summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-12-30 07:33:58 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-12-30 07:33:58 +0000
commitadc07646a3057e5c572edb3ebdac2367206aaeef (patch)
tree0a045c21928c9e02f89cbf737995fd71d4644cba /source3
parentbccf3f374b984bf327057daa8d03374b70034d3b (diff)
downloadsamba-adc07646a3057e5c572edb3ebdac2367206aaeef.tar.gz
samba-adc07646a3057e5c572edb3ebdac2367206aaeef.tar.bz2
samba-adc07646a3057e5c572edb3ebdac2367206aaeef.zip
Move our basic password checking code from inside the authentication
subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in3
-rw-r--r--source3/auth/auth_sam.c346
-rw-r--r--source3/libsmb/ntlm_check.c377
-rw-r--r--source3/utils/ntlm_auth.c308
4 files changed, 634 insertions, 400 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index e1087b9eb5..3fa53c577d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -213,7 +213,8 @@ SECRETS_OBJ = passdb/secrets.o
LIBNMB_OBJ = libsmb/unexpected.o libsmb/namecache.o libsmb/nmblib.o \
libsmb/namequery.o libsmb/conncache.o
-LIBSAMBA_OBJ = libsmb/nterr.o libsmb/smbdes.o libsmb/smbencrypt.o libsmb/ntlmssp.o libsmb/ntlmssp_parse.o libsmb/ntlmssp_sign.o
+LIBSAMBA_OBJ = libsmb/nterr.o libsmb/smbdes.o libsmb/smbencrypt.o libsmb/ntlm_check.o \
+ libsmb/ntlmssp.o libsmb/ntlmssp_parse.o libsmb/ntlmssp_sign.o
LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
libsmb/clikrb5.o libsmb/clispnego.o libsmb/asn1.o \
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 04b587343a..ebb1e3d861 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -3,7 +3,7 @@
Password and authentication handling
Copyright (C) Andrew Tridgell 1992-2000
Copyright (C) Luke Kenneth Casson Leighton 1996-2000
- Copyright (C) Andrew Bartlett 2001
+ Copyright (C) Andrew Bartlett 2001-2003
Copyright (C) Gerald Carter 2003
This program is free software; you can redistribute it and/or modify
@@ -27,350 +27,6 @@
#define DBGC_CLASS DBGC_AUTH
/****************************************************************************
- Core of smb password checking routine.
-****************************************************************************/
-
-static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
- const uchar *part_passwd,
- const DATA_BLOB *sec_blob,
- DATA_BLOB *user_sess_key)
-{
- /* Finish the encryption of part_passwd. */
- uchar p24[24];
-
- if (part_passwd == NULL) {
- DEBUG(10,("No password set - DISALLOWING access\n"));
- /* No password set - always false ! */
- return False;
- }
-
- if (sec_blob->length != 8) {
- DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", (unsigned long)sec_blob->length));
- return False;
- }
-
- if (nt_response->length != 24) {
- DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", (unsigned long)nt_response->length));
- return False;
- }
-
- SMBOWFencrypt(part_passwd, sec_blob->data, p24);
- if (user_sess_key != NULL) {
- *user_sess_key = data_blob(NULL, 16);
- SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
- }
-
-
-
-#if DEBUG_PASSWORD
- DEBUG(100,("Part password (P16) was |\n"));
- dump_data(100, part_passwd, 16);
- DEBUGADD(100,("Password from client was |\n"));
- dump_data(100, nt_response->data, nt_response->length);
- DEBUGADD(100,("Given challenge was |\n"));
- dump_data(100, sec_blob->data, sec_blob->length);
- DEBUGADD(100,("Value from encryption was |\n"));
- dump_data(100, p24, 24);
-#endif
- return (memcmp(p24, nt_response->data, 24) == 0);
-}
-
-/****************************************************************************
- Core of smb password checking routine. (NTLMv2, LMv2)
- Note: The same code works with both NTLMv2 and LMv2.
-****************************************************************************/
-
-static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
- const uchar *part_passwd,
- const DATA_BLOB *sec_blob,
- const char *user, const char *domain,
- DATA_BLOB *user_sess_key)
-{
- /* Finish the encryption of part_passwd. */
- uchar kr[16];
- uchar value_from_encryption[16];
- uchar client_response[16];
- DATA_BLOB client_key_data;
-
- if (part_passwd == NULL) {
- DEBUG(10,("No password set - DISALLOWING access\n"));
- /* No password set - always False */
- return False;
- }
-
- if (ntv2_response->length < 24) {
- /* We MUST have more than 16 bytes, or the stuff below will go
- crazy. No known implementation sends less than the 24 bytes
- for LMv2, let alone NTLMv2. */
- DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n",
- (unsigned long)ntv2_response->length));
- return False;
- }
-
- client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
- /*
- todo: should we be checking this for anything? We can't for LMv2,
- but for NTLMv2 it is meant to contain the current time etc.
- */
-
- memcpy(client_response, ntv2_response->data, sizeof(client_response));
-
- if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
- return False;
- }
-
- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
- if (user_sess_key != NULL) {
- *user_sess_key = data_blob(NULL, 16);
- SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
- }
-
-#if DEBUG_PASSWORD
- DEBUG(100,("Part password (P16) was |\n"));
- dump_data(100, part_passwd, 16);
- DEBUGADD(100,("Password from client was |\n"));
- dump_data(100, ntv2_response->data, ntv2_response->length);
- DEBUGADD(100,("Variable data from client was |\n"));
- dump_data(100, client_key_data.data, client_key_data.length);
- DEBUGADD(100,("Given challenge was |\n"));
- dump_data(100, sec_blob->data, sec_blob->length);
- DEBUGADD(100,("Value from encryption was |\n"));
- dump_data(100, value_from_encryption, 16);
-#endif
- data_blob_clear_free(&client_key_data);
- return (memcmp(value_from_encryption, client_response, 16) == 0);
-}
-
-/**
- * Check a challenge-response password against the value of the NT or
- * LM password hash.
- *
- * @param mem_ctx talloc context
- * @param challenge 8-byte challenge. If all zero, forces plaintext comparison
- * @param nt_response 'unicode' NT response to the challenge, or unicode password
- * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
- * @param username internal Samba username, for log messages
- * @param client_username username the client used
- * @param client_domain domain name the client used (may be mapped)
- * @param nt_pw MD4 unicode password from our passdb or similar
- * @param lm_pw LANMAN ASCII password from our passdb or similar
- * @param user_sess_key User session key
- * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
- */
-
-static NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- const DATA_BLOB *challenge,
- const DATA_BLOB *lm_response,
- const DATA_BLOB *nt_response,
- const char *username,
- const char *client_username,
- const char *client_domain,
- const uint8 *lm_pw, const uint8 *nt_pw,
- DATA_BLOB *user_sess_key,
- DATA_BLOB *lm_sess_key)
-{
- static const unsigned char zeros[8];
- if (nt_pw == NULL) {
- DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n",
- username));
- }
-
- /* Check for cleartext netlogon. Used by Exchange 5.5. */
- if (challenge->length == sizeof(zeros) &&
- (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
-
- DEBUG(4,("sam_password_ok: checking plaintext passwords for user %s\n",
- username));
- if (nt_pw && nt_response->length) {
- unsigned char pwhash[16];
- mdfour(pwhash, nt_response->data, nt_response->length);
- if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("sam_password_ok: NT (Unicode) plaintext password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- } else if (!lp_lanman_auth()) {
- DEBUG(3,("sam_password_ok: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
- username));
-
- } else if (lm_pw && lm_response->length) {
- uchar dospwd[14];
- uchar p16[16];
- ZERO_STRUCT(dospwd);
-
- DEBUG(100, ("DOS password: %s\n"));
- memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
- /* Only the fisrt 14 chars are considered, password need not be null terminated. */
- E_P16((const unsigned char *)dospwd, p16);
-
- dump_data_pw("DOS password (first buffer)\n", dospwd, 14);
- dump_data_pw("DOS password (wire DES hash)\n", p16, 16);
- dump_data_pw("DOS password (passdb DES hash)\n", lm_pw, 16);
- if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("sam_password_ok: LANMAN (ASCII) plaintext password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- } else {
- DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- }
-
- if (nt_response->length != 0 && nt_response->length < 24) {
- DEBUG(2,("sam_password_ok: invalid NT password length (%lu) for user %s\n",
- (unsigned long)nt_response->length, username));
- }
-
- if (nt_response->length >= 24 && nt_pw) {
- if (nt_response->length > 24) {
- /* We have the NT MD4 hash challenge available - see if we can
- use it (ie. does it exist in the smbpasswd file).
- */
- DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", client_domain));
- if (smb_pwd_check_ntlmv2( nt_response,
- nt_pw, challenge,
- client_username,
- client_domain,
- user_sess_key)) {
- return NT_STATUS_OK;
- }
-
- DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
- if (smb_pwd_check_ntlmv2( nt_response,
- nt_pw, challenge,
- client_username,
- "",
- user_sess_key)) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
- return NT_STATUS_WRONG_PASSWORD;
- }
- }
-
- if (lp_ntlm_auth()) {
- /* We have the NT MD4 hash challenge available - see if we can
- use it (ie. does it exist in the smbpasswd file).
- */
- DEBUG(4,("sam_password_ok: Checking NT MD4 password\n"));
- if (smb_pwd_check_ntlmv1(nt_response,
- nt_pw, challenge,
- user_sess_key)) {
- /* The LM session key for this response is not very secure,
- so use it only if we otherwise allow LM authentication */
-
- if (lp_lanman_auth() && lm_pw) {
- uint8 first_8_lm_hash[16];
- memcpy(first_8_lm_hash, lm_pw, 8);
- memset(first_8_lm_hash + 8, '\0', 8);
- *lm_sess_key = data_blob(first_8_lm_hash, 16);
- }
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- } else {
- DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",
- username));
- /* no return, becouse we might pick up LMv2 in the LM field */
- }
- }
-
- if (lm_response->length == 0) {
- DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (lm_response->length < 24) {
- DEBUG(2,("sam_password_ok: invalid LanMan password length (%lu) for user %s\n",
- (unsigned long)nt_response->length, username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (!lp_lanman_auth()) {
- DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",
- username));
- } else if (!lm_pw) {
- DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",
- username));
- } else {
- DEBUG(4,("sam_password_ok: Checking LM password\n"));
- if (smb_pwd_check_ntlmv1(lm_response,
- lm_pw, challenge,
- NULL)) {
- uint8 first_8_lm_hash[16];
- memcpy(first_8_lm_hash, lm_pw, 8);
- memset(first_8_lm_hash + 8, '\0', 8);
- *user_sess_key = data_blob(first_8_lm_hash, 16);
- *lm_sess_key = data_blob(first_8_lm_hash, 16);
- return NT_STATUS_OK;
- }
- }
-
- if (!nt_pw) {
- DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
- - related to Win9X, legacy NAS pass-though authentication
- */
- DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", client_domain));
- if (smb_pwd_check_ntlmv2( lm_response,
- nt_pw, challenge,
- client_username,
- client_domain,
- NULL)) {
- return NT_STATUS_OK;
- }
-
- DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
- if (smb_pwd_check_ntlmv2( lm_response,
- nt_pw, challenge,
- client_username,
- "",
- NULL)) {
- return NT_STATUS_OK;
- }
-
- /* Apparently NT accepts NT responses in the LM field
- - I think this is related to Win9X pass-though authentication
- */
- DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
- if (lp_ntlm_auth()) {
- if (smb_pwd_check_ntlmv1(lm_response,
- nt_pw, challenge,
- NULL)) {
- /* The session key for this response is still very odd.
- It not very secure, so use it only if we otherwise
- allow LM authentication */
-
- if (lp_lanman_auth() && lm_pw) {
- uint8 first_8_lm_hash[16];
- memcpy(first_8_lm_hash, lm_pw, 8);
- memset(first_8_lm_hash + 8, '\0', 8);
- *user_sess_key = data_blob(first_8_lm_hash, 16);
- *lm_sess_key = data_blob(first_8_lm_hash, 16);
- }
- return NT_STATUS_OK;
- }
- DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
- } else {
- DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
- }
- return NT_STATUS_WRONG_PASSWORD;
-}
-
-/****************************************************************************
Do a specific test for an smb password being correct, given a smb_password and
the lanman and NT responses.
****************************************************************************/
diff --git a/source3/libsmb/ntlm_check.c b/source3/libsmb/ntlm_check.c
new file mode 100644
index 0000000000..362b640f91
--- /dev/null
+++ b/source3/libsmb/ntlm_check.c
@@ -0,0 +1,377 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Andrew Tridgell 1992-2000
+ Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+ Copyright (C) Andrew Bartlett 2001-2003
+ Copyright (C) Gerald Carter 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
+/****************************************************************************
+ Core of smb password checking routine.
+****************************************************************************/
+
+static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
+ const uchar *part_passwd,
+ const DATA_BLOB *sec_blob,
+ DATA_BLOB *user_sess_key)
+{
+ /* Finish the encryption of part_passwd. */
+ uchar p24[24];
+
+ if (part_passwd == NULL) {
+ DEBUG(10,("No password set - DISALLOWING access\n"));
+ /* No password set - always false ! */
+ return False;
+ }
+
+ if (sec_blob->length != 8) {
+ DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n",
+ (unsigned long)sec_blob->length));
+ return False;
+ }
+
+ if (nt_response->length != 24) {
+ DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n",
+ (unsigned long)nt_response->length));
+ return False;
+ }
+
+ SMBOWFencrypt(part_passwd, sec_blob->data, p24);
+ if (user_sess_key != NULL) {
+ *user_sess_key = data_blob(NULL, 16);
+ SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
+ }
+
+
+#if DEBUG_PASSWORD
+ DEBUG(100,("Part password (P16) was |\n"));
+ dump_data(100, part_passwd, 16);
+ DEBUGADD(100,("Password from client was |\n"));
+ dump_data(100, nt_response->data, nt_response->length);
+ DEBUGADD(100,("Given challenge was |\n"));
+ dump_data(100, sec_blob->data, sec_blob->length);
+ DEBUGADD(100,("Value from encryption was |\n"));
+ dump_data(100, p24, 24);
+#endif
+ return (memcmp(p24, nt_response->data, 24) == 0);
+}
+
+/****************************************************************************
+ Core of smb password checking routine. (NTLMv2, LMv2)
+ Note: The same code works with both NTLMv2 and LMv2.
+****************************************************************************/
+
+static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
+ const uchar *part_passwd,
+ const DATA_BLOB *sec_blob,
+ const char *user, const char *domain,
+ DATA_BLOB *user_sess_key)
+{
+ /* Finish the encryption of part_passwd. */
+ uchar kr[16];
+ uchar value_from_encryption[16];
+ uchar client_response[16];
+ DATA_BLOB client_key_data;
+
+ if (part_passwd == NULL) {
+ DEBUG(10,("No password set - DISALLOWING access\n"));
+ /* No password set - always False */
+ return False;
+ }
+
+ if (sec_blob->length != 8) {
+ DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n",
+ (unsigned long)sec_blob->length));
+ return False;
+ }
+
+ if (ntv2_response->length < 24) {
+ /* We MUST have more than 16 bytes, or the stuff below will go
+ crazy. No known implementation sends less than the 24 bytes
+ for LMv2, let alone NTLMv2. */
+ DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n",
+ (unsigned long)ntv2_response->length));
+ return False;
+ }
+
+ client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
+ /*
+ todo: should we be checking this for anything? We can't for LMv2,
+ but for NTLMv2 it is meant to contain the current time etc.
+ */
+
+ memcpy(client_response, ntv2_response->data, sizeof(client_response));
+
+ if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
+ return False;
+ }
+
+ SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
+ if (user_sess_key != NULL) {
+ *user_sess_key = data_blob(NULL, 16);
+ SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
+ }
+
+#if DEBUG_PASSWORD
+ DEBUG(100,("Part password (P16) was |\n"));
+ dump_data(100, part_passwd, 16);
+ DEBUGADD(100,("Password from client was |\n"));
+ dump_data(100, ntv2_response->data, ntv2_response->length);
+ DEBUGADD(100,("Variable data from client was |\n"));
+ dump_data(100, client_key_data.data, client_key_data.length);
+ DEBUGADD(100,("Given challenge was |\n"));
+ dump_data(100, sec_blob->data, sec_blob->length);
+ DEBUGADD(100,("Value from encryption was |\n"));
+ dump_data(100, value_from_encryption, 16);
+#endif
+ data_blob_clear_free(&client_key_data);
+ return (memcmp(value_from_encryption, client_response, 16) == 0);
+}
+
+/**
+ * Check a challenge-response password against the value of the NT or
+ * LM password hash.
+ *
+ * @param mem_ctx talloc context
+ * @param challenge 8-byte challenge. If all zero, forces plaintext comparison
+ * @param nt_response 'unicode' NT response to the challenge, or unicode password
+ * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
+ * @param username internal Samba username, for log messages
+ * @param client_username username the client used
+ * @param client_domain domain name the client used (may be mapped)
+ * @param nt_pw MD4 unicode password from our passdb or similar
+ * @param lm_pw LANMAN ASCII password from our passdb or similar
+ * @param user_sess_key User session key
+ * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
+ */
+
+NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ const DATA_BLOB *challenge,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *nt_response,
+ const char *username,
+ const char *client_username,
+ const char *client_domain,
+ const uint8 *lm_pw, const uint8 *nt_pw,
+ DATA_BLOB *user_sess_key,
+ DATA_BLOB *lm_sess_key)
+{
+ static const unsigned char zeros[8];
+ if (nt_pw == NULL) {
+ DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ username));
+ }
+
+ /* Check for cleartext netlogon. Used by Exchange 5.5. */
+ if (challenge->length == sizeof(zeros) &&
+ (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+
+ DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
+ username));
+ if (nt_pw && nt_response->length) {
+ unsigned char pwhash[16];
+ mdfour(pwhash, nt_response->data, nt_response->length);
+ if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
+ return NT_STATUS_OK;
+ } else {
+ DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n",
+ username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ } else if (!lp_lanman_auth()) {
+ DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
+ username));
+
+ } else if (lm_pw && lm_response->length) {
+ uchar dospwd[14];
+ uchar p16[16];
+ ZERO_STRUCT(dospwd);
+
+ memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
+ /* Only the fisrt 14 chars are considered, password need not be null terminated. */
+
+ /* we *might* need to upper-case the string here */
+ E_P16((const unsigned char *)dospwd, p16);
+
+ if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
+ return NT_STATUS_OK;
+ } else {
+ DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n",
+ username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ } else {
+ DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
+ if (nt_response->length != 0 && nt_response->length < 24) {
+ DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n",
+ (unsigned long)nt_response->length, username));
+ }
+
+ if (nt_response->length >= 24 && nt_pw) {
+ if (nt_response->length > 24) {
+ /* We have the NT MD4 hash challenge available - see if we can
+ use it (ie. does it exist in the smbpasswd file).
+ */
+ DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
+ if (smb_pwd_check_ntlmv2( nt_response,
+ nt_pw, challenge,
+ client_username,
+ client_domain,
+ user_sess_key)) {
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
+ if (smb_pwd_check_ntlmv2( nt_response,
+ nt_pw, challenge,
+ client_username,
+ "",
+ user_sess_key)) {
+ return NT_STATUS_OK;
+ } else {
+ DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
+ if (lp_ntlm_auth()) {
+ /* We have the NT MD4 hash challenge available - see if we can
+ use it (ie. does it exist in the smbpasswd file).
+ */
+ DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
+ if (smb_pwd_check_ntlmv1(nt_response,
+ nt_pw, challenge,
+ user_sess_key)) {
+ /* The LM session key for this response is not very secure,
+ so use it only if we otherwise allow LM authentication */
+
+ if (lp_lanman_auth() && lm_pw) {
+ uint8 first_8_lm_hash[16];
+ memcpy(first_8_lm_hash, lm_pw, 8);
+ memset(first_8_lm_hash + 8, '\0', 8);
+ *lm_sess_key = data_blob(first_8_lm_hash, 16);
+ }
+ return NT_STATUS_OK;
+ } else {
+ DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
+ username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ } else {
+ DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
+ username));
+ /* no return, becouse we might pick up LMv2 in the LM field */
+ }
+ }
+
+ if (lm_response->length == 0) {
+ DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
+ username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ if (lm_response->length < 24) {
+ DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n",
+ (unsigned long)nt_response->length, username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ if (!lp_lanman_auth()) {
+ DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
+ username));
+ } else if (!lm_pw) {
+ DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
+ username));
+ } else {
+ DEBUG(4,("ntlm_password_check: Checking LM password\n"));
+ if (smb_pwd_check_ntlmv1(lm_response,
+ lm_pw, challenge,
+ NULL)) {
+ uint8 first_8_lm_hash[16];
+ memcpy(first_8_lm_hash, lm_pw, 8);
+ memset(first_8_lm_hash + 8, '\0', 8);
+ *user_sess_key = data_blob(first_8_lm_hash, 16);
+ *lm_sess_key = data_blob(first_8_lm_hash, 16);
+ return NT_STATUS_OK;
+ }
+ }
+
+ if (!nt_pw) {
+ DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
+ - related to Win9X, legacy NAS pass-though authentication
+ */
+ DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
+ if (smb_pwd_check_ntlmv2( lm_response,
+ nt_pw, challenge,
+ client_username,
+ client_domain,
+ NULL)) {
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
+ if (smb_pwd_check_ntlmv2( lm_response,
+ nt_pw, challenge,
+ client_username,
+ "",
+ NULL)) {
+ return NT_STATUS_OK;
+ }
+
+ /* Apparently NT accepts NT responses in the LM field
+ - I think this is related to Win9X pass-though authentication
+ */
+ DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
+ if (lp_ntlm_auth()) {
+ if (smb_pwd_check_ntlmv1(lm_response,
+ nt_pw, challenge,
+ NULL)) {
+ /* The session key for this response is still very odd.
+ It not very secure, so use it only if we otherwise
+ allow LM authentication */
+
+ if (lp_lanman_auth() && lm_pw) {
+ uint8 first_8_lm_hash[16];
+ memcpy(first_8_lm_hash, lm_pw, 8);
+ memset(first_8_lm_hash + 8, '\0', 8);
+ *user_sess_key = data_blob(first_8_lm_hash, 16);
+ *lm_sess_key = data_blob(first_8_lm_hash, 16);
+ }
+ return NT_STATUS_OK;
+ }
+ DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
+ } else {
+ DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
+ }
+ return NT_STATUS_WRONG_PASSWORD;
+}
+
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index e33f4c4dee..8c02b2741a 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -24,6 +24,8 @@
#include "includes.h"
+#undef HAVE_KRB5
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -33,6 +35,7 @@ enum stdio_helper_mode {
SQUID_2_4_BASIC,
SQUID_2_5_BASIC,
SQUID_2_5_NTLMSSP,
+ CLIENT_NTLMSSP_1,
GSS_SPNEGO,
GSS_SPNEGO_CLIENT,
NUM_HELPER_MODES
@@ -55,6 +58,9 @@ static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode
static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
char *buf, int length);
+static void manage_client_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
+ char *buf, int length);
+
static void manage_gss_spnego_request (enum stdio_helper_mode stdio_helper_mode,
char *buf, int length);
@@ -69,6 +75,7 @@ static const struct {
{ SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
{ SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
{ SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
+ { CLIENT_NTLMSSP_1, "client-ntlmssp-1", manage_client_ntlmssp_request},
{ GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
{ GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
{ NUM_HELPER_MODES, NULL, NULL}
@@ -335,6 +342,112 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB
return nt_status;
}
+static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key)
+{
+ static const char zeros[16];
+ NTSTATUS nt_status;
+ uint8 lm_key[8];
+ uint8 nt_key[16];
+ uint8 lm_pw[16], nt_pw[16];
+
+ nt_lm_owf_gen (opt_password, nt_pw, lm_pw);
+
+ nt_status = ntlm_password_check(ntlmssp_state->mem_ctx,
+ &ntlmssp_state->chal,
+ &ntlmssp_state->lm_resp,
+ &ntlmssp_state->nt_resp,
+ ntlmssp_state->user,
+ ntlmssp_state->user,
+ ntlmssp_state->domain,
+ lm_pw, nt_pw, nt_session_key, lm_session_key);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ if (memcmp(lm_key, zeros, 8) != 0) {
+ *lm_session_key = data_blob(NULL, 16);
+ memcpy(lm_session_key->data, lm_key, 8);
+ memset(lm_session_key->data+8, '\0', 8);
+ }
+
+ if (memcmp(nt_key, zeros, 16) != 0) {
+ *nt_session_key = data_blob(nt_key, 16);
+ }
+ } else {
+ DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
+ ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation,
+ nt_errstr(nt_status)));
+ }
+ return nt_status;
+}
+
+static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_state)
+{
+ NTSTATUS status;
+ if ( (opt_username == NULL) || (opt_domain == NULL) ) {
+ DEBUG(1, ("Need username and domain for NTLMSSP\n"));
+ return status;
+ }
+
+ status = ntlmssp_client_start(client_ntlmssp_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not start NTLMSSP client: %s\n",
+ nt_errstr(status)));
+ ntlmssp_end(client_ntlmssp_state);
+ return status;
+ }
+
+ status = ntlmssp_set_username(*client_ntlmssp_state, opt_username);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not set username: %s\n",
+ nt_errstr(status)));
+ ntlmssp_end(client_ntlmssp_state);
+ return status;
+ }
+
+ status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not set domain: %s\n",
+ nt_errstr(status)));
+ ntlmssp_end(client_ntlmssp_state);
+ return status;
+ }
+
+ status = ntlmssp_set_password(*client_ntlmssp_state, opt_password);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not set password: %s\n",
+ nt_errstr(status)));
+ ntlmssp_end(client_ntlmssp_state);
+ return status;
+ }
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS ntlm_auth_start_ntlmssp_server(NTLMSSP_STATE **ntlmssp_state)
+{
+ NTSTATUS status = ntlmssp_server_start(ntlmssp_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not start NTLMSSP client: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ /* Have we been given a local password, or should we ask winbind? */
+ if (opt_password) {
+ (*ntlmssp_state)->check_password = local_pw_check;
+ (*ntlmssp_state)->get_domain = lp_workgroup;
+ (*ntlmssp_state)->get_global_myname = global_myname;
+ } else {
+ (*ntlmssp_state)->check_password = winbind_pw_check;
+ (*ntlmssp_state)->get_domain = get_winbind_domain;
+ (*ntlmssp_state)->get_global_myname = get_winbind_netbios_name;
+ }
+ return NT_STATUS_OK;
+}
+
static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length)
{
@@ -348,6 +461,29 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
return;
}
+ if (strlen(buf) > 3) {
+ request = base64_decode_data_blob(buf + 3);
+ } else {
+ request = data_blob(NULL, 0);
+ }
+
+ if ((strncmp(buf, "PW ", 3) == 0)) {
+ /* The calling application wants us to use a local password (rather than winbindd) */
+
+ opt_password = strndup((const char *)request.data, request.length);
+
+ if (opt_password == NULL) {
+ DEBUG(1, ("Out of memory\n"));
+ x_fprintf(x_stdout, "BH\n");
+ data_blob_free(&request);
+ return;
+ }
+
+ x_fprintf(x_stdout, "OK\n");
+ data_blob_free(&request);
+ return;
+ }
+
if (strncmp(buf, "YR", 2) == 0) {
if (ntlmssp_state)
ntlmssp_end(&ntlmssp_state);
@@ -359,17 +495,11 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
return;
}
- if (strlen(buf) > 3) {
- request = base64_decode_data_blob(buf + 3);
- } else {
- request = data_blob(NULL, 0);
- }
-
if (!ntlmssp_state) {
- ntlmssp_server_start(&ntlmssp_state);
- ntlmssp_state->check_password = winbind_pw_check;
- ntlmssp_state->get_domain = get_winbind_domain;
- ntlmssp_state->get_global_myname = get_winbind_netbios_name;
+ if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
+ x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+ return;
+ }
}
DEBUG(10, ("got NTLMSSP packet:\n"));
@@ -386,6 +516,8 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
+
+ ntlmssp_end(&ntlmssp_state);
} else if (!NT_STATUS_IS_OK(nt_status)) {
x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
@@ -397,6 +529,102 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
data_blob_free(&request);
}
+static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode,
+ char *buf, int length)
+{
+ static NTLMSSP_STATE *ntlmssp_state = NULL;
+ DATA_BLOB request, reply;
+ NTSTATUS nt_status;
+ BOOL first = False;
+
+ if (strlen(buf) < 2) {
+ DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
+ x_fprintf(x_stdout, "BH\n");
+ return;
+ }
+
+ if (strlen(buf) > 3) {
+ request = base64_decode_data_blob(buf + 3);
+ } else {
+ request = data_blob(NULL, 0);
+ }
+
+ if (strncmp(buf, "PW ", 3) == 0) {
+ /* We asked for a password and obviously got it :-) */
+
+ opt_password = strndup((const char *)request.data, request.length);
+
+ if (opt_password == NULL) {
+ DEBUG(1, ("Out of memory\n"));
+ x_fprintf(x_stdout, "BH\n");
+ data_blob_free(&request);
+ return;
+ }
+
+ x_fprintf(x_stdout, "OK\n");
+ data_blob_free(&request);
+ return;
+ }
+
+ if (opt_password == NULL) {
+
+ /* Request a password from the calling process. After
+ sending it, the calling process should retry asking for the negotiate. */
+
+ DEBUG(10, ("Requesting password\n"));
+ x_fprintf(x_stdout, "PW\n");
+ return;
+ }
+
+ if (strncmp(buf, "YR", 2) == 0) {
+ if (ntlmssp_state)
+ ntlmssp_end(&ntlmssp_state);
+ } else if (strncmp(buf, "TT", 2) == 0) {
+
+ } else {
+ DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
+ x_fprintf(x_stdout, "BH\n");
+ return;
+ }
+
+ if (!ntlmssp_state) {
+ if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) {
+ x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+ return;
+ }
+ first = True;
+ }
+
+ DEBUG(10, ("got NTLMSSP packet:\n"));
+ dump_data(10, (const char *)request.data, request.length);
+
+ nt_status = ntlmssp_update(ntlmssp_state, request, &reply);
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ char *reply_base64 = base64_encode_data_blob(reply);
+ if (first) {
+ x_fprintf(x_stdout, "YR %s\n", reply_base64);
+ } else {
+ x_fprintf(x_stdout, "KK %s\n", reply_base64);
+ }
+ SAFE_FREE(reply_base64);
+ data_blob_free(&reply);
+ DEBUG(10, ("NTLMSSP challenge\n"));
+ } else if (NT_STATUS_IS_OK(nt_status)) {
+ x_fprintf(x_stdout, "AF\n");
+ DEBUG(10, ("NTLMSSP OK!\n"));
+ if (ntlmssp_state)
+ ntlmssp_end(&ntlmssp_state);
+ } else {
+ x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+ DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
+ if (ntlmssp_state)
+ ntlmssp_end(&ntlmssp_state);
+ }
+
+ data_blob_free(&request);
+}
+
static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length)
{
@@ -561,10 +789,10 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
return;
}
- ntlmssp_server_start(&ntlmssp_state);
- ntlmssp_state->check_password = winbind_pw_check;
- ntlmssp_state->get_domain = get_winbind_domain;
- ntlmssp_state->get_global_myname = get_winbind_netbios_name;
+ if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
+ x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
+ return;
+ }
DEBUG(10, ("got NTLMSSP packet:\n"));
dump_data(10, (const char *)request.negTokenInit.mechToken.data,
@@ -720,11 +948,14 @@ static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
return False;
}
- if ( (opt_username == NULL) || (opt_domain == NULL) ) {
- DEBUG(1, ("Need username and domain for NTLMSSP\n"));
- return False;
+ if (!client_ntlmssp_state) {
+ if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) {
+ x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
+ return False;
+ }
}
+
if (opt_password == NULL) {
/* Request a password from the calling process. After
@@ -736,42 +967,6 @@ static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
return True;
}
- status = ntlmssp_client_start(&client_ntlmssp_state);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not start NTLMSSP client: %s\n",
- nt_errstr(status)));
- ntlmssp_end(&client_ntlmssp_state);
- return False;
- }
-
- status = ntlmssp_set_username(client_ntlmssp_state, opt_username);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set username: %s\n",
- nt_errstr(status)));
- ntlmssp_end(&client_ntlmssp_state);
- return False;
- }
-
- status = ntlmssp_set_domain(client_ntlmssp_state, opt_domain);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set domain: %s\n",
- nt_errstr(status)));
- ntlmssp_end(&client_ntlmssp_state);
- return False;
- }
-
- status = ntlmssp_set_password(client_ntlmssp_state, opt_password);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set password: %s\n",
- nt_errstr(status)));
- ntlmssp_end(&client_ntlmssp_state);
- return False;
- }
-
spnego.type = SPNEGO_NEG_TOKEN_INIT;
spnego.negTokenInit.mechTypes = my_mechs;
spnego.negTokenInit.reqFlags = 0;
@@ -1915,7 +2110,12 @@ enum {
exit(0);
}
}
- x_fprintf(x_stderr, "unknown helper protocol [%s]\n", helper_protocol);
+ x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
+
+ for (i=0; i<NUM_HELPER_MODES; i++) {
+ x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
+ }
+
exit(1);
}