2 Unix SMB/Netbios implementation.
4 handle NTLMSSP, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/util/time_basic.h"
25 #include "auth/ntlmssp/ntlmssp.h"
26 #include "auth/ntlmssp/ntlmssp_private.h"
27 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
28 #include "auth/ntlmssp/ntlmssp_ndr.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "../lib/crypto/crypto.h"
31 #include "auth/gensec/gensec.h"
32 #include "auth/gensec/gensec_internal.h"
33 #include "auth/common_auth.h"
34 #include "param/param.h"
35 #include "param/loadparm.h"
36 #include "libcli/security/session.h"
39 * Determine correct target name flags for reply, given server role
40 * and negotiated flags
42 * @param ntlmssp_state NTLMSSP State
43 * @param neg_flags The flags from the packet
44 * @param chal_flags The flags to be set in the reply packet
45 * @return The 'target name' string.
48 const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
49 uint32_t neg_flags, uint32_t *chal_flags)
51 if (neg_flags & NTLMSSP_REQUEST_TARGET) {
52 *chal_flags |= NTLMSSP_NEGOTIATE_TARGET_INFO;
53 *chal_flags |= NTLMSSP_REQUEST_TARGET;
54 if (ntlmssp_state->server.is_standalone) {
55 *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER;
56 return ntlmssp_state->server.netbios_name;
58 *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
59 return ntlmssp_state->server.netbios_domain;
67 * Next state function for the NTLMSSP Negotiate packet
69 * @param gensec_security GENSEC state
70 * @param out_mem_ctx Memory context for *out
71 * @param in The request, as a DATA_BLOB. reply.data must be NULL
72 * @param out The reply, as an allocated DATA_BLOB, caller to free.
73 * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
76 NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
77 TALLOC_CTX *out_mem_ctx,
78 const DATA_BLOB request, DATA_BLOB *reply)
80 struct gensec_ntlmssp_context *gensec_ntlmssp =
81 talloc_get_type_abort(gensec_security->private_data,
82 struct gensec_ntlmssp_context);
83 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
84 struct auth4_context *auth_context = gensec_security->auth_context;
85 DATA_BLOB struct_blob;
86 uint32_t neg_flags = 0;
87 uint32_t ntlmssp_command, chal_flags;
89 const char *target_name;
91 struct timeval tv_now = timeval_current();
95 * Windows NT 4.0, windows_2000: use 30 minutes,
96 * Windows XP, Windows Server 2003, Windows Vista,
97 * Windows Server 2008, Windows 7, and Windows Server 2008 R2
100 * Newer systems doesn't check this, likely because the
101 * connectionless NTLMSSP is no longer supported.
103 * As we expect the AUTHENTICATION_MESSAGE to arrive
104 * directly after the NEGOTIATE_MESSAGE (typically less than
105 * as 1 second later). We use a hard timeout of 30 Minutes.
107 * We don't look at AUTHENTICATE_MESSAGE.NtChallengeResponse.TimeStamp
108 * instead we just remember our own time.
110 uint32_t max_lifetime = 30 * 60;
111 struct timeval tv_end = timeval_add(&tv_now, max_lifetime, 0);
113 /* parse the NTLMSSP packet */
115 file_save("ntlmssp_negotiate.dat", request.data, request.length);
118 if (request.length) {
119 if (request.length > UINT16_MAX) {
120 DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
121 (unsigned int)request.length));
122 return NT_STATUS_INVALID_PARAMETER;
125 if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
129 DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
130 (unsigned int)request.length));
131 dump_data(2, request.data, request.length);
132 return NT_STATUS_INVALID_PARAMETER;
134 debug_ntlmssp_flags(neg_flags);
136 if (DEBUGLEVEL >= 10) {
137 struct NEGOTIATE_MESSAGE *negotiate = talloc(
138 ntlmssp_state, struct NEGOTIATE_MESSAGE);
139 if (negotiate != NULL) {
140 status = ntlmssp_pull_NEGOTIATE_MESSAGE(
141 &request, negotiate, negotiate);
142 if (NT_STATUS_IS_OK(status)) {
143 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
146 TALLOC_FREE(negotiate);
151 status = ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, "negotiate");
152 if (!NT_STATUS_IS_OK(status)){
156 /* Ask our caller what challenge they would like in the packet */
157 if (auth_context->get_ntlm_challenge) {
158 status = auth_context->get_ntlm_challenge(auth_context, cryptkey);
159 if (!NT_STATUS_IS_OK(status)) {
160 DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to get challenge: %s\n",
165 DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't give a challenge\n"));
166 return NT_STATUS_NOT_IMPLEMENTED;
169 /* The flags we send back are not just the negotiated flags,
170 * they are also 'what is in this packet'. Therfore, we
171 * operate on 'chal_flags' from here on
174 chal_flags = ntlmssp_state->neg_flags;
175 ntlmssp_state->server.challenge_endtime = timeval_to_nttime(&tv_end);
177 /* get the right name to fill in as 'target' */
178 target_name = ntlmssp_target_name(ntlmssp_state,
179 neg_flags, &chal_flags);
180 if (target_name == NULL)
181 return NT_STATUS_INVALID_PARAMETER;
183 ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
184 ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
187 /* This creates the 'blob' of names that appears at the end of the packet */
188 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
189 enum ndr_err_code err;
190 struct AV_PAIR *pairs = NULL;
193 pairs = talloc_zero_array(ntlmssp_state, struct AV_PAIR, count + 1);
195 return NT_STATUS_NO_MEMORY;
198 pairs[0].AvId = MsvAvNbDomainName;
199 pairs[0].Value.AvNbDomainName = target_name;
201 pairs[1].AvId = MsvAvNbComputerName;
202 pairs[1].Value.AvNbComputerName = ntlmssp_state->server.netbios_name;
204 pairs[2].AvId = MsvAvDnsDomainName;
205 pairs[2].Value.AvDnsDomainName = ntlmssp_state->server.dns_domain;
207 pairs[3].AvId = MsvAvDnsComputerName;
208 pairs[3].Value.AvDnsComputerName= ntlmssp_state->server.dns_name;
210 if (!ntlmssp_state->force_old_spnego) {
211 pairs[4].AvId = MsvAvTimestamp;
212 pairs[4].Value.AvTimestamp =
213 timeval_to_nttime(&tv_now);
216 pairs[5].AvId = MsvAvEOL;
218 pairs[4].AvId = MsvAvEOL;
221 ntlmssp_state->server.av_pair_list.count = count;
222 ntlmssp_state->server.av_pair_list.pair = pairs;
224 err = ndr_push_struct_blob(&struct_blob,
226 &ntlmssp_state->server.av_pair_list,
227 (ndr_push_flags_fn_t)ndr_push_AV_PAIR_LIST);
228 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
229 return NT_STATUS_NO_MEMORY;
232 struct_blob = data_blob_null;
236 /* Marshal the packet in the right format, be it unicode or ASCII */
237 const char *gen_string;
238 const DATA_BLOB version_blob = ntlmssp_version_blob();
240 if (ntlmssp_state->unicode) {
241 gen_string = "CdUdbddBb";
243 gen_string = "CdAdbddBb";
246 status = msrpc_gen(out_mem_ctx, reply, gen_string,
253 struct_blob.data, struct_blob.length,
254 version_blob.data, version_blob.length);
256 if (!NT_STATUS_IS_OK(status)) {
257 data_blob_free(&struct_blob);
261 if (DEBUGLEVEL >= 10) {
262 struct CHALLENGE_MESSAGE *challenge = talloc(
263 ntlmssp_state, struct CHALLENGE_MESSAGE);
264 if (challenge != NULL) {
265 challenge->NegotiateFlags = chal_flags;
266 status = ntlmssp_pull_CHALLENGE_MESSAGE(
267 reply, challenge, challenge);
268 if (NT_STATUS_IS_OK(status)) {
269 NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
272 TALLOC_FREE(challenge);
277 data_blob_free(&struct_blob);
279 ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state,
281 if (ntlmssp_state->negotiate_blob.length != request.length) {
282 return NT_STATUS_NO_MEMORY;
285 ntlmssp_state->challenge_blob = data_blob_dup_talloc(ntlmssp_state,
287 if (ntlmssp_state->challenge_blob.length != reply->length) {
288 return NT_STATUS_NO_MEMORY;
291 ntlmssp_state->expected_state = NTLMSSP_AUTH;
293 return NT_STATUS_MORE_PROCESSING_REQUIRED;
296 struct ntlmssp_server_auth_state {
297 struct auth_usersupplied_info *user_info;
298 DATA_BLOB user_session_key;
299 DATA_BLOB lm_session_key;
300 /* internal variables used by KEY_EXCH (client-supplied user session key */
301 DATA_BLOB encrypted_session_key;
303 /* internal variables used by NTLM2 */
304 uint8_t session_nonce[16];
308 * Next state function for the Authenticate packet
310 * @param ntlmssp_state NTLMSSP State
311 * @param request The request, as a DATA_BLOB
312 * @return Errors or NT_STATUS_OK.
315 static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
316 struct gensec_ntlmssp_context *gensec_ntlmssp,
317 struct ntlmssp_server_auth_state *state,
318 const DATA_BLOB request)
320 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
321 struct auth4_context *auth_context = gensec_security->auth_context;
322 struct auth_usersupplied_info *user_info = NULL;
323 uint32_t ntlmssp_command, auth_flags;
325 const unsigned int version_len = 8;
326 DATA_BLOB version_blob = data_blob_null;
327 const unsigned int mic_len = NTLMSSP_MIC_SIZE;
328 DATA_BLOB mic_blob = data_blob_null;
329 uint8_t session_nonce_hash[16];
330 const char *parse_string;
332 struct timeval endtime;
333 bool expired = false;
336 file_save("ntlmssp_auth.dat", request.data, request.length);
339 if (ntlmssp_state->unicode) {
340 parse_string = "CdBBUUUBdbb";
342 parse_string = "CdBBAAABdbb";
346 data_blob_free(&ntlmssp_state->session_key);
347 data_blob_free(&ntlmssp_state->lm_resp);
348 data_blob_free(&ntlmssp_state->nt_resp);
350 ntlmssp_state->user = NULL;
351 ntlmssp_state->domain = NULL;
352 ntlmssp_state->client.netbios_name = NULL;
354 /* now the NTLMSSP encoded auth hashes */
355 ok = msrpc_parse(ntlmssp_state, &request, parse_string,
358 &ntlmssp_state->lm_resp,
359 &ntlmssp_state->nt_resp,
360 &ntlmssp_state->domain,
361 &ntlmssp_state->user,
362 &ntlmssp_state->client.netbios_name,
363 &state->encrypted_session_key,
365 &version_blob, version_len,
368 DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
369 dump_data(10, request.data, request.length);
371 data_blob_free(&version_blob);
372 data_blob_free(&mic_blob);
374 if (ntlmssp_state->unicode) {
375 parse_string = "CdBBUUUBd";
377 parse_string = "CdBBAAABd";
380 ok = msrpc_parse(ntlmssp_state, &request, parse_string,
383 &ntlmssp_state->lm_resp,
384 &ntlmssp_state->nt_resp,
385 &ntlmssp_state->domain,
386 &ntlmssp_state->user,
387 &ntlmssp_state->client.netbios_name,
388 &state->encrypted_session_key,
393 DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
394 dump_data(10, request.data, request.length);
397 data_blob_free(&state->encrypted_session_key);
400 /* Try again with a shorter string (Win9X truncates this packet) */
401 if (ntlmssp_state->unicode) {
402 parse_string = "CdBBUUU";
404 parse_string = "CdBBAAA";
407 /* now the NTLMSSP encoded auth hashes */
408 if (!msrpc_parse(ntlmssp_state, &request, parse_string,
411 &ntlmssp_state->lm_resp,
412 &ntlmssp_state->nt_resp,
413 &ntlmssp_state->domain,
414 &ntlmssp_state->user,
415 &ntlmssp_state->client.netbios_name)) {
416 DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
417 dump_data(2, request.data, request.length);
419 return NT_STATUS_INVALID_PARAMETER;
423 talloc_steal(state, state->encrypted_session_key.data);
425 if (auth_flags != 0) {
426 nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
429 if (!NT_STATUS_IS_OK(nt_status)){
434 if (DEBUGLEVEL >= 10) {
435 struct AUTHENTICATE_MESSAGE *authenticate = talloc(
436 ntlmssp_state, struct AUTHENTICATE_MESSAGE);
437 if (authenticate != NULL) {
439 authenticate->NegotiateFlags = auth_flags;
440 status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
441 &request, authenticate, authenticate);
442 if (NT_STATUS_IS_OK(status)) {
443 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
446 TALLOC_FREE(authenticate);
450 DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
451 ntlmssp_state->user, ntlmssp_state->domain,
452 ntlmssp_state->client.netbios_name,
453 (unsigned long)ntlmssp_state->lm_resp.length,
454 (unsigned long)ntlmssp_state->nt_resp.length));
457 file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
458 file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
461 if (ntlmssp_state->nt_resp.length > 24) {
462 struct NTLMv2_RESPONSE v2_resp;
463 enum ndr_err_code err;
466 const struct AV_PAIR *flags = NULL;
467 const struct AV_PAIR *eol = NULL;
468 uint32_t av_flags = 0;
470 err = ndr_pull_struct_blob(&ntlmssp_state->nt_resp,
473 (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
474 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
475 nt_status = ndr_map_error2ntstatus(err);
476 DEBUG(1,("%s: failed to parse NTLMv2_RESPONSE of length %zu for "
477 "user=[%s] domain=[%s] workstation=[%s] - %s %s\n",
478 __func__, ntlmssp_state->nt_resp.length,
479 ntlmssp_state->user, ntlmssp_state->domain,
480 ntlmssp_state->client.netbios_name,
481 ndr_errstr(err), nt_errstr(nt_status)));
486 NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
489 eol = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
492 DEBUG(1,("%s: missing MsvAvEOL for "
493 "user=[%s] domain=[%s] workstation=[%s]\n",
494 __func__, ntlmssp_state->user, ntlmssp_state->domain,
495 ntlmssp_state->client.netbios_name));
496 return NT_STATUS_INVALID_PARAMETER;
499 flags = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
502 av_flags = flags->Value.AvFlags;
505 if (av_flags & NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE) {
506 if (mic_blob.length != NTLMSSP_MIC_SIZE) {
507 DEBUG(1,("%s: mic_blob.length[%u] for "
508 "user=[%s] domain=[%s] workstation=[%s]\n",
510 (unsigned)mic_blob.length,
512 ntlmssp_state->domain,
513 ntlmssp_state->client.netbios_name));
514 return NT_STATUS_INVALID_PARAMETER;
518 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE))
520 DEBUG(1,("%s: missing MIC "
521 "request.length[%u] for "
522 "user=[%s] domain=[%s] workstation=[%s]\n",
524 (unsigned)request.length,
526 ntlmssp_state->domain,
527 ntlmssp_state->client.netbios_name));
528 return NT_STATUS_INVALID_PARAMETER;
531 ntlmssp_state->new_spnego = true;
534 count = ntlmssp_state->server.av_pair_list.count;
535 if (v2_resp.Challenge.AvPairs.count < count) {
536 return NT_STATUS_INVALID_PARAMETER;
539 for (i = 0; i < count; i++) {
540 const struct AV_PAIR *sp =
541 &ntlmssp_state->server.av_pair_list.pair[i];
542 const struct AV_PAIR *cp = NULL;
544 if (sp->AvId == MsvAvEOL) {
548 cp = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
551 DEBUG(1,("%s: AvId 0x%x missing for"
552 "user=[%s] domain=[%s] "
553 "workstation=[%s]\n",
557 ntlmssp_state->domain,
558 ntlmssp_state->client.netbios_name));
559 return NT_STATUS_INVALID_PARAMETER;
563 #define CASE_STRING(v) case Msv ## v: do { \
565 if (sp->Value.v == NULL) { \
566 return NT_STATUS_INTERNAL_ERROR; \
568 if (cp->Value.v == NULL) { \
569 DEBUG(1,("%s: invalid %s " \
570 "got[%s] expect[%s] for " \
571 "user=[%s] domain=[%s] workstation=[%s]\n", \
575 ntlmssp_state->user, \
576 ntlmssp_state->domain, \
577 ntlmssp_state->client.netbios_name)); \
578 return NT_STATUS_INVALID_PARAMETER; \
580 cmp = strcmp(cp->Value.v, sp->Value.v); \
582 DEBUG(1,("%s: invalid %s " \
583 "got[%s] expect[%s] for " \
584 "user=[%s] domain=[%s] workstation=[%s]\n", \
588 ntlmssp_state->user, \
589 ntlmssp_state->domain, \
590 ntlmssp_state->client.netbios_name)); \
591 return NT_STATUS_INVALID_PARAMETER; \
594 CASE_STRING(AvNbComputerName);
595 CASE_STRING(AvNbDomainName);
596 CASE_STRING(AvDnsComputerName);
597 CASE_STRING(AvDnsDomainName);
598 CASE_STRING(AvDnsTreeName);
600 if (cp->Value.AvTimestamp != sp->Value.AvTimestamp) {
603 struct timeval_buf tmp1;
604 struct timeval_buf tmp2;
606 nttime_to_timeval(&ct,
607 cp->Value.AvTimestamp);
608 nttime_to_timeval(&st,
609 sp->Value.AvTimestamp);
611 DEBUG(1,("%s: invalid AvTimestamp "
612 "got[%s] expect[%s] for "
613 "user=[%s] domain=[%s] "
614 "workstation=[%s]\n",
616 timeval_str_buf(&ct, false,
618 timeval_str_buf(&st, false,
621 ntlmssp_state->domain,
622 ntlmssp_state->client.netbios_name));
623 return NT_STATUS_INVALID_PARAMETER;
628 * This can't happen as we control
629 * ntlmssp_state->server.av_pair_list
631 return NT_STATUS_INTERNAL_ERROR;
636 nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
637 expired = timeval_expired(&endtime);
639 struct timeval_buf tmp;
640 DEBUG(1,("%s: challenge invalid (expired %s) for "
641 "user=[%s] domain=[%s] workstation=[%s]\n",
643 timeval_str_buf(&endtime, false, true, &tmp),
644 ntlmssp_state->user, ntlmssp_state->domain,
645 ntlmssp_state->client.netbios_name));
646 return NT_STATUS_INVALID_PARAMETER;
649 /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
652 However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
654 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
655 if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
656 MD5_CTX md5_session_nonce_ctx;
657 state->doing_ntlm2 = true;
659 memcpy(state->session_nonce, ntlmssp_state->internal_chal.data, 8);
660 memcpy(&state->session_nonce[8], ntlmssp_state->lm_resp.data, 8);
662 SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
664 MD5Init(&md5_session_nonce_ctx);
665 MD5Update(&md5_session_nonce_ctx, state->session_nonce, 16);
666 MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
668 /* LM response is no longer useful */
669 data_blob_free(&ntlmssp_state->lm_resp);
671 /* We changed the effective challenge - set it */
672 if (auth_context->set_ntlm_challenge) {
673 nt_status = auth_context->set_ntlm_challenge(auth_context,
675 "NTLMSSP callback (NTLM2)");
676 if (!NT_STATUS_IS_OK(nt_status)) {
677 DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to get challenge: %s\n",
678 nt_errstr(nt_status)));
682 DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't have facility for challenge to be set\n"));
684 return NT_STATUS_NOT_IMPLEMENTED;
687 /* LM Key is incompatible. */
688 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
692 user_info = talloc_zero(state, struct auth_usersupplied_info);
694 return NT_STATUS_NO_MEMORY;
697 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
698 user_info->flags = 0;
699 user_info->mapped_state = false;
700 user_info->client.account_name = ntlmssp_state->user;
701 user_info->client.domain_name = ntlmssp_state->domain;
702 user_info->workstation_name = ntlmssp_state->client.netbios_name;
703 user_info->remote_host = gensec_get_remote_address(gensec_security);
704 user_info->local_host = gensec_get_local_address(gensec_security);
705 user_info->service_description
706 = gensec_get_target_service_description(gensec_security);
709 * This will just be the string "NTLMSSP" from
710 * gensec_ntlmssp_final_auth_type, but ensures it stays in sync
711 * with the same use in the authorization logging triggered by
712 * gensec_session_info() later
714 user_info->auth_description = gensec_final_auth_type(gensec_security);
716 user_info->password_state = AUTH_PASSWORD_RESPONSE;
717 user_info->password.response.lanman = ntlmssp_state->lm_resp;
718 user_info->password.response.nt = ntlmssp_state->nt_resp;
720 state->user_info = user_info;
725 * Check the password on an NTLMSSP login.
727 * Return the session keys used on the connection.
730 static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_security,
731 struct gensec_ntlmssp_context *gensec_ntlmssp,
732 const struct auth_usersupplied_info *user_info,
734 DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
736 struct auth4_context *auth_context = gensec_security->auth_context;
737 NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
739 if (auth_context->check_ntlm_password) {
740 uint8_t authoritative = 0;
742 nt_status = auth_context->check_ntlm_password(auth_context,
746 &gensec_ntlmssp->server_returned_info,
747 user_session_key, lm_session_key);
750 if (!NT_STATUS_IS_OK(nt_status)) {
751 DEBUG(5, (__location__ ": Checking NTLMSSP password for %s\\%s failed: %s\n", user_info->client.domain_name, user_info->client.account_name, nt_errstr(nt_status)));
753 NT_STATUS_NOT_OK_RETURN(nt_status);
755 talloc_steal(mem_ctx, user_session_key->data);
756 talloc_steal(mem_ctx, lm_session_key->data);
762 * Next state function for the Authenticate packet
763 * (after authentication - figures out the session keys etc)
765 * @param ntlmssp_state NTLMSSP State
766 * @return Errors or NT_STATUS_OK.
769 static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
770 struct gensec_ntlmssp_context *gensec_ntlmssp,
771 struct ntlmssp_server_auth_state *state,
774 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
775 struct auth4_context *auth_context = gensec_security->auth_context;
776 DATA_BLOB user_session_key = state->user_session_key;
777 DATA_BLOB lm_session_key = state->lm_session_key;
778 NTSTATUS nt_status = NT_STATUS_OK;
779 DATA_BLOB session_key = data_blob(NULL, 0);
780 struct auth_session_info *session_info = NULL;
782 TALLOC_FREE(state->user_info);
784 if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
785 && auth_context->generate_session_info != NULL)
790 * We need to check if the auth is anonymous or mapped to guest
792 tmp_status = auth_context->generate_session_info(auth_context, state,
793 gensec_ntlmssp->server_returned_info,
794 gensec_ntlmssp->ntlmssp_state->user,
795 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
797 if (!NT_STATUS_IS_OK(tmp_status)) {
799 * We don't care about failures,
800 * the worst result is that we try MIC checking
801 * for a map to guest authentication.
803 TALLOC_FREE(session_info);
807 if (session_info != NULL) {
808 if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
810 * Anonymous and GUEST are not secure anyway.
811 * avoid new_spnego and MIC checking.
813 ntlmssp_state->new_spnego = false;
814 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
815 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
817 TALLOC_FREE(session_info);
820 dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
821 dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
823 /* Handle the different session key derivation for NTLM2 */
824 if (state->doing_ntlm2) {
825 if (user_session_key.data && user_session_key.length == 16) {
826 session_key = data_blob_talloc(ntlmssp_state,
828 hmac_md5(user_session_key.data, state->session_nonce,
829 sizeof(state->session_nonce), session_key.data);
830 DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
831 dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
834 DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
835 session_key = data_blob_null;
837 } else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
838 /* Ensure we can never get here on NTLMv2 */
839 && (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) {
841 if (lm_session_key.data && lm_session_key.length >= 8) {
842 if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
843 session_key = data_blob_talloc(ntlmssp_state,
845 if (session_key.data == NULL) {
846 return NT_STATUS_NO_MEMORY;
848 SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
850 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
852 static const uint8_t zeros[24] = {0, };
853 session_key = data_blob_talloc(
854 ntlmssp_state, NULL, 16);
855 if (session_key.data == NULL) {
856 return NT_STATUS_NO_MEMORY;
858 SMBsesskeygen_lm_sess_key(zeros, zeros,
860 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
862 dump_data_pw("LM session key:\n", session_key.data,
865 /* LM Key not selected */
866 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
868 DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
869 session_key = data_blob_null;
872 } else if (user_session_key.data) {
873 session_key = user_session_key;
874 DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
875 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
877 /* LM Key not selected */
878 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
880 } else if (lm_session_key.data) {
881 /* Very weird to have LM key, but no user session key, but anyway.. */
882 session_key = lm_session_key;
883 DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
884 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
886 /* LM Key not selected */
887 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
890 DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
891 session_key = data_blob_null;
893 /* LM Key not selected */
894 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
897 /* With KEY_EXCH, the client supplies the proposed session key,
898 but encrypts it with the long-term key */
899 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
900 if (!state->encrypted_session_key.data
901 || state->encrypted_session_key.length != 16) {
902 DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
903 (unsigned)state->encrypted_session_key.length));
904 return NT_STATUS_INVALID_PARAMETER;
905 } else if (!session_key.data || session_key.length != 16) {
906 DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
907 (unsigned int)session_key.length));
908 ntlmssp_state->session_key = session_key;
909 talloc_steal(ntlmssp_state, session_key.data);
911 dump_data_pw("KEY_EXCH session key (enc):\n",
912 state->encrypted_session_key.data,
913 state->encrypted_session_key.length);
914 arcfour_crypt(state->encrypted_session_key.data,
916 state->encrypted_session_key.length);
917 ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state,
918 state->encrypted_session_key.data,
919 state->encrypted_session_key.length);
920 dump_data_pw("KEY_EXCH session key:\n",
921 state->encrypted_session_key.data,
922 state->encrypted_session_key.length);
925 ntlmssp_state->session_key = session_key;
926 talloc_steal(ntlmssp_state, session_key.data);
929 if (ntlmssp_state->new_spnego) {
931 uint8_t mic_buffer[NTLMSSP_MIC_SIZE] = { 0, };
934 hmac_md5_init_limK_to_64(ntlmssp_state->session_key.data,
935 ntlmssp_state->session_key.length,
938 hmac_md5_update(ntlmssp_state->negotiate_blob.data,
939 ntlmssp_state->negotiate_blob.length,
941 hmac_md5_update(ntlmssp_state->challenge_blob.data,
942 ntlmssp_state->challenge_blob.length,
945 /* checked were we set ntlmssp_state->new_spnego */
946 SMB_ASSERT(request.length >
947 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE));
949 hmac_md5_update(request.data, NTLMSSP_MIC_OFFSET, &ctx);
950 hmac_md5_update(mic_buffer, NTLMSSP_MIC_SIZE, &ctx);
951 hmac_md5_update(request.data +
952 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE),
954 (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE),
956 hmac_md5_final(mic_buffer, &ctx);
958 cmp = memcmp(request.data + NTLMSSP_MIC_OFFSET,
959 mic_buffer, NTLMSSP_MIC_SIZE);
961 DEBUG(1,("%s: invalid NTLMSSP_MIC for "
962 "user=[%s] domain=[%s] workstation=[%s]\n",
965 ntlmssp_state->domain,
966 ntlmssp_state->client.netbios_name));
967 dump_data(1, request.data + NTLMSSP_MIC_OFFSET,
969 dump_data(1, mic_buffer,
971 return NT_STATUS_INVALID_PARAMETER;
975 data_blob_free(&ntlmssp_state->negotiate_blob);
976 data_blob_free(&ntlmssp_state->challenge_blob);
978 if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
979 nt_status = ntlmssp_sign_init(ntlmssp_state);
982 data_blob_clear_free(&ntlmssp_state->internal_chal);
983 data_blob_clear_free(&ntlmssp_state->chal);
984 data_blob_clear_free(&ntlmssp_state->lm_resp);
985 data_blob_clear_free(&ntlmssp_state->nt_resp);
987 ntlmssp_state->expected_state = NTLMSSP_DONE;
994 * Next state function for the NTLMSSP Authenticate packet
996 * @param gensec_security GENSEC state
997 * @param out_mem_ctx Memory context for *out
998 * @param in The request, as a DATA_BLOB. reply.data must be NULL
999 * @param out The reply, as an allocated DATA_BLOB, caller to free.
1000 * @return Errors or NT_STATUS_OK if authentication sucessful
1003 NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
1004 TALLOC_CTX *out_mem_ctx,
1005 const DATA_BLOB in, DATA_BLOB *out)
1007 struct gensec_ntlmssp_context *gensec_ntlmssp =
1008 talloc_get_type_abort(gensec_security->private_data,
1009 struct gensec_ntlmssp_context);
1010 struct ntlmssp_server_auth_state *state;
1013 /* zero the outbound NTLMSSP packet */
1014 *out = data_blob_null;
1016 state = talloc_zero(gensec_ntlmssp, struct ntlmssp_server_auth_state);
1017 if (state == NULL) {
1018 return NT_STATUS_NO_MEMORY;
1021 nt_status = ntlmssp_server_preauth(gensec_security, gensec_ntlmssp, state, in);
1022 if (!NT_STATUS_IS_OK(nt_status)) {
1028 * Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
1029 * is required (by "ntlm auth = no" and "lm auth = no" being set in the
1030 * smb.conf file) and no NTLMv2 response was sent then the password check
1031 * will fail here. JRA.
1034 /* Finally, actually ask if the password is OK */
1035 nt_status = ntlmssp_server_check_password(gensec_security, gensec_ntlmssp,
1036 state->user_info, state,
1037 &state->user_session_key,
1038 &state->lm_session_key);
1039 if (!NT_STATUS_IS_OK(nt_status)) {
1044 /* When we get more async in the auth code behind
1045 ntlmssp_state->check_password, the ntlmssp_server_postpath
1046 can be done in a callback */
1048 nt_status = ntlmssp_server_postauth(gensec_security, gensec_ntlmssp, state, in);