diff options
Diffstat (limited to 'source4/auth/ntlmssp')
| -rw-r--r-- | source4/auth/ntlmssp/ntlmssp.h | 34 | ||||
| -rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 103 | ||||
| -rw-r--r-- | source4/auth/ntlmssp/ntlmssp_sign.c | 31 |
3 files changed, 81 insertions, 87 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h index 7743e7697e..7bed54d6d8 100644 --- a/source4/auth/ntlmssp/ntlmssp.h +++ b/source4/auth/ntlmssp/ntlmssp.h @@ -1,20 +1,20 @@ -/* +/* Unix SMB/CIFS implementation. SMB parameters and setup Copyright (C) Andrew Tridgell 1992-1997 Copyright (C) Luke Kenneth Casson Leighton 1996-1997 Copyright (C) Paul Ashton 1997 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -37,7 +37,7 @@ enum ntlmssp_message_type NTLMSSP_CHALLENGE = 2, NTLMSSP_AUTH = 3, NTLMSSP_UNKNOWN = 4, - NTLMSSP_DONE = 5 /* samba final state */ + NTLMSSP_DONE = 5 /* samba final state */ }; struct gensec_ntlmssp_state @@ -65,29 +65,30 @@ struct gensec_ntlmssp_state DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */ DATA_BLOB chal; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */ - DATA_BLOB lm_resp; + DATA_BLOB lm_resp; DATA_BLOB nt_resp; DATA_BLOB session_key; - + uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */ /* internal variables used by KEY_EXCH (client-supplied user session key */ DATA_BLOB encrypted_session_key; /** - * Callback to get the 'challenge' used for NTLM authentication. + * Callback to get the 'challenge' used for NTLM authentication. * * @param ntlmssp_state This structure * @return 8 bytes of challenge data, determined by the server to be the challenge for NTLM authentication * */ - const uint8_t *(*get_challenge)(const struct gensec_ntlmssp_state *); + NTSTATUS (*get_challenge)(const struct gensec_ntlmssp_state *, + uint8_t challenge[8]); /** - * Callback to find if the challenge used by NTLM authentication may be modified + * Callback to find if the challenge used by NTLM authentication may be modified * * The NTLM2 authentication scheme modifies the effective challenge, but this is not compatiable with the - * current 'security=server' implementation.. + * current 'security=server' implementation.. * * @param ntlmssp_state This structure * @return Can the challenge be set to arbitary values? @@ -96,7 +97,7 @@ struct gensec_ntlmssp_state bool (*may_set_challenge)(const struct gensec_ntlmssp_state *); /** - * Callback to set the 'challenge' used for NTLM authentication. + * Callback to set the 'challenge' used for NTLM authentication. * * The callback may use the void *auth_context to store state information, but the same value is always available * from the DATA_BLOB chal on this structure. @@ -108,21 +109,20 @@ struct gensec_ntlmssp_state NTSTATUS (*set_challenge)(struct gensec_ntlmssp_state *, DATA_BLOB *challenge); /** - * Callback to check the user's password. + * Callback to check the user's password. * - * The callback must reads the feilds of this structure for the information it needs on the user + * The callback must reads the feilds of this structure for the information it needs on the user * @param ntlmssp_state This structure * @param nt_session_key If an NT session key is returned by the authentication process, return it here * @param lm_session_key If an LM session key is returned by the authentication process, return it here * */ - NTSTATUS (*check_password)(struct gensec_ntlmssp_state *, - TALLOC_CTX *mem_ctx, + NTSTATUS (*check_password)(struct gensec_ntlmssp_state *, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key); const char *server_name; - bool doing_ntlm2; + bool doing_ntlm2; union { /* NTLM */ diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 94de920772..c49bf2fea7 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -124,8 +124,9 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, DATA_BLOB struct_blob; uint32_t neg_flags = 0; uint32_t ntlmssp_command, chal_flags; - const uint8_t *cryptkey; + uint8_t cryptkey[8]; const char *target_name; + NTSTATUS status; /* parse the NTLMSSP packet */ #if 0 @@ -150,10 +151,11 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, ntlmssp_handle_neg_flags(gensec_ntlmssp_state, neg_flags, gensec_ntlmssp_state->allow_lm_key); /* Ask our caller what challenge they would like in the packet */ - cryptkey = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state); - if (!cryptkey) { - DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge\n")); - return NT_STATUS_INTERNAL_ERROR; + status = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state, cryptkey); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n", + nt_errstr(status))); + return status; } /* Check if we may set the challenge */ @@ -180,7 +182,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, /* This creates the 'blob' of names that appears at the end of the packet */ if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN]; - const char *target_name_dns = ""; /* Find out the DNS domain name */ dnsdomname[0] = '\0'; @@ -194,12 +195,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, } strlower_m(dnsname); - if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN) { - target_name_dns = dnsdomname; - } else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER) { - target_name_dns = dnsname; - } - msrpc_gen(out_mem_ctx, &struct_blob, "aaaaa", MsvAvNbDomainName, target_name, @@ -268,6 +263,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms } /* zero these out */ + data_blob_free(&gensec_ntlmssp_state->session_key); data_blob_free(&gensec_ntlmssp_state->lm_resp); data_blob_free(&gensec_ntlmssp_state->nt_resp); data_blob_free(&gensec_ntlmssp_state->encrypted_session_key); @@ -406,6 +402,11 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, NTSTATUS nt_status; DATA_BLOB session_key = data_blob(NULL, 0); + if (!(gensec_security->want_features + & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY))) { + return NT_STATUS_OK; + } + if (user_session_key) dump_data_pw("USER session key:\n", user_session_key->data, user_session_key->length); @@ -548,20 +549,15 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security, const DATA_BLOB in, DATA_BLOB *out) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; - DATA_BLOB user_session_key = data_blob(NULL, 0); - DATA_BLOB lm_session_key = data_blob(NULL, 0); + DATA_BLOB user_session_key = data_blob_null; + DATA_BLOB lm_session_key = data_blob_null; NTSTATUS nt_status; - TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } - /* zero the outbound NTLMSSP packet */ - *out = data_blob_talloc(out_mem_ctx, NULL, 0); + *out = data_blob_null; - if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_preauth(gensec_ntlmssp_state, in))) { - talloc_free(mem_ctx); + nt_status = ntlmssp_server_preauth(gensec_ntlmssp_state, in); + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -573,23 +569,21 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security, */ /* Finally, actually ask if the password is OK */ - - if (!NT_STATUS_IS_OK(nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state, mem_ctx, - &user_session_key, &lm_session_key))) { - talloc_free(mem_ctx); + nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state, + &user_session_key, + &lm_session_key); + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - - if (gensec_security->want_features - & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY)) { - nt_status = ntlmssp_server_postauth(gensec_security, &user_session_key, &lm_session_key); - talloc_free(mem_ctx); + + nt_status = ntlmssp_server_postauth(gensec_security, + &user_session_key, + &lm_session_key); + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; - } else { - gensec_ntlmssp_state->session_key = data_blob(NULL, 0); - talloc_free(mem_ctx); - return NT_STATUS_OK; } + + return NT_STATUS_OK; } /** @@ -597,19 +591,19 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security, * @return an 8 byte random challenge */ -static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state) +static NTSTATUS auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state, + uint8_t chal[8]) { NTSTATUS status; - const uint8_t *chal; - status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, &chal); + status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, chal); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n", nt_errstr(status))); - return NULL; + return status; } - return chal; + return NT_STATUS_OK; } /** @@ -651,12 +645,13 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct gensec_ntlmssp_state *gensec_n * Return the session keys used on the connection. */ -static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ntlmssp_state, - TALLOC_CTX *mem_ctx, - DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) +static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ntlmssp_state, + DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { NTSTATUS nt_status; - struct auth_usersupplied_info *user_info = talloc(mem_ctx, struct auth_usersupplied_info); + struct auth_usersupplied_info *user_info; + + user_info = talloc(gensec_ntlmssp_state, struct auth_usersupplied_info); if (!user_info) { return NT_STATUS_NO_MEMORY; } @@ -675,31 +670,21 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ user_info->password.response.nt = gensec_ntlmssp_state->nt_resp; user_info->password.response.nt.data = talloc_steal(user_info, gensec_ntlmssp_state->nt_resp.data); - nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context, - mem_ctx, - user_info, + nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context, + gensec_ntlmssp_state, + user_info, &gensec_ntlmssp_state->server_info); talloc_free(user_info); NT_STATUS_NOT_OK_RETURN(nt_status); - talloc_steal(gensec_ntlmssp_state, gensec_ntlmssp_state->server_info); - if (gensec_ntlmssp_state->server_info->user_session_key.length) { - DEBUG(10, ("Got NT session key of length %u\n", + DEBUG(10, ("Got NT session key of length %u\n", (unsigned)gensec_ntlmssp_state->server_info->user_session_key.length)); - if (!talloc_reference(mem_ctx, gensec_ntlmssp_state->server_info->user_session_key.data)) { - return NT_STATUS_NO_MEMORY; - } - *user_session_key = gensec_ntlmssp_state->server_info->user_session_key; } if (gensec_ntlmssp_state->server_info->lm_session_key.length) { - DEBUG(10, ("Got LM session key of length %u\n", + DEBUG(10, ("Got LM session key of length %u\n", (unsigned)gensec_ntlmssp_state->server_info->lm_session_key.length)); - if (!talloc_reference(mem_ctx, gensec_ntlmssp_state->server_info->lm_session_key.data)) { - return NT_STATUS_NO_MEMORY; - } - *lm_session_key = gensec_ntlmssp_state->server_info->lm_session_key; } return nt_status; diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c index 957d0a8fbc..9e0d80f788 100644 --- a/source4/auth/ntlmssp/ntlmssp_sign.c +++ b/source4/auth/ntlmssp/ntlmssp_sign.c @@ -171,7 +171,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, NTLMSSP_RECEIVE, &local_sig, true); if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status))); + DEBUG(0, ("NTLMSSP packet sig creation failed with %s\n", nt_errstr(nt_status))); return nt_status; } @@ -179,26 +179,25 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, if (local_sig.length != sig->length || memcmp(local_sig.data, sig->data, sig->length) != 0) { - DEBUG(5, ("BAD SIG NTLM2: wanted signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); - dump_data(5, local_sig.data, local_sig.length); + + DEBUG(10, ("BAD SIG NTLM2: wanted signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); + dump_data(10, local_sig.data, local_sig.length); - DEBUG(5, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); - dump_data(5, sig->data, sig->length); + DEBUG(10, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); + dump_data(10, sig->data, sig->length); - DEBUG(1, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length)); return NT_STATUS_ACCESS_DENIED; } } else { if (local_sig.length != sig->length || memcmp(local_sig.data + 8, sig->data + 8, sig->length - 8) != 0) { - DEBUG(5, ("BAD SIG NTLM1: wanted signature of %llu bytes of input:\n", (unsigned long long)length)); + DEBUG(10, ("BAD SIG NTLM1: wanted signature of %llu bytes of input:\n", (unsigned long long)length)); dump_data(5, local_sig.data, local_sig.length); - DEBUG(5, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length)); - dump_data(5, sig->data, sig->length); + DEBUG(10, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length)); + dump_data(10, sig->data, sig->length); - DEBUG(1, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length)); return NT_STATUS_ACCESS_DENIED; } } @@ -281,6 +280,7 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) { + NTSTATUS status; struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; if (!gensec_ntlmssp_state->session_key.length) { DEBUG(3, ("NO session key, cannot unseal packet\n")); @@ -294,7 +294,12 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length); } dump_data_pw("ntlmssp clear data\n", data, length); - return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); + status = gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length)); + } + return status; } /** @@ -585,6 +590,10 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, status = check_status; } } + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("NTLMSSP packet check for unwrap failed due to invalid signature\n")); + } return status; } else { *out = *in; |