authorAndrew Bartlett <abartlet@samba.org>2005-08-20 05:59:27 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:33:35 -0500
commitb456bfa0155ea70ca60590a83e19232c63ec1ac1 (patch)
treea83f9c3f8e9d7b40e7a6c726f00356c06a7f8382
parent8e11003e214729462b7dcf46f09d47efc736e1e8 (diff)
r9412: Simplify this NTLM authentication code by requiring the caller to
supply the user_sess_key and lm_sess_key parameters. Inspired by Coverity complaining about inconsistent checking. Also factor out some of this code, where we deal with just NT and LM hashes, or embedded plaintext passwords. Andrew Bartlett (This used to be commit ceec35564f44c8043888c8ffa776f137bd1171c8)
-rw-r--r--source4/auth/auth_sam.c7
-rw-r--r--source4/auth/ntlm_check.c131
2 files changed, 42 insertions, 96 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 008a7f3a84..57f645adc8 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -70,14 +70,13 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
/* NO break */
}
case AUTH_PASSWORD_HASH:
+ *lm_sess_key = data_blob(NULL, 0);
+ *user_sess_key = data_blob(NULL, 0);
status = hash_password_check(mem_ctx,
user_info->password.hash.lanman,
user_info->password.hash.nt,
user_info->mapped.account_name,
- user_info->client.account_name,
- user_info->client.domain_name,
- lm_pwd, nt_pwd,
- user_sess_key, lm_sess_key);
+ lm_pwd, nt_pwd);
NT_STATUS_NOT_OK_RETURN(status);
break;
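Review bot: The two added assignments dereference `lm_sess_key` and `user_sess_key` with no NULL check, and nothing in the visible part of authsam_password_ok says callers must pass both. A comment above them would record the contract, for example `/* callers must supply both key pointers; a hash-based logon yields no session keys, so return empty blobs */`. Before this commit a successful NT hash match filled `user_sess_key` inside `hash_password_check`, so it is worth confirming that consumers of this case accept a zero-length key. The function begins and ends outside the hunk.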
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index fa9677e75e..d033dfeb79 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -221,31 +221,16 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
- const char *client_username,
- const char *client_domain,
const struct samr_Password *stored_lanman,
- const struct samr_Password *stored_nt,
- DATA_BLOB *user_sess_key,
- DATA_BLOB *lm_sess_key)
+ const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
username));
}
- if (lm_sess_key) {
- *lm_sess_key = data_blob(NULL, 0);
- }
- if (user_sess_key) {
- *user_sess_key = data_blob(NULL, 0);
- }
-
if (client_nt && stored_nt) {
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
- if (user_sess_key) {
- *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
- SMBsesskeygen_ntv1(stored_nt->hash, user_sess_key->data);
- }
return NT_STATUS_OK;
} else {
DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
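Review bot: `memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash))` compares a client-supplied hash with the stored secret and stops at the first differing byte, so response time may depend on how many leading bytes match. Since this function now also serves the plaintext netlogon path, it would be the natural place for a fixed-time comparison: XOR each byte pair, OR the results into one accumulator, and test it once after the loop. Separately, `mem_ctx` looks unused in the visible part of the body once the `data_blob_talloc` call is gone, and the DEBUG text still says `ntlm_password_check:`. A header comment noting that no session keys are produced would help. The body continues past the end of the hunk.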
@@ -308,56 +293,30 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
username));
}
- if (lm_sess_key) {
- *lm_sess_key = data_blob(NULL, 0);
- }
- if (user_sess_key) {
- *user_sess_key = data_blob(NULL, 0);
- }
+ *lm_sess_key = data_blob(NULL, 0);
+ *user_sess_key = data_blob(NULL, 0);
/* Check for cleartext netlogon. Used by Exchange 5.5. */
if (challenge->length == sizeof(zeros) &&
(memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+ struct samr_Password client_nt;
+ struct samr_Password client_lm;
+ uint8_t dospwd[14];
DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
username));
- if (stored_nt && nt_response->length) {
- uint8_t pwhash[16];
- mdfour(pwhash, nt_response->data, nt_response->length);
- if (memcmp(pwhash, stored_nt->hash, sizeof(pwhash)) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- } else if (!lp_lanman_auth()) {
- DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
- username));
-
- } else if (stored_lanman && lm_response->length) {
- uint8_t dospwd[14];
- uint8_t p16[16];
- ZERO_STRUCT(dospwd);
-
- memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
- /* Only the fisrt 14 chars are considered, password need not be null terminated. */
-
- /* we *might* need to upper-case the string here */
- E_P16((const uint8_t *)dospwd, p16);
-
- if (memcmp(p16, stored_lanman->hash, sizeof(p16)) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- } else {
- DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
- return NT_STATUS_WRONG_PASSWORD;
- }
+ mdfour(client_nt.hash, nt_response->data, nt_response->length);
+ ZERO_STRUCT(dospwd);
+
+ memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
+ /* Only the fisrt 14 chars are considered, password need not be null terminated. */
+
+ /* we *might* need to upper-case the string here */
+ E_P16((const uint8_t *)dospwd, client_lm.hash);
+
+ return hash_password_check(mem_ctx, &client_lm, &client_nt,
+ username,
+ stored_lanman, stored_nt);
}
if (nt_response->length != 0 && nt_response->length < 24) {
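Review bot: The plaintext branch now hashes `nt_response` and `lm_response` unconditionally and always passes `&client_lm` and `&client_nt`, so the `nt_response->length` / `lm_response->length` guards the old code applied before comparing are gone. An absent response is therefore hashed as an empty password and compared against the stored hash. Pass NULL for a response that was not supplied, i.e. `lm_response->length ? &client_lm : NULL,` and `nt_response->length ? &client_nt : NULL,` in the `hash_password_check` call. The `lp_lanman_auth()` gate has also left this branch, so it is worth confirming that `hash_password_check` enforces it in the part of its body the diff does not show. ntlm_password_check starts and ends outside this hunk.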
@@ -377,11 +336,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
client_domain,
False,
user_sess_key)) {
- if (lm_sess_key) {
- *lm_sess_key = *user_sess_key;
- if (user_sess_key->length) {
- lm_sess_key->length = 8;
- }
+ *lm_sess_key = *user_sess_key;
+ if (user_sess_key->length) {
+ lm_sess_key->length = 8;
}
return NT_STATUS_OK;
}
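Review bot: The block `*lm_sess_key = *user_sess_key; if (user_sess_key->length) { lm_sess_key->length = 8; }` now appears verbatim in this hunk and in the five ntlm_password_check hunks that follow. Each copy is a struct assignment, so `lm_sess_key` presumably ends up pointing at the same buffer as `user_sess_key`. Moving it into one static helper would give a single place to document that the LM key is the first 8 bytes of the user session key and shares its storage, so callers must not free the two blobs independently. With the NULL guards removed, that helper or the function's header comment should also state that both out-parameters are mandatory. The enclosing if-statements start outside the hunks.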
@@ -394,11 +351,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
client_domain,
True,
user_sess_key)) {
- if (lm_sess_key) {
- *lm_sess_key = *user_sess_key;
- if (user_sess_key->length) {
- lm_sess_key->length = 8;
- }
+ *lm_sess_key = *user_sess_key;
+ if (user_sess_key->length) {
+ lm_sess_key->length = 8;
}
return NT_STATUS_OK;
}
@@ -411,11 +366,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
"",
False,
user_sess_key)) {
- if (lm_sess_key) {
- *lm_sess_key = *user_sess_key;
- if (user_sess_key->length) {
- lm_sess_key->length = 8;
- }
+ *lm_sess_key = *user_sess_key;
+ if (user_sess_key->length) {
+ lm_sess_key->length = 8;
}
return NT_STATUS_OK;
} else {
@@ -517,15 +470,13 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
client_domain,
False,
user_sess_key);
- } else if (user_sess_key) {
+ } else {
/* Otherwise, use the LMv2 session key */
*user_sess_key = tmp_sess_key;
}
- if (user_sess_key && lm_sess_key) {
- *lm_sess_key = *user_sess_key;
- if (user_sess_key->length) {
- lm_sess_key->length = 8;
- }
+ *lm_sess_key = *user_sess_key;
+ if (user_sess_key->length) {
+ lm_sess_key->length = 8;
}
return NT_STATUS_OK;
}
@@ -550,15 +501,13 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
client_domain,
True,
user_sess_key);
- } else if (user_sess_key) {
+ } else {
/* Otherwise, use the LMv2 session key */
*user_sess_key = tmp_sess_key;
}
- if (user_sess_key && lm_sess_key) {
- *lm_sess_key = *user_sess_key;
- if (user_sess_key->length) {
- lm_sess_key->length = 8;
- }
+ *lm_sess_key = *user_sess_key;
+ if (user_sess_key->length) {
+ lm_sess_key->length = 8;
}
return NT_STATUS_OK;
}
@@ -583,15 +532,13 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
"",
False,
user_sess_key);
- } else if (user_sess_key) {
+ } else {
/* Otherwise, use the LMv2 session key */
*user_sess_key = tmp_sess_key;
}
- if (user_sess_key && lm_sess_key) {
- *lm_sess_key = *user_sess_key;
- if (user_sess_key->length) {
- lm_sess_key->length = 8;
- }
+ *lm_sess_key = *user_sess_key;
+ if (user_sess_key->length) {
+ lm_sess_key->length = 8;
}
return NT_STATUS_OK;
}