/*
perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
we fit on one socket??)
*/
static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
{
DATA_BLOB msg1 = data_blob_null;
DATA_BLOB blob = data_blob_null;
DATA_BLOB blob_in = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
struct berval cred, *scred = NULL;
int rc;
NTSTATUS nt_status;
ADS_STATUS status;
int turn = 1;
uint32 features = 0;
struct ntlmssp_state *ntlmssp_state;
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
return ADS_ERROR_NT(nt_status);
}
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, ads->auth.user_name))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, ads->auth.realm))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, ads->auth.password))) {
return ADS_ERROR_NT(nt_status);
}
switch (ads->ldap.wrap_type) {
case ADS_SASLWRAP_TYPE_SEAL:
features = NTLMSSP_FEATURE_SIGN | NTLMSSP_FEATURE_SEAL;
break;
case ADS_SASLWRAP_TYPE_SIGN:
if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
features = NTLMSSP_FEATURE_SIGN;
} else {
/*
* windows servers are broken with sign only,
* so we need to use seal here too
*/
features = NTLMSSP_FEATURE_SIGN | NTLMSSP_FEATURE_SEAL;
ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
}
break;
case ADS_SASLWRAP_TYPE_PLAIN:
break;
}
ntlmssp_want_feature(ntlmssp_state, features);
blob_in = data_blob_null;
do {
nt_status = ntlmssp_update(ntlmssp_state,
blob_in, &blob_out);
data_blob_free(&blob_in);
if ((NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
|| NT_STATUS_IS_OK(nt_status))
&& blob_out.length) {
if (turn == 1) {
/* and wrap it in a SPNEGO wrapper */
msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out);
} else {
/* wrap it in SPNEGO */
msg1 = spnego_gen_auth(blob_out);
}
data_blob_free(&blob_out);
cred.bv_val = (char *)msg1.data;
cred.bv_len = msg1.length;
scred = NULL;
rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
data_blob_free(&msg1);
if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
if (scred) {
ber_bvfree(scred);
}
ntlmssp_end(&ntlmssp_state);
return ADS_ERROR(rc);
}
if (scred) {
blob = data_blob(scred->bv_val, scred->bv_len);
ber_bvfree(scred);
} else {
blob = data_blob_null;
}
} else {
ntlmssp_end(&ntlmssp_state);
data_blob_free(&blob_out);
return ADS_ERROR_NT(nt_status);
}
if ((turn == 1) &&
(rc == LDAP_SASL_BIND_IN_PROGRESS)) {
DATA_BLOB tmp_blob = data_blob_null;
/* the server might give us back two challenges */
if (!spnego_parse_challenge(blob, &blob_in,
&tmp_blob)) {
ntlmssp_end(&ntlmssp_state);
data_blob_free(&blob);
DEBUG(3,("Failed to parse challenges\n"));
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
data_blob_free(&tmp_blob);
} else if (rc == LDAP_SASL_BIND_IN_PROGRESS) {
if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP,
&blob_in)) {
ntlmssp_end(&ntlmssp_state);
data_blob_free(&blob);
DEBUG(3,("Failed to parse auth response\n"));
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
}
data_blob_free(&blob);
data_blob_free(&blob_out);
turn++;
} while (rc == LDAP_SASL_BIND_IN_PROGRESS && !NT_STATUS_IS_OK(nt_status));
/* we have a reference conter on ntlmssp_state, if we are signing
then the state will be kept by the signing engine */
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
status = ads_setup_sasl_wrapping(ads, &ads_sasl_ntlmssp_ops, ntlmssp_state);
if (!ADS_ERR_OK(status)) {
DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
ads_errstr(status)));
ntlmssp_end(&ntlmssp_state);
return status;
}
} else {
ntlmssp_end(&ntlmssp_state);
}
return ADS_ERROR(rc);
}
static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
const char *domain,
const unsigned char lm_hash[LM_HASH_LEN],
const unsigned char nt_hash[NT_HASH_LEN],
const DATA_BLOB initial_msg,
const DATA_BLOB challenge_msg,
DATA_BLOB *auth_msg,
uint8_t session_key[16])
{
NTSTATUS status;
struct ntlmssp_state *ntlmssp_state = NULL;
DATA_BLOB dummy_msg, reply;
status = ntlmssp_client_start(NULL,
global_myname(),
lp_workgroup(),
lp_client_ntlmv2_auth(),
&ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not start NTLMSSP client: %s\n",
nt_errstr(status)));
goto done;
}
status = ntlmssp_set_username(ntlmssp_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set username: %s\n",
nt_errstr(status)));
goto done;
}
status = ntlmssp_set_domain(ntlmssp_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set domain: %s\n",
nt_errstr(status)));
goto done;
}
status = ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set hashes: %s\n",
nt_errstr(status)));
goto done;
}
ntlmssp_want_feature(ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
/* We need to get our protocol handler into the right state. So first
we ask it to generate the initial message. Actually the client has already
sent its own initial message, so we're going to drop this one on the floor.
The client might have sent a different message, for example with different
negotiation options, but as far as I can tell this won't hurt us. (Unless
the client sent a different username or domain, in which case that's their
problem for telling us the wrong username or domain.)
Since we have a copy of the initial message that the client sent, we could
resolve any discrepancies if we had to.
*/
dummy_msg = data_blob_null;
reply = data_blob_null;
status = ntlmssp_update(ntlmssp_state, dummy_msg, &reply);
data_blob_free(&dummy_msg);
data_blob_free(&reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(1, ("Failed to create initial message! [%s]\n",
nt_errstr(status)));
goto done;
}
/* Now we are ready to handle the server's actual response. */
status = ntlmssp_update(ntlmssp_state, challenge_msg, &reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
nt_errstr(status)));
data_blob_free(&reply);
goto done;
}
if (ntlmssp_state->session_key.length != 16) {
DEBUG(1, ("invalid session key length %d\n",
(int)ntlmssp_state->session_key.length));
data_blob_free(&reply);
goto done;
}
*auth_msg = data_blob(reply.data, reply.length);
memcpy(session_key, ntlmssp_state->session_key.data, 16);
status = NT_STATUS_OK;
done:
TALLOC_FREE(ntlmssp_state);
return status;
}
