uint8_t *smb_ntlm2_response(smb_ntlmh hash_v2, uint64_t srv_challenge,
smb_buffer *blob)
{
smb_buffer data;
uint8_t *response, hmac[16];
if (smb_buffer_alloc(&data, sizeof(uint64_t) + blob->size) == 0)
return NULL;
memcpy(data.data, (void *)&srv_challenge, sizeof(uint64_t));
memcpy((uint8_t*)data.data + sizeof(uint64_t), blob->data, blob->size);
HMAC_MD5(hash_v2, SMB_NTLM_HASH_SIZE, data.data, data.size, &hmac);
smb_buffer_free(&data);
response = malloc(blob->size + 16);
if (!response)
return NULL;
memcpy(response, (void *)hmac, 16);
memcpy(response + 16, blob->data, blob->size);
return response;
}
static int negotiate(smb_session *s, const char *domain)
{
smb_message *msg = NULL;
smb_session_xsec_req req;
smb_buffer ntlm;
ASN1_TYPE token;
int res, der_size = 128;
char der[128], err_desc[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
msg = smb_message_new(SMB_CMD_SETUP);
if (!msg)
return DSM_ERROR_GENERIC;
// this struct will be set at the end when we know the payload size
SMB_MSG_ADVANCE_PKT(msg, smb_session_xsec_req);
asn1_create_element(s->spnego_asn1, "SPNEGO.GSSAPIContextToken", &token);
res = asn1_write_value(token, "thisMech", spnego_oid, 1);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "spnego", "negTokenInit", 1);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "spnego.negTokenInit.mechTypes", "NEW", 1);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "spnego.negTokenInit.mechTypes.?1", ntlmssp_oid, 1);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "spnego.negTokenInit.reqFlags", NULL, 0);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "spnego.negTokenInit.mechListMIC", NULL, 0);
if (res != ASN1_SUCCESS) goto error;
smb_ntlmssp_negotiate(domain, domain, &ntlm);
res = asn1_write_value(token, "spnego.negTokenInit.mechToken", ntlm.data,
ntlm.size);
smb_buffer_free(&ntlm);
if (res != ASN1_SUCCESS) goto error;
res = asn1_der_coding(token, "", der, &der_size, err_desc);
if (res != ASN1_SUCCESS)
{
smb_message_destroy(msg);
BDSM_dbg("Encoding error: %s", err_desc);
return DSM_ERROR_GENERIC;
}
smb_message_append(msg, der, der_size);
smb_message_put_utf16(msg, SMB_OS, strlen(SMB_OS));
smb_message_put16(msg, 0);
smb_message_put_utf16(msg, SMB_LANMAN, strlen(SMB_LANMAN));
smb_message_put16(msg, 0);
smb_message_put16(msg, 0);
SMB_MSG_INIT_PKT_ANDX(req);
req.wct = 12;
req.max_buffer = SMB_SESSION_MAX_BUFFER;
req.mpx_count = 16;
req.vc_count = 1;
req.caps = s->srv.caps;
req.session_key = s->srv.session_key;
req.xsec_blob_size = der_size;
req.payload_size = msg->cursor - sizeof(smb_session_xsec_req);
SMB_MSG_INSERT_PKT(msg, 0, req);
asn1_delete_structure(&token);
if (!smb_session_send_msg(s, msg))
{
smb_message_destroy(msg);
BDSM_dbg("Unable to send Session Setup AndX (NTLMSSP_NEGOTIATE) message\n");
return DSM_ERROR_NETWORK;
}
smb_message_destroy(msg);
return DSM_SUCCESS;
error:
asn1_display_error("smb_session_login negotiate()", res);
smb_message_destroy(msg);
return DSM_ERROR_GENERIC;
}
static int auth(smb_session *s, const char *domain, const char *user,
const char *password)
{
smb_message *msg = NULL, resp;
smb_session_xsec_req req;
smb_buffer ntlm;
ASN1_TYPE token;
int res, der_size = 512;
char der[512], err_desc[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
msg = smb_message_new(SMB_CMD_SETUP);
if (!msg)
return DSM_ERROR_GENERIC;
// this struct will be set at the end when we know the payload size
SMB_MSG_ADVANCE_PKT(msg, smb_session_xsec_req);
asn1_create_element(s->spnego_asn1, "SPNEGO.NegotiationToken", &token);
// Select a response message type
res = asn1_write_value(token, "", "negTokenResp", 1);
if (res != ASN1_SUCCESS) goto error;
// Delete all optionnal field except 'ResponseToken'
res = asn1_write_value(token, "negTokenResp.negResult", NULL, 0);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "negTokenResp.supportedMech", NULL, 0);
if (res != ASN1_SUCCESS) goto error;
res = asn1_write_value(token, "negTokenResp.mechListMIC", NULL, 0);
if (res != ASN1_SUCCESS) goto error;
smb_ntlmssp_response(s->srv.challenge, s->srv.ts - 4200, domain, domain, user,
password, &s->xsec_target, &ntlm);
res = asn1_write_value(token, "negTokenResp.responseToken", ntlm.data,
ntlm.size);
smb_buffer_free(&ntlm);
if (res != ASN1_SUCCESS) goto error;
res = asn1_der_coding(token, "", der, &der_size, err_desc);
if (res != ASN1_SUCCESS)
{
smb_message_destroy(msg);
BDSM_dbg("Encoding error: %s", err_desc);
return DSM_ERROR_GENERIC;
}
smb_message_append(msg, der, der_size);
if (msg->cursor % 2)
smb_message_put8(msg, 0);
smb_message_put_utf16(msg, SMB_OS, strlen(SMB_OS));
smb_message_put16(msg, 0);
smb_message_put_utf16(msg, SMB_LANMAN, strlen(SMB_LANMAN));
smb_message_put16(msg, 0);
smb_message_put16(msg, 0); // Empty PDC name
SMB_MSG_INIT_PKT_ANDX(req);
req.wct = 12;
req.max_buffer = SMB_SESSION_MAX_BUFFER;
req.mpx_count = 16; // XXX ?
req.vc_count = 1;
req.caps = s->srv.caps; // XXX caps & our_caps_mask
req.session_key = s->srv.session_key;
req.xsec_blob_size = der_size;
req.payload_size = msg->cursor - sizeof(smb_session_xsec_req);
SMB_MSG_INSERT_PKT(msg, 0, req);
asn1_delete_structure(&token);
if (!smb_session_send_msg(s, msg))
{
smb_message_destroy(msg);
BDSM_dbg("Unable to send Session Setup AndX (NTLMSSP_AUTH) message\n");
return DSM_ERROR_NETWORK;
}
smb_message_destroy(msg);
if (smb_session_recv_msg(s, &resp) == 0)
return DSM_ERROR_NETWORK;
if (!smb_session_check_nt_status(s, &resp))
return DSM_ERROR_NT;
else
{
smb_session_xsec_resp *r = (smb_session_xsec_resp *)resp.packet->payload;
if (r->action & 0x0001)
s->guest = true;
s->srv.uid = resp.packet->header.uid;
s->logged = true;
return DSM_SUCCESS;
}
error:
asn1_display_error("smb_session_login auth()", res);
smb_message_destroy(msg);
return DSM_ERROR_GENERIC;
}
