xref: /illumos-gate/usr/src/uts/common/smbsrv/netrauth.h (revision 861fa1490335b8e3cc91a1efafd8b9e481813931)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2020 Tintri by DDN, Inc. All rights reserved.
26  */
27 
28 #ifndef _SMBSRV_NETRAUTH_H
29 #define	_SMBSRV_NETRAUTH_H
30 
31 /*
32  * NETR remote authentication and logon services.
33  */
34 
35 #include <sys/types.h>
36 #include <smb/wintypes.h>
37 #include <smbsrv/netbios.h>
38 #include <smbsrv/smbinfo.h>
39 #include <netdb.h>
40 
41 #ifdef __cplusplus
42 extern "C" {
43 #endif
44 
45 /*
46  * See also netlogon.ndl.
47  */
48 #define	NETR_WKSTA_TRUST_ACCOUNT_TYPE		0x02
49 #define	NETR_DOMAIN_TRUST_ACCOUNT_TYPE		0x04
50 
51 /*
52  * Negotiation flags for challenge/response authentication.
53  */
54 #define	NETR_NEGO_UNUSED_A_FLAG			0x00000001
55 #define	NETR_NEGO_BDC_UPDATE_FLAG		0x00000002
56 #define	NETR_NEGO_RC4_ENCRYPT_FLAG		0x00000004
57 #define	NETR_NEGO_UNUSED_D_FLAG			0x00000008
58 
59 #define	NETR_NEGO_BDC_CHANGELOG_FLAG		0x00000010
60 #define	NETR_NEGO_DC_RESTART_SYNC_FLAG		0x00000020
61 #define	NETR_NEGO_VALID2_NOTREQUIRED_FLAG	0x00000040
62 #define	NETR_NEGO_OPNUM17_FLAG			0x00000080
63 
64 #define	NETR_NEGO_PWCHANGE_REFUSE_FLAG		0x00000100
65 #define	NETR_NEGO_OPNUM32_FLAG			0x00000200
66 #define	NETR_NEGO_GENERIC_PASSTHRU_FLAG		0x00000400
67 #define	NETR_NEGO_CONCURRENT_RPC_FLAG		0x00000800
68 
69 #define	NETR_NEGO_AVOID_USERDB_REPL_FLAG	0x00001000
70 #define	NETR_NEGO_AVOID_SECURITYDB_REPL_FLAG	0x00002000
71 #define	NETR_NEGO_STRONGKEY_FLAG		0x00004000
72 #define	NETR_NEGO_TRANSITIVE_TRUSTFLAG		0x00008000
73 
74 #define	NETR_NEGO_UNUSED_Q_FLAG			0x00010000
75 #define	NETR_NEGO_PASSWORDSET2_FLAG		0x00020000
76 #define	NETR_NEGO_GETDOMAININFO_FLAG		0x00040000
77 #define	NETR_NEGO_CROSS_FOREST_TRUST_FLAG	0x00080000
78 
79 #define	NETR_NEGO_IGNORE_NT4EMULATOR_FLAG	0x00100000
80 #define	NETR_NEGO_RODC_PASSTHRU_FLAG		0x00200000
81 #define	NETR_NEGO_UNDEFINED_9_FLAG		0x00400000
82 #define	NETR_NEGO_UNDEFINED_8_FLAG		0x00800000
83 
84 #define	NETR_NEGO_AES_SHA2_FLAG			0x01000000
85 #define	NETR_NEGO_UNDEFINED_6_FLAG		0x02000000
86 #define	NETR_NEGO_UNDEFINED_5_FLAG		0x04000000
87 #define	NETR_NEGO_UNDEFINED_4_FLAG		0x08000000
88 
89 #define	NETR_NEGO_UNDEFINED_3_FLAG		0x10000000
90 #define	NETR_NEGO_UNUSED_X_FLAG			0x20000000
91 #define	NETR_NEGO_SECURE_RPC_FLAG		0x40000000
92 #define	NETR_NEGO_UNDEFINED_0_FLAG		0x80000000
93 
94 /*
95  * TODO: This needs review - some of these are inappropriate.
96  * I.E. BDC_UPDATE, BDC_CHANGELOG, and DC_RESTART_SYNC are
97  * server-to-server only, but we implement a client.
98  */
99 #define	NETR_NEGO_BASE_FLAGS	(		\
100 	NETR_NEGO_UNUSED_A_FLAG	|		\
101 	NETR_NEGO_BDC_UPDATE_FLAG |		\
102 	NETR_NEGO_RC4_ENCRYPT_FLAG |		\
103 	NETR_NEGO_UNUSED_D_FLAG |		\
104 	NETR_NEGO_BDC_CHANGELOG_FLAG |		\
105 	NETR_NEGO_DC_RESTART_SYNC_FLAG |	\
106 	NETR_NEGO_VALID2_NOTREQUIRED_FLAG |	\
107 	NETR_NEGO_OPNUM17_FLAG |		\
108 	NETR_NEGO_PWCHANGE_REFUSE_FLAG)		\
109 
110 #define	NETR_SESSKEY64_SZ			8
111 #define	NETR_SESSKEY128_SZ			16
112 #define	NETR_SESSKEY_MAXSZ			NETR_SESSKEY128_SZ
113 #define	NETR_CRED_DATA_SZ			8
114 #define	NETR_OWF_PASSWORD_SZ			16
115 
116 /*
117  * SAM logon levels: interactive and network.
118  */
119 #define	NETR_INTERACTIVE_LOGON			0x01
120 #define	NETR_NETWORK_LOGON			0x02
121 
122 /*
123  * SAM logon validation levels.
124  */
125 #define	NETR_VALIDATION_LEVEL3			0x03
126 
127 /*
128  * Most of these are from: "MSV1_0_LM20_LOGON structure"
129  * http://msdn.microsoft.com/en-us/library/windows/desktop/aa378762
130  * and a few are from the ntddk (ntmsv1_0.h) found many places.
131  */
132 #define	MSV1_0_CLEARTEXT_PASSWORD_ALLOWED	0x00000002
133 #define	MSV1_0_UPDATE_LOGON_STATISTICS		0x00000004
134 #define	MSV1_0_RETURN_USER_PARAMETERS		0x00000008
135 #define	MSV1_0_DONT_TRY_GUEST_ACCOUNT		0x00000010
136 #define	MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT	0x00000020
137 #define	MSV1_0_RETURN_PASSWORD_EXPIRY		0x00000040
138 /*
139  * MSV1_0_USE_CLIENT_CHALLENGE means the LM response field contains the
140  * "client challenge" in the first 8 bytes instead of the LM response.
141  */
142 #define	MSV1_0_USE_CLIENT_CHALLENGE		0x00000080
143 #define	MSV1_0_TRY_GUEST_ACCOUNT_ONLY		0x00000100
144 #define	MSV1_0_RETURN_PROFILE_PATH		0x00000200
145 #define	MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY	0x00000400
146 #define	MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT	0x00000800
147 #define	MSV1_0_DISABLE_PERSONAL_FALLBACK	0x00001000
148 #define	MSV1_0_ALLOW_FORCE_GUEST		0x00002000
149 #define	MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED	0x00004000
150 #define	MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY	0x00008000
151 #define	MSV1_0_SUBAUTHENTICATION_DLL_EX		0x00100000
152 
153 /*
154  * This is a duplicate of the netr_credential
155  * from netlogon.ndl.
156  */
157 typedef struct netr_cred {
158 	BYTE data[NETR_CRED_DATA_SZ];
159 } netr_cred_t;
160 
161 typedef struct netr_session_key {
162 	BYTE key[NETR_SESSKEY_MAXSZ];
163 	short len;
164 } netr_session_key_t;
165 
166 #define	NETR_FLG_NULL		0x00000001
167 #define	NETR_FLG_VALID		0x00000001
168 #define	NETR_FLG_INIT		0x00000002
169 
170 /*
171  * 120-byte machine account password (null-terminated)
172  */
173 #define	NETR_MACHINE_ACCT_PASSWD_MAX	120 + 1
174 
175 typedef struct netr_info {
176 	DWORD flags;
177 	char server[MAXHOSTNAMELEN];		/* Current DC, FQDN */
178 	char hostname[NETBIOS_NAME_SZ * 2];	/* local "flat" name */
179 	char nb_domain[NETBIOS_NAME_SZ * 2];	/* Current NetBios domain */
180 	char fqdn_domain[MAXHOSTNAMELEN];	/* Current Domain */
181 	netr_cred_t client_challenge;
182 	netr_cred_t server_challenge;
183 	netr_cred_t client_credential;
184 	netr_cred_t server_credential;
185 	netr_session_key_t session_key;
186 	BYTE password[NETR_MACHINE_ACCT_PASSWD_MAX];
187 	time_t timestamp;
188 	uint64_t clh_seqnum; /* Client SequenceNumber for Netlogon SSP */
189 	DWORD nego_flags; /* Negotiated flags returned from ServerAuthenciate */
190 	boolean_t use_secure_rpc; /* Use "SecureRPC" (RPC-level auth) */
191 	boolean_t use_logon_ex; /* Use SamLogonEx (instead of SamLogon) */
192 } netr_info_t;
193 
194 /*
195  * NETLOGON private interface.
196  */
197 int netr_gen_skey64(netr_info_t *);
198 int netr_gen_skey128(netr_info_t *);
199 
200 int netr_gen_credentials(BYTE *, netr_cred_t *, DWORD, netr_cred_t *,
201     boolean_t);
202 
203 void netlogon_init_global(uint32_t);
204 
205 #define	NETR_A2H(c) (isdigit(c)) ? ((c) - '0') : ((c) - 'A' + 10)
206 
207 #ifdef __cplusplus
208 }
209 #endif
210 
211 #endif /* _SMBSRV_NETRAUTH_H */
212