From 3045ecfa1df7506a826e53728231ca00451ccef4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Apr 2005 05:03:50 +0000 Subject: r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796) --- source4/auth/ntlmssp/ntlmssp_client.c | 445 ++++++++++++++++++++++++++++++++++ 1 file changed, 445 insertions(+) create mode 100644 source4/auth/ntlmssp/ntlmssp_client.c (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c new file mode 100644 index 0000000000..bbde1d954b --- /dev/null +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -0,0 +1,445 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, client server side parsing + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001-2005 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "auth/auth.h" +#include "auth/ntlmssp/ntlmssp.h" +#include "lib/crypto/crypto.h" + +/********************************************************************* + Client side NTLMSSP +*********************************************************************/ + +/** + * Next state function for the Initial packet + * + * @param ntlmssp_state NTLMSSP State + * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context + * @param in The request, as a DATA_BLOB. reply.data must be NULL + * @param out The reply, as an talloc()ed DATA_BLOB, on out_mem_ctx + * @return Errors or NT_STATUS_OK. + */ + +NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB in, DATA_BLOB *out) +{ + if (ntlmssp_state->unicode) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; + } else { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; + } + + if (ntlmssp_state->use_ntlmv2) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + /* generate the ntlmssp negotiate packet */ + msrpc_gen(out_mem_ctx, + out, "CddAA", + "NTLMSSP", + NTLMSSP_NEGOTIATE, + ntlmssp_state->neg_flags, + ntlmssp_state->get_domain(), + ntlmssp_state->workstation); + + ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +/** + * Next state function for the Challenge Packet. Generate an auth packet. + * + * @param ntlmssp_state NTLMSSP State + * @param request The request, as a DATA_BLOB. reply.data must be NULL + * @param request The reply, as an allocated DATA_BLOB, caller to free. + * @return Errors or NT_STATUS_OK. + */ + +NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) +{ + uint32_t chal_flags, ntlmssp_command, unkn1, unkn2; + DATA_BLOB server_domain_blob; + DATA_BLOB challenge_blob; + DATA_BLOB struct_blob = data_blob(NULL, 0); + char *server_domain; + const char *chal_parse_string; + const char *auth_gen_string; + uint8_t lm_hash[16]; + DATA_BLOB lm_response = data_blob(NULL, 0); + DATA_BLOB nt_response = data_blob(NULL, 0); + DATA_BLOB session_key = data_blob(NULL, 0); + DATA_BLOB lm_session_key = data_blob(NULL, 0); + DATA_BLOB encrypted_session_key = data_blob(NULL, 0); + NTSTATUS nt_status; + + if (!msrpc_parse(ntlmssp_state, + &in, "CdBd", + "NTLMSSP", + &ntlmssp_command, + &server_domain_blob, + &chal_flags)) { + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); + dump_data(2, in.data, in.length); + + return NT_STATUS_INVALID_PARAMETER; + } + + data_blob_free(&server_domain_blob); + + DEBUG(3, ("Got challenge flags:\n")); + debug_ntlmssp_flags(chal_flags); + + ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key); + + if (ntlmssp_state->unicode) { + if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) { + chal_parse_string = "CdUdbddB"; + } else { + chal_parse_string = "CdUdbdd"; + } + auth_gen_string = "CdBBUUUBd"; + } else { + if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) { + chal_parse_string = "CdAdbddB"; + } else { + chal_parse_string = "CdAdbdd"; + } + + auth_gen_string = "CdBBAAABd"; + } + + DEBUG(3, ("NTLMSSP: Set final flags:\n")); + debug_ntlmssp_flags(ntlmssp_state->neg_flags); + + if (!msrpc_parse(ntlmssp_state, + &in, chal_parse_string, + "NTLMSSP", + &ntlmssp_command, + &server_domain, + &chal_flags, + &challenge_blob, 8, + &unkn1, &unkn2, + &struct_blob)) { + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n")); + dump_data(2, in.data, in.length); + return NT_STATUS_INVALID_PARAMETER; + } + + ntlmssp_state->server_domain = server_domain; + + if (challenge_blob.length != 8) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!ntlmssp_state->password) { + static const uint8_t zeros[16]; + /* do nothing - blobs are zero length */ + + /* session key is all zeros */ + session_key = data_blob_talloc(ntlmssp_state, zeros, 16); + lm_session_key = data_blob_talloc(ntlmssp_state, zeros, 16); + + /* not doing NLTM2 without a password */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; + } else if (ntlmssp_state->use_ntlmv2) { + + if (!struct_blob.length) { + /* be lazy, match win2k - we can't do NTLMv2 without it */ + DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* TODO: if the remote server is standalone, then we should replace 'domain' + with the server name as supplied above */ + + if (!SMBNTLMv2encrypt(ntlmssp_state->user, + ntlmssp_state->domain, + ntlmssp_state->password, &challenge_blob, + &struct_blob, + &lm_response, &nt_response, + NULL, &session_key)) { + data_blob_free(&challenge_blob); + data_blob_free(&struct_blob); + return NT_STATUS_NO_MEMORY; + } + + /* LM Key is incompatible... */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + + } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + struct MD5Context md5_session_nonce_ctx; + uint8_t nt_hash[16]; + uint8_t session_nonce[16]; + uint8_t session_nonce_hash[16]; + uint8_t user_session_key[16]; + E_md4hash(ntlmssp_state->password, nt_hash); + + lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); + generate_random_buffer(lm_response.data, 8); + memset(lm_response.data+8, 0, 16); + + memcpy(session_nonce, challenge_blob.data, 8); + memcpy(&session_nonce[8], lm_response.data, 8); + + MD5Init(&md5_session_nonce_ctx); + MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8); + MD5Update(&md5_session_nonce_ctx, lm_response.data, 8); + MD5Final(session_nonce_hash, &md5_session_nonce_ctx); + + DEBUG(5, ("NTLMSSP challenge set by NTLM2\n")); + DEBUG(5, ("challenge is: \n")); + dump_data(5, session_nonce_hash, 8); + + nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); + SMBNTencrypt(ntlmssp_state->password, + session_nonce_hash, + nt_response.data); + + session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + + SMBsesskeygen_ntv1(nt_hash, user_session_key); + hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data); + dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); + + /* LM Key is incompatible... */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } else { + uint8_t nt_hash[16]; + + if (ntlmssp_state->use_nt_response) { + nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); + SMBNTencrypt(ntlmssp_state->password,challenge_blob.data, + nt_response.data); + E_md4hash(ntlmssp_state->password, nt_hash); + session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + SMBsesskeygen_ntv1(nt_hash, session_key.data); + dump_data_pw("NT session key:\n", session_key.data, session_key.length); + } + + /* lanman auth is insecure, it may be disabled */ + if (lp_client_lanman_auth()) { + lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); + if (!SMBencrypt(ntlmssp_state->password,challenge_blob.data, + lm_response.data)) { + /* If the LM password was too long (and therefore the LM hash being + of the first 14 chars only), don't send it */ + data_blob_free(&lm_response); + + /* LM Key is incompatible with 'long' passwords */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } else { + E_deshash(ntlmssp_state->password, lm_hash); + lm_session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + memcpy(lm_session_key.data, lm_hash, 8); + memset(&lm_session_key.data[8], '\0', 8); + + if (!ntlmssp_state->use_nt_response) { + session_key = lm_session_key; + } + } + } else { + /* LM Key is incompatible... */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } + } + + if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) + && lp_client_lanman_auth() && lm_session_key.length == 16) { + DATA_BLOB new_session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + if (lm_response.length == 24) { + SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, + new_session_key.data); + } else { + static const uint8_t zeros[24]; + SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros, + new_session_key.data); + } + new_session_key.length = 16; + session_key = new_session_key; + dump_data_pw("LM session key\n", session_key.data, session_key.length); + } + + + /* Key exchange encryptes a new client-generated session key with + the password-derived key */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + /* Make up a new session key */ + uint8_t client_session_key[16]; + generate_random_buffer(client_session_key, sizeof(client_session_key)); + + /* Encrypt the new session key with the old one */ + encrypted_session_key = data_blob_talloc(ntlmssp_state, + client_session_key, sizeof(client_session_key)); + dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length); + arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length); + dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length); + + /* Mark the new session key as the 'real' session key */ + session_key = data_blob_talloc(ntlmssp_state, client_session_key, sizeof(client_session_key)); + } + + /* this generates the actual auth packet */ + if (!msrpc_gen(out_mem_ctx, + out, auth_gen_string, + "NTLMSSP", + NTLMSSP_AUTH, + lm_response.data, lm_response.length, + nt_response.data, nt_response.length, + ntlmssp_state->domain, + ntlmssp_state->user, + ntlmssp_state->workstation, + encrypted_session_key.data, encrypted_session_key.length, + ntlmssp_state->neg_flags)) { + + return NT_STATUS_NO_MEMORY; + } + + ntlmssp_state->session_key = session_key; + + /* The client might be using 56 or 40 bit weakened keys */ + ntlmssp_weaken_keys(ntlmssp_state); + + ntlmssp_state->chal = challenge_blob; + ntlmssp_state->lm_resp = lm_response; + ntlmssp_state->nt_resp = nt_response; + + ntlmssp_state->expected_state = NTLMSSP_DONE; + + nt_status = ntlmssp_sign_init(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", + nt_errstr(nt_status))); + return nt_status; + } + + return nt_status; +} + +static NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state **ntlmssp_state) +{ + *ntlmssp_state = talloc(mem_ctx, struct ntlmssp_state); + if (!*ntlmssp_state) { + DEBUG(0,("ntlmssp_client_start: talloc failed!\n")); + return NT_STATUS_NO_MEMORY; + } + ZERO_STRUCTP(*ntlmssp_state); + + (*ntlmssp_state)->role = NTLMSSP_CLIENT; + + (*ntlmssp_state)->workstation = lp_netbios_name(); + (*ntlmssp_state)->get_domain = lp_workgroup; + + (*ntlmssp_state)->unicode = lp_parm_bool(-1, "ntlmssp_client", "unicode", True); + + (*ntlmssp_state)->use_nt_response = lp_parm_bool(-1, "ntlmssp_client", "send_nt_reponse", True); + + (*ntlmssp_state)->allow_lm_key = (lp_lanman_auth() + && lp_parm_bool(-1, "ntlmssp_client", "allow_lm_key", False)); + + (*ntlmssp_state)->use_ntlmv2 = lp_client_ntlmv2_auth(); + + (*ntlmssp_state)->expected_state = NTLMSSP_INITIAL; + + (*ntlmssp_state)->ref_count = 1; + + (*ntlmssp_state)->neg_flags = + NTLMSSP_NEGOTIATE_NTLM | + NTLMSSP_REQUEST_TARGET; + + if (lp_parm_bool(-1, "ntlmssp_client", "128bit", True)) { + (*ntlmssp_state)->neg_flags |= NTLMSSP_NEGOTIATE_128; + } + + if (lp_parm_bool(-1, "ntlmssp_client", "keyexchange", True)) { + (*ntlmssp_state)->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; + } + + if (lp_parm_bool(-1, "ntlmssp_client", "ntlm2", True)) { + (*ntlmssp_state)->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } else { + /* apparently we can't do ntlmv2 if we don't do ntlm2 */ + (*ntlmssp_state)->use_ntlmv2 = False; + } + + return NT_STATUS_OK; +} + +NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) +{ + struct gensec_ntlmssp_state *gensec_ntlmssp_state; + const char *password = NULL; + NTSTATUS nt_status; + + nt_status = gensec_ntlmssp_start(gensec_security); + NT_STATUS_NOT_OK_RETURN(nt_status); + + gensec_ntlmssp_state = gensec_security->private_data; + nt_status = ntlmssp_client_start(gensec_ntlmssp_state, + &gensec_ntlmssp_state->ntlmssp_state); + NT_STATUS_NOT_OK_RETURN(nt_status); + + if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { + /* + * We need to set this to allow a later SetPassword + * via the SAMR pipe to succeed. Strange.... We could + * also add NTLMSSP_NEGOTIATE_SEAL here. JRA. + * + * Without this, Windows will not create the master key + * that it thinks is only used for NTLMSSP signing and + * sealing. (It is actually pulled out and used directly) + */ + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + } + + nt_status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state, + cli_credentials_get_domain(gensec_security->credentials)); + NT_STATUS_NOT_OK_RETURN(nt_status); + + nt_status = ntlmssp_set_username(gensec_ntlmssp_state->ntlmssp_state, + cli_credentials_get_username(gensec_security->credentials)); + NT_STATUS_NOT_OK_RETURN(nt_status); + + password = cli_credentials_get_password(gensec_security->credentials); + + nt_status = ntlmssp_set_password(gensec_ntlmssp_state->ntlmssp_state, password); + NT_STATUS_NOT_OK_RETURN(nt_status); + + nt_status = ntlmssp_set_workstation(gensec_ntlmssp_state->ntlmssp_state, + cli_credentials_get_workstation(gensec_security->credentials)); + + gensec_security->private_data = gensec_ntlmssp_state; + + return NT_STATUS_OK; +} + -- cgit From 874cd2db86e7feb82eedd2b436c5c301d3cbe5fa Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Apr 2005 06:33:20 +0000 Subject: r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6) --- source4/auth/ntlmssp/ntlmssp_client.c | 71 ++++++++++++++++++----------------- 1 file changed, 37 insertions(+), 34 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index bbde1d954b..dcd52af1f5 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -41,10 +41,13 @@ * @return Errors or NT_STATUS_OK. */ -NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, +NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, DATA_BLOB in, DATA_BLOB *out) { + struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; + if (ntlmssp_state->unicode) { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; } else { @@ -62,7 +65,7 @@ NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, NTLMSSP_NEGOTIATE, ntlmssp_state->neg_flags, ntlmssp_state->get_domain(), - ntlmssp_state->workstation); + cli_credentials_get_workstation(gensec_security->credentials)); ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; @@ -78,10 +81,12 @@ NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, * @return Errors or NT_STATUS_OK. */ -NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, +NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) { + struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; uint32_t chal_flags, ntlmssp_command, unkn1, unkn2; DATA_BLOB server_domain_blob; DATA_BLOB challenge_blob; @@ -97,6 +102,8 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB encrypted_session_key = data_blob(NULL, 0); NTSTATUS nt_status; + const char *user, *domain, *password; + if (!msrpc_parse(ntlmssp_state, &in, "CdBd", "NTLMSSP", @@ -156,7 +163,21 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, return NT_STATUS_INVALID_PARAMETER; } - if (!ntlmssp_state->password) { + /* Correctly handle username in the original form of user@REALM, which is valid */ + if (gensec_security->credentials->realm_obtained + > gensec_security->credentials->domain_obtained) { + user = talloc_asprintf(out_mem_ctx, "%s@%s", + cli_credentials_get_username(gensec_security->credentials), + cli_credentials_get_realm(gensec_security->credentials)); + domain = NULL; + } else { + user = cli_credentials_get_username(gensec_security->credentials); + domain = cli_credentials_get_domain(gensec_security->credentials); + } + + password = cli_credentials_get_password(gensec_security->credentials); + + if (!password) { static const uint8_t zeros[16]; /* do nothing - blobs are zero length */ @@ -177,9 +198,9 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, /* TODO: if the remote server is standalone, then we should replace 'domain' with the server name as supplied above */ - if (!SMBNTLMv2encrypt(ntlmssp_state->user, - ntlmssp_state->domain, - ntlmssp_state->password, &challenge_blob, + if (!SMBNTLMv2encrypt(user, + domain, + password, &challenge_blob, &struct_blob, &lm_response, &nt_response, NULL, &session_key)) { @@ -197,7 +218,7 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, uint8_t session_nonce[16]; uint8_t session_nonce_hash[16]; uint8_t user_session_key[16]; - E_md4hash(ntlmssp_state->password, nt_hash); + E_md4hash(password, nt_hash); lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); generate_random_buffer(lm_response.data, 8); @@ -216,7 +237,7 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, dump_data(5, session_nonce_hash, 8); nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); - SMBNTencrypt(ntlmssp_state->password, + SMBNTencrypt(password, session_nonce_hash, nt_response.data); @@ -233,9 +254,9 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, if (ntlmssp_state->use_nt_response) { nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); - SMBNTencrypt(ntlmssp_state->password,challenge_blob.data, + SMBNTencrypt(password,challenge_blob.data, nt_response.data); - E_md4hash(ntlmssp_state->password, nt_hash); + E_md4hash(password, nt_hash); session_key = data_blob_talloc(ntlmssp_state, NULL, 16); SMBsesskeygen_ntv1(nt_hash, session_key.data); dump_data_pw("NT session key:\n", session_key.data, session_key.length); @@ -244,7 +265,7 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, /* lanman auth is insecure, it may be disabled */ if (lp_client_lanman_auth()) { lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); - if (!SMBencrypt(ntlmssp_state->password,challenge_blob.data, + if (!SMBencrypt(password,challenge_blob.data, lm_response.data)) { /* If the LM password was too long (and therefore the LM hash being of the first 14 chars only), don't send it */ @@ -253,7 +274,7 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, /* LM Key is incompatible with 'long' passwords */ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; } else { - E_deshash(ntlmssp_state->password, lm_hash); + E_deshash(password, lm_hash); lm_session_key = data_blob_talloc(ntlmssp_state, NULL, 16); memcpy(lm_session_key.data, lm_hash, 8); memset(&lm_session_key.data[8], '\0', 8); @@ -310,9 +331,9 @@ NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, NTLMSSP_AUTH, lm_response.data, lm_response.length, nt_response.data, nt_response.length, - ntlmssp_state->domain, - ntlmssp_state->user, - ntlmssp_state->workstation, + domain, + user, + cli_credentials_get_workstation(gensec_security->credentials), encrypted_session_key.data, encrypted_session_key.length, ntlmssp_state->neg_flags)) { @@ -351,7 +372,6 @@ static NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state * (*ntlmssp_state)->role = NTLMSSP_CLIENT; - (*ntlmssp_state)->workstation = lp_netbios_name(); (*ntlmssp_state)->get_domain = lp_workgroup; (*ntlmssp_state)->unicode = lp_parm_bool(-1, "ntlmssp_client", "unicode", True); @@ -392,7 +412,6 @@ static NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state * NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) { struct gensec_ntlmssp_state *gensec_ntlmssp_state; - const char *password = NULL; NTSTATUS nt_status; nt_status = gensec_ntlmssp_start(gensec_security); @@ -422,22 +441,6 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } - nt_status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state, - cli_credentials_get_domain(gensec_security->credentials)); - NT_STATUS_NOT_OK_RETURN(nt_status); - - nt_status = ntlmssp_set_username(gensec_ntlmssp_state->ntlmssp_state, - cli_credentials_get_username(gensec_security->credentials)); - NT_STATUS_NOT_OK_RETURN(nt_status); - - password = cli_credentials_get_password(gensec_security->credentials); - - nt_status = ntlmssp_set_password(gensec_ntlmssp_state->ntlmssp_state, password); - NT_STATUS_NOT_OK_RETURN(nt_status); - - nt_status = ntlmssp_set_workstation(gensec_ntlmssp_state->ntlmssp_state, - cli_credentials_get_workstation(gensec_security->credentials)); - gensec_security->private_data = gensec_ntlmssp_state; return NT_STATUS_OK; -- cgit From 0501a440bedde5e867e461d266aafe666be53e54 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Apr 2005 08:26:53 +0000 Subject: r6462: Move the arcfour sbox state into it's own structure, and allocate it with talloc() for the NTLMSSP system. Andrew Bartlett (This used to be commit 7a93ac49c28d433ccf0f077294f473fe728b9995) --- source4/auth/ntlmssp/ntlmssp_client.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index dcd52af1f5..ceca0d6978 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -385,8 +385,6 @@ static NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state * (*ntlmssp_state)->expected_state = NTLMSSP_INITIAL; - (*ntlmssp_state)->ref_count = 1; - (*ntlmssp_state)->neg_flags = NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; -- cgit From 8b0e09e24f7a3afbaf836e4e4a28cf62f012b588 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Apr 2005 10:33:00 +0000 Subject: r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c) --- source4/auth/ntlmssp/ntlmssp_client.c | 164 +++++++++++++++------------------- 1 file changed, 74 insertions(+), 90 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index ceca0d6978..e249fb66f4 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -36,8 +36,8 @@ * * @param ntlmssp_state NTLMSSP State * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context - * @param in The request, as a DATA_BLOB. reply.data must be NULL - * @param out The reply, as an talloc()ed DATA_BLOB, on out_mem_ctx + * @param in A NULL data blob (input ignored) + * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx * @return Errors or NT_STATUS_OK. */ @@ -46,16 +46,15 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, DATA_BLOB in, DATA_BLOB *out) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; - struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; - if (ntlmssp_state->unicode) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; + if (gensec_ntlmssp_state->unicode) { + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; } else { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; } - if (ntlmssp_state->use_ntlmv2) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + if (gensec_ntlmssp_state->use_ntlmv2) { + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } /* generate the ntlmssp negotiate packet */ @@ -63,11 +62,11 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, out, "CddAA", "NTLMSSP", NTLMSSP_NEGOTIATE, - ntlmssp_state->neg_flags, - ntlmssp_state->get_domain(), + gensec_ntlmssp_state->neg_flags, + gensec_ntlmssp_state->get_domain(), cli_credentials_get_workstation(gensec_security->credentials)); - ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; + gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; return NT_STATUS_MORE_PROCESSING_REQUIRED; } @@ -75,9 +74,10 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, /** * Next state function for the Challenge Packet. Generate an auth packet. * - * @param ntlmssp_state NTLMSSP State - * @param request The request, as a DATA_BLOB. reply.data must be NULL - * @param request The reply, as an allocated DATA_BLOB, caller to free. + * @param gensec_security GENSEC state + * @param out_mem_ctx Memory context for *out + * @param in The server challnege, as a DATA_BLOB. reply.data must be NULL + * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context * @return Errors or NT_STATUS_OK. */ @@ -86,7 +86,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, const DATA_BLOB in, DATA_BLOB *out) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; - struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; uint32_t chal_flags, ntlmssp_command, unkn1, unkn2; DATA_BLOB server_domain_blob; DATA_BLOB challenge_blob; @@ -104,7 +103,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, const char *user, *domain, *password; - if (!msrpc_parse(ntlmssp_state, + if (!msrpc_parse(out_mem_ctx, &in, "CdBd", "NTLMSSP", &ntlmssp_command, @@ -121,9 +120,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, DEBUG(3, ("Got challenge flags:\n")); debug_ntlmssp_flags(chal_flags); - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key); + ntlmssp_handle_neg_flags(gensec_ntlmssp_state, chal_flags, gensec_ntlmssp_state->allow_lm_key); - if (ntlmssp_state->unicode) { + if (gensec_ntlmssp_state->unicode) { if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) { chal_parse_string = "CdUdbddB"; } else { @@ -141,9 +140,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } DEBUG(3, ("NTLMSSP: Set final flags:\n")); - debug_ntlmssp_flags(ntlmssp_state->neg_flags); + debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags); - if (!msrpc_parse(ntlmssp_state, + if (!msrpc_parse(out_mem_ctx, &in, chal_parse_string, "NTLMSSP", &ntlmssp_command, @@ -157,7 +156,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } - ntlmssp_state->server_domain = server_domain; + gensec_ntlmssp_state->server_domain = server_domain; if (challenge_blob.length != 8) { return NT_STATUS_INVALID_PARAMETER; @@ -182,12 +181,12 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, /* do nothing - blobs are zero length */ /* session key is all zeros */ - session_key = data_blob_talloc(ntlmssp_state, zeros, 16); - lm_session_key = data_blob_talloc(ntlmssp_state, zeros, 16); + session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); + lm_session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); /* not doing NLTM2 without a password */ - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; - } else if (ntlmssp_state->use_ntlmv2) { + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; + } else if (gensec_ntlmssp_state->use_ntlmv2) { if (!struct_blob.length) { /* be lazy, match win2k - we can't do NTLMv2 without it */ @@ -210,9 +209,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } /* LM Key is incompatible... */ - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; - } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { struct MD5Context md5_session_nonce_ctx; uint8_t nt_hash[16]; uint8_t session_nonce[16]; @@ -220,7 +219,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, uint8_t user_session_key[16]; E_md4hash(password, nt_hash); - lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); + lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); generate_random_buffer(lm_response.data, 8); memset(lm_response.data+8, 0, 16); @@ -236,35 +235,35 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, DEBUG(5, ("challenge is: \n")); dump_data(5, session_nonce_hash, 8); - nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); + nt_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); SMBNTencrypt(password, session_nonce_hash, nt_response.data); - session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); SMBsesskeygen_ntv1(nt_hash, user_session_key); hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data); dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); /* LM Key is incompatible... */ - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; } else { uint8_t nt_hash[16]; - if (ntlmssp_state->use_nt_response) { - nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); + if (gensec_ntlmssp_state->use_nt_response) { + nt_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); SMBNTencrypt(password,challenge_blob.data, nt_response.data); E_md4hash(password, nt_hash); - session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); SMBsesskeygen_ntv1(nt_hash, session_key.data); dump_data_pw("NT session key:\n", session_key.data, session_key.length); } /* lanman auth is insecure, it may be disabled */ if (lp_client_lanman_auth()) { - lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); + lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); if (!SMBencrypt(password,challenge_blob.data, lm_response.data)) { /* If the LM password was too long (and therefore the LM hash being @@ -272,26 +271,26 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, data_blob_free(&lm_response); /* LM Key is incompatible with 'long' passwords */ - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; } else { E_deshash(password, lm_hash); - lm_session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); memcpy(lm_session_key.data, lm_hash, 8); memset(&lm_session_key.data[8], '\0', 8); - if (!ntlmssp_state->use_nt_response) { + if (!gensec_ntlmssp_state->use_nt_response) { session_key = lm_session_key; } } } else { /* LM Key is incompatible... */ - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; } } - if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) + if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && lp_client_lanman_auth() && lm_session_key.length == 16) { - DATA_BLOB new_session_key = data_blob_talloc(ntlmssp_state, NULL, 16); + DATA_BLOB new_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); if (lm_response.length == 24) { SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, new_session_key.data); @@ -308,20 +307,20 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, /* Key exchange encryptes a new client-generated session key with the password-derived key */ - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { /* Make up a new session key */ uint8_t client_session_key[16]; generate_random_buffer(client_session_key, sizeof(client_session_key)); /* Encrypt the new session key with the old one */ - encrypted_session_key = data_blob_talloc(ntlmssp_state, + encrypted_session_key = data_blob_talloc(gensec_ntlmssp_state, client_session_key, sizeof(client_session_key)); dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length); arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length); dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length); /* Mark the new session key as the 'real' session key */ - session_key = data_blob_talloc(ntlmssp_state, client_session_key, sizeof(client_session_key)); + session_key = data_blob_talloc(gensec_ntlmssp_state, client_session_key, sizeof(client_session_key)); } /* this generates the actual auth packet */ @@ -335,23 +334,23 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, user, cli_credentials_get_workstation(gensec_security->credentials), encrypted_session_key.data, encrypted_session_key.length, - ntlmssp_state->neg_flags)) { + gensec_ntlmssp_state->neg_flags)) { return NT_STATUS_NO_MEMORY; } - ntlmssp_state->session_key = session_key; + gensec_ntlmssp_state->session_key = session_key; /* The client might be using 56 or 40 bit weakened keys */ - ntlmssp_weaken_keys(ntlmssp_state); + ntlmssp_weaken_keys(gensec_ntlmssp_state); - ntlmssp_state->chal = challenge_blob; - ntlmssp_state->lm_resp = lm_response; - ntlmssp_state->nt_resp = nt_response; + gensec_ntlmssp_state->chal = challenge_blob; + gensec_ntlmssp_state->lm_resp = lm_response; + gensec_ntlmssp_state->nt_resp = nt_response; - ntlmssp_state->expected_state = NTLMSSP_DONE; + gensec_ntlmssp_state->expected_state = NTLMSSP_DONE; - nt_status = ntlmssp_sign_init(ntlmssp_state); + nt_status = ntlmssp_sign_init(gensec_ntlmssp_state); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status))); @@ -361,65 +360,50 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return nt_status; } -static NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state **ntlmssp_state) +NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) { - *ntlmssp_state = talloc(mem_ctx, struct ntlmssp_state); - if (!*ntlmssp_state) { - DEBUG(0,("ntlmssp_client_start: talloc failed!\n")); - return NT_STATUS_NO_MEMORY; - } - ZERO_STRUCTP(*ntlmssp_state); + struct gensec_ntlmssp_state *gensec_ntlmssp_state; + NTSTATUS nt_status; - (*ntlmssp_state)->role = NTLMSSP_CLIENT; + nt_status = gensec_ntlmssp_start(gensec_security); + NT_STATUS_NOT_OK_RETURN(nt_status); + + gensec_ntlmssp_state = gensec_security->private_data; - (*ntlmssp_state)->get_domain = lp_workgroup; + gensec_ntlmssp_state->role = NTLMSSP_CLIENT; - (*ntlmssp_state)->unicode = lp_parm_bool(-1, "ntlmssp_client", "unicode", True); + gensec_ntlmssp_state->get_domain = lp_workgroup; - (*ntlmssp_state)->use_nt_response = lp_parm_bool(-1, "ntlmssp_client", "send_nt_reponse", True); + gensec_ntlmssp_state->unicode = lp_parm_bool(-1, "ntlmssp_client", "unicode", True); - (*ntlmssp_state)->allow_lm_key = (lp_lanman_auth() + gensec_ntlmssp_state->use_nt_response = lp_parm_bool(-1, "ntlmssp_client", "send_nt_reponse", True); + + gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth() && lp_parm_bool(-1, "ntlmssp_client", "allow_lm_key", False)); - (*ntlmssp_state)->use_ntlmv2 = lp_client_ntlmv2_auth(); + gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); - (*ntlmssp_state)->expected_state = NTLMSSP_INITIAL; + gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL; - (*ntlmssp_state)->neg_flags = + gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; if (lp_parm_bool(-1, "ntlmssp_client", "128bit", True)) { - (*ntlmssp_state)->neg_flags |= NTLMSSP_NEGOTIATE_128; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } if (lp_parm_bool(-1, "ntlmssp_client", "keyexchange", True)) { - (*ntlmssp_state)->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } if (lp_parm_bool(-1, "ntlmssp_client", "ntlm2", True)) { - (*ntlmssp_state)->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ - (*ntlmssp_state)->use_ntlmv2 = False; + gensec_ntlmssp_state->use_ntlmv2 = False; } - return NT_STATUS_OK; -} - -NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) -{ - struct gensec_ntlmssp_state *gensec_ntlmssp_state; - NTSTATUS nt_status; - - nt_status = gensec_ntlmssp_start(gensec_security); - NT_STATUS_NOT_OK_RETURN(nt_status); - - gensec_ntlmssp_state = gensec_security->private_data; - nt_status = ntlmssp_client_start(gensec_ntlmssp_state, - &gensec_ntlmssp_state->ntlmssp_state); - NT_STATUS_NOT_OK_RETURN(nt_status); - if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { /* * We need to set this to allow a later SetPassword @@ -430,13 +414,13 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) * that it thinks is only used for NTLMSSP signing and * sealing. (It is actually pulled out and used directly) */ - gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { - gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { - gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } gensec_security->private_data = gensec_ntlmssp_state; -- cgit From a09593c37a307388c0fed175d70c896a9d2d47db Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Apr 2005 07:21:34 +0000 Subject: r6484: fix NTLMSSP client against w2k and w2k3 if we use lm_response = data_blob(NULL, 0); we got NT_STATUS_INVALID_PARAMETER (abartlet: we should maybe also give this error in our server code) metze (This used to be commit be5e301442c442a37bb6756d12b9f1452d634a17) --- source4/auth/ntlmssp/ntlmssp_client.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index e249fb66f4..df5cbab524 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -177,6 +177,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, password = cli_credentials_get_password(gensec_security->credentials); if (!password) { + static const uint8_t zero[1]; static const uint8_t zeros[16]; /* do nothing - blobs are zero length */ @@ -184,6 +185,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); lm_session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); + lm_response = data_blob_talloc(gensec_ntlmssp_state, zero, 1); + nt_response = data_blob(NULL, 0); + /* not doing NLTM2 without a password */ gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; } else if (gensec_ntlmssp_state->use_ntlmv2) { -- cgit From d3481b160c1ae4e77b202739df562d0961f6e259 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 30 Apr 2005 08:09:47 +0000 Subject: r6522: I have no idea why this change was made, but it not only breaks connections to Win2k3, it doesn't match the well-known behaviour from samba3. Andrew Bartlett (This used to be commit 99c9afe45a345e78d7492fe01463922460d66e99) --- source4/auth/ntlmssp/ntlmssp_client.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index df5cbab524..8bbeb74490 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -177,7 +177,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, password = cli_credentials_get_password(gensec_security->credentials); if (!password) { - static const uint8_t zero[1]; static const uint8_t zeros[16]; /* do nothing - blobs are zero length */ @@ -185,7 +184,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); lm_session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); - lm_response = data_blob_talloc(gensec_ntlmssp_state, zero, 1); + lm_response = data_blob(NULL, 0); nt_response = data_blob(NULL, 0); /* not doing NLTM2 without a password */ -- cgit From 5b19286df08d6cf10654d6e20c323ba44f7d2054 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Jun 2005 13:12:13 +0000 Subject: r7690: Move the NT hash generation into the credentials system, rather than in all the callers. This also allows us to be more flexible in the type of password we store. Andrew Bartlett (This used to be commit 00b8588c68526e1d86fda0bd81c0b86f690b62c3) --- source4/auth/ntlmssp/ntlmssp_client.c | 43 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 22 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 8bbeb74490..23fe8f5cc9 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -26,6 +26,7 @@ #include "auth/auth.h" #include "auth/ntlmssp/ntlmssp.h" #include "lib/crypto/crypto.h" +#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ /********************************************************************* Client side NTLMSSP @@ -101,6 +102,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, DATA_BLOB encrypted_session_key = data_blob(NULL, 0); NTSTATUS nt_status; + const struct samr_Password *nt_hash; const char *user, *domain, *password; if (!msrpc_parse(out_mem_ctx, @@ -174,9 +176,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, domain = cli_credentials_get_domain(gensec_security->credentials); } + nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx); password = cli_credentials_get_password(gensec_security->credentials); - if (!password) { + if (!nt_hash) { static const uint8_t zeros[16]; /* do nothing - blobs are zero length */ @@ -200,12 +203,12 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, /* TODO: if the remote server is standalone, then we should replace 'domain' with the server name as supplied above */ - if (!SMBNTLMv2encrypt(user, - domain, - password, &challenge_blob, - &struct_blob, - &lm_response, &nt_response, - NULL, &session_key)) { + if (!SMBNTLMv2encrypt_hash(user, + domain, + nt_hash->hash, &challenge_blob, + &struct_blob, + &lm_response, &nt_response, + NULL, &session_key)) { data_blob_free(&challenge_blob); data_blob_free(&struct_blob); return NT_STATUS_NO_MEMORY; @@ -216,11 +219,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { struct MD5Context md5_session_nonce_ctx; - uint8_t nt_hash[16]; uint8_t session_nonce[16]; uint8_t session_nonce_hash[16]; uint8_t user_session_key[16]; - E_md4hash(password, nt_hash); lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); generate_random_buffer(lm_response.data, 8); @@ -239,33 +240,31 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, dump_data(5, session_nonce_hash, 8); nt_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - SMBNTencrypt(password, - session_nonce_hash, - nt_response.data); - + SMBOWFencrypt(nt_hash->hash, + session_nonce_hash, + nt_response.data); + session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); - SMBsesskeygen_ntv1(nt_hash, user_session_key); + SMBsesskeygen_ntv1(nt_hash->hash, user_session_key); hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data); dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); /* LM Key is incompatible... */ gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; } else { - uint8_t nt_hash[16]; - if (gensec_ntlmssp_state->use_nt_response) { nt_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - SMBNTencrypt(password,challenge_blob.data, - nt_response.data); - E_md4hash(password, nt_hash); + SMBOWFencrypt(nt_hash->hash, challenge_blob.data, + nt_response.data); + session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); - SMBsesskeygen_ntv1(nt_hash, session_key.data); + SMBsesskeygen_ntv1(nt_hash->hash, session_key.data); dump_data_pw("NT session key:\n", session_key.data, session_key.length); } - /* lanman auth is insecure, it may be disabled */ - if (lp_client_lanman_auth()) { + /* lanman auth is insecure, it may be disabled. We may also not have a password */ + if (lp_client_lanman_auth() && password) { lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); if (!SMBencrypt(password,challenge_blob.data, lm_response.data)) { -- cgit From e578c33c2c8bc23a9a78259613f33b65d7d1668f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 19 Jun 2005 13:26:32 +0000 Subject: r7757: Add NTLMv2 support to the NT1 Session setup (ie, not SPNEGO/NTLMSSP) Session Setup code. Add a mem_ctx argument to a few of the NTLMv2 support functions, and add smb.conf options to control client NTLMv2 behaviour. Andrew Bartlett (This used to be commit 3f35cdb218a3dae08a05e77452ca9f73716ceb28) --- source4/auth/ntlmssp/ntlmssp_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 23fe8f5cc9..726885c82f 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -203,7 +203,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, /* TODO: if the remote server is standalone, then we should replace 'domain' with the server name as supplied above */ - if (!SMBNTLMv2encrypt_hash(user, + if (!SMBNTLMv2encrypt_hash(gensec_ntlmssp_state, + user, domain, nt_hash->hash, &challenge_blob, &struct_blob, -- cgit From ba90b652d918fb34f1e43083f8283f669c73c340 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 23 Aug 2005 05:29:37 +0000 Subject: r9505: Work on GENSEC and the code that calls it, for tighter interface requirements, and for better error reporting. In particular, the composite session setup (extended security/SPNEGO) code now returns errors, rather than NT_STATUS_NO_MEMORY. This is seen particularly when GENSEC fails to start. The tighter interface rules apply to NTLMSSP, which must be called exactly the right number of times. This is to match some of our other less-tested modules, where adding flexablity is harder. (and this is security code, so let's just get it right). As such, the DCE/RPC and LDAP clients have been updated. Andrew Bartlett (This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1) --- source4/auth/ntlmssp/ntlmssp_client.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 726885c82f..add774f84e 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -353,11 +353,13 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, gensec_ntlmssp_state->expected_state = NTLMSSP_DONE; - nt_status = ntlmssp_sign_init(gensec_ntlmssp_state); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", - nt_errstr(nt_status))); - return nt_status; + if (gensec_security->want_features & GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL) { + nt_status = ntlmssp_sign_init(gensec_ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", + nt_errstr(nt_status))); + return nt_status; + } } return nt_status; -- cgit From 24186a80eb4887b5fb3e72e4b877b456cbe8e35f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Aug 2005 04:30:22 +0000 Subject: r9728: A *major* update to the credentials system, to incorporate the Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315) --- source4/auth/ntlmssp/ntlmssp_client.c | 55 ++++++++++++++++------------------- 1 file changed, 25 insertions(+), 30 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index add774f84e..feee14a857 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -164,20 +164,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } - /* Correctly handle username in the original form of user@REALM, which is valid */ - if (gensec_security->credentials->realm_obtained - > gensec_security->credentials->domain_obtained) { - user = talloc_asprintf(out_mem_ctx, "%s@%s", - cli_credentials_get_username(gensec_security->credentials), - cli_credentials_get_realm(gensec_security->credentials)); - domain = NULL; - } else { - user = cli_credentials_get_username(gensec_security->credentials); - domain = cli_credentials_get_domain(gensec_security->credentials); - } + user = cli_credentials_get_username(gensec_security->credentials, out_mem_ctx); + domain = cli_credentials_get_domain(gensec_security->credentials); nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx); - password = cli_credentials_get_password(gensec_security->credentials); if (!nt_hash) { static const uint8_t zeros[16]; @@ -265,24 +255,29 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } /* lanman auth is insecure, it may be disabled. We may also not have a password */ - if (lp_client_lanman_auth() && password) { - lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - if (!SMBencrypt(password,challenge_blob.data, - lm_response.data)) { - /* If the LM password was too long (and therefore the LM hash being - of the first 14 chars only), don't send it */ - data_blob_free(&lm_response); - - /* LM Key is incompatible with 'long' passwords */ - gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + if (lp_client_lanman_auth()) { + password = cli_credentials_get_password(gensec_security->credentials); + if (!password) { + lm_response = nt_response; } else { - E_deshash(password, lm_hash); - lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); - memcpy(lm_session_key.data, lm_hash, 8); - memset(&lm_session_key.data[8], '\0', 8); - - if (!gensec_ntlmssp_state->use_nt_response) { + lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); + if (!SMBencrypt(password,challenge_blob.data, + lm_response.data)) { + /* If the LM password was too long (and therefore the LM hash being + of the first 14 chars only), don't send it */ + data_blob_free(&lm_response); + + /* LM Key is incompatible with 'long' passwords */ + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } else { + E_deshash(password, lm_hash); + lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); + memcpy(lm_session_key.data, lm_hash, 8); + memset(&lm_session_key.data[8], '\0', 8); + + if (!gensec_ntlmssp_state->use_nt_response) { session_key = lm_session_key; + } } } } else { @@ -353,7 +348,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, gensec_ntlmssp_state->expected_state = NTLMSSP_DONE; - if (gensec_security->want_features & GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL) { + if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) { nt_status = ntlmssp_sign_init(gensec_ntlmssp_state); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", @@ -362,7 +357,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } } - return nt_status; + return NT_STATUS_OK; } NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) -- cgit From 51cbc188df03f9ee38599fe5a87ec2608117a845 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 22 Sep 2005 01:50:58 +0000 Subject: r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again. I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3) --- source4/auth/ntlmssp/ntlmssp_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index feee14a857..7801e0208d 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -164,8 +164,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } - user = cli_credentials_get_username(gensec_security->credentials, out_mem_ctx); - domain = cli_credentials_get_domain(gensec_security->credentials); + cli_credentials_get_ntlm_username_domain(gensec_security->credentials, out_mem_ctx, + &user, &domain); nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx); -- cgit From f7ff0540d2b2490b2ef502d02b422e74a298b43d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 14 Oct 2005 03:57:35 +0000 Subject: r10981: Pull code to decide between and implement NTLMv2, NTLM and LM authentication out of the various callers and into the kitchen sink.. err, credentials subsystem. This should ensure consistant logic, as well as get us one step closer to security=server operation in future. Andrew Bartlett (This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb) --- source4/auth/ntlmssp/ntlmssp_client.c | 175 ++++++++++------------------------ 1 file changed, 50 insertions(+), 125 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 7801e0208d..3f781825e3 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -26,7 +26,6 @@ #include "auth/auth.h" #include "auth/ntlmssp/ntlmssp.h" #include "lib/crypto/crypto.h" -#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ /********************************************************************* Client side NTLMSSP @@ -90,22 +89,25 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, uint32_t chal_flags, ntlmssp_command, unkn1, unkn2; DATA_BLOB server_domain_blob; DATA_BLOB challenge_blob; - DATA_BLOB struct_blob = data_blob(NULL, 0); + DATA_BLOB target_info = data_blob(NULL, 0); char *server_domain; const char *chal_parse_string; const char *auth_gen_string; - uint8_t lm_hash[16]; DATA_BLOB lm_response = data_blob(NULL, 0); DATA_BLOB nt_response = data_blob(NULL, 0); DATA_BLOB session_key = data_blob(NULL, 0); DATA_BLOB lm_session_key = data_blob(NULL, 0); DATA_BLOB encrypted_session_key = data_blob(NULL, 0); NTSTATUS nt_status; + int flags = 0; + const char *user, *domain; - const struct samr_Password *nt_hash; - const char *user, *domain, *password; + TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx); + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } - if (!msrpc_parse(out_mem_ctx, + if (!msrpc_parse(mem_ctx, &in, "CdBd", "NTLMSSP", &ntlmssp_command, @@ -113,6 +115,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, &chal_flags)) { DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); dump_data(2, in.data, in.length); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } @@ -144,7 +147,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, DEBUG(3, ("NTLMSSP: Set final flags:\n")); debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags); - if (!msrpc_parse(out_mem_ctx, + if (!msrpc_parse(mem_ctx, &in, chal_parse_string, "NTLMSSP", &ntlmssp_command, @@ -152,143 +155,58 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, &chal_flags, &challenge_blob, 8, &unkn1, &unkn2, - &struct_blob)) { + &target_info)) { DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n")); dump_data(2, in.data, in.length); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } gensec_ntlmssp_state->server_domain = server_domain; if (challenge_blob.length != 8) { + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } - cli_credentials_get_ntlm_username_domain(gensec_security->credentials, out_mem_ctx, + cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx, &user, &domain); - nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx); - - if (!nt_hash) { - static const uint8_t zeros[16]; - /* do nothing - blobs are zero length */ - - /* session key is all zeros */ - session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); - lm_session_key = data_blob_talloc(gensec_ntlmssp_state, zeros, 16); - - lm_response = data_blob(NULL, 0); - nt_response = data_blob(NULL, 0); - - /* not doing NLTM2 without a password */ - gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; - } else if (gensec_ntlmssp_state->use_ntlmv2) { - - if (!struct_blob.length) { - /* be lazy, match win2k - we can't do NTLMv2 without it */ - DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* TODO: if the remote server is standalone, then we should replace 'domain' - with the server name as supplied above */ - - if (!SMBNTLMv2encrypt_hash(gensec_ntlmssp_state, - user, - domain, - nt_hash->hash, &challenge_blob, - &struct_blob, - &lm_response, &nt_response, - NULL, &session_key)) { - data_blob_free(&challenge_blob); - data_blob_free(&struct_blob); - return NT_STATUS_NO_MEMORY; - } + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + flags |= CLI_CRED_NTLM2; + } + if (gensec_ntlmssp_state->use_ntlmv2) { + flags |= CLI_CRED_NTLMv2_AUTH; + } + if (gensec_ntlmssp_state->use_nt_response) { + flags |= CLI_CRED_NTLM_AUTH; + } + if (lp_client_lanman_auth()) { + flags |= CLI_CRED_LANMAN_AUTH; + } - /* LM Key is incompatible... */ - gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx, + &flags, challenge_blob, target_info, + &lm_response, &nt_response, + &lm_session_key, &session_key); - } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - struct MD5Context md5_session_nonce_ctx; - uint8_t session_nonce[16]; - uint8_t session_nonce_hash[16]; - uint8_t user_session_key[16]; - - lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - generate_random_buffer(lm_response.data, 8); - memset(lm_response.data+8, 0, 16); - - memcpy(session_nonce, challenge_blob.data, 8); - memcpy(&session_nonce[8], lm_response.data, 8); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } - MD5Init(&md5_session_nonce_ctx); - MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8); - MD5Update(&md5_session_nonce_ctx, lm_response.data, 8); - MD5Final(session_nonce_hash, &md5_session_nonce_ctx); - - DEBUG(5, ("NTLMSSP challenge set by NTLM2\n")); - DEBUG(5, ("challenge is: \n")); - dump_data(5, session_nonce_hash, 8); - - nt_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - SMBOWFencrypt(nt_hash->hash, - session_nonce_hash, - nt_response.data); - - session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); - - SMBsesskeygen_ntv1(nt_hash->hash, user_session_key); - hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data); - dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); - + if (!(flags & CLI_CRED_LANMAN_AUTH)) { /* LM Key is incompatible... */ gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; - } else { - if (gensec_ntlmssp_state->use_nt_response) { - nt_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - SMBOWFencrypt(nt_hash->hash, challenge_blob.data, - nt_response.data); - - session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); - SMBsesskeygen_ntv1(nt_hash->hash, session_key.data); - dump_data_pw("NT session key:\n", session_key.data, session_key.length); - } + } - /* lanman auth is insecure, it may be disabled. We may also not have a password */ - if (lp_client_lanman_auth()) { - password = cli_credentials_get_password(gensec_security->credentials); - if (!password) { - lm_response = nt_response; - } else { - lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24); - if (!SMBencrypt(password,challenge_blob.data, - lm_response.data)) { - /* If the LM password was too long (and therefore the LM hash being - of the first 14 chars only), don't send it */ - data_blob_free(&lm_response); - - /* LM Key is incompatible with 'long' passwords */ - gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; - } else { - E_deshash(password, lm_hash); - lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); - memcpy(lm_session_key.data, lm_hash, 8); - memset(&lm_session_key.data[8], '\0', 8); - - if (!gensec_ntlmssp_state->use_nt_response) { - session_key = lm_session_key; - } - } - } - } else { - /* LM Key is incompatible... */ - gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; - } + if (!(flags & CLI_CRED_NTLM2)) { + /* NTLM2 is incompatible... */ + gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; } if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && lp_client_lanman_auth() && lm_session_key.length == 16) { - DATA_BLOB new_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16); + DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (lm_response.length == 24) { SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, new_session_key.data); @@ -318,11 +236,11 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length); /* Mark the new session key as the 'real' session key */ - session_key = data_blob_talloc(gensec_ntlmssp_state, client_session_key, sizeof(client_session_key)); + session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key)); } /* this generates the actual auth packet */ - if (!msrpc_gen(out_mem_ctx, + if (!msrpc_gen(mem_ctx, out, auth_gen_string, "NTLMSSP", NTLMSSP_AUTH, @@ -333,18 +251,23 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, cli_credentials_get_workstation(gensec_security->credentials), encrypted_session_key.data, encrypted_session_key.length, gensec_ntlmssp_state->neg_flags)) { - + talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; } gensec_ntlmssp_state->session_key = session_key; + talloc_steal(gensec_ntlmssp_state, session_key.data); + + talloc_steal(out_mem_ctx, out->data); /* The client might be using 56 or 40 bit weakened keys */ ntlmssp_weaken_keys(gensec_ntlmssp_state); gensec_ntlmssp_state->chal = challenge_blob; gensec_ntlmssp_state->lm_resp = lm_response; + talloc_steal(gensec_ntlmssp_state->lm_resp.data, lm_response.data); gensec_ntlmssp_state->nt_resp = nt_response; + talloc_steal(gensec_ntlmssp_state->nt_resp.data, nt_response.data); gensec_ntlmssp_state->expected_state = NTLMSSP_DONE; @@ -353,10 +276,12 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status))); + talloc_free(mem_ctx); return nt_status; } } + talloc_free(mem_ctx); return NT_STATUS_OK; } @@ -378,7 +303,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->use_nt_response = lp_parm_bool(-1, "ntlmssp_client", "send_nt_reponse", True); - gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth() + gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth() && lp_parm_bool(-1, "ntlmssp_client", "allow_lm_key", False)); gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); -- cgit From ba04ff6736c0551da06d112af28d42b351c10481 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 12 Feb 2006 12:06:08 +0000 Subject: r13467: Add new parametric options (for testing) controlling LM_KEY and 56-bit encryption behaviour. Andrew Bartlett (This used to be commit 2b3b2f33a4c531f2b0f65521cc352e6d762e95bd) --- source4/auth/ntlmssp/ntlmssp_client.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 3f781825e3..d058b84a28 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -144,9 +144,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, auth_gen_string = "CdBBAAABd"; } - DEBUG(3, ("NTLMSSP: Set final flags:\n")); - debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags); - if (!msrpc_parse(mem_ctx, &in, chal_parse_string, "NTLMSSP", @@ -215,7 +212,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros, new_session_key.data); } - new_session_key.length = 16; session_key = new_session_key; dump_data_pw("LM session key\n", session_key.data, session_key.length); } @@ -239,6 +235,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key)); } + DEBUG(3, ("NTLMSSP: Set final flags:\n")); + debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags); + /* this generates the actual auth packet */ if (!msrpc_gen(mem_ctx, out, auth_gen_string, @@ -304,7 +303,8 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->use_nt_response = lp_parm_bool(-1, "ntlmssp_client", "send_nt_reponse", True); gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth() - && lp_parm_bool(-1, "ntlmssp_client", "allow_lm_key", False)); + && (lp_parm_bool(-1, "ntlmssp_client", "allow_lm_key", False) + || lp_parm_bool(-1, "ntlmssp_client", "lm_key", False))); gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); @@ -318,6 +318,14 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } + if (lp_parm_bool(-1, "ntlmssp_client", "56bit", False)) { + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; + } + + if (lp_parm_bool(-1, "ntlmssp_client", "lm_key", False)) { + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; + } + if (lp_parm_bool(-1, "ntlmssp_client", "keyexchange", True)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } -- cgit From e218c8442db38bcfcac9e9425e8d0e32f61c840f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 12 Feb 2006 12:42:37 +0000 Subject: r13470: Thanks to a report from VL: We were causing mayhem by weakening the keys at the wrong point in time. I think this is the correct place to do it. The session key for SMB signing, and the 'smb session key' (used for encrypting password sets) is never weakened. The session key used for bulk data encryption/signing is weakened. This also makes more sense, when we look at the NTLM2 code. Andrew Bartlett (This used to be commit 3fd32a12094ff2b6df52f5ab2af7c0ffceb5a4a0) --- source4/auth/ntlmssp/ntlmssp_client.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index d058b84a28..c2a1e1cde8 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -259,9 +259,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, talloc_steal(out_mem_ctx, out->data); - /* The client might be using 56 or 40 bit weakened keys */ - ntlmssp_weaken_keys(gensec_ntlmssp_state); - gensec_ntlmssp_state->chal = challenge_blob; gensec_ntlmssp_state->lm_resp = lm_response; talloc_steal(gensec_ntlmssp_state->lm_resp.data, lm_response.data); -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/auth/ntlmssp/ntlmssp_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index c2a1e1cde8..cc7a376643 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -26,6 +26,7 @@ #include "auth/auth.h" #include "auth/ntlmssp/ntlmssp.h" #include "lib/crypto/crypto.h" +#include "libcli/auth/proto.h" /********************************************************************* Client side NTLMSSP -- cgit From 7d8424ede21185a978a222f609263506c0e20f4e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Mar 2006 12:42:45 +0000 Subject: r14064: - split out MSRPC_PARSE into a speperate subsystem - build gensec_ntlmssp always static for now, because torture/auth/ntlmssp.c needs to access functions from it metze (This used to be commit 43733c9556c1c92336780206e3f71bdee6e43eee) --- source4/auth/ntlmssp/ntlmssp_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index cc7a376643..acb17330fb 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -25,6 +25,7 @@ #include "includes.h" #include "auth/auth.h" #include "auth/ntlmssp/ntlmssp.h" +#include "auth/ntlmssp/msrpc_parse.h" #include "lib/crypto/crypto.h" #include "libcli/auth/proto.h" -- cgit From e3f2414cf9e582a4e4deecc662b64a7bb2679a34 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 15:03:25 +0000 Subject: r14380: Reduce the size of structs.h (This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe) --- source4/auth/ntlmssp/ntlmssp_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index acb17330fb..79f62349a6 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -27,7 +27,7 @@ #include "auth/ntlmssp/ntlmssp.h" #include "auth/ntlmssp/msrpc_parse.h" #include "lib/crypto/crypto.h" -#include "libcli/auth/proto.h" +#include "libcli/auth/libcli_auth.h" /********************************************************************* Client side NTLMSSP -- cgit From eb66b26cd18ceef2368506479d90bf7e4f0f83a0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 25 Mar 2006 01:00:37 +0000 Subject: r14701: Allow, with non-default options, NTLMSSP to access the LM session key, even when not sending the LM response. Needed to pass the test_session_key against Win2k3. Yes, I think this is a security flaw in the use of Win2k3-compatible NTLM. Andrew Bartlett (This used to be commit cb6c27b4f29878a6a904f798e228eea05cc658e1) --- source4/auth/ntlmssp/ntlmssp_client.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 79f62349a6..1244c0dfbc 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -194,8 +194,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if (!(flags & CLI_CRED_LANMAN_AUTH)) { - /* LM Key is incompatible... */ - gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + /* LM Key is still possible, just silly. Fortunetly + * we require command line options to end up here */ + /* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */ } if (!(flags & CLI_CRED_NTLM2)) { -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/auth/ntlmssp/ntlmssp_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 1244c0dfbc..23d96fb90b 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -23,11 +23,12 @@ */ #include "includes.h" -#include "auth/auth.h" #include "auth/ntlmssp/ntlmssp.h" #include "auth/ntlmssp/msrpc_parse.h" #include "lib/crypto/crypto.h" #include "libcli/auth/libcli_auth.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" /********************************************************************* Client side NTLMSSP -- cgit From 84c5acc6153548a9c8c99e4f3d5134cdb1397492 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Nov 2006 20:58:00 +0000 Subject: r19805: Add the (harmless, but apparently default) NTLMSSP_NEGOTIATE_ALWAYS_SIGN flags into the default set. Andrew Bartlett (This used to be commit 04709c75afda0234c7236fba674bf53a265f8dbb) --- source4/auth/ntlmssp/ntlmssp_client.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 23d96fb90b..5fc7707e68 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -331,6 +331,10 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } + if (lp_parm_bool(-1, "ntlmssp_client", "alwayssign", True)) { + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; + } + if (lp_parm_bool(-1, "ntlmssp_client", "ntlm2", True)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/auth/ntlmssp/ntlmssp_client.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 5fc7707e68..3f507908f2 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From cd962355abad90a2161765a7be7d26e63572cab7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 7 Sep 2007 15:08:14 +0000 Subject: r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4) --- source4/auth/ntlmssp/ntlmssp_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 3f507908f2..003394a21b 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -47,7 +47,7 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, DATA_BLOB in, DATA_BLOB *out) { - struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; + struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; if (gensec_ntlmssp_state->unicode) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; @@ -87,7 +87,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) { - struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; + struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; uint32_t chal_flags, ntlmssp_command, unkn1, unkn2; DATA_BLOB server_domain_blob; DATA_BLOB challenge_blob; @@ -292,7 +292,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) nt_status = gensec_ntlmssp_start(gensec_security); NT_STATUS_NOT_OK_RETURN(nt_status); - gensec_ntlmssp_state = gensec_security->private_data; + gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; gensec_ntlmssp_state->role = NTLMSSP_CLIENT; -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/auth/ntlmssp/ntlmssp_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 003394a21b..a98918a54b 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -28,6 +28,7 @@ #include "libcli/auth/libcli_auth.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" +#include "param/param.h" /********************************************************************* Client side NTLMSSP -- cgit From 98b57d5eb61094a9c88e2f7d90d3e21b7e74e9d8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 16:46:30 +0000 Subject: r25035: Fix some more warnings, use service pointer rather than service number in more places. (This used to be commit df9cebcb97e20564359097148665bd519f31bc6f) --- source4/auth/ntlmssp/ntlmssp_client.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index a98918a54b..d2f28a394c 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -299,13 +299,13 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->get_domain = lp_workgroup; - gensec_ntlmssp_state->unicode = lp_parm_bool(-1, "ntlmssp_client", "unicode", True); + gensec_ntlmssp_state->unicode = lp_parm_bool(NULL, "ntlmssp_client", "unicode", true); - gensec_ntlmssp_state->use_nt_response = lp_parm_bool(-1, "ntlmssp_client", "send_nt_reponse", True); + gensec_ntlmssp_state->use_nt_response = lp_parm_bool(NULL, "ntlmssp_client", "send_nt_reponse", true); gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth() - && (lp_parm_bool(-1, "ntlmssp_client", "allow_lm_key", False) - || lp_parm_bool(-1, "ntlmssp_client", "lm_key", False))); + && (lp_parm_bool(NULL, "ntlmssp_client", "allow_lm_key", false) + || lp_parm_bool(NULL, "ntlmssp_client", "lm_key", false))); gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); @@ -315,27 +315,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; - if (lp_parm_bool(-1, "ntlmssp_client", "128bit", True)) { + if (lp_parm_bool(NULL, "ntlmssp_client", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(-1, "ntlmssp_client", "56bit", False)) { + if (lp_parm_bool(NULL, "ntlmssp_client", "56bit", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(-1, "ntlmssp_client", "lm_key", False)) { + if (lp_parm_bool(NULL, "ntlmssp_client", "lm_key", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (lp_parm_bool(-1, "ntlmssp_client", "keyexchange", True)) { + if (lp_parm_bool(NULL, "ntlmssp_client", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(-1, "ntlmssp_client", "alwayssign", True)) { + if (lp_parm_bool(NULL, "ntlmssp_client", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(-1, "ntlmssp_client", "ntlm2", True)) { + if (lp_parm_bool(NULL, "ntlmssp_client", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/auth/ntlmssp/ntlmssp_client.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index d2f28a394c..f988facb60 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -66,7 +66,7 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, "NTLMSSP", NTLMSSP_NEGOTIATE, gensec_ntlmssp_state->neg_flags, - gensec_ntlmssp_state->get_domain(), + gensec_ntlmssp_state->domain, cli_credentials_get_workstation(gensec_security->credentials)); gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; @@ -181,7 +181,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, if (gensec_ntlmssp_state->use_nt_response) { flags |= CLI_CRED_NTLM_AUTH; } - if (lp_client_lanman_auth()) { + if (lp_client_lanman_auth(global_loadparm)) { flags |= CLI_CRED_LANMAN_AUTH; } @@ -206,7 +206,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) - && lp_client_lanman_auth() && lm_session_key.length == 16) { + && lp_client_lanman_auth(global_loadparm) && lm_session_key.length == 16) { DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (lm_response.length == 24) { SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, @@ -297,17 +297,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->role = NTLMSSP_CLIENT; - gensec_ntlmssp_state->get_domain = lp_workgroup; + gensec_ntlmssp_state->domain = lp_workgroup(global_loadparm); gensec_ntlmssp_state->unicode = lp_parm_bool(NULL, "ntlmssp_client", "unicode", true); gensec_ntlmssp_state->use_nt_response = lp_parm_bool(NULL, "ntlmssp_client", "send_nt_reponse", true); - gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth() + gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(global_loadparm) && (lp_parm_bool(NULL, "ntlmssp_client", "allow_lm_key", false) || lp_parm_bool(NULL, "ntlmssp_client", "lm_key", false))); - gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); + gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(global_loadparm); gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL; -- cgit From 60a1046c5c5783799bd64fe18e03534670f83d82 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 29 Sep 2007 18:00:19 +0000 Subject: r25430: Add the loadparm context to all parametric options. (This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58) --- source4/auth/ntlmssp/ntlmssp_client.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index f988facb60..8796e022d0 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -299,13 +299,13 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->domain = lp_workgroup(global_loadparm); - gensec_ntlmssp_state->unicode = lp_parm_bool(NULL, "ntlmssp_client", "unicode", true); + gensec_ntlmssp_state->unicode = lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "unicode", true); - gensec_ntlmssp_state->use_nt_response = lp_parm_bool(NULL, "ntlmssp_client", "send_nt_reponse", true); + gensec_ntlmssp_state->use_nt_response = lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "send_nt_reponse", true); gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(global_loadparm) - && (lp_parm_bool(NULL, "ntlmssp_client", "allow_lm_key", false) - || lp_parm_bool(NULL, "ntlmssp_client", "lm_key", false))); + && (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "allow_lm_key", false) + || lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "lm_key", false))); gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(global_loadparm); @@ -315,27 +315,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; - if (lp_parm_bool(NULL, "ntlmssp_client", "128bit", true)) { + if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(NULL, "ntlmssp_client", "56bit", false)) { + if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "56bit", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(NULL, "ntlmssp_client", "lm_key", false)) { + if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "lm_key", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (lp_parm_bool(NULL, "ntlmssp_client", "keyexchange", true)) { + if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(NULL, "ntlmssp_client", "alwayssign", true)) { + if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(NULL, "ntlmssp_client", "ntlm2", true)) { + if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ -- cgit From 3642f3b40d755209a843745f160a9d7962a6deca Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:16:19 +0000 Subject: r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245) --- source4/auth/ntlmssp/ntlmssp_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 8796e022d0..61d6f1b25f 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -339,7 +339,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ - gensec_ntlmssp_state->use_ntlmv2 = False; + gensec_ntlmssp_state->use_ntlmv2 = false; } if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { -- cgit From 6554433fc227baab93398576db703c91db1541f2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Oct 2007 01:27:15 +0200 Subject: r25660: Add a new interface 'generate_secret_buffer()', to be used when we require top-quality entropy. We don't want to waste system enropy generating challenges (which simply need to be unpredictable, not secret) or when generating UUIDs. Rework generate_random_buffer() to use /dev/urandom less often, only to seed the existing RC4 based PRNG. (With an exception to ensure we don't waste this setup cost for very small entropy requests). Perhaps we should be using heimdal's code for this instead? This should drasticly reduce our entropy use, particularly in the build farm (automated Samba build on hosts without much other source of entropy). Andrew Bartlett (This used to be commit 6a5630d37191542022f02fae519227b7829ef620) --- source4/auth/ntlmssp/ntlmssp_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 61d6f1b25f..bff9fc0b8a 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -226,7 +226,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { /* Make up a new session key */ uint8_t client_session_key[16]; - generate_random_buffer(client_session_key, sizeof(client_session_key)); + generate_secret_buffer(client_session_key, sizeof(client_session_key)); /* Encrypt the new session key with the old one */ encrypted_session_key = data_blob_talloc(gensec_ntlmssp_state, -- cgit From 78416aff6c96a9db9df4f5d4a2907e5afe762748 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 17:41:37 +0100 Subject: r26258: Use loadparm context in client_start function of gensec. (This used to be commit bad1891cae2c688b17a6a2b932e754f51291035c) --- source4/auth/ntlmssp/ntlmssp_client.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index bff9fc0b8a..49ba6d2409 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -285,7 +285,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return NT_STATUS_OK; } -NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) +NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security, + struct loadparm_context *lp_ctx) { struct gensec_ntlmssp_state *gensec_ntlmssp_state; NTSTATUS nt_status; @@ -297,17 +298,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->role = NTLMSSP_CLIENT; - gensec_ntlmssp_state->domain = lp_workgroup(global_loadparm); + gensec_ntlmssp_state->domain = lp_workgroup(lp_ctx); - gensec_ntlmssp_state->unicode = lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "unicode", true); + gensec_ntlmssp_state->unicode = lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "unicode", true); - gensec_ntlmssp_state->use_nt_response = lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "send_nt_reponse", true); + gensec_ntlmssp_state->use_nt_response = lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true); - gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(global_loadparm) - && (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "allow_lm_key", false) - || lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "lm_key", false))); + gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(lp_ctx) + && (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false) + || lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "lm_key", false))); - gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(global_loadparm); + gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(lp_ctx); gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL; @@ -315,27 +316,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; - if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "128bit", true)) { + if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "56bit", false)) { + if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "56bit", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "lm_key", false)) { + if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "keyexchange", true)) { + if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "alwayssign", true)) { + if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "ntlm2", true)) { + if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ -- cgit From ecea5ce24553989103d4a06296b24f4d29f30a36 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 17:41:50 +0100 Subject: r26260: Store loadparm context in gensec context. (This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081) --- source4/auth/ntlmssp/ntlmssp_client.c | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 49ba6d2409..53b52ae701 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -181,7 +181,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, if (gensec_ntlmssp_state->use_nt_response) { flags |= CLI_CRED_NTLM_AUTH; } - if (lp_client_lanman_auth(global_loadparm)) { + if (lp_client_lanman_auth(gensec_security->lp_ctx)) { flags |= CLI_CRED_LANMAN_AUTH; } @@ -206,7 +206,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) - && lp_client_lanman_auth(global_loadparm) && lm_session_key.length == 16) { + && lp_client_lanman_auth(gensec_security->lp_ctx) && lm_session_key.length == 16) { DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (lm_response.length == 24) { SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, @@ -285,8 +285,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return NT_STATUS_OK; } -NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security, - struct loadparm_context *lp_ctx) +NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) { struct gensec_ntlmssp_state *gensec_ntlmssp_state; NTSTATUS nt_status; @@ -298,17 +297,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security, gensec_ntlmssp_state->role = NTLMSSP_CLIENT; - gensec_ntlmssp_state->domain = lp_workgroup(lp_ctx); + gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx); - gensec_ntlmssp_state->unicode = lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "unicode", true); + gensec_ntlmssp_state->unicode = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "unicode", true); - gensec_ntlmssp_state->use_nt_response = lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true); + gensec_ntlmssp_state->use_nt_response = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true); - gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(lp_ctx) - && (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false) - || lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "lm_key", false))); + gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->lp_ctx) + && (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false) + || lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false))); - gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(lp_ctx); + gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->lp_ctx); gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL; @@ -316,27 +315,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security, NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; - if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "128bit", true)) { + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "56bit", false)) { + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "56bit", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) { + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) { + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) { + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) { + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ -- cgit From 6f79af9d13cb400506e05f20fb68c7f97daccf38 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 3 Jan 2008 17:22:04 -0600 Subject: r26652: msrpc_parse/msrpc_gen: Add iconv_convenience argument. (This used to be commit e886f1bc0dc694971979716d1991535c7d2e08de) --- source4/auth/ntlmssp/ntlmssp_client.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 53b52ae701..e07c64befb 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -62,6 +62,7 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, /* generate the ntlmssp negotiate packet */ msrpc_gen(out_mem_ctx, + lp_iconv_convenience(gensec_security->lp_ctx), out, "CddAA", "NTLMSSP", NTLMSSP_NEGOTIATE, @@ -111,6 +112,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if (!msrpc_parse(mem_ctx, + lp_iconv_convenience(gensec_security->lp_ctx), &in, "CdBd", "NTLMSSP", &ntlmssp_command, @@ -148,6 +150,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if (!msrpc_parse(mem_ctx, + lp_iconv_convenience(gensec_security->lp_ctx), &in, chal_parse_string, "NTLMSSP", &ntlmssp_command, @@ -244,6 +247,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, /* this generates the actual auth packet */ if (!msrpc_gen(mem_ctx, + lp_iconv_convenience(gensec_security->lp_ctx), out, auth_gen_string, "NTLMSSP", NTLMSSP_AUTH, -- cgit From 9caa8d3da12707c9409339fd294114fd489da648 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:04:06 +1000 Subject: Try to make NTLMSSP less fussy for unimportant messages. We don't really care (because nobody uses them) what we send as the domain and workstation in the negotiate packet. Andrew Bartlett (This used to be commit 9ac07e14873df2c18d0e9501691c2d4c4047e218) --- source4/auth/ntlmssp/ntlmssp_client.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_client.c') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index e07c64befb..891761860c 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, DATA_BLOB in, DATA_BLOB *out) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; + const char *domain = gensec_ntlmssp_state->domain; + const char *workstation = cli_credentials_get_workstation(gensec_security->credentials); + + /* These don't really matter in the initial packet, so don't panic if they are not set */ + if (!domain) { + domain = ""; + } + + if (!workstation) { + workstation = ""; + } if (gensec_ntlmssp_state->unicode) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; @@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, "NTLMSSP", NTLMSSP_NEGOTIATE, gensec_ntlmssp_state->neg_flags, - gensec_ntlmssp_state->domain, - cli_credentials_get_workstation(gensec_security->credentials)); + domain, + workstation); gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; -- cgit