LCOV - code coverage report
Current view: top level - auth/ntlmssp - gensec_ntlmssp_server.c (source / functions) Hit Total Coverage
Test: coverage report for master 2b515b7d Lines: 93 98 94.9 %
Date: 2024-02-28 12:06:22 Functions: 2 2 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/Netbios implementation.
       3             :    Version 3.0
       4             :    handle NLTMSSP, client server side parsing
       5             : 
       6             :    Copyright (C) Andrew Tridgell      2001
       7             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
       8             :    Copyright (C) Stefan Metzmacher 2005
       9             : 
      10             :    This program is free software; you can redistribute it and/or modify
      11             :    it under the terms of the GNU General Public License as published by
      12             :    the Free Software Foundation; either version 3 of the License, or
      13             :    (at your option) any later version.
      14             : 
      15             :    This program is distributed in the hope that it will be useful,
      16             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      17             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      18             :    GNU General Public License for more details.
      19             : 
      20             :    You should have received a copy of the GNU General Public License
      21             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      22             : */
      23             : 
      24             : #include "includes.h"
      25             : #include "system/network.h"
      26             : #include "lib/tsocket/tsocket.h"
      27             : #include "auth/ntlmssp/ntlmssp.h"
      28             : #include "../librpc/gen_ndr/ndr_ntlmssp.h"
      29             : #include "auth/ntlmssp/ntlmssp_ndr.h"
      30             : #include "auth/ntlmssp/ntlmssp_private.h"
      31             : #include "../libcli/auth/libcli_auth.h"
      32             : #include "../lib/crypto/crypto.h"
      33             : #include "auth/gensec/gensec.h"
      34             : #include "auth/gensec/gensec_internal.h"
      35             : #include "auth/common_auth.h"
      36             : #include "param/param.h"
      37             : #include "param/loadparm.h"
      38             : #include "libds/common/roles.h"
      39             : 
      40             : #undef DBGC_CLASS
      41             : #define DBGC_CLASS DBGC_AUTH
      42             : 
      43             : /**
      44             :  * Return the credentials of a logged on user, including session keys
      45             :  * etc.
      46             :  *
      47             :  * Only valid after a successful authentication
      48             :  *
      49             :  * May only be called once per authentication.
      50             :  *
      51             :  */
      52             : 
      53       36885 : NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
      54             :                                      TALLOC_CTX *mem_ctx,
      55             :                                      struct auth_session_info **session_info)
      56             : {
      57         139 :         NTSTATUS nt_status;
      58         139 :         struct gensec_ntlmssp_context *gensec_ntlmssp =
      59       36885 :                 talloc_get_type_abort(gensec_security->private_data,
      60             :                                       struct gensec_ntlmssp_context);
      61       36885 :         uint32_t session_info_flags = 0;
      62             : 
      63       36885 :         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
      64       25928 :                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
      65             :         }
      66             : 
      67       36885 :         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
      68       36885 :         session_info_flags |= AUTH_SESSION_INFO_NTLM;
      69             : 
      70       36885 :         if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
      71       37024 :                 nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx, 
      72             :                                                                                  gensec_ntlmssp->server_returned_info,
      73       36885 :                                                                                  gensec_ntlmssp->ntlmssp_state->user,
      74             :                                                                                  session_info_flags,
      75             :                                                                                  session_info);
      76             :         } else {
      77           0 :                 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
      78           0 :                 return NT_STATUS_INTERNAL_ERROR;
      79             :         }
      80             : 
      81       36885 :         NT_STATUS_NOT_OK_RETURN(nt_status);
      82             : 
      83       37024 :         nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info,
      84       36885 :                                                &(*session_info)->session_key);
      85       36885 :         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
      86          28 :                 (*session_info)->session_key = data_blob_null;
      87          28 :                 nt_status = NT_STATUS_OK;
      88             :         }
      89             : 
      90       36885 :         return nt_status;
      91             : }
      92             : 
      93             : /**
      94             :  * Start NTLMSSP on the server side
      95             :  *
      96             :  */
      97       80867 : NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
      98             : {
      99         148 :         NTSTATUS nt_status;
     100         148 :         struct ntlmssp_state *ntlmssp_state;
     101         148 :         struct gensec_ntlmssp_context *gensec_ntlmssp;
     102         148 :         const char *netbios_name;
     103         148 :         const char *netbios_domain;
     104         148 :         const char *dns_name;
     105         148 :         const char *dns_domain;
     106         148 :         enum server_role role;
     107             : 
     108       80867 :         role = lpcfg_server_role(gensec_security->settings->lp_ctx);
     109             : 
     110       80867 :         nt_status = gensec_ntlmssp_start(gensec_security);
     111       80867 :         NT_STATUS_NOT_OK_RETURN(nt_status);
     112             : 
     113         148 :         gensec_ntlmssp =
     114       80867 :                 talloc_get_type_abort(gensec_security->private_data,
     115             :                                       struct gensec_ntlmssp_context);
     116             : 
     117       80867 :         ntlmssp_state = talloc_zero(gensec_ntlmssp,
     118             :                                     struct ntlmssp_state);
     119       80867 :         if (!ntlmssp_state) {
     120           0 :                 return NT_STATUS_NO_MEMORY;
     121             :         }
     122       80867 :         gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
     123             : 
     124       80867 :         ntlmssp_state->role = NTLMSSP_SERVER;
     125             : 
     126       80867 :         ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
     127             : 
     128       81015 :         ntlmssp_state->allow_lm_response =
     129       80867 :                 lpcfg_lanman_auth(gensec_security->settings->lp_ctx);
     130             : 
     131      116649 :         if (ntlmssp_state->allow_lm_response &&
     132       35782 :             gensec_setting_bool(gensec_security->settings,
     133             :                                 "ntlmssp_server", "allow_lm_key", false))
     134             :         {
     135           0 :                 ntlmssp_state->allow_lm_key = true;
     136             :         }
     137             : 
     138       80867 :         ntlmssp_state->force_old_spnego = false;
     139             : 
     140       80867 :         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
     141             :                 /*
     142             :                  * For testing Windows 2000 mode
     143             :                  */
     144        1474 :                 ntlmssp_state->force_old_spnego = true;
     145             :         }
     146             : 
     147       80867 :         ntlmssp_state->neg_flags =
     148             :                 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
     149             : 
     150       80867 :         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
     151       80867 :                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
     152             :         }
     153             : 
     154       80867 :         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
     155       80867 :                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
     156             :         }
     157             : 
     158       80867 :         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
     159       80867 :                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
     160             :         }
     161             : 
     162       80867 :         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
     163       80867 :                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
     164             :         }
     165             : 
     166       80867 :         if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
     167       80867 :                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
     168             :         }
     169             : 
     170       80867 :         if (ntlmssp_state->allow_lm_key) {
     171           0 :                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
     172             :         }
     173             : 
     174             :         /*
     175             :          * We always allow NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
     176             :          *
     177             :          * These will be removed if the client doesn't want them.
     178             :          */
     179       80867 :         ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
     180       80867 :         ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
     181             : 
     182             : 
     183       80867 :         if (role == ROLE_STANDALONE) {
     184       42451 :                 ntlmssp_state->server.is_standalone = true;
     185             :         } else {
     186       38416 :                 ntlmssp_state->server.is_standalone = false;
     187             :         }
     188             : 
     189       80867 :         if (gensec_security->settings->server_netbios_name) {
     190         136 :                 netbios_name = gensec_security->settings->server_netbios_name;
     191             :         } else {
     192       80731 :                 netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
     193             :         }
     194             : 
     195       80867 :         if (gensec_security->settings->server_netbios_domain) {
     196         136 :                 netbios_domain = gensec_security->settings->server_netbios_domain;
     197             :         } else {
     198       80731 :                 netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
     199             :         }
     200             : 
     201       80867 :         if (gensec_security->settings->server_dns_name) {
     202       67451 :                 dns_name = gensec_security->settings->server_dns_name;
     203             :         } else {
     204       13416 :                 const char *dnsdomain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx);
     205         148 :                 char *lower_netbiosname;
     206             : 
     207       13416 :                 lower_netbiosname = strlower_talloc(ntlmssp_state, netbios_name);
     208       13416 :                 NT_STATUS_HAVE_NO_MEMORY(lower_netbiosname);
     209             : 
     210             :                 /* Find out the DNS host name */
     211       13416 :                 if (dnsdomain && dnsdomain[0] != '\0') {
     212       13414 :                         dns_name = talloc_asprintf(ntlmssp_state, "%s.%s",
     213             :                                                    lower_netbiosname,
     214             :                                                    dnsdomain);
     215       13414 :                         talloc_free(lower_netbiosname);
     216       13414 :                         NT_STATUS_HAVE_NO_MEMORY(dns_name);
     217             :                 } else {
     218           2 :                         dns_name = lower_netbiosname;
     219             :                 }
     220             :         }
     221             : 
     222       80867 :         if (gensec_security->settings->server_dns_domain) {
     223       67451 :                 dns_domain = gensec_security->settings->server_dns_domain;
     224             :         } else {
     225       13416 :                 dns_domain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx);
     226             :         }
     227             : 
     228       80867 :         ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
     229       80867 :         NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.netbios_name);
     230             : 
     231       80867 :         ntlmssp_state->server.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
     232       80867 :         NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.netbios_domain);
     233             : 
     234       80867 :         ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state, dns_name);
     235       80867 :         NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
     236             : 
     237       80867 :         ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain);
     238       80867 :         NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
     239             : 
     240       80867 :         ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
     241       80867 :         ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
     242             : 
     243       80867 :         return NT_STATUS_OK;
     244             : }
     245             : 

Generated by: LCOV version 1.14