diff options
| -rw-r--r-- | source3/include/config.h.in | 6 | ||||
| -rw-r--r-- | source3/lib/util.c | 4 | ||||
| -rw-r--r-- | source3/libsmb/asn1.c | 28 | ||||
| -rw-r--r-- | source3/libsmb/cliconnect.c | 32 | ||||
| -rw-r--r-- | source3/libsmb/clientgen.c | 2 | ||||
| -rw-r--r-- | source3/libsmb/clispnego.c | 222 | ||||
| -rw-r--r-- | source3/param/loadparm.c | 8 | ||||
| -rw-r--r-- | source3/smbd/negprot.c | 75 | ||||
| -rw-r--r-- | source3/smbd/process.c | 37 | ||||
| -rw-r--r-- | source3/smbd/sesssetup.c | 258 |
10 files changed, 606 insertions, 66 deletions
diff --git a/source3/include/config.h.in b/source3/include/config.h.in index 401ba5bef9..7a93b52f82 100644 --- a/source3/include/config.h.in +++ b/source3/include/config.h.in @@ -1019,6 +1019,9 @@ /* Define if you have the acl library (-lacl). */ #undef HAVE_LIBACL +/* Define if you have the com_err library (-lcom_err). */ +#undef HAVE_LIBCOM_ERR + /* Define if you have the cups library (-lcups). */ #undef HAVE_LIBCUPS @@ -1031,6 +1034,9 @@ /* Define if you have the inet library (-linet). */ #undef HAVE_LIBINET +/* Define if you have the k5crypto library (-lk5crypto). */ +#undef HAVE_LIBK5CRYPTO + /* Define if you have the nsl library (-lnsl). */ #undef HAVE_LIBNSL diff --git a/source3/lib/util.c b/source3/lib/util.c index 20422a00c7..d3f07dd0a8 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1913,9 +1913,9 @@ DATA_BLOB data_blob(void *p, size_t length) /******************************************************************* free a data blob *******************************************************************/ -void data_blob_free(DATA_BLOB d) +void data_blob_free(DATA_BLOB *d) { - SAFE_FREE(d.data); + SAFE_FREE(d->data); } diff --git a/source3/libsmb/asn1.c b/source3/libsmb/asn1.c index e72da897b9..59763408cf 100644 --- a/source3/libsmb/asn1.c +++ b/source3/libsmb/asn1.c @@ -87,13 +87,18 @@ BOOL asn1_pop_tag(ASN1_DATA *data) /* yes, this is ugly. We don't know in advance how many bytes the length of a tag will take, so we assumed 1 byte. If we were wrong then we need to correct our mistake */ - if (len > 127) { + if (len > 255) { data->data[nesting->start] = 0x82; if (!asn1_write_uint8(data, 0)) return False; if (!asn1_write_uint8(data, 0)) return False; memmove(data->data+nesting->start+3, data->data+nesting->start+1, len); data->data[nesting->start+1] = len>>8; data->data[nesting->start+2] = len&0xff; + } else if (len > 127) { + data->data[nesting->start] = 0x81; + if (!asn1_write_uint8(data, 0)) return False; + memmove(data->data+nesting->start+2, data->data+nesting->start+1, len); + data->data[nesting->start+1] = len; } else { data->data[nesting->start] = len; } @@ -203,14 +208,16 @@ BOOL asn1_start_tag(ASN1_DATA *data, uint8 tag) asn1_read_uint8(data, &b); if (b & 0x80) { int n = b & 0x7f; - if (n != 2) { + if (n > 2) { data->has_error = True; return False; } asn1_read_uint8(data, &b); - nesting->taglen = b<<8; - asn1_read_uint8(data, &b); - nesting->taglen |= b; + nesting->taglen = b; + if (n == 2) { + asn1_read_uint8(data, &b); + nesting->taglen = (nesting->taglen << 8) | b; + } } else { nesting->taglen = b; } @@ -320,7 +327,7 @@ BOOL asn1_read_GeneralString(ASN1_DATA *data, char **s) } /* read a octet string blob */ -BOOL asn1_read_octet_string(ASN1_DATA *data, DATA_BLOB *blob) +BOOL asn1_read_OctetString(ASN1_DATA *data, DATA_BLOB *blob) { int len; if (!asn1_start_tag(data, ASN1_OCTET_STRING)) return False; @@ -345,3 +352,12 @@ BOOL asn1_check_enumerated(ASN1_DATA *data, int v) asn1_end_tag(data); return !data->has_error && (v == b); } + +/* check a enumarted value is correct */ +BOOL asn1_write_enumerated(ASN1_DATA *data, uint8 v) +{ + if (!asn1_push_tag(data, ASN1_ENUMERATED)) return False; + asn1_write_uint8(data, v); + asn1_pop_tag(data); + return !data->has_error; +} diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 94eda90a3b..6a01744240 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -31,11 +31,12 @@ static struct { prots[] = { {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"}, + {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"}, + {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"}, {PROTOCOL_LANMAN1,"LANMAN1.0"}, - {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"}, {PROTOCOL_LANMAN2,"LM1.2X002"}, - {PROTOCOL_NT1,"Samba"}, - {PROTOCOL_NT1,"LANMAN2.1"}, + {PROTOCOL_LANMAN2,"Samba"}, + {PROTOCOL_NT1,"NT LANMAN 1.0"}, {PROTOCOL_NT1,"NT LM 0.12"}, {-1,NULL} }; @@ -394,7 +395,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c blob2 = cli_session_setup_blob(cli, negTokenTarg); /* we don't need this blob for kerberos */ - data_blob_free(blob2); + data_blob_free(&blob2); return !cli_is_error(cli); } @@ -428,12 +429,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenTarg(mechs, blob); - data_blob_free(blob); + data_blob_free(&blob); /* now send that blob on its way */ blob = cli_session_setup_blob(cli, msg1); - data_blob_free(msg1); + data_blob_free(&msg1); if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) { return False; @@ -445,18 +446,25 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* the server gives us back two challenges */ if (!spnego_parse_challenge(blob, &chal1, &chal2)) { + DEBUG(3,("Failed to parse challenges\n")); return False; } - data_blob_free(blob); + data_blob_free(&blob); /* encrypt the password with the challenge */ memcpy(challenge, chal1.data + 24, 8); SMBencrypt(pass, challenge,lmhash); SMBNTencrypt(pass, challenge,nthash); - data_blob_free(chal1); - data_blob_free(chal2); +#if 0 + file_save("nthash.dat", nthash, 24); + file_save("lmhash.dat", lmhash, 24); + file_save("chal1.dat", chal1.data, chal1.length); +#endif + + data_blob_free(&chal1); + data_blob_free(&chal2); /* this generates the actual auth packet */ msrpc_gen(&blob, "CdBBUUUBd", @@ -473,13 +481,13 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* wrap it in SPNEGO */ auth = spnego_gen_auth(blob); - data_blob_free(blob); + data_blob_free(&blob); /* now send the auth packet and we should be done */ blob = cli_session_setup_blob(cli, auth); - data_blob_free(auth); - data_blob_free(blob); + data_blob_free(&auth); + data_blob_free(&blob); return !cli_is_error(cli); } diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index 25dc070024..ed0bc6481e 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -216,7 +216,7 @@ void cli_shutdown(struct cli_state *cli) SAFE_FREE(cli->outbuf); SAFE_FREE(cli->inbuf); - data_blob_free(cli->secblob); + data_blob_free(&cli->secblob); if (cli->mem_ctx) talloc_destroy(cli->mem_ctx); diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index da8c6450ae..78cae3315a 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -25,12 +25,13 @@ generate a negTokenInit packet given a GUID, a list of supported OIDs (the mechanisms) and a principle name string */ -ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], +DATA_BLOB spnego_gen_negTokenInit(uint8 guid[16], const char *OIDs[], const char *principle) { int i; ASN1_DATA data; + DATA_BLOB ret; memset(&data, 0, sizeof(data)); @@ -66,7 +67,10 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], asn1_free(&data); } - return data; + ret = data_blob(data.data, data.length); + asn1_free(&data); + + return ret; } @@ -167,6 +171,50 @@ DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob) /* + parse a negTokenTarg packet giving a list of OIDs and a security blob +*/ +BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob) +{ + int i; + ASN1_DATA data; + + asn1_load(&data, blob); + asn1_start_tag(&data, ASN1_APPLICATION(0)); + asn1_check_OID(&data,OID_SPNEGO); + asn1_start_tag(&data, ASN1_CONTEXT(0)); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + + asn1_start_tag(&data, ASN1_CONTEXT(0)); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { + char *oid = NULL; + asn1_read_OID(&data,&oid); + OIDs[i] = oid; + } + OIDs[i] = NULL; + asn1_end_tag(&data); + asn1_end_tag(&data); + + asn1_start_tag(&data, ASN1_CONTEXT(2)); + asn1_read_OctetString(&data,secblob); + asn1_end_tag(&data); + + asn1_end_tag(&data); + asn1_end_tag(&data); + + asn1_end_tag(&data); + + if (data.has_error) { + DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs)); + asn1_free(&data); + return False; + } + + asn1_free(&data); + return True; +} + +/* generate a krb5 GSS-API wrapper packet given a ticket */ static DATA_BLOB spnego_gen_krb5_wrap(DATA_BLOB ticket) @@ -225,8 +273,8 @@ DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principle) /* and wrap that in a shiny SPNEGO wrapper */ targ = gen_negTokenTarg(krb_mechs, tkt_wrapped); - data_blob_free(tkt_wrapped); - data_blob_free(tkt); + data_blob_free(&tkt_wrapped); + data_blob_free(&tkt); return targ; } @@ -257,13 +305,13 @@ BOOL spnego_parse_challenge(DATA_BLOB blob, asn1_end_tag(&data); asn1_start_tag(&data,ASN1_CONTEXT(2)); - asn1_read_octet_string(&data, chal1); + asn1_read_OctetString(&data, chal1); asn1_end_tag(&data); /* the second challenge is optional (XP doesn't send it) */ if (asn1_tag_remaining(&data)) { asn1_start_tag(&data,ASN1_CONTEXT(3)); - asn1_read_octet_string(&data, chal2); + asn1_read_OctetString(&data, chal2); asn1_end_tag(&data); } @@ -275,6 +323,52 @@ BOOL spnego_parse_challenge(DATA_BLOB blob, return ret; } + +/* + generate a spnego NTLMSSP challenge packet given two security blobs + The second challenge is optional +*/ +BOOL spnego_gen_challenge(DATA_BLOB *blob, + DATA_BLOB *chal1, DATA_BLOB *chal2) +{ + ASN1_DATA data; + + ZERO_STRUCT(data); + + asn1_push_tag(&data,ASN1_CONTEXT(1)); + asn1_push_tag(&data,ASN1_SEQUENCE(0)); + + asn1_push_tag(&data,ASN1_CONTEXT(0)); + asn1_write_enumerated(&data,1); + asn1_pop_tag(&data); + + asn1_push_tag(&data,ASN1_CONTEXT(1)); + asn1_write_OID(&data, OID_NTLMSSP); + asn1_pop_tag(&data); + + asn1_push_tag(&data,ASN1_CONTEXT(2)); + asn1_write_OctetString(&data, chal1->data, chal1->length); + asn1_pop_tag(&data); + + /* the second challenge is optional (XP doesn't send it) */ + if (chal2) { + asn1_push_tag(&data,ASN1_CONTEXT(3)); + asn1_write_OctetString(&data, chal2->data, chal2->length); + asn1_pop_tag(&data); + } + + asn1_pop_tag(&data); + asn1_pop_tag(&data); + + if (data.has_error) { + return False; + } + + *blob = data_blob(data.data, data.length); + asn1_free(&data); + return True; +} + /* generate a SPNEGO NTLMSSP auth packet. This will contain the encrypted passwords */ @@ -298,7 +392,32 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob) asn1_free(&data); return ret; - +} + +/* + parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords +*/ +BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth) +{ + ASN1_DATA data; + + asn1_load(&data, blob); + asn1_start_tag(&data, ASN1_CONTEXT(1)); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_CONTEXT(2)); + asn1_read_OctetString(&data,auth); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_end_tag(&data); + + if (data.has_error) { + DEBUG(3,("spnego_parse_auth failed at %d\n", (int)data.ofs)); + asn1_free(&data); + return False; + } + + asn1_free(&data); + return True; } @@ -312,6 +431,7 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob) U = unicode string (input is unix string) B = data blob (pointer + length) + b = data blob in header (pointer + length) d = word (4 bytes) C = constant ascii string */ @@ -339,6 +459,10 @@ BOOL msrpc_gen(DATA_BLOB *blob, head_size += 8; data_size += va_arg(ap, int); break; + case 'b': + b = va_arg(ap, uint8 *); + head_size += va_arg(ap, int); + break; case 'd': n = va_arg(ap, int); head_size += 4; @@ -384,6 +508,12 @@ BOOL msrpc_gen(DATA_BLOB *blob, n = va_arg(ap, int); SIVAL(blob->data, head_ofs, n); head_ofs += 4; break; + case 'b': + b = va_arg(ap, uint8 *); + n = va_arg(ap, int); + memcpy(blob->data + head_ofs, b, n); + head_ofs += n; + break; case 'C': s = va_arg(ap, char *); head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, @@ -395,3 +525,81 @@ BOOL msrpc_gen(DATA_BLOB *blob, return True; } + + +/* + this is a tiny msrpc packet parser. This the the partner of msrpc_gen + + format specifiers are: + + U = unicode string (input is unix string) + B = data blob + b = data blob in header + d = word (4 bytes) + C = constant ascii string + */ +BOOL msrpc_parse(DATA_BLOB *blob, + const char *format, ...) +{ + int i; + va_list ap; + char **ps, *s; + DATA_BLOB *b; + int head_ofs = 0; + uint16 len1, len2; + uint32 ptr; + uint32 *v; + pstring p; + + va_start(ap, format); + for (i=0; format[i]; i++) { + switch (format[i]) { + case 'U': + len1 = SVAL(blob->data, head_ofs); head_ofs += 2; + len2 = SVAL(blob->data, head_ofs); head_ofs += 2; + ptr = IVAL(blob->data, head_ofs); head_ofs += 4; + /* make sure its in the right format - be strict */ + if (len1 != len2 || (len1&1) || ptr + len1 > blob->length) { + return False; + } + ps = va_arg(ap, char **); + pull_string(NULL, p, blob->data + ptr, -1, len1, + STR_UNICODE|STR_NOALIGN); + (*ps) = strdup(p); + break; + case 'B': + len1 = SVAL(blob->data, head_ofs); head_ofs += 2; + len2 = SVAL(blob->data, head_ofs); head_ofs += 2; + ptr = IVAL(blob->data, head_ofs); head_ofs += 4; + /* make sure its in the right format - be strict */ + if (len1 != len2 || ptr + len1 > blob->length) { + return False; + } + b = (DATA_BLOB *)va_arg(ap, void *); + *b = data_blob(blob->data + ptr, len1); + break; + case 'b': + b = (DATA_BLOB *)va_arg(ap, void *); + len1 = va_arg(ap, unsigned); + *b = data_blob(blob->data + head_ofs, len1); + head_ofs += len1; + break; + case 'd': + v = va_arg(ap, uint32 *); + *v = IVAL(blob->data, head_ofs); head_ofs += 4; + break; + case 'C': + s = va_arg(ap, char *); + head_ofs += pull_string(NULL, p, blob->data+head_ofs, -1, + blob->length - head_ofs, + STR_ASCII|STR_TERMINATE); + if (strcmp(s, p) != 0) { + return False; + } + break; + } + } + va_end(ap); + + return True; +} diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 80c9411fb0..f6abda4ac9 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -113,6 +113,7 @@ typedef struct char *szPasswordServer; char *szSocketOptions; char *szWorkGroup; + char *szRealm; char **szDomainAdminGroup; char **szDomainGuestGroup; char *szUsernameMap; @@ -650,6 +651,7 @@ static struct parm_struct parm_table[] = { {"path", P_STRING, P_LOCAL, &sDefault.szPath, NULL, NULL, FLAG_BASIC | FLAG_SHARE | FLAG_PRINT}, {"directory", P_STRING, P_LOCAL, &sDefault.szPath, NULL, NULL, 0}, {"workgroup", P_USTRING, P_GLOBAL, &Globals.szWorkGroup, NULL, NULL, FLAG_BASIC}, + {"realm", P_USTRING, P_GLOBAL, &Globals.szRealm, NULL, NULL, FLAG_BASIC}, {"netbios name", P_UGSTRING, P_GLOBAL, global_myname, handle_netbios_name, NULL, FLAG_BASIC}, {"netbios aliases", P_LIST, P_GLOBAL, &Globals.szNetbiosAliases, NULL, NULL, 0}, {"netbios scope", P_UGSTRING, P_GLOBAL, global_scope, NULL, NULL, 0}, @@ -1198,11 +1200,6 @@ static void init_globals(void) string_set(&Globals.szPasswdProgram, ""); string_set(&Globals.szPrintcapname, PRINTCAP_NAME); string_set(&Globals.szLockDir, LOCKDIR); -#ifdef WITH_UTMP - string_set(&Globals.szUtmpDir, ""); - string_set(&Globals.szWtmpDir, ""); - Globals.bUtmp = False; -#endif string_set(&Globals.szSocketAddress, "0.0.0.0"); pstrcpy(s, "Samba "); pstrcat(s, VERSION); @@ -1465,6 +1462,7 @@ FN_GLOBAL_STRING(lp_passwd_chat, &Globals.szPasswdChat) FN_GLOBAL_STRING(lp_passwordserver, &Globals.szPasswordServer) FN_GLOBAL_STRING(lp_name_resolve_order, &Globals.szNameResolveOrder) FN_GLOBAL_STRING(lp_workgroup, &Globals.szWorkGroup) +FN_GLOBAL_STRING(lp_realm, &Globals.szRealm) FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap) #ifdef USING_GROUPNAME_MAP FN_GLOBAL_STRING(lp_groupname_map, &Globals.szGroupnameMap) diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index d20f713113..cf14640a72 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -30,7 +30,7 @@ BOOL global_encrypted_passwords_negotiated; /**************************************************************************** reply for the core protocol ****************************************************************************/ -static int reply_corep(char *outbuf) +static int reply_corep(char *inbuf, char *outbuf) { int outsize = set_message(outbuf,1,0,True); @@ -43,7 +43,7 @@ static int reply_corep(char *outbuf) /**************************************************************************** reply for the coreplus protocol ****************************************************************************/ -static int reply_coreplus(char *outbuf) +static int reply_coreplus(char *inbuf, char *outbuf) { int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0); int outsize = set_message(outbuf,13,0,True); @@ -62,7 +62,7 @@ static int reply_coreplus(char *outbuf) /**************************************************************************** reply for the lanman 1.0 protocol ****************************************************************************/ -static int reply_lanman1(char *outbuf) +static int reply_lanman1(char *inbuf, char *outbuf) { int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0); int secword=0; @@ -100,7 +100,7 @@ static int reply_lanman1(char *outbuf) /**************************************************************************** reply for the lanman 2.0 protocol ****************************************************************************/ -static int reply_lanman2(char *outbuf) +static int reply_lanman2(char *inbuf, char *outbuf) { int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0); int secword=0; @@ -154,10 +154,44 @@ static int reply_lanman2(char *outbuf) } + +/* + generate the spnego negprot reply blob. Return the number of bytes used +*/ +static int negprot_spnego(char *p, uint8 cryptkey[8]) +{ + DATA_BLOB blob; + extern pstring global_myname; + uint8 guid[16]; + const char *OIDs[] = {OID_NTLMSSP, +#if 0 + /* not till we add kerberos in the server */ + OID_KERBEROS5_OLD, +#endif + NULL}; + char *principle; + int len; + + memset(guid, 0, 16); + safe_strcpy(guid, global_myname, 16); + strlower(guid); + + asprintf(&principle, "%s$@%s", guid, lp_realm()); + blob = spnego_gen_negTokenInit(guid, OIDs, principle); + free(principle); + + memcpy(p, blob.data, blob.length); + len = blob.length; + data_blob_free(&blob); + return len; +} + + + /**************************************************************************** reply for the nt protocol ****************************************************************************/ -static int reply_nt1(char *outbuf) +static int reply_nt1(char *inbuf, char *outbuf) { /* dual names + lock_and_read + nt SMBs + remote API calls */ int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ| @@ -166,10 +200,10 @@ static int reply_nt1(char *outbuf) int secword=0; time_t t = time(NULL); struct cli_state *cli = NULL; - char cryptkey[8]; - char crypt_len = 0; + uint8 cryptkey[8]; char *p, *q; - + BOOL negotiate_spnego = False; + global_encrypted_passwords_negotiated = lp_encrypted_passwords(); if (lp_security() == SEC_SERVER) { @@ -177,6 +211,14 @@ static int reply_nt1(char *outbuf) cli = server_cryptkey(); } else { DEBUG(5,("not attempting password server validation\n")); + /* do spnego in user level security if the client + supports it and we can do encrypted passwords */ + if (global_encrypted_passwords_negotiated && + lp_security() == SEC_USER && + (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) { + negotiate_spnego = True; + capabilities |= CAP_EXTENDED_SECURITY; + } } if (cli) { @@ -187,7 +229,6 @@ static int reply_nt1(char *outbuf) } if (global_encrypted_passwords_negotiated) { - crypt_len = 8; if (!cli) { generate_next_challenge(cryptkey); } else { @@ -224,7 +265,6 @@ static int reply_nt1(char *outbuf) set_message(outbuf,17,0,True); CVAL(outbuf,smb_vwv1) = secword; - SSVALS(outbuf,smb_vwv16+1,crypt_len); Protocol = PROTOCOL_NT1; @@ -238,8 +278,15 @@ static int reply_nt1(char *outbuf) SSVALS(outbuf,smb_vwv15+1,TimeDiff(t)/60); p = q = smb_buf(outbuf); - if (global_encrypted_passwords_negotiated) memcpy(p, cryptkey, 8); - p += 8; + if (!negotiate_spnego) { + if (global_encrypted_passwords_negotiated) memcpy(p, cryptkey, 8); + SSVALS(outbuf,smb_vwv16+1,8); + p += 8; + } else { + int len = negprot_spnego(p, cryptkey); + SSVALS(outbuf,smb_vwv16+1,len); + p += len; + } p += srvstr_push(outbuf, p, global_myworkgroup, -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN); @@ -322,7 +369,7 @@ protocol [LANMAN2.1] static struct { char *proto_name; char *short_name; - int (*proto_reply_fn)(char *); + int (*proto_reply_fn)(char *, char *); int protocol_level; } supported_protocols[] = { {"NT LANMAN 1.0", "NT1", reply_nt1, PROTOCOL_NT1}, @@ -441,7 +488,7 @@ int reply_negprot(connection_struct *conn, extern fstring remote_proto; fstrcpy(remote_proto,supported_protocols[protocol].short_name); reload_services(True); - outsize = supported_protocols[protocol].proto_reply_fn(outbuf); + outsize = supported_protocols[protocol].proto_reply_fn(inbuf, outbuf); DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name)); } else { diff --git a/source3/smbd/process.c b/source3/smbd/process.c index ea97eea8a4..cf691ce9f3 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -911,25 +911,24 @@ char *smb_fn_name(int type) void construct_reply_common(char *inbuf,char *outbuf) { - memset(outbuf,'\0',smb_size); - - set_message(outbuf,0,0,True); - CVAL(outbuf,smb_com) = CVAL(inbuf,smb_com); - - memcpy(outbuf+4,inbuf+4,4); - CVAL(outbuf,smb_rcls) = SMB_SUCCESS; - CVAL(outbuf,smb_reh) = 0; - SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); /* bit 7 set - means a reply */ - SSVAL(outbuf,smb_flg2, - (SVAL(inbuf,smb_flg2)&FLAGS2_UNICODE_STRINGS) | FLAGS2_LONG_PATH_COMPONENTS); - /* say we support long filenames */ - - SSVAL(outbuf,smb_err,SMB_SUCCESS); - SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid)); - SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid)); - SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid)); - SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid)); + memset(outbuf,'\0',smb_size); + + set_message(outbuf,0,0,True); + CVAL(outbuf,smb_com) = CVAL(inbuf,smb_com); + + memcpy(outbuf+4,inbuf+4,4); + CVAL(outbuf,smb_rcls) = SMB_SUCCESS; + CVAL(outbuf,smb_reh) = 0; + SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); + SSVAL(outbuf,smb_flg2, + FLAGS2_UNICODE_STRINGS | FLAGS2_LONG_PATH_COMPONENTS | + FLAGS2_32_BIT_ERROR_CODES | FLAGS2_EXTENDED_SECURITY); + + SSVAL(outbuf,smb_err,SMB_SUCCESS); + SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid)); + SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid)); + SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid)); + SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid)); } /**************************************************************************** diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 45fa2d6a4a..34b431e404 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -22,6 +22,259 @@ #include "includes.h" + +/**************************************************************************** +send a security blob via a session setup reply +****************************************************************************/ +static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf, + DATA_BLOB blob) +{ + char *p; + + set_message(outbuf,4,0,True); + + /* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end + that we aren't finished yet */ + + SIVAL(outbuf, smb_rcls, NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED)); + SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */ + SSVAL(outbuf, smb_vwv3, blob.length); + p = smb_buf(outbuf); + memcpy(p, blob.data, blob.length); + p += blob.length; + p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE); + p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE); + p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE); + set_message_end(outbuf,p); + + return send_smb(smbd_server_fd(),outbuf); +} + + + + +/**************************************************************************** +reply to a session setup spnego negotiate packet +****************************************************************************/ +static int reply_spnego_negotiate(connection_struct *conn, char *outbuf, + DATA_BLOB blob1) +{ + char *OIDs[ASN1_MAX_OIDS]; + DATA_BLOB secblob; + int i; + uint32 ntlmssp_command, neg_flags; + DATA_BLOB sess_key, chal, spnego_chal; + uint8 cryptkey[8]; + + /* parse out the OIDs and the first sec blob */ + if (!parse_negTokenTarg(blob1, OIDs, &secblob)) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + for (i=0;OIDs[i];i++) { + DEBUG(3,("Got OID %s\n", OIDs[i])); + free(OIDs[i]); + } + DEBUG(3,("Got secblob of size %d\n", secblob.length)); + + /* parse the NTLMSSP packet */ +#if 0 + file_save("secblob.dat", secblob.data, secblob.length); +#endif + + msrpc_parse(&secblob, "CddB", + "NTLMSSP", + &ntlmssp_command, + &neg_flags, + &sess_key); + + data_blob_free(&secblob); + data_blob_free(&sess_key); + + if (ntlmssp_command != NTLMSSP_NEGOTIATE) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + DEBUG(3,("Got neg_flags=%08x\n", neg_flags)); + + last_challenge(cryptkey); + + /* Give them the challenge. For now, ignore neg_flags and just + return the flags we want. Obviously this is not correct */ + + neg_flags = NTLMSSP_NEGOTIATE_UNICODE | + NTLMSSP_NEGOTIATE_LM_KEY | + NTLMSSP_NEGOTIATE_NTLM; + + msrpc_gen(&chal, "Cddddbdddd", + "NTLMSSP", + NTLMSSP_CHALLENGE, + 0, + 0x30, /* ?? */ + neg_flags, + cryptkey, 8, + 0, 0, 0, + 0x3000); /* ?? */ + + if (!spnego_gen_challenge(&spnego_chal, &chal, &chal)) { + DEBUG(3,("Failed to generate challenge\n")); + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + /* now tell the client to send the auth packet */ + reply_sesssetup_blob(conn, outbuf, spnego_chal); + + data_blob_free(&chal); + data_blob_free(&spnego_chal); + + /* and tell smbd that we have already replied to this packet */ + return -1; +} + + +/**************************************************************************** +reply to a session setup spnego auth packet +****************************************************************************/ +static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, + int length, int bufsize, + DATA_BLOB blob1) +{ + DATA_BLOB auth; + char *workgroup, *user, *machine; + DATA_BLOB lmhash, nthash, sess_key; + uint32 ntlmssp_command, neg_flags; + NTSTATUS nt_status; + int sess_vuid; + gid_t gid; + uid_t uid; + char *full_name; + char *p; + const struct passwd *pw; + + if (!spnego_parse_auth(blob1, &auth)) { + file_save("auth.dat", blob1.data, blob1.length); + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + /* now the NTLMSSP encoded auth hashes */ + if (!msrpc_parse(&auth, "CdBBUUUBd", + "NTLMSSP", + &ntlmssp_command, + &lmhash, + &nthash, + &workgroup, + &user, + &machine, + &sess_key, + &neg_flags)) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + data_blob_free(&auth); + data_blob_free(&sess_key); + + DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n", + user, workgroup, machine, lmhash.length, nthash.length)); + +#if 0 + file_save("nthash1.dat", nthash.data, nthash.length); + file_save("lmhash1.dat", lmhash.data, lmhash.length); +#endif + + nt_status = pass_check_smb(user, user, + workgroup, machine, + lmhash.data, + lmhash.length, + nthash.data, + nthash.length); + + data_blob_free(&nthash); + data_blob_free(&lmhash); + + if (!NT_STATUS_IS_OK(nt_status)) { + return ERROR_NT(nt_status); + } + + /* the password is good - let them in */ + pw = smb_getpwnam(user,False); + if (!pw) { + DEBUG(1,("Username %s is invalid on this system\n",user)); + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + gid = pw->pw_gid; + uid = pw->pw_uid; + full_name = pw->pw_gecos; + + sess_vuid = register_vuid(uid,gid,user,user,workgroup,False, full_name); + + free(user); + free(workgroup); + free(machine); + + if (sess_vuid == -1) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + set_message(outbuf,4,0,True); + SSVAL(outbuf, smb_vwv3, 0); + p = smb_buf(outbuf); + p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE); + p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE); + p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE); + set_message_end(outbuf,p); + + SSVAL(outbuf,smb_uid,sess_vuid); + SSVAL(inbuf,smb_uid,sess_vuid); + + return chain_reply(inbuf,outbuf,length,bufsize); +} + + +/**************************************************************************** +reply to a session setup command +****************************************************************************/ +static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,char *outbuf, + int length,int bufsize) +{ + uint8 *p; + DATA_BLOB blob1; + extern uint32 global_client_caps; + int ret; + + chdir("/home/tridge"); + + if (global_client_caps == 0) { + global_client_caps = IVAL(inbuf,smb_vwv10); + } + + p = smb_buf(inbuf); + + /* pull the spnego blob */ + blob1 = data_blob(p, SVAL(inbuf, smb_vwv7)); + + if (blob1.data[0] == ASN1_APPLICATION(0)) { + /* its a negTokenTarg packet */ + ret = reply_spnego_negotiate(conn, outbuf, blob1); + data_blob_free(&blob1); + return ret; + } + + if (blob1.data[0] == ASN1_CONTEXT(1)) { + /* its a auth packet */ + ret = reply_spnego_auth(conn, inbuf, outbuf, length, bufsize, blob1); + data_blob_free(&blob1); + return ret; + } + + /* what sort of packet is this? */ + DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n")); + + data_blob_free(&blob1); + + return ERROR_NT(NT_STATUS_LOGON_FAILURE); +} + + /**************************************************************************** reply to a session setup command ****************************************************************************/ @@ -53,6 +306,11 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, BOOL doencrypt = global_encrypted_passwords_negotiated; START_PROFILE(SMBsesssetupX); + if (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY) { + /* it's a SPNEGO session setup */ + return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize); + } + *smb_apasswd = *smb_ntpasswd = 0; smb_bufsize = SVAL(inbuf,smb_vwv2); |