added basic NTLMSSP support in smbd. This is still quite rough, and

loses things like username mapping. I wanted to get this in then discuss it a bit to see how we want to split up the existing session setup code (This used to be commit b74fda69bf23207c26d8b2af23910d8f2eb89875)
author: Andrew Tridgell <tridge@samba.org> 2001-10-17 08:54:19 +0000
committer: Andrew Tridgell <tridge@samba.org> 2001-10-17 08:54:19 +0000
commit: b728042334f67738fd1a6fdd03e619bdb78fe06a (patch)
tree: 2ae5e7d47a8c6f67789f671bc4ea3ea4a4546d72 /source3/libsmb
parent: d731149a41d7563ab99acd3d3d20fff899e7de8f (diff)
download: samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.tar.gz
samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.tar.bz2
samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.zip
4 files changed, 258 insertions, 26 deletions
diff --git a/source3/libsmb/asn1.c b/source3/libsmb/asn1.c
index e72da897b9..59763408cf 100644
--- a/source3/libsmb/asn1.c
+++ b/source3/libsmb/asn1.c
@@ -87,13 +87,18 @@ BOOL asn1_pop_tag(ASN1_DATA *data)
 	/* yes, this is ugly. We don't know in advance how many bytes the length
 	   of a tag will take, so we assumed 1 byte. If we were wrong then we 
 	   need to correct our mistake */
-	if (len > 127) {
+	if (len > 255) {
 		data->data[nesting->start] = 0x82;
 		if (!asn1_write_uint8(data, 0)) return False;
 		if (!asn1_write_uint8(data, 0)) return False;
 		memmove(data->data+nesting->start+3, data->data+nesting->start+1, len);
 		data->data[nesting->start+1] = len>>8;
 		data->data[nesting->start+2] = len&0xff;
+	} else if (len > 127) {
+		data->data[nesting->start] = 0x81;
+		if (!asn1_write_uint8(data, 0)) return False;
+		memmove(data->data+nesting->start+2, data->data+nesting->start+1, len);
+		data->data[nesting->start+1] = len;
 	} else {
 		data->data[nesting->start] = len;
 	}
@@ -203,14 +208,16 @@ BOOL asn1_start_tag(ASN1_DATA *data, uint8 tag)
 	asn1_read_uint8(data, &b);
 	if (b & 0x80) {
 		int n = b & 0x7f;
-		if (n != 2) {
+		if (n > 2) {
 			data->has_error = True;
 			return False;
 		}
 		asn1_read_uint8(data, &b);
-		nesting->taglen = b<<8;
-		asn1_read_uint8(data, &b);
-		nesting->taglen |= b;
+		nesting->taglen = b;
+		if (n == 2) {
+			asn1_read_uint8(data, &b);
+			nesting->taglen = (nesting->taglen << 8) | b;
+		}
 	} else {
 		nesting->taglen = b;
 	}
@@ -320,7 +327,7 @@ BOOL asn1_read_GeneralString(ASN1_DATA *data, char **s)
 }
 
 /* read a octet string blob */
-BOOL asn1_read_octet_string(ASN1_DATA *data, DATA_BLOB *blob)
+BOOL asn1_read_OctetString(ASN1_DATA *data, DATA_BLOB *blob)
 {
 	int len;
 	if (!asn1_start_tag(data, ASN1_OCTET_STRING)) return False;
@@ -345,3 +352,12 @@ BOOL asn1_check_enumerated(ASN1_DATA *data, int v)
 	asn1_end_tag(data);
 	return !data->has_error && (v == b);
 }
+
+/* check a enumarted value is correct */
+BOOL asn1_write_enumerated(ASN1_DATA *data, uint8 v)
+{
+	if (!asn1_push_tag(data, ASN1_ENUMERATED)) return False;
+	asn1_write_uint8(data, v);
+	asn1_pop_tag(data);
+	return !data->has_error;
+}
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 94eda90a3b..6a01744240 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -31,11 +31,12 @@ static  struct {
 prots[] = 
     {
       {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"},
+      {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"},
+      {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"},
       {PROTOCOL_LANMAN1,"LANMAN1.0"},
-      {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"},
       {PROTOCOL_LANMAN2,"LM1.2X002"},
-      {PROTOCOL_NT1,"Samba"},
-      {PROTOCOL_NT1,"LANMAN2.1"},
+      {PROTOCOL_LANMAN2,"Samba"},
+      {PROTOCOL_NT1,"NT LANMAN 1.0"},
       {PROTOCOL_NT1,"NT LM 0.12"},
       {-1,NULL}
     };
@@ -394,7 +395,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c
 	blob2 = cli_session_setup_blob(cli, negTokenTarg);
 
 	/* we don't need this blob for kerberos */
-	data_blob_free(blob2);
+	data_blob_free(&blob2);
 
 	return !cli_is_error(cli);
 }
@@ -428,12 +429,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
 
 	/* and wrap it in a SPNEGO wrapper */
 	msg1 = gen_negTokenTarg(mechs, blob);
-	data_blob_free(blob);		
+	data_blob_free(&blob);
 
 	/* now send that blob on its way */
 	blob = cli_session_setup_blob(cli, msg1);
 
-	data_blob_free(msg1); 
+	data_blob_free(&msg1);
 
 	if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		return False;
@@ -445,18 +446,25 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
 
 	/* the server gives us back two challenges */
 	if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
+		DEBUG(3,("Failed to parse challenges\n"));
 		return False;
 	}
 
-	data_blob_free(blob);		
+	data_blob_free(&blob);
 
 	/* encrypt the password with the challenge */
 	memcpy(challenge, chal1.data + 24, 8);
 	SMBencrypt(pass, challenge,lmhash);
 	SMBNTencrypt(pass, challenge,nthash);
 
-	data_blob_free(chal1);
-	data_blob_free(chal2);
+#if 0
+	file_save("nthash.dat", nthash, 24);
+	file_save("lmhash.dat", lmhash, 24);
+	file_save("chal1.dat", chal1.data, chal1.length);
+#endif
+
+	data_blob_free(&chal1);
+	data_blob_free(&chal2);
 
 	/* this generates the actual auth packet */
 	msrpc_gen(&blob, "CdBBUUUBd", 
@@ -473,13 +481,13 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
 	/* wrap it in SPNEGO */
 	auth = spnego_gen_auth(blob);
 
-	data_blob_free(blob);
+	data_blob_free(&blob);
 
 	/* now send the auth packet and we should be done */
 	blob = cli_session_setup_blob(cli, auth);
 
-	data_blob_free(auth);
-	data_blob_free(blob);
+	data_blob_free(&auth);
+	data_blob_free(&blob);
 
 	return !cli_is_error(cli);
 }
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 25dc070024..ed0bc6481e 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -216,7 +216,7 @@ void cli_shutdown(struct cli_state *cli)
 	SAFE_FREE(cli->outbuf);
 	SAFE_FREE(cli->inbuf);
 
-	data_blob_free(cli->secblob);
+	data_blob_free(&cli->secblob);
 
 	if (cli->mem_ctx)
 		talloc_destroy(cli->mem_ctx);
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index da8c6450ae..78cae3315a 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -25,12 +25,13 @@
   generate a negTokenInit packet given a GUID, a list of supported
   OIDs (the mechanisms) and a principle name string 
 */
-ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], 
+DATA_BLOB spnego_gen_negTokenInit(uint8 guid[16], 
 				  const char *OIDs[], 
 				  const char *principle)
 {
 	int i;
 	ASN1_DATA data;
+	DATA_BLOB ret;
 
 	memset(&data, 0, sizeof(data));
 
@@ -66,7 +67,10 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16],
 		asn1_free(&data);
 	}
 
-	return data;
+	ret = data_blob(data.data, data.length);
+	asn1_free(&data);
+
+	return ret;
 }
 
 
@@ -167,6 +171,50 @@ DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob)
 
 
 /*
+  parse a negTokenTarg packet giving a list of OIDs and a security blob
+*/
+BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob)
+{
+	int i;
+	ASN1_DATA data;
+
+	asn1_load(&data, blob);
+	asn1_start_tag(&data, ASN1_APPLICATION(0));
+	asn1_check_OID(&data,OID_SPNEGO);
+	asn1_start_tag(&data, ASN1_CONTEXT(0));
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+
+	asn1_start_tag(&data, ASN1_CONTEXT(0));
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+	for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) {
+		char *oid = NULL;
+		asn1_read_OID(&data,&oid);
+		OIDs[i] = oid;
+	}
+	OIDs[i] = NULL;
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+
+	asn1_start_tag(&data, ASN1_CONTEXT(2));
+	asn1_read_OctetString(&data,secblob);
+	asn1_end_tag(&data);
+
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+
+	asn1_end_tag(&data);
+
+	if (data.has_error) {
+		DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs));
+		asn1_free(&data);
+		return False;
+	}
+
+	asn1_free(&data);
+	return True;
+}
+
+/*
   generate a krb5 GSS-API wrapper packet given a ticket
 */
 static DATA_BLOB spnego_gen_krb5_wrap(DATA_BLOB ticket)
@@ -225,8 +273,8 @@ DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principle)
 	/* and wrap that in a shiny SPNEGO wrapper */
 	targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
 
-	data_blob_free(tkt_wrapped);
-	data_blob_free(tkt);
+	data_blob_free(&tkt_wrapped);
+	data_blob_free(&tkt);
 
 	return targ;
 }
@@ -257,13 +305,13 @@ BOOL spnego_parse_challenge(DATA_BLOB blob,
 	asn1_end_tag(&data);
 
 	asn1_start_tag(&data,ASN1_CONTEXT(2));
-	asn1_read_octet_string(&data, chal1);
+	asn1_read_OctetString(&data, chal1);
 	asn1_end_tag(&data);
 
 	/* the second challenge is optional (XP doesn't send it) */
 	if (asn1_tag_remaining(&data)) {
 		asn1_start_tag(&data,ASN1_CONTEXT(3));
-		asn1_read_octet_string(&data, chal2);
+		asn1_read_OctetString(&data, chal2);
 		asn1_end_tag(&data);
 	}
 
@@ -275,6 +323,52 @@ BOOL spnego_parse_challenge(DATA_BLOB blob,
 	return ret;
 }
 
+
+/*
+  generate a spnego NTLMSSP challenge packet given two security blobs
+  The second challenge is optional
+*/
+BOOL spnego_gen_challenge(DATA_BLOB *blob,
+			  DATA_BLOB *chal1, DATA_BLOB *chal2)
+{
+	ASN1_DATA data;
+
+	ZERO_STRUCT(data);
+
+	asn1_push_tag(&data,ASN1_CONTEXT(1));
+	asn1_push_tag(&data,ASN1_SEQUENCE(0));
+
+	asn1_push_tag(&data,ASN1_CONTEXT(0));
+	asn1_write_enumerated(&data,1);
+	asn1_pop_tag(&data);
+
+	asn1_push_tag(&data,ASN1_CONTEXT(1));
+	asn1_write_OID(&data, OID_NTLMSSP);
+	asn1_pop_tag(&data);
+
+	asn1_push_tag(&data,ASN1_CONTEXT(2));
+	asn1_write_OctetString(&data, chal1->data, chal1->length);
+	asn1_pop_tag(&data);
+
+	/* the second challenge is optional (XP doesn't send it) */
+	if (chal2) {
+		asn1_push_tag(&data,ASN1_CONTEXT(3));
+		asn1_write_OctetString(&data, chal2->data, chal2->length);
+		asn1_pop_tag(&data);
+	}
+
+	asn1_pop_tag(&data);
+	asn1_pop_tag(&data);
+
+	if (data.has_error) {
+		return False;
+	}
+
+	*blob = data_blob(data.data, data.length);
+	asn1_free(&data);
+	return True;
+}
+
 /*
  generate a SPNEGO NTLMSSP auth packet. This will contain the encrypted passwords
 */
@@ -298,7 +392,32 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
 	asn1_free(&data);
 
 	return ret;
-	
+}
+
+/*
+ parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+*/
+BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
+{
+	ASN1_DATA data;
+
+	asn1_load(&data, blob);
+	asn1_start_tag(&data, ASN1_CONTEXT(1));
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+	asn1_start_tag(&data, ASN1_CONTEXT(2));
+	asn1_read_OctetString(&data,auth);
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+
+	if (data.has_error) {
+		DEBUG(3,("spnego_parse_auth failed at %d\n", (int)data.ofs));
+		asn1_free(&data);
+		return False;
+	}
+
+	asn1_free(&data);
+	return True;
 }
 
 
@@ -312,6 +431,7 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
 
   U = unicode string (input is unix string)
   B = data blob (pointer + length)
+  b = data blob in header (pointer + length)
   d = word (4 bytes)
   C = constant ascii string
  */
@@ -339,6 +459,10 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			head_size += 8;
 			data_size += va_arg(ap, int);
 			break;
+		case 'b':
+			b = va_arg(ap, uint8 *);
+			head_size += va_arg(ap, int);
+			break;
 		case 'd':
 			n = va_arg(ap, int);
 			head_size += 4;
@@ -384,6 +508,12 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			n = va_arg(ap, int);
 			SIVAL(blob->data, head_ofs, n); head_ofs += 4;
 			break;
+		case 'b':
+			b = va_arg(ap, uint8 *);
+			n = va_arg(ap, int);
+			memcpy(blob->data + head_ofs, b, n);
+			head_ofs += n;
+			break;
 		case 'C':
 			s = va_arg(ap, char *);
 			head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, 
@@ -395,3 +525,81 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 
 	return True;
 }
+
+
+/*
+  this is a tiny msrpc packet parser. This the the partner of msrpc_gen
+
+  format specifiers are:
+
+  U = unicode string (input is unix string)
+  B = data blob
+  b = data blob in header
+  d = word (4 bytes)
+  C = constant ascii string
+ */
+BOOL msrpc_parse(DATA_BLOB *blob,
+		 const char *format, ...)
+{
+	int i;
+	va_list ap;
+	char **ps, *s;
+	DATA_BLOB *b;
+	int head_ofs = 0;
+	uint16 len1, len2;
+	uint32 ptr;
+	uint32 *v;
+	pstring p;
+
+	va_start(ap, format);
+	for (i=0; format[i]; i++) {
+		switch (format[i]) {
+		case 'U':
+			len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			ptr =  IVAL(blob->data, head_ofs); head_ofs += 4;
+			/* make sure its in the right format - be strict */
+			if (len1 != len2 || (len1&1) || ptr + len1 > blob->length) {
+				return False;
+			}
+			ps = va_arg(ap, char **);
+			pull_string(NULL, p, blob->data + ptr, -1, len1, 
+				    STR_UNICODE|STR_NOALIGN);
+			(*ps) = strdup(p);
+			break;
+		case 'B':
+			len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			ptr =  IVAL(blob->data, head_ofs); head_ofs += 4;
+			/* make sure its in the right format - be strict */
+			if (len1 != len2 || ptr + len1 > blob->length) {
+				return False;
+			}
+			b = (DATA_BLOB *)va_arg(ap, void *);
+			*b = data_blob(blob->data + ptr, len1);
+			break;
+		case 'b':
+			b = (DATA_BLOB *)va_arg(ap, void *);
+			len1 = va_arg(ap, unsigned);
+			*b = data_blob(blob->data + head_ofs, len1);
+			head_ofs += len1;
+			break;
+		case 'd':
+			v = va_arg(ap, uint32 *);
+			*v = IVAL(blob->data, head_ofs); head_ofs += 4;
+			break;
+		case 'C':
+			s = va_arg(ap, char *);
+			head_ofs += pull_string(NULL, p, blob->data+head_ofs, -1, 
+						blob->length - head_ofs, 
+						STR_ASCII|STR_TERMINATE);
+			if (strcmp(s, p) != 0) {
+				return False;
+			}
+			break;
+		}
+	}
+	va_end(ap);
+
+	return True;
+}
author	Andrew Tridgell <tridge@samba.org>	2001-10-17 08:54:19 +0000
committer	Andrew Tridgell <tridge@samba.org>	2001-10-17 08:54:19 +0000
commit	b728042334f67738fd1a6fdd03e619bdb78fe06a (patch)
tree	2ae5e7d47a8c6f67789f671bc4ea3ea4a4546d72 /source3/libsmb
parent	d731149a41d7563ab99acd3d3d20fff899e7de8f (diff)
download	samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.tar.gz samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.tar.bz2 samba-b728042334f67738fd1a6fdd03e619bdb78fe06a.zip