_parse(gensec_ntlmssp->ntlmssp_state,
 117                                  &input, "Cd",
 118                                  "NTLMSSP",
 119                                  &ntlmssp_command)) {
 120                         DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
 121                         dump_data(2, input.data, input.length);
 122                         return NT_STATUS_INVALID_PARAMETER;
 123                 }
 124         }
 125
 126         if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
 127                 DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command,
 128                           gensec_ntlmssp->ntlmssp_state->expected_state));
 129                 return NT_STATUS_INVALID_PARAMETER;
 130         }
 131
 132         for (i=0; i < ARRAY_SIZE(ntlmssp_callbacks); i++) {
 133                 if (ntlmssp_callbacks[i].role == gensec_ntlmssp->ntlmssp_state->role &&
 134                     ntlmssp_callbacks[i].command == ntlmssp_command) {
 135                         *idx = i;
 136                         return NT_STATUS_OK;
 137                 }
 138         }
 139
 140         DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
 141                   gensec_ntlmssp->ntlmssp_state->role, ntlmssp_command));
 142
 143         return NT_STATUS_INVALID_PARAMETER;
 144 }
 145
 146 /**
 147  * Next state function for the wrapped NTLMSSP state machine
 148  *
 149  * @param gensec_security GENSEC state, initialised to NTLMSSP
 150  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 151  * @param in The request, as a DATA_BLOB
 152  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 153  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 154  *                or NT_STATUS_OK if the user is authenticated.
 155  */
 156
 157 NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
 158                                TALLOC_CTX *out_mem_ctx,
 159                                struct tevent_context *ev,
 160                                const DATA_BLOB input, DATA_BLOB *out)
 161 {
 162         struct gensec_ntlmssp_context *gensec_ntlmssp =
 163                 talloc_get_type_abort(gensec_security->private_data,
 164                                       struct gensec_ntlmssp_context);
 165         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 166         NTSTATUS status;
 167         uint32_t i;
 168
 169         *out = data_blob(NULL, 0);
 170
 171         if (!out_mem_ctx) {
 172                 /* if the caller doesn't want to manage/own the memory,
 173                    we can put it on our context */
 174                 out_mem_ctx = ntlmssp_state;
 175         }
 176
 177         status = gensec_ntlmssp_update_find(gensec_security, gensec_ntlmssp, input, &i);
 178         NT_STATUS_NOT_OK_RETURN(status);
 179
 180         status = ntlmssp_callbacks[i].sync_fn(gensec_security, out_mem_ctx, input, out);
 181         NT_STATUS_NOT_OK_RETURN(status);
 182
 183         return NT_STATUS_OK;
 184 }
 185
 186 static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_security,
 187                                                 bool full_reset)
 188 {
 189         struct gensec_ntlmssp_context *gensec_ntlmssp =
 190                 talloc_get_type_abort(gensec_security->private_data,
 191                                       struct gensec_ntlmssp_context);
 192         struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 193         NTSTATUS status;
 194         bool reset_seqnums = full_reset;
 195
 196         if (!gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 197                 return NT_STATUS_OK;
 198         }
 199
 200         status = ntlmssp_sign_reset(ntlmssp_state, reset_seqnums);
 201         if (!NT_STATUS_IS_OK(status)) {
 202                 DEBUG(1, ("Could not reset NTLMSSP signing/sealing system (error was: %s)\n",
 203                           nt_errstr(status)));
 204                 return status;
 205         }
 206
 207         return NT_STATUS_OK;
 208 }
 209
 210 static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security)
 211 {
 212         return GENSEC_FINAL_AUTH_TYPE_NTLMSSP;
 213 }
 214
 215 static const char *gensec_ntlmssp_oids[] = {
 216         GENSEC_OID_NTLMSSP,
 217         NULL
 218 };
 219
 220 static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
 221         .name           = "ntlmssp",
 222         .sasl_name      = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */
 223         .auth_type      = DCERPC_AUTH_TYPE_NTLMSSP,
 224         .oid            = gensec_ntlmssp_oids,
 225         .client_start   = gensec_ntlmssp_client_start,
 226         .server_start   = gensec_ntlmssp_server_start,
 227         .magic          = gensec_ntlmssp_magic,
 228         .update         = gensec_ntlmssp_update,
 229         .may_reset_crypto= gensec_ntlmssp_may_reset_crypto,
 230         .sig_size       = gensec_ntlmssp_sig_size,
 231         .sign_packet    = gensec_ntlmssp_sign_packet,
 232         .check_packet   = gensec_ntlmssp_check_packet,
 233         .seal_packet    = gensec_ntlmssp_seal_packet,
 234         .unseal_packet  = gensec_ntlmssp_unseal_packet,
 235         .wrap           = gensec_ntlmssp_wrap,
 236         .unwrap         = gensec_ntlmssp_unwrap,
 237         .session_key    = gensec_ntlmssp_session_key,
 238         .session_info   = gensec_ntlmssp_session_info,
 239         .have_feature   = gensec_ntlmssp_have_feature,
 240         .final_auth_type = gensec_ntlmssp_final_auth_type,
 241         .enabled        = true,
 242         .priority       = GENSEC_NTLMSSP
 243 };
 244
 245 static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = {
 246         .name           = "ntlmssp_resume_ccache",
 247         .client_start   = gensec_ntlmssp_resume_ccache_start,
 248         .update         = gensec_ntlmssp_update,
 249         .session_key    = gensec_ntlmssp_session_key,
 250         .have_feature   = gensec_ntlmssp_have_feature,
 251         .enabled        = true,
 252         .priority       = GENSEC_NTLMSSP
 253 };
 254
 255 _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
 256 {
 257         NTSTATUS ret;
 258
 259         ret = gensec_register(&gensec_ntlmssp_security_ops);
 260         if (!NT_STATUS_IS_OK(ret)) {
 261                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 262                         gensec_ntlmssp_security_ops.name));
 263                 return ret;
 264         }
 265
 266         ret = gensec_register(&gensec_ntlmssp_resume_ccache_ops);
 267         if (!NT_STATUS_IS_OK(ret)) {
 268                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 269                         gensec_ntlmssp_resume_ccache_ops.name));
 270                 return ret;
 271         }
 272
 273         return ret;
 274 }
 275
 276 static struct gensec_security *gensec_find_child_by_ops(struct gensec_security *gensec_security,
 277                                                         const struct gensec_security_ops *ops)
 278 {
 279         struct gensec_security *current = gensec_security;
 280
 281         while (current != NULL) {
 282                 if (current->ops == ops) {
 283                         return current;
 284                 }
 285
 286                 current = current->child_security;
 287         }
 288
 289         return NULL;
 290 }
 291
 292 uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security)
 293 {
 294         struct gensec_ntlmssp_context *gensec_ntlmssp;
 295
 296         gensec_security = gensec_find_child_by_ops(gensec_security,
 297                                         &gensec_ntlmssp_security_ops);
 298         if (gensec_security == NULL) {
 299                 return 0;
 300         }
 301
 302         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
 303                                                struct gensec_ntlmssp_context);
 304         return gensec_ntlmssp->ntlmssp_state->neg_flags;
 305 }
 306
 307 const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security)
 308 {
 309         struct gensec_ntlmssp_context *gensec_ntlmssp;
 310
 311         gensec_security = gensec_find_child_by_ops(gensec_security,
 312                                         &gensec_ntlmssp_security_ops);
 313         if (gensec_security == NULL) {
 314                 return NULL;
 315         }
 316
 317         gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
 318                                                struct gensec_ntlmssp_context);
 319         return gensec_ntlmssp->ntlmssp_state->server.netbios_domain;
 320 }