From dce84ffd379012812170f68f7de8aab73123f0b3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 9 May 2004 12:42:18 +0000 Subject: r610: - Merge the Samba3 'ntlm_auth --diagnostics' testsuite to Samba4. - This required using NETLOGON_NEG_AUTH2_FLAGS for the SetupCredentials2 negotiation flags, which is what Samba3 does, because otherwise the server uses different crypto. - This tests the returned session keys, which we decrypt. - Update the Samba4 notion of a 'session key' to be a DATA_BLOB in most places. - Fix session key code to return NT_STATUS_NO_SESSION_KEY if none is available. - Remove a useless argument to SMBsesskeygen_ntv1 - move netr_CredentialState from the .idl to the new credentials.h Andrew Bartlett (This used to be commit 44f8b5b53e6abd4de8a676f78d729988fadff320) --- source4/libcli/auth/credentials.c | 50 +++++++++++++++++++++++++-------------- source4/libcli/auth/credentials.h | 29 +++++++++++++++++++++++ source4/libcli/auth/ntlm_check.c | 4 ++-- source4/libcli/auth/ntlmssp.c | 4 ++-- source4/libcli/raw/clisession.c | 29 ++++++++++++++++------- source4/libcli/raw/clitransport.c | 8 ------- source4/libcli/raw/smb_signing.c | 12 ++++++---- source4/libcli/util/smbdes.c | 13 +++++----- source4/libcli/util/smbencrypt.c | 3 +-- 9 files changed, 101 insertions(+), 51 deletions(-) create mode 100644 source4/libcli/auth/credentials.h (limited to 'source4/libcli') diff --git a/source4/libcli/auth/credentials.c b/source4/libcli/auth/credentials.c index acc083d57f..638bff7e8b 100644 --- a/source4/libcli/auth/credentials.c +++ b/source4/libcli/auth/credentials.c @@ -27,7 +27,7 @@ this call is made after the netr_ServerReqChallenge call */ -static void creds_init(struct netr_CredentialState *creds, +static void creds_init(struct creds_CredentialState *creds, const struct netr_Credential *client_challenge, const struct netr_Credential *server_challenge, const uint8 machine_password[16]) @@ -48,11 +48,11 @@ static void creds_init(struct netr_CredentialState *creds, SIVAL(time_cred.data, 0, IVAL(client_challenge->data, 0)); SIVAL(time_cred.data, 4, IVAL(client_challenge->data, 4)); - cred_hash2(creds->client.data, time_cred.data, creds->session_key); + cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1); SIVAL(time_cred.data, 0, IVAL(server_challenge->data, 0)); SIVAL(time_cred.data, 4, IVAL(server_challenge->data, 4)); - cred_hash2(creds->server.data, time_cred.data, creds->session_key); + cred_hash2(creds->server.data, time_cred.data, creds->session_key, 1); creds->seed = creds->client; } @@ -62,7 +62,7 @@ static void creds_init(struct netr_CredentialState *creds, step the credentials to the next element in the chain, updating the current client and server credentials and the seed */ -static void creds_step(struct netr_CredentialState *creds) +static void creds_step(struct creds_CredentialState *creds) { struct netr_Credential time_cred; @@ -76,7 +76,7 @@ static void creds_step(struct netr_CredentialState *creds) DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); - cred_hash2(creds->client.data, time_cred.data, creds->session_key); + cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1); DEBUG(5,("\tCLIENT %08x:%08x\n", IVAL(creds->client.data, 0), IVAL(creds->client.data, 4))); @@ -87,7 +87,7 @@ static void creds_step(struct netr_CredentialState *creds) DEBUG(5,("\tseed+time+1 %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); - cred_hash2(creds->server.data, time_cred.data, creds->session_key); + cred_hash2(creds->server.data, time_cred.data, creds->session_key, 1); DEBUG(5,("\tSERVER %08x:%08x\n", IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); @@ -95,7 +95,30 @@ static void creds_step(struct netr_CredentialState *creds) creds->seed = time_cred; } +/* + DES encrypt a 16 byte password buffer using the session key +*/ +void creds_des_encrypt(struct creds_CredentialState *creds, struct netr_Password *pass) +{ + struct netr_Password tmp; + cred_hash3(tmp.data, pass->data, creds->session_key, 1); + *pass = tmp; +} + +/* + ARCFOUR encrypt/decrypt a password buffer using the session key +*/ +void creds_arcfour_crypt(struct creds_CredentialState *creds, char *data, size_t len) +{ + DATA_BLOB session_key = data_blob(NULL, 16); + + memcpy(&session_key.data[0], creds->session_key, 8); + memset(&session_key.data[8], '\0', 8); + + SamOEMhashBlob(data, len, &session_key); + data_blob_free(&session_key); +} /***************************************************************** The above functions are common to the client and server interface @@ -106,7 +129,7 @@ next comes the client specific functions initialise the credentials chain and return the first client credentials */ -void creds_client_init(struct netr_CredentialState *creds, +void creds_client_init(struct creds_CredentialState *creds, const struct netr_Credential *client_challenge, const struct netr_Credential *server_challenge, const uint8 machine_password[16], @@ -120,7 +143,7 @@ void creds_client_init(struct netr_CredentialState *creds, /* check that a credentials reply from a server is correct */ -BOOL creds_client_check(struct netr_CredentialState *creds, +BOOL creds_client_check(struct creds_CredentialState *creds, const struct netr_Credential *received_credentials) { if (memcmp(received_credentials->data, creds->server.data, 8) != 0) { @@ -134,7 +157,7 @@ BOOL creds_client_check(struct netr_CredentialState *creds, produce the next authenticator in the sequence ready to send to the server */ -void creds_client_authenticator(struct netr_CredentialState *creds, +void creds_client_authenticator(struct creds_CredentialState *creds, struct netr_Authenticator *next) { creds_step(creds); @@ -144,12 +167,3 @@ void creds_client_authenticator(struct netr_CredentialState *creds, } -/* - encrypt a 16 byte password buffer using the session key -*/ -void creds_client_encrypt(struct netr_CredentialState *creds, struct netr_Password *pass) -{ - struct netr_Password tmp; - cred_hash3(tmp.data, pass->data, creds->session_key, 1); - *pass = tmp; -} diff --git a/source4/libcli/auth/credentials.h b/source4/libcli/auth/credentials.h new file mode 100644 index 0000000000..7a7a34ced2 --- /dev/null +++ b/source4/libcli/auth/credentials.h @@ -0,0 +1,29 @@ +/* + Unix SMB/CIFS implementation. + + code to manipulate domain credentials + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +struct creds_CredentialState { + uint8 session_key[8]; + uint32 sequence; + struct netr_Credential seed; + struct netr_Credential client; + struct netr_Credential server; +}; diff --git a/source4/libcli/auth/ntlm_check.c b/source4/libcli/auth/ntlm_check.c index a7764f9e98..32a7507c1f 100644 --- a/source4/libcli/auth/ntlm_check.c +++ b/source4/libcli/auth/ntlm_check.c @@ -59,7 +59,7 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, SMBOWFencrypt(part_passwd, sec_blob->data, p24); if (user_sess_key != NULL) { *user_sess_key = data_blob(NULL, 16); - SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data); + SMBsesskeygen_ntv1(part_passwd, user_sess_key->data); } @@ -195,7 +195,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) { if (user_sess_key) { *user_sess_key = data_blob(NULL, 16); - SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data); + SMBsesskeygen_ntv1(nt_pw, user_sess_key->data); } return NT_STATUS_OK; } else { diff --git a/source4/libcli/auth/ntlmssp.c b/source4/libcli/auth/ntlmssp.c index 161a15023a..9513d5a138 100644 --- a/source4/libcli/auth/ntlmssp.c +++ b/source4/libcli/auth/ntlmssp.c @@ -1093,7 +1093,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16); - SMBsesskeygen_ntv1(nt_hash, NULL, user_session_key); + SMBsesskeygen_ntv1(nt_hash, user_session_key); hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data); dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); @@ -1108,7 +1108,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, nt_response.data); E_md4hash(ntlmssp_state->password, nt_hash); session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16); - SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); + SMBsesskeygen_ntv1(nt_hash, session_key.data); dump_data_pw("NT session key:\n", session_key.data, session_key.length); } diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c index 1c0af77d11..fe64565597 100644 --- a/source4/libcli/raw/clisession.c +++ b/source4/libcli/raw/clisession.c @@ -234,22 +234,34 @@ static DATA_BLOB nt_blob(const char *pass, DATA_BLOB challenge) return blob; } +/* + store the user session key for a transport +*/ +void cli_session_set_user_session_key(struct cli_session *session, + const DATA_BLOB *session_key) +{ + session->user_session_key = data_blob_talloc(session->mem_ctx, + session_key->data, + session_key->length); +} + /* setup signing for a NT1 style session setup */ -static void setup_nt1_signing(struct cli_transport *transport, const char *password) +static void use_nt1_session_keys(struct cli_session *session, + const char *password, const DATA_BLOB *nt_response) { + struct cli_transport *transport = session->transport; uchar nt_hash[16]; - uchar session_key[16]; - DATA_BLOB nt_response; + DATA_BLOB session_key = data_blob(NULL, 16); E_md4hash(password, nt_hash); - SMBsesskeygen_ntv1(nt_hash, NULL, session_key); - nt_response = nt_blob(password, transport->negotiate.secblob); + SMBsesskeygen_ntv1(nt_hash, session_key.data); - cli_transport_set_session_key(transport, session_key); + cli_transport_simple_set_signing(transport, session_key, *nt_response); - cli_transport_simple_set_signing(transport, session_key, nt_response); + cli_session_set_user_session_key(session, &session_key); + data_blob_free(&session_key); } /**************************************************************************** @@ -332,7 +344,8 @@ static NTSTATUS smb_raw_session_setup_generic_nt1(struct cli_session *session, session->transport->negotiate.secblob); s2.nt1.in.password2 = nt_blob(parms->generic.in.password, session->transport->negotiate.secblob); - setup_nt1_signing(session->transport, parms->generic.in.password); + use_nt1_session_keys(session, parms->generic.in.password, &s2.nt1.in.password2); + } else { s2.nt1.in.password1 = data_blob(parms->generic.in.password, strlen(parms->generic.in.password)); diff --git a/source4/libcli/raw/clitransport.c b/source4/libcli/raw/clitransport.c index b8eef65c7f..72cad2e925 100644 --- a/source4/libcli/raw/clitransport.c +++ b/source4/libcli/raw/clitransport.c @@ -231,11 +231,3 @@ BOOL cli_transport_select(struct cli_transport *transport) return True; } -/* - store the user session key for a transport -*/ -void cli_transport_set_session_key(struct cli_transport *transport, - const uint8 session_key[16]) -{ - memcpy(transport->negotiate.user_session_key, session_key, 16); -} diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 2ab61aa001..5f47a5e42a 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -220,7 +220,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran SMB signing - Simple implementation - setup the MAC key. ************************************************************/ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, - const uchar user_transport_key[16], const DATA_BLOB response) + const DATA_BLOB user_session_key, + const DATA_BLOB response) { struct smb_basic_signing_context *data; @@ -235,10 +236,13 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, data = smb_xmalloc(sizeof(*data)); transport->negotiate.sign_info.signing_context = data; - data->mac_key = data_blob(NULL, MIN(response.length + 16, 40)); + data->mac_key = data_blob(NULL, response.length + user_session_key.length); - memcpy(&data->mac_key.data[0], user_transport_key, 16); - memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16)); + memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length); + + if (response.length) { + memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length); + } /* Initialise the sequence number */ data->next_seq_num = 0; diff --git a/source4/libcli/util/smbdes.c b/source4/libcli/util/smbdes.c index 80b938b460..22bafcb449 100644 --- a/source4/libcli/util/smbdes.c +++ b/source4/libcli/util/smbdes.c @@ -338,14 +338,14 @@ void cred_hash1(unsigned char *out, const unsigned char *in, const unsigned char smbhash(out, buf, key+9, 1); } -void cred_hash2(unsigned char *out, const unsigned char *in, const unsigned char *key) +void cred_hash2(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw) { unsigned char buf[8]; unsigned char key2[8]; ZERO_STRUCT(key2); - smbhash(buf, in, key, 1); + smbhash(buf, in, key, forw); key2[0] = key[7]; - smbhash(out, buf, key2, 1); + smbhash(out, buf, key2, forw); } void cred_hash3(unsigned char *out, unsigned char *in, const unsigned char *key, int forw) @@ -401,12 +401,11 @@ void SamOEMhashBlob(unsigned char *data, int len, const DATA_BLOB *key) */ void SamOEMhash(unsigned char *data, const unsigned char keystr[16], int len) { - DATA_BLOB key; - - key.length = 16; - key.data = keystr; + DATA_BLOB key = data_blob(keystr, 16); SamOEMhashBlob(data, len, &key); + + data_blob_free(&key); } diff --git a/source4/libcli/util/smbencrypt.c b/source4/libcli/util/smbencrypt.c index cefd01bf1c..5468bdbebe 100644 --- a/source4/libcli/util/smbencrypt.c +++ b/source4/libcli/util/smbencrypt.c @@ -255,8 +255,7 @@ void SMBsesskeygen_ntv2(const uchar kr[16], #endif } -void SMBsesskeygen_ntv1(const uchar kr[16], - const uchar * nt_resp, uint8 sess_key[16]) +void SMBsesskeygen_ntv1(const uchar kr[16], uint8 sess_key[16]) { /* yes, this session key does not change - yes, this is a problem - but it is 128 bits */ -- cgit