search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ntlm_auth: Fix Coverity ID 240749 Resource leak
[samba4-gss.git] / source3 / utils / ntlm_auth_diagnostics.c
blobdbce3ed4fdf8b68576f10fabe1244fc9ff6d257f
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind status program.
5
6 Copyright (C) Tim Potter 2000-2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "utils/ntlm_auth.h"
26 #include "../libcli/auth/libcli_auth.h"
27 #include "nsswitch/winbind_client.h"
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_WINBIND
31
32 enum ntlm_break {
33 BREAK_NONE,
34 BREAK_LM,
35 BREAK_NT,
36 NO_LM,
37 NO_NT
38 };
39
40 /*
41 Authenticate a user with a challenge/response, checking session key
42 and valid authentication types
43 */
44
45 /*
46 * Test the normal 'LM and NTLM' combination
47 */
48
49 static bool test_lm_ntlm_broken(enum ntlm_break break_which,
50 bool lanman_support_expected)
51 {
52 bool pass = True;
53 NTSTATUS nt_status;
54 uint32_t flags = 0;
55 DATA_BLOB lm_response = data_blob(NULL, 24);
56 DATA_BLOB nt_response = data_blob(NULL, 24);
57 DATA_BLOB session_key = data_blob(NULL, 16);
58 uint8_t authoritative = 1;
59 uchar lm_key[8];
60 uchar user_session_key[16];
61 uchar lm_hash[16];
62 uchar nt_hash[16];
63 DATA_BLOB chall = get_challenge();
64 char *error_string;
65
66 ZERO_STRUCT(lm_key);
67 ZERO_STRUCT(user_session_key);
68
69 flags |= WBFLAG_PAM_LMKEY;
70 flags |= WBFLAG_PAM_USER_SESSION_KEY;
71
72 SMBencrypt(opt_password,chall.data,lm_response.data);
73 E_deshash(opt_password, lm_hash);
74
75 SMBNTencrypt(opt_password,chall.data,nt_response.data);
76
77 E_md4hash(opt_password, nt_hash);
78 SMBsesskeygen_ntv1(nt_hash, session_key.data);
79
80 switch (break_which) {
81 case BREAK_NONE:
82 break;
83 case BREAK_LM:
84 lm_response.data[0]++;
85 break;
86 case BREAK_NT:
87 nt_response.data[0]++;
88 break;
89 case NO_LM:
90 data_blob_free(&lm_response);
91 break;
92 case NO_NT:
93 data_blob_free(&nt_response);
94 break;
95 }
96
97 nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
98 opt_workstation,
99 &chall,
100 &lm_response,
101 &nt_response,
102 flags, 0,
103 lm_key,
104 user_session_key,
105 &authoritative,
106 &error_string, NULL);
107
108 data_blob_free(&lm_response);
109 data_blob_free(&nt_response);
110
111 if (!NT_STATUS_IS_OK(nt_status)) {
112 d_printf("%s (0x%x)\n",
113 error_string,
114 NT_STATUS_V(nt_status));
115 SAFE_FREE(error_string);
116 data_blob_free(&session_key);
117
118 return break_which == BREAK_NT;
119 }
120
121 /* If we are told the DC is Samba4, expect an LM key of zeros */
122 if (!lanman_support_expected) {
123 if (!all_zero(lm_key,
124 sizeof(lm_key))) {
125 DEBUG(1, ("LM Key does not match expectations!\n"));
126 DEBUG(1, ("lm_key:\n"));
127 dump_data(1, lm_key, 8);
128 DEBUG(1, ("expected: all zeros\n"));
129 pass = False;
130 }
131 } else {
132 if (memcmp(lm_hash, lm_key,
133 sizeof(lm_key)) != 0) {
134 DEBUG(1, ("LM Key does not match expectations!\n"));
135 DEBUG(1, ("lm_key:\n"));
136 dump_data(1, lm_key, 8);
137 DEBUG(1, ("expected:\n"));
138 dump_data(1, lm_hash, 8);
139 pass = False;
140 }
141 }
142
143 if (break_which == NO_NT) {
144 if (memcmp(lm_hash, user_session_key,
145 8) != 0) {
146 DEBUG(1, ("NT Session Key does not match expectations (should be LM hash)!\n"));
147 DEBUG(1, ("user_session_key:\n"));
148 dump_data(1, user_session_key, sizeof(user_session_key));
149 DEBUG(1, ("expected:\n"));
150 dump_data(1, lm_hash, sizeof(lm_hash));
151 pass = False;
152 }
153 } else {
154 if (memcmp(session_key.data, user_session_key,
155 sizeof(user_session_key)) != 0) {
156 DEBUG(1, ("NT Session Key does not match expectations!\n"));
157 DEBUG(1, ("user_session_key:\n"));
158 dump_data(1, user_session_key, 16);
159 DEBUG(1, ("expected:\n"));
160 dump_data(1, session_key.data, session_key.length);
161 pass = False;
162 }
163 }
164 data_blob_free(&session_key);
165
166 return pass;
167 }
168
169 /*
170 * Test LM authentication, no NT response supplied
171 */
172
173 static bool test_lm(bool lanman_support_expected)
174 {
175
176 return test_lm_ntlm_broken(NO_NT, lanman_support_expected);
177 }
178
179 /*
180 * Test the NTLM response only, no LM.
181 */
182
183 static bool test_ntlm(bool lanman_support_expected)
184 {
185 return test_lm_ntlm_broken(NO_LM, lanman_support_expected);
186 }
187
188 /*
189 * Test the NTLM response only, but in the LM field.
190 */
191
192 static bool test_ntlm_in_lm(bool lanman_support_expected)
193 {
194 bool pass = True;
195 NTSTATUS nt_status;
196 uint32_t flags = 0;
197 DATA_BLOB nt_response = data_blob(NULL, 24);
198 uint8_t authoritative = 1;
199 uchar lm_key[8];
200 uchar lm_hash[16];
201 uchar user_session_key[16];
202 DATA_BLOB chall = get_challenge();
203 char *error_string = NULL;
204
205 ZERO_STRUCT(user_session_key);
206
207 flags |= WBFLAG_PAM_LMKEY;
208 flags |= WBFLAG_PAM_USER_SESSION_KEY;
209
210 SMBNTencrypt(opt_password,chall.data,nt_response.data);
211
212 E_deshash(opt_password, lm_hash);
213
214 nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
215 opt_workstation,
216 &chall,
217 &nt_response,
218 NULL,
219 flags, 0,
220 lm_key,
221 user_session_key,
222 &authoritative,
223 &error_string, NULL);
224
225 data_blob_free(&nt_response);
226
227 if (!NT_STATUS_IS_OK(nt_status)) {
228 d_printf("%s (0x%x)\n",
229 error_string,
230 NT_STATUS_V(nt_status));
231 SAFE_FREE(error_string);
232 return False;
233 }
234 SAFE_FREE(error_string);
235
236 /* If we are told the DC is Samba4, expect an LM key of zeros */
237 if (!lanman_support_expected) {
238 if (!all_zero(lm_key,
239 sizeof(lm_key))) {
240 DEBUG(1, ("LM Key does not match expectations!\n"));
241 DEBUG(1, ("lm_key:\n"));
242 dump_data(1, lm_key, 8);
243 DEBUG(1, ("expected: all zeros\n"));
244 pass = False;
245 }
246 if (!all_zero(user_session_key,
247 sizeof(user_session_key))) {
248 DEBUG(1, ("Session Key (normally first 8 lm hash) does not match expectations!\n"));
249 DEBUG(1, ("user_session_key:\n"));
250 dump_data(1, user_session_key, 16);
251 DEBUG(1, ("expected all zeros:\n"));
252 pass = False;
253 }
254 } else {
255 if (memcmp(lm_hash, lm_key,
256 sizeof(lm_key)) != 0) {
257 DEBUG(1, ("LM Key does not match expectations!\n"));
258 DEBUG(1, ("lm_key:\n"));
259 dump_data(1, lm_key, 8);
260 DEBUG(1, ("expected:\n"));
261 dump_data(1, lm_hash, 8);
262 pass = False;
263 }
264 if (memcmp(lm_hash, user_session_key, 8) != 0) {
265 DEBUG(1, ("Session Key (first 8 lm hash) does not match expectations!\n"));
266 DEBUG(1, ("user_session_key:\n"));
267 dump_data(1, user_session_key, 16);
268 DEBUG(1, ("expected:\n"));
269 dump_data(1, lm_hash, 8);
270 pass = False;
271 }
272 }
273 return pass;
274 }
275
276 /*
277 * Test the NTLM response only, but in the both the NT and LM fields.
278 */
279
280 static bool test_ntlm_in_both(bool lanman_support_expected)
281 {
282 bool pass = True;
283 NTSTATUS nt_status;
284 uint32_t flags = 0;
285 DATA_BLOB nt_response = data_blob(NULL, 24);
286 DATA_BLOB session_key = data_blob(NULL, 16);
287 uint8_t authoritative = 1;
288 uint8_t lm_key[8];
289 uint8_t lm_hash[16];
290 uint8_t user_session_key[16];
291 uint8_t nt_hash[16];
292 DATA_BLOB chall = get_challenge();
293 char *error_string = NULL;
294
295 ZERO_STRUCT(lm_key);
296 ZERO_STRUCT(user_session_key);
297
298 flags |= WBFLAG_PAM_LMKEY;
299 flags |= WBFLAG_PAM_USER_SESSION_KEY;
300
301 SMBNTencrypt(opt_password,chall.data,nt_response.data);
302 E_md4hash(opt_password, nt_hash);
303 SMBsesskeygen_ntv1(nt_hash, session_key.data);
304
305 E_deshash(opt_password, lm_hash);
306
307 nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
308 opt_workstation,
309 &chall,
310 &nt_response,
311 &nt_response,
312 flags, 0,
313 lm_key,
314 user_session_key,
315 &authoritative,
316 &error_string, NULL);
317
318 data_blob_free(&nt_response);
319
320 if (!NT_STATUS_IS_OK(nt_status)) {
321 d_printf("%s (0x%x)\n",
322 error_string,
323 NT_STATUS_V(nt_status));
324 SAFE_FREE(error_string);
325 return False;
326 }
327 SAFE_FREE(error_string);
328
329 /* If we are told the DC is Samba4, expect an LM key of zeros */
330 if (!lanman_support_expected) {
331 if (!all_zero(lm_key,
332 sizeof(lm_key))) {
333 DEBUG(1, ("LM Key does not match expectations!\n"));
334 DEBUG(1, ("lm_key:\n"));
335 dump_data(1, lm_key, 8);
336 DEBUG(1, ("expected: all zeros\n"));
337 pass = False;
338 }
339 } else {
340 if (memcmp(lm_hash, lm_key,
341 sizeof(lm_key)) != 0) {
342 DEBUG(1, ("LM Key does not match expectations!\n"));
343 DEBUG(1, ("lm_key:\n"));
344 dump_data(1, lm_key, 8);
345 DEBUG(1, ("expected:\n"));
346 dump_data(1, lm_hash, 8);
347 pass = False;
348 }
349 }
350 if (memcmp(session_key.data, user_session_key,
351 sizeof(user_session_key)) != 0) {
352 DEBUG(1, ("NT Session Key does not match expectations!\n"));
353 DEBUG(1, ("user_session_key:\n"));
354 dump_data(1, user_session_key, 16);
355 DEBUG(1, ("expected:\n"));
356 dump_data(1, session_key.data, session_key.length);
357 pass = False;
358 }
359
360
361 return pass;
362 }
363
364 /*
365 * Test the NTLMv2 and LMv2 responses
366 */
367
368 static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
369 {
370 bool pass = True;
371 NTSTATUS nt_status;
372 uint32_t flags = 0;
373 DATA_BLOB ntlmv2_response = data_blob_null;
374 DATA_BLOB lmv2_response = data_blob_null;
375 DATA_BLOB ntlmv2_session_key = data_blob_null;
376 DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain());
377 uint8_t authoritative = 1;
378 uchar user_session_key[16];
379 DATA_BLOB chall = get_challenge();
380 char *error_string = NULL;
381
382 ZERO_STRUCT(user_session_key);
383
384 flags |= WBFLAG_PAM_USER_SESSION_KEY;
385
386 if (!SMBNTLMv2encrypt(NULL, opt_username, opt_domain, opt_password, &chall,
387 &names_blob,
388 &lmv2_response, &ntlmv2_response, NULL,
389 &ntlmv2_session_key)) {
390 data_blob_free(&names_blob);
391 return False;
392 }
393 data_blob_free(&names_blob);
394
395 switch (break_which) {
396 case BREAK_NONE:
397 break;
398 case BREAK_LM:
399 lmv2_response.data[0]++;
400 break;
401 case BREAK_NT:
402 ntlmv2_response.data[0]++;
403 break;
404 case NO_LM:
405 data_blob_free(&lmv2_response);
406 break;
407 case NO_NT:
408 data_blob_free(&ntlmv2_response);
409 break;
410 }
411
412 nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
413 opt_workstation,
414 &chall,
415 &lmv2_response,
416 &ntlmv2_response,
417 flags, 0,
418 NULL,
419 user_session_key,
420 &authoritative,
421 &error_string, NULL);
422
423 data_blob_free(&lmv2_response);
424 data_blob_free(&ntlmv2_response);
425
426 if (!NT_STATUS_IS_OK(nt_status)) {
427 d_printf("%s (0x%x)\n",
428 error_string,
429 NT_STATUS_V(nt_status));
430 SAFE_FREE(error_string);
431 return break_which == BREAK_NT;
432 }
433
434 SAFE_FREE(error_string);
435
436 if (break_which != NO_NT && break_which != BREAK_NT && memcmp(ntlmv2_session_key.data, user_session_key,
437 sizeof(user_session_key)) != 0) {
438 DEBUG(1, ("USER (NTLMv2) Session Key does not match expectations!\n"));
439 DEBUG(1, ("user_session_key:\n"));
440 dump_data(1, user_session_key, 16);
441 DEBUG(1, ("expected:\n"));
442 dump_data(1, ntlmv2_session_key.data, ntlmv2_session_key.length);
443 pass = False;
444 }
445
446 data_blob_free(&ntlmv2_session_key);
447 return pass;
448 }
449
450 /*
451 * Test the NTLMv2 and LMv2 responses
452 */
453
454 static bool test_lmv2_ntlmv2(bool lanman_support_expected)
455 {
456 return test_lmv2_ntlmv2_broken(BREAK_NONE);
457 }
458
459 /*
460 * Test the LMv2 response only
461 */
462
463 static bool test_lmv2(bool lanman_support_expected)
464 {
465 return test_lmv2_ntlmv2_broken(NO_NT);
466 }
467
468 /*
469 * Test the NTLMv2 response only
470 */
471
472 static bool test_ntlmv2(bool lanman_support_expected)
473 {
474 return test_lmv2_ntlmv2_broken(NO_LM);
475 }
476
477 static bool test_lm_ntlm(bool lanman_support_expected)
478 {
479 return test_lm_ntlm_broken(BREAK_NONE, lanman_support_expected);
480 }
481
482 static bool test_ntlm_lm_broken(bool lanman_support_expected)
483 {
484 return test_lm_ntlm_broken(BREAK_LM, lanman_support_expected);
485 }
486
487 static bool test_ntlm_ntlm_broken(bool lanman_support_expected)
488 {
489 return test_lm_ntlm_broken(BREAK_NT, lanman_support_expected);
490 }
491
492 static bool test_ntlmv2_lmv2_broken(bool lanman_support_expected)
493 {
494 return test_lmv2_ntlmv2_broken(BREAK_LM);
495 }
496
497 static bool test_ntlmv2_ntlmv2_broken(bool lanman_support_expected)
498 {
499 return test_lmv2_ntlmv2_broken(BREAK_NT);
500 }
501
502 static bool test_plaintext(enum ntlm_break break_which)
503 {
504 NTSTATUS nt_status;
505 uint32_t flags = 0;
506 DATA_BLOB nt_response = data_blob_null;
507 DATA_BLOB lm_response = data_blob_null;
508 char *password;
509 smb_ucs2_t *nt_response_ucs2;
510 size_t converted_size;
511 uint8_t authoritative = 1;
512 uchar user_session_key[16];
513 uchar lm_key[16];
514 static const uchar zeros[8] = { 0, };
515 DATA_BLOB chall = data_blob(zeros, sizeof(zeros));
516 char *error_string;
517
518 ZERO_STRUCT(user_session_key);
519
520 flags |= WBFLAG_PAM_LMKEY;
521 flags |= WBFLAG_PAM_USER_SESSION_KEY;
522
523 if (!push_ucs2_talloc(talloc_tos(), &nt_response_ucs2, opt_password,
524 &converted_size))
525 {
526 DEBUG(0, ("push_ucs2_talloc failed!\n"));
527 exit(1);
528 }
529
530 nt_response.data = (unsigned char *)nt_response_ucs2;
531 nt_response.length = strlen_w(nt_response_ucs2)*sizeof(smb_ucs2_t);
532
533 if ((password = strupper_talloc(talloc_tos(), opt_password)) == NULL) {
534 DEBUG(0, ("strupper_talloc() failed!\n"));
535 exit(1);
536 }
537
538 if (!convert_string_talloc(talloc_tos(), CH_UNIX,
539 CH_DOS, password,
540 strlen(password)+1,
541 &lm_response.data,
542 &lm_response.length)) {
543 DEBUG(0, ("convert_string_talloc failed!\n"));
544 exit(1);
545 }
546
547 TALLOC_FREE(password);
548
549 switch (break_which) {
550 case BREAK_NONE:
551 break;
552 case BREAK_LM:
553 lm_response.data[0]++;
554 break;
555 case BREAK_NT:
556 nt_response.data[0]++;
557 break;
558 case NO_LM:
559 TALLOC_FREE(lm_response.data);
560 lm_response.length = 0;
561 break;
562 case NO_NT:
563 TALLOC_FREE(nt_response.data);
564 nt_response.length = 0;
565 break;
566 }
567
568 nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
569 opt_workstation,
570 &chall,
571 &lm_response,
572 &nt_response,
573 flags, MSV1_0_CLEARTEXT_PASSWORD_ALLOWED,
574 lm_key,
575 user_session_key,
576 &authoritative,
577 &error_string, NULL);
578
579 TALLOC_FREE(nt_response.data);
580 TALLOC_FREE(lm_response.data);
581 data_blob_free(&chall);
582
583 if (!NT_STATUS_IS_OK(nt_status)) {
584 d_printf("%s (0x%x)\n",
585 error_string,
586 NT_STATUS_V(nt_status));
587 SAFE_FREE(error_string);
588 return break_which == BREAK_NT;
589 }
590
591 return break_which != BREAK_NT;
592 }
593
594 static bool test_plaintext_none_broken(bool lanman_support_expected) {
595 return test_plaintext(BREAK_NONE);
596 }
597
598 static bool test_plaintext_lm_broken(bool lanman_support_expected) {
599 return test_plaintext(BREAK_LM);
600 }
601
602 static bool test_plaintext_nt_broken(bool lanman_support_expected) {
603 return test_plaintext(BREAK_NT);
604 }
605
606 static bool test_plaintext_nt_only(bool lanman_support_expected) {
607 return test_plaintext(NO_LM);
608 }
609
610 static bool test_plaintext_lm_only(bool lanman_support_expected) {
611 return test_plaintext(NO_NT);
612 }
613
614 /*
615 Tests:
616
617 - LM only
618 - NT and LM
619 - NT
620 - NT in LM field
621 - NT in both fields
622 - NTLMv2
623 - NTLMv2 and LMv2
624 - LMv2
625 - plaintext tests (in challenge-response fields)
626
627 check we get the correct session key in each case
628 check what values we get for the LM session key
629
630 */
631
632 static const struct ntlm_tests {
633 bool (*fn)(bool lanman_support_expected);
634 const char *name;
635 bool lanman;
636 } test_table[] = {
637 {
638 .fn = test_lm,
639 .name = "LM",
640 .lanman = true
641 },
642 {
643 .fn = test_lm_ntlm,
644 .name = "LM and NTLM"
645 },
646 {
647 .fn = test_ntlm,
648 .name = "NTLM"
649 },
650 {
651 .fn = test_ntlm_in_lm,
652 .name = "NTLM in LM"
653 },
654 {
655 .fn = test_ntlm_in_both,
656 .name = "NTLM in both"
657 },
658 {
659 .fn = test_ntlmv2,
660 .name = "NTLMv2"
661 },
662 {
663 .fn = test_lmv2_ntlmv2,
664 .name = "NTLMv2 and LMv2"
665 },
666 {
667 .fn = test_lmv2,
668 .name = "LMv2"
669 },
670 {
671 .fn = test_ntlmv2_lmv2_broken,
672 .name = "NTLMv2 and LMv2, LMv2 broken"
673 },
674 {
675 .fn = test_ntlmv2_ntlmv2_broken,
676 .name = "NTLMv2 and LMv2, NTLMv2 broken"
677 },
678 {
679 .fn = test_ntlm_lm_broken,
680 .name = "NTLM and LM, LM broken"
681 },
682 {
683 .fn = test_ntlm_ntlm_broken,
684 .name = "NTLM and LM, NTLM broken"
685 },
686 {
687 .fn = test_plaintext_none_broken,
688 .name = "Plaintext"
689 },
690 {
691 .fn = test_plaintext_lm_broken,
692 .name = "Plaintext LM broken"
693 },
694 {
695 .fn = test_plaintext_nt_broken,
696 .name = "Plaintext NT broken"
697 },
698 {
699 .fn = test_plaintext_nt_only,
700 .name = "Plaintext NT only"
701 },
702 {
703 .fn = test_plaintext_lm_only,
704 .name = "Plaintext LM only",
705 .lanman = true
706 },
707 {
708 .fn = NULL
709 }
710 };
711
712 bool diagnose_ntlm_auth(bool lanman_support_expected)
713 {
714 unsigned int i;
715 bool pass = True;
716
717 for (i=0; test_table[i].fn; i++) {
718 bool test_pass = test_table[i].fn(lanman_support_expected);
719 if (!lanman_support_expected
720 && test_table[i].lanman) {
721 if (test_pass) {
722 DBG_ERR("Test %s unexpectedly passed "
723 "(server should have rejected LM)!\n",
724 test_table[i].name);
725 pass = false;
726 }
727 } else if (!test_pass) {
728 DBG_ERR("Test %s failed!\n", test_table[i].name);
729 pass = False;
730 }
731 }
732
733 return pass;
734 }
735
GSS-enabled samba4