/*
Unix SMB/Netbios implementation.
Version 3.0
handle NLTMSSP, server side
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett 2001-2003
Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
*/
#include "includes.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "../auth/ntlmssp/ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp_private.h"
#include "lib/crypto/gnutls_helpers.h"
#include
#include
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
static void debug_ntlmssp_flags_raw(int level, uint32_t flags)
{
#define _PRINT_FLAG_LINE(v) do { \
if (flags & (v)) { \
DEBUGADD(level, (" " #v "\n")); \
} \
} while (0)
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_UNICODE);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM);
_PRINT_FLAG_LINE(NTLMSSP_REQUEST_TARGET);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SIGN);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SEAL);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_DATAGRAM);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_LM_KEY);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NETWARE);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NTLM);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NT_ONLY);
_PRINT_FLAG_LINE(NTLMSSP_ANONYMOUS);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_ALWAYS_SIGN);
_PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_DOMAIN);
_PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SERVER);
_PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SHARE);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_IDENTIFY);
_PRINT_FLAG_LINE(NTLMSSP_REQUEST_NON_NT_SESSION_KEY);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_TARGET_INFO);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_VERSION);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_128);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_KEY_EXCH);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_56);
}
/**
* Print out the NTLMSSP flags for debugging
* @param neg_flags The flags from the packet
*/
void debug_ntlmssp_flags(uint32_t neg_flags)
{
DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
debug_ntlmssp_flags_raw(4, neg_flags);
}
NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t flags, const char *name)
{
uint32_t missing_flags = ntlmssp_state->required_flags;
if (ntlmssp_state->use_ntlmv2) {
/*
* Using NTLMv2 as a client implies
* using NTLMSSP_NEGOTIATE_NTLM2
* (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
*
* Note that 'use_ntlmv2' is only set
* true in the client case.
*
* Even if the server has a bug and does not announce
* it, we need to assume it's present.
*
* Note that we also have the flag
* in ntlmssp_state->required_flags,
* see gensec_ntlmssp_client_start().
*
* See bug #12862.
*/
flags |= NTLMSSP_NEGOTIATE_NTLM2;
}
if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
ntlmssp_state->unicode = true;
} else {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
ntlmssp_state->unicode = false;
}
/*
* NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
* has priority over NTLMSSP_NEGOTIATE_LM_KEY
*/
if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
if (!(flags & NTLMSSP_NEGOTIATE_128)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
}
if (!(flags & NTLMSSP_NEGOTIATE_56)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
}
if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
}
if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
}
if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
}
if ((flags & NTLMSSP_REQUEST_TARGET)) {
ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
}
missing_flags &= ~ntlmssp_state->neg_flags;
if (missing_flags != 0) {
HRESULT hres = HRES_SEC_E_UNSUPPORTED_FUNCTION;
NTSTATUS status = NT_STATUS(HRES_ERROR_V(hres));
DEBUG(1, ("%s: Got %s flags[0x%08x] "
"- possible downgrade detected! "
"missing_flags[0x%08x] - %s\n",
__func__, name,
(unsigned)flags,
(unsigned)missing_flags,
nt_errstr(status)));
debug_ntlmssp_flags_raw(1, missing_flags);
DEBUGADD(4, ("neg_flags[0x%08x]\n",
(unsigned)ntlmssp_state->neg_flags));
debug_ntlmssp_flags_raw(4, ntlmssp_state->neg_flags);
return status;
}
return NT_STATUS_OK;
}
/* Does this blob looks like it could be NTLMSSP? */
bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob)
{
if (blob->length > 8 && memcmp("NTLMSSP\0", blob->data, 8) == 0) {
return true;
} else {
return false;
}
}
const DATA_BLOB ntlmssp_version_blob(void)
{
/*
* This is a simplified version of
*
* enum ndr_err_code err;
* struct ntlmssp_VERSION vers;
*
* ZERO_STRUCT(vers);
* vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
* vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
* vers.ProductBuild = 0;
* vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
*
* err = ndr_push_struct_blob(&version_blob,
* ntlmssp_state,
* &vers,
* (ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION);
*
* if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
* data_blob_free(&struct_blob);
* return NT_STATUS_NO_MEMORY;
* }
*/
static const uint8_t version_buffer[8] = {
NTLMSSP_WINDOWS_MAJOR_VERSION_6,
NTLMSSP_WINDOWS_MINOR_VERSION_1,
0x00, 0x00, /* product build */
0x00, 0x00, 0x00, /* reserved */
NTLMSSP_REVISION_W2K3
};
return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer));
}
NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
uint8_t cb_hash[16])
{
const struct gensec_channel_bindings *cb =
gensec_security->channel_bindings;
gnutls_hash_hd_t hash_hnd = NULL;
uint8_t uint32buf[4];
int rc;
if (cb == NULL) {
memset(cb_hash, 0, 16);
return NT_STATUS_OK;
}
GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->initiator_addrtype);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->initiator_address.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->initiator_address.length > 0) {
rc = gnutls_hash(hash_hnd,
cb->initiator_address.data,
cb->initiator_address.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
SIVAL(uint32buf, 0, cb->acceptor_addrtype);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->acceptor_address.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->acceptor_address.length > 0) {
rc = gnutls_hash(hash_hnd,
cb->acceptor_address.data,
cb->acceptor_address.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
SIVAL(uint32buf, 0, cb->application_data.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->application_data.length > 0) {
rc = gnutls_hash(hash_hnd,
cb->application_data.data,
cb->application_data.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
gnutls_hash_deinit(hash_hnd, cb_hash);
GNUTLS_FIPS140_SET_STRICT_MODE();
return NT_STATUS_OK;
}