summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2001-10-17 08:54:19 +0000
committerAndrew Tridgell <tridge@samba.org>2001-10-17 08:54:19 +0000
commitb728042334f67738fd1a6fdd03e619bdb78fe06a (patch)
tree2ae5e7d47a8c6f67789f671bc4ea3ea4a4546d72
parentd731149a41d7563ab99acd3d3d20fff899e7de8f (diff)
downloadsamba-b728042334f67738fd1a6fdd03e619bdb78fe06a.tar.gz
samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.tar.bz2
samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.zip
added basic NTLMSSP support in smbd. This is still quite rough, and
loses things like username mapping. I wanted to get this in then discuss it a bit to see how we want to split up the existing session setup code (This used to be commit b74fda69bf23207c26d8b2af23910d8f2eb89875)
-rw-r--r--source3/include/config.h.in6
-rw-r--r--source3/lib/util.c4
-rw-r--r--source3/libsmb/asn1.c28
-rw-r--r--source3/libsmb/cliconnect.c32
-rw-r--r--source3/libsmb/clientgen.c2
-rw-r--r--source3/libsmb/clispnego.c222
-rw-r--r--source3/param/loadparm.c8
-rw-r--r--source3/smbd/negprot.c75
-rw-r--r--source3/smbd/process.c37
-rw-r--r--source3/smbd/sesssetup.c258
10 files changed, 606 insertions, 66 deletions
diff --git a/source3/include/config.h.in b/source3/include/config.h.in
index 401ba5bef9..7a93b52f82 100644
--- a/source3/include/config.h.in
+++ b/source3/include/config.h.in
@@ -1019,6 +1019,9 @@
/* Define if you have the acl library (-lacl). */
#undef HAVE_LIBACL
+/* Define if you have the com_err library (-lcom_err). */
+#undef HAVE_LIBCOM_ERR
+
/* Define if you have the cups library (-lcups). */
#undef HAVE_LIBCUPS
@@ -1031,6 +1034,9 @@
/* Define if you have the inet library (-linet). */
#undef HAVE_LIBINET
+/* Define if you have the k5crypto library (-lk5crypto). */
+#undef HAVE_LIBK5CRYPTO
+
/* Define if you have the nsl library (-lnsl). */
#undef HAVE_LIBNSL
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 20422a00c7..d3f07dd0a8 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1913,9 +1913,9 @@ DATA_BLOB data_blob(void *p, size_t length)
/*******************************************************************
free a data blob
*******************************************************************/
-void data_blob_free(DATA_BLOB d)
+void data_blob_free(DATA_BLOB *d)
{
- SAFE_FREE(d.data);
+ SAFE_FREE(d->data);
}
diff --git a/source3/libsmb/asn1.c b/source3/libsmb/asn1.c
index e72da897b9..59763408cf 100644
--- a/source3/libsmb/asn1.c
+++ b/source3/libsmb/asn1.c
@@ -87,13 +87,18 @@ BOOL asn1_pop_tag(ASN1_DATA *data)
/* yes, this is ugly. We don't know in advance how many bytes the length
of a tag will take, so we assumed 1 byte. If we were wrong then we
need to correct our mistake */
- if (len > 127) {
+ if (len > 255) {
data->data[nesting->start] = 0x82;
if (!asn1_write_uint8(data, 0)) return False;
if (!asn1_write_uint8(data, 0)) return False;
memmove(data->data+nesting->start+3, data->data+nesting->start+1, len);
data->data[nesting->start+1] = len>>8;
data->data[nesting->start+2] = len&0xff;
+ } else if (len > 127) {
+ data->data[nesting->start] = 0x81;
+ if (!asn1_write_uint8(data, 0)) return False;
+ memmove(data->data+nesting->start+2, data->data+nesting->start+1, len);
+ data->data[nesting->start+1] = len;
} else {
data->data[nesting->start] = len;
}
@@ -203,14 +208,16 @@ BOOL asn1_start_tag(ASN1_DATA *data, uint8 tag)
asn1_read_uint8(data, &b);
if (b & 0x80) {
int n = b & 0x7f;
- if (n != 2) {
+ if (n > 2) {
data->has_error = True;
return False;
}
asn1_read_uint8(data, &b);
- nesting->taglen = b<<8;
- asn1_read_uint8(data, &b);
- nesting->taglen |= b;
+ nesting->taglen = b;
+ if (n == 2) {
+ asn1_read_uint8(data, &b);
+ nesting->taglen = (nesting->taglen << 8) | b;
+ }
} else {
nesting->taglen = b;
}
@@ -320,7 +327,7 @@ BOOL asn1_read_GeneralString(ASN1_DATA *data, char **s)
}
/* read a octet string blob */
-BOOL asn1_read_octet_string(ASN1_DATA *data, DATA_BLOB *blob)
+BOOL asn1_read_OctetString(ASN1_DATA *data, DATA_BLOB *blob)
{
int len;
if (!asn1_start_tag(data, ASN1_OCTET_STRING)) return False;
@@ -345,3 +352,12 @@ BOOL asn1_check_enumerated(ASN1_DATA *data, int v)
asn1_end_tag(data);
return !data->has_error && (v == b);
}
+
+/* check a enumarted value is correct */
+BOOL asn1_write_enumerated(ASN1_DATA *data, uint8 v)
+{
+ if (!asn1_push_tag(data, ASN1_ENUMERATED)) return False;
+ asn1_write_uint8(data, v);
+ asn1_pop_tag(data);
+ return !data->has_error;
+}
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 94eda90a3b..6a01744240 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -31,11 +31,12 @@ static struct {
prots[] =
{
{PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"},
+ {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"},
+ {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"},
{PROTOCOL_LANMAN1,"LANMAN1.0"},
- {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"},
{PROTOCOL_LANMAN2,"LM1.2X002"},
- {PROTOCOL_NT1,"Samba"},
- {PROTOCOL_NT1,"LANMAN2.1"},
+ {PROTOCOL_LANMAN2,"Samba"},
+ {PROTOCOL_NT1,"NT LANMAN 1.0"},
{PROTOCOL_NT1,"NT LM 0.12"},
{-1,NULL}
};
@@ -394,7 +395,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c
blob2 = cli_session_setup_blob(cli, negTokenTarg);
/* we don't need this blob for kerberos */
- data_blob_free(blob2);
+ data_blob_free(&blob2);
return !cli_is_error(cli);
}
@@ -428,12 +429,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
/* and wrap it in a SPNEGO wrapper */
msg1 = gen_negTokenTarg(mechs, blob);
- data_blob_free(blob);
+ data_blob_free(&blob);
/* now send that blob on its way */
blob = cli_session_setup_blob(cli, msg1);
- data_blob_free(msg1);
+ data_blob_free(&msg1);
if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) {
return False;
@@ -445,18 +446,25 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
/* the server gives us back two challenges */
if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
+ DEBUG(3,("Failed to parse challenges\n"));
return False;
}
- data_blob_free(blob);
+ data_blob_free(&blob);
/* encrypt the password with the challenge */
memcpy(challenge, chal1.data + 24, 8);
SMBencrypt(pass, challenge,lmhash);
SMBNTencrypt(pass, challenge,nthash);
- data_blob_free(chal1);
- data_blob_free(chal2);
+#if 0
+ file_save("nthash.dat", nthash, 24);
+ file_save("lmhash.dat", lmhash, 24);
+ file_save("chal1.dat", chal1.data, chal1.length);
+#endif
+
+ data_blob_free(&chal1);
+ data_blob_free(&chal2);
/* this generates the actual auth packet */
msrpc_gen(&blob, "CdBBUUUBd",
@@ -473,13 +481,13 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
/* wrap it in SPNEGO */
auth = spnego_gen_auth(blob);
- data_blob_free(blob);
+ data_blob_free(&blob);
/* now send the auth packet and we should be done */
blob = cli_session_setup_blob(cli, auth);
- data_blob_free(auth);
- data_blob_free(blob);
+ data_blob_free(&auth);
+ data_blob_free(&blob);
return !cli_is_error(cli);
}
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 25dc070024..ed0bc6481e 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -216,7 +216,7 @@ void cli_shutdown(struct cli_state *cli)
SAFE_FREE(cli->outbuf);
SAFE_FREE(cli->inbuf);
- data_blob_free(cli->secblob);
+ data_blob_free(&cli->secblob);
if (cli->mem_ctx)
talloc_destroy(cli->mem_ctx);
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index da8c6450ae..78cae3315a 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -25,12 +25,13 @@
generate a negTokenInit packet given a GUID, a list of supported
OIDs (the mechanisms) and a principle name string
*/
-ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16],
+DATA_BLOB spnego_gen_negTokenInit(uint8 guid[16],
const char *OIDs[],
const char *principle)
{
int i;
ASN1_DATA data;
+ DATA_BLOB ret;
memset(&data, 0, sizeof(data));
@@ -66,7 +67,10 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16],
asn1_free(&data);
}
- return data;
+ ret = data_blob(data.data, data.length);
+ asn1_free(&data);
+
+ return ret;
}
@@ -167,6 +171,50 @@ DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob)
/*
+ parse a negTokenTarg packet giving a list of OIDs and a security blob
+*/
+BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob)
+{
+ int i;
+ ASN1_DATA data;
+
+ asn1_load(&data, blob);
+ asn1_start_tag(&data, ASN1_APPLICATION(0));
+ asn1_check_OID(&data,OID_SPNEGO);
+ asn1_start_tag(&data, ASN1_CONTEXT(0));
+ asn1_start_tag(&data, ASN1_SEQUENCE(0));
+
+ asn1_start_tag(&data, ASN1_CONTEXT(0));
+ asn1_start_tag(&data, ASN1_SEQUENCE(0));
+ for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) {
+ char *oid = NULL;
+ asn1_read_OID(&data,&oid);
+ OIDs[i] = oid;
+ }
+ OIDs[i] = NULL;
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+
+ asn1_start_tag(&data, ASN1_CONTEXT(2));
+ asn1_read_OctetString(&data,secblob);
+ asn1_end_tag(&data);
+
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+
+ asn1_end_tag(&data);
+
+ if (data.has_error) {
+ DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs));
+ asn1_free(&data);
+ return False;
+ }
+
+ asn1_free(&data);
+ return True;
+}
+
+/*
generate a krb5 GSS-API wrapper packet given a ticket
*/
static DATA_BLOB spnego_gen_krb5_wrap(DATA_BLOB ticket)
@@ -225,8 +273,8 @@ DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principle)
/* and wrap that in a shiny SPNEGO wrapper */
targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
- data_blob_free(tkt_wrapped);
- data_blob_free(tkt);
+ data_blob_free(&tkt_wrapped);
+ data_blob_free(&tkt);
return targ;
}
@@ -257,13 +305,13 @@ BOOL spnego_parse_challenge(DATA_BLOB blob,
asn1_end_tag(&data);
asn1_start_tag(&data,ASN1_CONTEXT(2));
- asn1_read_octet_string(&data, chal1);
+ asn1_read_OctetString(&data, chal1);
asn1_end_tag(&data);
/* the second challenge is optional (XP doesn't send it) */
if (asn1_tag_remaining(&data)) {
asn1_start_tag(&data,ASN1_CONTEXT(3));
- asn1_read_octet_string(&data, chal2);
+ asn1_read_OctetString(&data, chal2);
asn1_end_tag(&data);
}
@@ -275,6 +323,52 @@ BOOL spnego_parse_challenge(DATA_BLOB blob,
return ret;
}
+
+/*
+ generate a spnego NTLMSSP challenge packet given two security blobs
+ The second challenge is optional
+*/
+BOOL spnego_gen_challenge(DATA_BLOB *blob,
+ DATA_BLOB *chal1, DATA_BLOB *chal2)
+{
+ ASN1_DATA data;
+
+ ZERO_STRUCT(data);
+
+ asn1_push_tag(&data,ASN1_CONTEXT(1));
+ asn1_push_tag(&data,ASN1_SEQUENCE(0));
+
+ asn1_push_tag(&data,ASN1_CONTEXT(0));
+ asn1_write_enumerated(&data,1);
+ asn1_pop_tag(&data);
+
+ asn1_push_tag(&data,ASN1_CONTEXT(1));
+ asn1_write_OID(&data, OID_NTLMSSP);
+ asn1_pop_tag(&data);
+
+ asn1_push_tag(&data,ASN1_CONTEXT(2));
+ asn1_write_OctetString(&data, chal1->data, chal1->length);
+ asn1_pop_tag(&data);
+
+ /* the second challenge is optional (XP doesn't send it) */
+ if (chal2) {
+ asn1_push_tag(&data,ASN1_CONTEXT(3));
+ asn1_write_OctetString(&data, chal2->data, chal2->length);
+ asn1_pop_tag(&data);
+ }
+
+ asn1_pop_tag(&data);
+ asn1_pop_tag(&data);
+
+ if (data.has_error) {
+ return False;
+ }
+
+ *blob = data_blob(data.data, data.length);
+ asn1_free(&data);
+ return True;
+}
+
/*
generate a SPNEGO NTLMSSP auth packet. This will contain the encrypted passwords
*/
@@ -298,7 +392,32 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
asn1_free(&data);
return ret;
-
+}
+
+/*
+ parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+*/
+BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
+{
+ ASN1_DATA data;
+
+ asn1_load(&data, blob);
+ asn1_start_tag(&data, ASN1_CONTEXT(1));
+ asn1_start_tag(&data, ASN1_SEQUENCE(0));
+ asn1_start_tag(&data, ASN1_CONTEXT(2));
+ asn1_read_OctetString(&data,auth);
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+
+ if (data.has_error) {
+ DEBUG(3,("spnego_parse_auth failed at %d\n", (int)data.ofs));
+ asn1_free(&data);
+ return False;
+ }
+
+ asn1_free(&data);
+ return True;
}
@@ -312,6 +431,7 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
U = unicode string (input is unix string)
B = data blob (pointer + length)
+ b = data blob in header (pointer + length)
d = word (4 bytes)
C = constant ascii string
*/
@@ -339,6 +459,10 @@ BOOL msrpc_gen(DATA_BLOB *blob,
head_size += 8;
data_size += va_arg(ap, int);
break;
+ case 'b':
+ b = va_arg(ap, uint8 *);
+ head_size += va_arg(ap, int);
+ break;
case 'd':
n = va_arg(ap, int);
head_size += 4;
@@ -384,6 +508,12 @@ BOOL msrpc_gen(DATA_BLOB *blob,
n = va_arg(ap, int);
SIVAL(blob->data, head_ofs, n); head_ofs += 4;
break;
+ case 'b':
+ b = va_arg(ap, uint8 *);
+ n = va_arg(ap, int);
+ memcpy(blob->data + head_ofs, b, n);
+ head_ofs += n;
+ break;
case 'C':
s = va_arg(ap, char *);
head_ofs += push_string(NULL, blob->data+head_ofs, s, -1,
@@ -395,3 +525,81 @@ BOOL msrpc_gen(DATA_BLOB *blob,
return True;
}
+
+
+/*
+ this is a tiny msrpc packet parser. This the the partner of msrpc_gen
+
+ format specifiers are:
+
+ U = unicode string (input is unix string)
+ B = data blob
+ b = data blob in header
+ d = word (4 bytes)
+ C = constant ascii string
+ */
+BOOL msrpc_parse(DATA_BLOB *blob,
+ const char *format, ...)
+{
+ int i;
+ va_list ap;
+ char **ps, *s;
+ DATA_BLOB *b;
+ int head_ofs = 0;
+ uint16 len1, len2;
+ uint32 ptr;
+ uint32 *v;
+ pstring p;
+
+ va_start(ap, format);
+ for (i=0; format[i]; i++) {
+ switch (format[i]) {
+ case 'U':
+ len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
+ len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
+ ptr = IVAL(blob->data, head_ofs); head_ofs += 4;
+ /* make sure its in the right format - be strict */
+ if (len1 != len2 || (len1&1) || ptr + len1 > blob->length) {
+ return False;
+ }
+ ps = va_arg(ap, char **);
+ pull_string(NULL, p, blob->data + ptr, -1, len1,
+ STR_UNICODE|STR_NOALIGN);
+ (*ps) = strdup(p);
+ break;
+ case 'B':
+ len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
+ len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
+ ptr = IVAL(blob->data, head_ofs); head_ofs += 4;
+ /* make sure its in the right format - be strict */
+ if (len1 != len2 || ptr + len1 > blob->length) {
+ return False;
+ }
+ b = (DATA_BLOB *)va_arg(ap, void *);
+ *b = data_blob(blob->data + ptr, len1);
+ break;
+ case 'b':
+ b = (DATA_BLOB *)va_arg(ap, void *);
+ len1 = va_arg(ap, unsigned);
+ *b = data_blob(blob->data + head_ofs, len1);
+ head_ofs += len1;
+ break;
+ case 'd':
+ v = va_arg(ap, uint32 *);
+ *v = IVAL(blob->data, head_ofs); head_ofs += 4;
+ break;
+ case 'C':
+ s = va_arg(ap, char *);
+ head_ofs += pull_string(NULL, p, blob->data+head_ofs, -1,
+ blob->length - head_ofs,
+ STR_ASCII|STR_TERMINATE);
+ if (strcmp(s, p) != 0) {
+ return False;
+ }
+ break;
+ }
+ }
+ va_end(ap);
+
+ return True;
+}
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 80c9411fb0..f6abda4ac9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -113,6 +113,7 @@ typedef struct
char *szPasswordServer;
char *szSocketOptions;
char *szWorkGroup;
+ char *szRealm;
char **szDomainAdminGroup;
char **szDomainGuestGroup;
char *szUsernameMap;
@@ -650,6 +651,7 @@ static struct parm_struct parm_table[] = {
{"path", P_STRING, P_LOCAL, &sDefault.szPath, NULL, NULL, FLAG_BASIC | FLAG_SHARE | FLAG_PRINT},
{"directory", P_STRING, P_LOCAL, &sDefault.szPath, NULL, NULL, 0},
{"workgroup", P_USTRING, P_GLOBAL, &Globals.szWorkGroup, NULL, NULL, FLAG_BASIC},
+ {"realm", P_USTRING, P_GLOBAL, &Globals.szRealm, NULL, NULL, FLAG_BASIC},
{"netbios name", P_UGSTRING, P_GLOBAL, global_myname, handle_netbios_name, NULL, FLAG_BASIC},
{"netbios aliases", P_LIST, P_GLOBAL, &Globals.szNetbiosAliases, NULL, NULL, 0},
{"netbios scope", P_UGSTRING, P_GLOBAL, global_scope, NULL, NULL, 0},
@@ -1198,11 +1200,6 @@ static void init_globals(void)
string_set(&Globals.szPasswdProgram, "");
string_set(&Globals.szPrintcapname, PRINTCAP_NAME);
string_set(&Globals.szLockDir, LOCKDIR);
-#ifdef WITH_UTMP
- string_set(&Globals.szUtmpDir, "");
- string_set(&Globals.szWtmpDir, "");
- Globals.bUtmp = False;
-#endif
string_set(&Globals.szSocketAddress, "0.0.0.0");
pstrcpy(s, "Samba ");
pstrcat(s, VERSION);
@@ -1465,6 +1462,7 @@ FN_GLOBAL_STRING(lp_passwd_chat, &Globals.szPasswdChat)
FN_GLOBAL_STRING(lp_passwordserver, &Globals.szPasswordServer)
FN_GLOBAL_STRING(lp_name_resolve_order, &Globals.szNameResolveOrder)
FN_GLOBAL_STRING(lp_workgroup, &Globals.szWorkGroup)
+FN_GLOBAL_STRING(lp_realm, &Globals.szRealm)
FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
#ifdef USING_GROUPNAME_MAP
FN_GLOBAL_STRING(lp_groupname_map, &Globals.szGroupnameMap)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index d20f713113..cf14640a72 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -30,7 +30,7 @@ BOOL global_encrypted_passwords_negotiated;
/****************************************************************************
reply for the core protocol
****************************************************************************/
-static int reply_corep(char *outbuf)
+static int reply_corep(char *inbuf, char *outbuf)
{
int outsize = set_message(outbuf,1,0,True);
@@ -43,7 +43,7 @@ static int reply_corep(char *outbuf)
/****************************************************************************
reply for the coreplus protocol
****************************************************************************/
-static int reply_coreplus(char *outbuf)
+static int reply_coreplus(char *inbuf, char *outbuf)
{
int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);
int outsize = set_message(outbuf,13,0,True);
@@ -62,7 +62,7 @@ static int reply_coreplus(char *outbuf)
/****************************************************************************
reply for the lanman 1.0 protocol
****************************************************************************/
-static int reply_lanman1(char *outbuf)
+static int reply_lanman1(char *inbuf, char *outbuf)
{
int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);
int secword=0;
@@ -100,7 +100,7 @@ static int reply_lanman1(char *outbuf)
/****************************************************************************
reply for the lanman 2.0 protocol
****************************************************************************/
-static int reply_lanman2(char *outbuf)
+static int reply_lanman2(char *inbuf, char *outbuf)
{
int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);
int secword=0;
@@ -154,10 +154,44 @@ static int reply_lanman2(char *outbuf)
}
+
+/*
+ generate the spnego negprot reply blob. Return the number of bytes used
+*/
+static int negprot_spnego(char *p, uint8 cryptkey[8])
+{
+ DATA_BLOB blob;
+ extern pstring global_myname;
+ uint8 guid[16];
+ const char *OIDs[] = {OID_NTLMSSP,
+#if 0
+ /* not till we add kerberos in the server */
+ OID_KERBEROS5_OLD,
+#endif
+ NULL};
+ char *principle;
+ int len;
+
+ memset(guid, 0, 16);
+ safe_strcpy(guid, global_myname, 16);
+ strlower(guid);
+
+ asprintf(&principle, "%s$@%s", guid, lp_realm());
+ blob = spnego_gen_negTokenInit(guid, OIDs, principle);
+ free(principle);
+
+ memcpy(p, blob.data, blob.length);
+ len = blob.length;
+ data_blob_free(&blob);
+ return len;
+}
+
+
+
/****************************************************************************
reply for the nt protocol
****************************************************************************/
-static int reply_nt1(char *outbuf)
+static int reply_nt1(char *inbuf, char *outbuf)
{
/* dual names + lock_and_read + nt SMBs + remote API calls */
int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ|
@@ -166,10 +200,10 @@ static int reply_nt1(char *outbuf)
int secword=0;
time_t t = time(NULL);
struct cli_state *cli = NULL;
- char cryptkey[8];
- char crypt_len = 0;
+ uint8 cryptkey[8];
char *p, *q;
-
+ BOOL negotiate_spnego = False;
+
global_encrypted_passwords_negotiated = lp_encrypted_passwords();
if (lp_security() == SEC_SERVER) {
@@ -177,6 +211,14 @@ static int reply_nt1(char *outbuf)
cli = server_cryptkey();
} else {
DEBUG(5,("not attempting password server validation\n"));
+ /* do spnego in user level security if the client
+ supports it and we can do encrypted passwords */
+ if (global_encrypted_passwords_negotiated &&
+ lp_security() == SEC_USER &&
+ (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) {
+ negotiate_spnego = True;
+ capabilities |= CAP_EXTENDED_SECURITY;
+ }
}
if (cli) {
@@ -187,7 +229,6 @@ static int reply_nt1(char *outbuf)
}
if (global_encrypted_passwords_negotiated) {
- crypt_len = 8;
if (!cli) {
generate_next_challenge(cryptkey);
} else {
@@ -224,7 +265,6 @@ static int reply_nt1(char *outbuf)
set_message(outbuf,17,0,True);
CVAL(outbuf,smb_vwv1) = secword;
- SSVALS(outbuf,smb_vwv16+1,crypt_len);
Protocol = PROTOCOL_NT1;
@@ -238,8 +278,15 @@ static int reply_nt1(char *outbuf)
SSVALS(outbuf,smb_vwv15+1,TimeDiff(t)/60);
p = q = smb_buf(outbuf);
- if (global_encrypted_passwords_negotiated) memcpy(p, cryptkey, 8);
- p += 8;
+ if (!negotiate_spnego) {
+ if (global_encrypted_passwords_negotiated) memcpy(p, cryptkey, 8);
+ SSVALS(outbuf,smb_vwv16+1,8);
+ p += 8;
+ } else {
+ int len = negprot_spnego(p, cryptkey);
+ SSVALS(outbuf,smb_vwv16+1,len);
+ p += len;
+ }
p += srvstr_push(outbuf, p, global_myworkgroup, -1,
STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
@@ -322,7 +369,7 @@ protocol [LANMAN2.1]
static struct {
char *proto_name;
char *short_name;
- int (*proto_reply_fn)(char *);
+ int (*proto_reply_fn)(char *, char *);
int protocol_level;
} supported_protocols[] = {
{"NT LANMAN 1.0", "NT1", reply_nt1, PROTOCOL_NT1},
@@ -441,7 +488,7 @@ int reply_negprot(connection_struct *conn,
extern fstring remote_proto;
fstrcpy(remote_proto,supported_protocols[protocol].short_name);
reload_services(True);
- outsize = supported_protocols[protocol].proto_reply_fn(outbuf);
+ outsize = supported_protocols[protocol].proto_reply_fn(inbuf, outbuf);
DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
}
else {
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ea97eea8a4..cf691ce9f3 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -911,25 +911,24 @@ char *smb_fn_name(int type)
void construct_reply_common(char *inbuf,char *outbuf)
{
- memset(outbuf,'\0',smb_size);
-
- set_message(outbuf,0,0,True);
- CVAL(outbuf,smb_com) = CVAL(inbuf,smb_com);
-
- memcpy(outbuf+4,inbuf+4,4);
- CVAL(outbuf,smb_rcls) = SMB_SUCCESS;
- CVAL(outbuf,smb_reh) = 0;
- SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); /* bit 7 set
- means a reply */
- SSVAL(outbuf,smb_flg2,
- (SVAL(inbuf,smb_flg2)&FLAGS2_UNICODE_STRINGS) | FLAGS2_LONG_PATH_COMPONENTS);
- /* say we support long filenames */
-
- SSVAL(outbuf,smb_err,SMB_SUCCESS);
- SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
- SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
- SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
- SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
+ memset(outbuf,'\0',smb_size);
+
+ set_message(outbuf,0,0,True);
+ CVAL(outbuf,smb_com) = CVAL(inbuf,smb_com);
+
+ memcpy(outbuf+4,inbuf+4,4);
+ CVAL(outbuf,smb_rcls) = SMB_SUCCESS;
+ CVAL(outbuf,smb_reh) = 0;
+ SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
+ SSVAL(outbuf,smb_flg2,
+ FLAGS2_UNICODE_STRINGS | FLAGS2_LONG_PATH_COMPONENTS |
+ FLAGS2_32_BIT_ERROR_CODES | FLAGS2_EXTENDED_SECURITY);
+
+ SSVAL(outbuf,smb_err,SMB_SUCCESS);
+ SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
+ SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
+ SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
+ SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
}
/****************************************************************************
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 45fa2d6a4a..34b431e404 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -22,6 +22,259 @@
#include "includes.h"
+
+/****************************************************************************
+send a security blob via a session setup reply
+****************************************************************************/
+static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
+ DATA_BLOB blob)
+{
+ char *p;
+
+ set_message(outbuf,4,0,True);
+
+ /* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end
+ that we aren't finished yet */
+
+ SIVAL(outbuf, smb_rcls, NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED));
+ SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */
+ SSVAL(outbuf, smb_vwv3, blob.length);
+ p = smb_buf(outbuf);
+ memcpy(p, blob.data, blob.length);
+ p += blob.length;
+ p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
+ set_message_end(outbuf,p);
+
+ return send_smb(smbd_server_fd(),outbuf);
+}
+
+
+
+
+/****************************************************************************
+reply to a session setup spnego negotiate packet
+****************************************************************************/
+static int reply_spnego_negotiate(connection_struct *conn, char *outbuf,
+ DATA_BLOB blob1)
+{
+ char *OIDs[ASN1_MAX_OIDS];
+ DATA_BLOB secblob;
+ int i;
+ uint32 ntlmssp_command, neg_flags;
+ DATA_BLOB sess_key, chal, spnego_chal;
+ uint8 cryptkey[8];
+
+ /* parse out the OIDs and the first sec blob */
+ if (!parse_negTokenTarg(blob1, OIDs, &secblob)) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ for (i=0;OIDs[i];i++) {
+ DEBUG(3,("Got OID %s\n", OIDs[i]));
+ free(OIDs[i]);
+ }
+ DEBUG(3,("Got secblob of size %d\n", secblob.length));
+
+ /* parse the NTLMSSP packet */
+#if 0
+ file_save("secblob.dat", secblob.data, secblob.length);
+#endif
+
+ msrpc_parse(&secblob, "CddB",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &neg_flags,
+ &sess_key);
+
+ data_blob_free(&secblob);
+ data_blob_free(&sess_key);
+
+ if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ DEBUG(3,("Got neg_flags=%08x\n", neg_flags));
+
+ last_challenge(cryptkey);
+
+ /* Give them the challenge. For now, ignore neg_flags and just
+ return the flags we want. Obviously this is not correct */
+
+ neg_flags = NTLMSSP_NEGOTIATE_UNICODE |
+ NTLMSSP_NEGOTIATE_LM_KEY |
+ NTLMSSP_NEGOTIATE_NTLM;
+
+ msrpc_gen(&chal, "Cddddbdddd",
+ "NTLMSSP",
+ NTLMSSP_CHALLENGE,
+ 0,
+ 0x30, /* ?? */
+ neg_flags,
+ cryptkey, 8,
+ 0, 0, 0,
+ 0x3000); /* ?? */
+
+ if (!spnego_gen_challenge(&spnego_chal, &chal, &chal)) {
+ DEBUG(3,("Failed to generate challenge\n"));
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ /* now tell the client to send the auth packet */
+ reply_sesssetup_blob(conn, outbuf, spnego_chal);
+
+ data_blob_free(&chal);
+ data_blob_free(&spnego_chal);
+
+ /* and tell smbd that we have already replied to this packet */
+ return -1;
+}
+
+
+/****************************************************************************
+reply to a session setup spnego auth packet
+****************************************************************************/
+static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
+ int length, int bufsize,
+ DATA_BLOB blob1)
+{
+ DATA_BLOB auth;
+ char *workgroup, *user, *machine;
+ DATA_BLOB lmhash, nthash, sess_key;
+ uint32 ntlmssp_command, neg_flags;
+ NTSTATUS nt_status;
+ int sess_vuid;
+ gid_t gid;
+ uid_t uid;
+ char *full_name;
+ char *p;
+ const struct passwd *pw;
+
+ if (!spnego_parse_auth(blob1, &auth)) {
+ file_save("auth.dat", blob1.data, blob1.length);
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ /* now the NTLMSSP encoded auth hashes */
+ if (!msrpc_parse(&auth, "CdBBUUUBd",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &lmhash,
+ &nthash,
+ &workgroup,
+ &user,
+ &machine,
+ &sess_key,
+ &neg_flags)) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ data_blob_free(&auth);
+ data_blob_free(&sess_key);
+
+ DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n",
+ user, workgroup, machine, lmhash.length, nthash.length));
+
+#if 0
+ file_save("nthash1.dat", nthash.data, nthash.length);
+ file_save("lmhash1.dat", lmhash.data, lmhash.length);
+#endif
+
+ nt_status = pass_check_smb(user, user,
+ workgroup, machine,
+ lmhash.data,
+ lmhash.length,
+ nthash.data,
+ nthash.length);
+
+ data_blob_free(&nthash);
+ data_blob_free(&lmhash);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ERROR_NT(nt_status);
+ }
+
+ /* the password is good - let them in */
+ pw = smb_getpwnam(user,False);
+ if (!pw) {
+ DEBUG(1,("Username %s is invalid on this system\n",user));
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+ gid = pw->pw_gid;
+ uid = pw->pw_uid;
+ full_name = pw->pw_gecos;
+
+ sess_vuid = register_vuid(uid,gid,user,user,workgroup,False, full_name);
+
+ free(user);
+ free(workgroup);
+ free(machine);
+
+ if (sess_vuid == -1) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ set_message(outbuf,4,0,True);
+ SSVAL(outbuf, smb_vwv3, 0);
+ p = smb_buf(outbuf);
+ p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
+ set_message_end(outbuf,p);
+
+ SSVAL(outbuf,smb_uid,sess_vuid);
+ SSVAL(inbuf,smb_uid,sess_vuid);
+
+ return chain_reply(inbuf,outbuf,length,bufsize);
+}
+
+
+/****************************************************************************
+reply to a session setup command
+****************************************************************************/
+static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,char *outbuf,
+ int length,int bufsize)
+{
+ uint8 *p;
+ DATA_BLOB blob1;
+ extern uint32 global_client_caps;
+ int ret;
+
+ chdir("/home/tridge");
+
+ if (global_client_caps == 0) {
+ global_client_caps = IVAL(inbuf,smb_vwv10);
+ }
+
+ p = smb_buf(inbuf);
+
+ /* pull the spnego blob */
+ blob1 = data_blob(p, SVAL(inbuf, smb_vwv7));
+
+ if (blob1.data[0] == ASN1_APPLICATION(0)) {
+ /* its a negTokenTarg packet */
+ ret = reply_spnego_negotiate(conn, outbuf, blob1);
+ data_blob_free(&blob1);
+ return ret;
+ }
+
+ if (blob1.data[0] == ASN1_CONTEXT(1)) {
+ /* its a auth packet */
+ ret = reply_spnego_auth(conn, inbuf, outbuf, length, bufsize, blob1);
+ data_blob_free(&blob1);
+ return ret;
+ }
+
+ /* what sort of packet is this? */
+ DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
+
+ data_blob_free(&blob1);
+
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+}
+
+
/****************************************************************************
reply to a session setup command
****************************************************************************/
@@ -53,6 +306,11 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
BOOL doencrypt = global_encrypted_passwords_negotiated;
START_PROFILE(SMBsesssetupX);
+ if (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY) {
+ /* it's a SPNEGO session setup */
+ return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize);
+ }
+
*smb_apasswd = *smb_ntpasswd = 0;
smb_bufsize = SVAL(inbuf,smb_vwv2);