Move libcli/auth to the top level

author: Andrew Bartlett <abartlet@samba.org> 2009-03-16 13:26:38 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2009-04-14 14:19:39 +1000
commit: 927a8b330435b4c959ad851e32b83d97a6e3001b (patch)
tree: d8132fa21f60ae83ed7e19d6b07a8345071ed271 /source4/libcli
parent: 786447dea021f97a44582009bf33e28d972dacb4 (diff)
download: samba-927a8b330435b4c959ad851e32b83d97a6e3001b.tar.gz
samba-927a8b330435b4c959ad851e32b83d97a6e3001b.tar.bz2
samba-927a8b330435b4c959ad851e32b83d97a6e3001b.zip
8 files changed, 0 insertions, 1657 deletions
diff --git a/source4/libcli/auth/config.mk b/source4/libcli/auth/config.mk
deleted file mode 100644
index 498c2af258..0000000000
--- a/source4/libcli/auth/config.mk
+++ /dev/null
@@ -1,17 +0,0 @@
-#################################
-# Start SUBSYSTEM LIBCLI_AUTH
-[SUBSYSTEM::LIBCLI_AUTH]
-PUBLIC_DEPENDENCIES = \
-		MSRPC_PARSE \
-		LIBSAMBA-HOSTCONFIG
-# End SUBSYSTEM LIBCLI_AUTH
-#################################
-
-LIBCLI_AUTH_OBJ_FILES = $(addprefix $(libclisrcdir)/auth/, \
-		credentials.o \
-		session.o \
-		smbencrypt.o \
-		smbdes.o)
-
-PUBLIC_HEADERS += $(libclisrcdir)/auth/credentials.h
-$(eval $(call proto_header_template,$(libclisrcdir)/auth/proto.h,$(LIBCLI_AUTH_OBJ_FILES:.o=.c)))
diff --git a/source4/libcli/auth/credentials.c b/source4/libcli/auth/credentials.c
deleted file mode 100644
index 3c77b0836d..0000000000
--- a/source4/libcli/auth/credentials.c
+++ /dev/null
@@ -1,375 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   code to manipulate domain credentials
-
-   Copyright (C) Andrew Tridgell 1997-2003
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/time.h"
-#include "auth/auth.h"
-#include "../lib/crypto/crypto.h"
-#include "libcli/auth/libcli_auth.h"
-
-/*
-  initialise the credentials state for old-style 64 bit session keys
-
-  this call is made after the netr_ServerReqChallenge call
-*/
-static void creds_init_64bit(struct creds_CredentialState *creds,
-			     const struct netr_Credential *client_challenge,
-			     const struct netr_Credential *server_challenge,
-			     const struct samr_Password *machine_password)
-{
-	uint32_t sum[2];
-	uint8_t sum2[8];
-
-	sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
-	sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
-
-	SIVAL(sum2,0,sum[0]);
-	SIVAL(sum2,4,sum[1]);
-
-	ZERO_STRUCT(creds->session_key);
-
-	des_crypt128(creds->session_key, sum2, machine_password->hash);
-
-	des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
-	des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
-
-	creds->seed = creds->client;
-}
-
-/*
-  initialise the credentials state for ADS-style 128 bit session keys
-
-  this call is made after the netr_ServerReqChallenge call
-*/
-static void creds_init_128bit(struct creds_CredentialState *creds,
-			      const struct netr_Credential *client_challenge,
-			      const struct netr_Credential *server_challenge,
-			      const struct samr_Password *machine_password)
-{
-	unsigned char zero[4], tmp[16];
-	HMACMD5Context ctx;
-	struct MD5Context md5;
-
-	ZERO_STRUCT(creds->session_key);
-
-	memset(zero, 0, sizeof(zero));
-
-	hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);	
-	MD5Init(&md5);
-	MD5Update(&md5, zero, sizeof(zero));
-	MD5Update(&md5, client_challenge->data, 8);
-	MD5Update(&md5, server_challenge->data, 8);
-	MD5Final(tmp, &md5);
-	hmac_md5_update(tmp, sizeof(tmp), &ctx);
-	hmac_md5_final(creds->session_key, &ctx);
-
-	creds->client = *client_challenge;
-	creds->server = *server_challenge;
-
-	des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
-	des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
-
-	creds->seed = creds->client;
-}
-
-
-/*
-  step the credentials to the next element in the chain, updating the
-  current client and server credentials and the seed
-*/
-static void creds_step(struct creds_CredentialState *creds)
-{
-	struct netr_Credential time_cred;
-
-	DEBUG(5,("\tseed        %08x:%08x\n", 
-		 IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
-
-	SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
-	SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
-
-	DEBUG(5,("\tseed+time   %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
-
-	des_crypt112(creds->client.data, time_cred.data, creds->session_key, 1);
-
-	DEBUG(5,("\tCLIENT      %08x:%08x\n", 
-		 IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
-
-	SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
-	SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
-
-	DEBUG(5,("\tseed+time+1 %08x:%08x\n", 
-		 IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
-
-	des_crypt112(creds->server.data, time_cred.data, creds->session_key, 1);
-
-	DEBUG(5,("\tSERVER      %08x:%08x\n", 
-		 IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
-
-	creds->seed = time_cred;
-}
-
-
-/*
-  DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
-*/
-void creds_des_encrypt_LMKey(struct creds_CredentialState *creds, struct netr_LMSessionKey *key)
-{
-	struct netr_LMSessionKey tmp;
-	des_crypt56(tmp.key, key->key, creds->session_key, 1);
-	*key = tmp;
-}
-
-/*
-  DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
-*/
-void creds_des_decrypt_LMKey(struct creds_CredentialState *creds, struct netr_LMSessionKey *key)
-{
-	struct netr_LMSessionKey tmp;
-	des_crypt56(tmp.key, key->key, creds->session_key, 0);
-	*key = tmp;
-}
-
-/*
-  DES encrypt a 16 byte password buffer using the session key
-*/
-void creds_des_encrypt(struct creds_CredentialState *creds, struct samr_Password *pass)
-{
-	struct samr_Password tmp;
-	des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
-	*pass = tmp;
-}
-
-/*
-  DES decrypt a 16 byte password buffer using the session key
-*/
-void creds_des_decrypt(struct creds_CredentialState *creds, struct samr_Password *pass)
-{
-	struct samr_Password tmp;
-	des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
-	*pass = tmp;
-}
-
-/*
-  ARCFOUR encrypt/decrypt a password buffer using the session key
-*/
-void creds_arcfour_crypt(struct creds_CredentialState *creds, uint8_t *data, size_t len)
-{
-	DATA_BLOB session_key = data_blob(creds->session_key, 16);
-
-	arcfour_crypt_blob(data, len, &session_key);
-
-	data_blob_free(&session_key);
-}
-
-/*****************************************************************
-The above functions are common to the client and server interface
-next comes the client specific functions
-******************************************************************/
-
-/*
-  initialise the credentials chain and return the first client
-  credentials
-*/
-void creds_client_init(struct creds_CredentialState *creds,
-		       const struct netr_Credential *client_challenge,
-		       const struct netr_Credential *server_challenge,
-		       const struct samr_Password *machine_password,
-		       struct netr_Credential *initial_credential,
-		       uint32_t negotiate_flags)
-{
-	creds->sequence = time(NULL);
-	creds->negotiate_flags = negotiate_flags;
-
-	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
-	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
-	dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
-
-	if (negotiate_flags & NETLOGON_NEG_128BIT) {
-		creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
-	} else {
-		creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
-	}
-
-	dump_data_pw("Session key", creds->session_key, 16);
-	dump_data_pw("Credential ", creds->client.data, 8);
-
-	*initial_credential = creds->client;
-}
-
-/*
-  step the credentials to the next element in the chain, updating the
-  current client and server credentials and the seed
-
-  produce the next authenticator in the sequence ready to send to 
-  the server
-*/
-void creds_client_authenticator(struct creds_CredentialState *creds,
-				struct netr_Authenticator *next)
-{	
-	creds->sequence += 2;
-	creds_step(creds);
-
-	next->cred = creds->client;
-	next->timestamp = creds->sequence;
-}
-
-/*
-  check that a credentials reply from a server is correct
-*/
-bool creds_client_check(struct creds_CredentialState *creds,
-			const struct netr_Credential *received_credentials)
-{
-	if (!received_credentials || 
-	    memcmp(received_credentials->data, creds->server.data, 8) != 0) {
-		DEBUG(2,("credentials check failed\n"));
-		return false;
-	}
-	return true;
-}
-
-
-/*****************************************************************
-The above functions are common to the client and server interface
-next comes the server specific functions
-******************************************************************/
-
-/*
-  initialise the credentials chain and return the first server
-  credentials
-*/
-void creds_server_init(struct creds_CredentialState *creds,
-		       const struct netr_Credential *client_challenge,
-		       const struct netr_Credential *server_challenge,
-		       const struct samr_Password *machine_password,
-		       struct netr_Credential *initial_credential,
-		       uint32_t negotiate_flags)
-{
-	if (negotiate_flags & NETLOGON_NEG_128BIT) {
-		creds_init_128bit(creds, client_challenge, server_challenge, 
-				  machine_password);
-	} else {
-		creds_init_64bit(creds, client_challenge, server_challenge, 
-				 machine_password);
-	}
-
-	*initial_credential = creds->server;
-	creds->negotiate_flags = negotiate_flags;
-}
-
-/*
-  check that a credentials reply from a server is correct
-*/
-bool creds_server_check(const struct creds_CredentialState *creds,
-			const struct netr_Credential *received_credentials)
-{
-	if (memcmp(received_credentials->data, creds->client.data, 8) != 0) {
-		DEBUG(2,("credentials check failed\n"));
-		dump_data_pw("client creds", creds->client.data, 8);
-		dump_data_pw("calc   creds", received_credentials->data, 8);
-		return false;
-	}
-	return true;
-}
-
-NTSTATUS creds_server_step_check(struct creds_CredentialState *creds,
-				 struct netr_Authenticator *received_authenticator,
-				 struct netr_Authenticator *return_authenticator) 
-{
-	if (!received_authenticator || !return_authenticator) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!creds) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	/* TODO: this may allow the a replay attack on a non-signed
-	   connection. Should we check that this is increasing? */
-	creds->sequence = received_authenticator->timestamp;
-	creds_step(creds);
-	if (creds_server_check(creds, &received_authenticator->cred)) {
-		return_authenticator->cred = creds->server;
-		return_authenticator->timestamp = creds->sequence;
-		return NT_STATUS_OK;
-	} else {
-		ZERO_STRUCTP(return_authenticator);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-}
-
-void creds_decrypt_samlogon(struct creds_CredentialState *creds,
-			    uint16_t validation_level,
-			    union netr_Validation *validation) 
-{
-	static const char zeros[16];
-
-	struct netr_SamBaseInfo *base = NULL;
-	switch (validation_level) {
-	case 2:
-		if (validation->sam2) {
-			base = &validation->sam2->base;
-		}
-		break;
-	case 3:
-		if (validation->sam3) {
-			base = &validation->sam3->base;
-		}
-		break;
-	case 6:
-		if (validation->sam6) {
-			base = &validation->sam6->base;
-		}
-		break;
-	default:
-		/* If we can't find it, we can't very well decrypt it */
-		return;
-	}
-
-	if (!base) {
-		return;
-	}
-
-	/* find and decyrpt the session keys, return in parameters above */
-	if (validation_level == 6) {
-		/* they aren't encrypted! */
-	} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-		if (memcmp(base->key.key, zeros,  
-			   sizeof(base->key.key)) != 0) {
-			creds_arcfour_crypt(creds, 
-					    base->key.key, 
-					    sizeof(base->key.key));
-		}
-			
-		if (memcmp(base->LMSessKey.key, zeros,  
-			   sizeof(base->LMSessKey.key)) != 0) {
-			creds_arcfour_crypt(creds, 
-					    base->LMSessKey.key, 
-					    sizeof(base->LMSessKey.key));
-		}
-	} else {
-		if (memcmp(base->LMSessKey.key, zeros,  
-			   sizeof(base->LMSessKey.key)) != 0) {
-			creds_des_decrypt_LMKey(creds, 
-						&base->LMSessKey);
-		}
-	}
-}	
diff --git a/source4/libcli/auth/credentials.h b/source4/libcli/auth/credentials.h
deleted file mode 100644
index 4e11cb090f..0000000000
--- a/source4/libcli/auth/credentials.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   code to manipulate domain credentials
-
-   Copyright (C) Andrew Tridgell 2004
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "librpc/gen_ndr/netlogon.h"
-
-struct creds_CredentialState {
-	uint32_t negotiate_flags;
-	uint8_t session_key[16];
-	uint32_t sequence;
-	struct netr_Credential seed;
-	struct netr_Credential client;
-	struct netr_Credential server;
-	uint16_t secure_channel_type;
-	const char *domain;
-	const char *computer_name;
-	const char *account_name;
-	struct dom_sid *sid;
-};
-
-/* for the timebeing, use the same neg flags as Samba3. */
-/* The 7 here seems to be required to get Win2k not to downgrade us
-   to NT4.  Actually, anything other than 1ff would seem to do... */
-#define NETLOGON_NEG_AUTH2_FLAGS     0x000701ff
-
-/* these are the flags that ADS clients use */
-#define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
-
-
diff --git a/source4/libcli/auth/libcli_auth.h b/source4/libcli/auth/libcli_auth.h
deleted file mode 100644
index ec1c1e7d98..0000000000
--- a/source4/libcli/auth/libcli_auth.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/* 
-   samba -- Unix SMB/CIFS implementation.
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-#ifndef __LIBCLI_AUTH_H__
-#define __LIBCLI_AUTH_H__
-
-#include "librpc/gen_ndr/netlogon.h"
-#include "libcli/auth/credentials.h"
-#include "libcli/auth/proto.h"
-
-#endif /* __LIBCLI_AUTH_H__ */
diff --git a/source4/libcli/auth/session.c b/source4/libcli/auth/session.c
deleted file mode 100644
index 10c728662d..0000000000
--- a/source4/libcli/auth/session.c
+++ /dev/null
@@ -1,218 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   code to encrypt/decrypt data using the user session key
-
-   Copyright (C) Andrew Tridgell 2004
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "libcli/auth/libcli_auth.h"
-
-/*
-  encrypt or decrypt a blob of data using the user session key
-  as used in lsa_SetSecret
-
-  before calling, the out blob must be initialised to be the same size
-  as the in blob
-*/
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
-		     bool forward)
-{
-	int i, k;
-
-	for (i=0,k=0;
-	     i<in->length;
-	     i += 8, k += 7) {
-		uint8_t bin[8], bout[8], key[7];
-
-		memset(bin, 0, 8);
-		memcpy(bin,  &in->data[i], MIN(8, in->length-i));
-
-		if (k + 7 > session_key->length) {
-			k = (session_key->length - k);
-		}
-		memcpy(key, &session_key->data[k], 7);
-
-		des_crypt56(bout, bin, key, forward?1:0);
-
-		memcpy(&out->data[i], bout, MIN(8, in->length-i));
-	}
-}
-
-
-/*
-  a convenient wrapper around sess_crypt_blob() for strings, using the LSA convention
-
-  note that we round the length to a multiple of 8. This seems to be needed for 
-  compatibility with windows
-
-  caller should free using data_blob_free()
-*/
-DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)
-{
-	DATA_BLOB ret, src;
-	int slen = strlen(str);
-	int dlen = (slen+7) & ~7;
-
-	src = data_blob(NULL, 8+dlen);
-	if (!src.data) {
-		return data_blob(NULL, 0);
-	}
-
-	ret = data_blob(NULL, 8+dlen);
-	if (!ret.data) {
-		data_blob_free(&src);
-		return data_blob(NULL, 0);
-	}
-
-	SIVAL(src.data, 0, slen);
-	SIVAL(src.data, 4, 1);
-	memset(src.data+8, 0,   dlen);
-	memcpy(src.data+8, str, slen);
-
-	sess_crypt_blob(&ret, &src, session_key, true);
-	
-	data_blob_free(&src);
-
-	return ret;
-}
-
-/*
-  a convenient wrapper around sess_crypt_blob() for strings, using the LSA convention
-
-  caller should free the returned string
-*/
-char *sess_decrypt_string(TALLOC_CTX *mem_ctx, 
-			  DATA_BLOB *blob, const DATA_BLOB *session_key)
-{
-	DATA_BLOB out;
-	int slen;
-	char *ret;
-
-	if (blob->length < 8) {
-		return NULL;
-	}
-	
-	out = data_blob_talloc(mem_ctx, NULL, blob->length);
-	if (!out.data) {
-		return NULL;
-	}
-
-	sess_crypt_blob(&out, blob, session_key, false);
-
-	if (IVAL(out.data, 4) != 1) {
-		DEBUG(0,("Unexpected revision number %d in session crypted string\n",
-			 IVAL(out.data, 4)));
-		data_blob_free(&out);
-		return NULL;
-	}
-
-	slen = IVAL(out.data, 0);
-	if (slen > blob->length - 8) {
-		DEBUG(0,("Invalid crypt length %d\n", slen));
-		data_blob_free(&out);
-		return NULL;
-	}
-
-	ret = talloc_strndup(mem_ctx, (const char *)(out.data+8), slen);
-
-	data_blob_free(&out);
-
-	DEBUG(0,("decrypted string '%s' of length %d\n", ret, slen));
-
-	return ret;
-}
-
-/*
-  a convenient wrapper around sess_crypt_blob() for DATA_BLOBs, using the LSA convention
-
-  note that we round the length to a multiple of 8. This seems to be needed for 
-  compatibility with windows
-
-  caller should free using data_blob_free()
-*/
-DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_BLOB *session_key)
-{
-	DATA_BLOB ret, src;
-	int dlen = (blob_in->length+7) & ~7;
-
-	src = data_blob_talloc(mem_ctx, NULL, 8+dlen);
-	if (!src.data) {
-		return data_blob(NULL, 0);
-	}
-
-	ret = data_blob_talloc(mem_ctx, NULL, 8+dlen);
-	if (!ret.data) {
-		data_blob_free(&src);
-		return data_blob(NULL, 0);
-	}
-
-	SIVAL(src.data, 0, blob_in->length);
-	SIVAL(src.data, 4, 1);
-	memset(src.data+8, 0, dlen);
-	memcpy(src.data+8, blob_in->data, blob_in->length);
-
-	sess_crypt_blob(&ret, &src, session_key, true);
-	
-	data_blob_free(&src);
-
-	return ret;
-}
-
-/*
-  Decrypt a DATA_BLOB using the LSA convention
-*/
-NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DATA_BLOB *session_key, 
-			   DATA_BLOB *ret)
-{
-	DATA_BLOB out;
-	int slen;
-
-	if (blob->length < 8) {
-		DEBUG(0, ("Unexpected length %d in session crypted secret (BLOB)\n",
-			  (int)blob->length));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-	
-	out = data_blob_talloc(mem_ctx, NULL, blob->length);
-	if (!out.data) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	sess_crypt_blob(&out, blob, session_key, false);
-
-	if (IVAL(out.data, 4) != 1) {
-		DEBUG(2,("Unexpected revision number %d in session crypted secret (BLOB)\n",
-			 IVAL(out.data, 4)));
-		return NT_STATUS_UNKNOWN_REVISION;
-	}
-		
-	slen = IVAL(out.data, 0);
-	if (slen > blob->length - 8) {
-		DEBUG(0,("Invalid crypt length %d in session crypted secret (BLOB)\n", slen));
-		return NT_STATUS_WRONG_PASSWORD;
-	}
-
-	*ret = data_blob_talloc(mem_ctx, out.data+8, slen);
-	if (slen && !ret->data) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	data_blob_free(&out);
-
-	return NT_STATUS_OK;
-}
diff --git a/source4/libcli/auth/smbdes.c b/source4/libcli/auth/smbdes.c
deleted file mode 100644
index 32e65e779d..0000000000
--- a/source4/libcli/auth/smbdes.c
+++ /dev/null
@@ -1,381 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   a partial implementation of DES designed for use in the 
-   SMB authentication protocol
-
-   Copyright (C) Andrew Tridgell 1998
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "libcli/auth/libcli_auth.h"
-
-/* NOTES: 
-
-   This code makes no attempt to be fast! In fact, it is a very
-   slow implementation 
-
-   This code is NOT a complete DES implementation. It implements only
-   the minimum necessary for SMB authentication, as used by all SMB
-   products (including every copy of Microsoft Windows95 ever sold)
-
-   In particular, it can only do a unchained forward DES pass. This
-   means it is not possible to use this code for encryption/decryption
-   of data, instead it is only useful as a "hash" algorithm.
-
-   There is no entry point into this code that allows normal DES operation.
-
-   I believe this means that this code does not come under ITAR
-   regulations but this is NOT a legal opinion. If you are concerned
-   about the applicability of ITAR regulations to this code then you
-   should confirm it for yourself (and maybe let me know if you come
-   up with a different answer to the one above)
-*/
-
-
-static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17,  9,
-			 1, 58, 50, 42, 34, 26, 18,
-			10,  2, 59, 51, 43, 35, 27,
-			19, 11,  3, 60, 52, 44, 36,
-			63, 55, 47, 39, 31, 23, 15,
-			 7, 62, 54, 46, 38, 30, 22,
-			14,  6, 61, 53, 45, 37, 29,
-			21, 13,  5, 28, 20, 12,  4};
-
-static const uint8_t perm2[48] = {14, 17, 11, 24,  1,  5,
-                         3, 28, 15,  6, 21, 10,
-                        23, 19, 12,  4, 26,  8,
-                        16,  7, 27, 20, 13,  2,
-                        41, 52, 31, 37, 47, 55,
-                        30, 40, 51, 45, 33, 48,
-                        44, 49, 39, 56, 34, 53,
-                        46, 42, 50, 36, 29, 32};
-
-static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10,  2,
-			60, 52, 44, 36, 28, 20, 12,  4,
-			62, 54, 46, 38, 30, 22, 14,  6,
-			64, 56, 48, 40, 32, 24, 16,  8,
-			57, 49, 41, 33, 25, 17,  9,  1,
-			59, 51, 43, 35, 27, 19, 11,  3,
-			61, 53, 45, 37, 29, 21, 13,  5,
-			63, 55, 47, 39, 31, 23, 15,  7};
-
-static const uint8_t perm4[48] = {   32,  1,  2,  3,  4,  5,
-                            4,  5,  6,  7,  8,  9,
-                            8,  9, 10, 11, 12, 13,
-                           12, 13, 14, 15, 16, 17,
-                           16, 17, 18, 19, 20, 21,
-                           20, 21, 22, 23, 24, 25,
-                           24, 25, 26, 27, 28, 29,
-                           28, 29, 30, 31, 32,  1};
-
-static const uint8_t perm5[32] = {      16,  7, 20, 21,
-                              29, 12, 28, 17,
-                               1, 15, 23, 26,
-                               5, 18, 31, 10,
-                               2,  8, 24, 14,
-                              32, 27,  3,  9,
-                              19, 13, 30,  6,
-                              22, 11,  4, 25};
-
-
-static const uint8_t perm6[64] ={ 40,  8, 48, 16, 56, 24, 64, 32,
-                        39,  7, 47, 15, 55, 23, 63, 31,
-                        38,  6, 46, 14, 54, 22, 62, 30,
-                        37,  5, 45, 13, 53, 21, 61, 29,
-                        36,  4, 44, 12, 52, 20, 60, 28,
-                        35,  3, 43, 11, 51, 19, 59, 27,
-                        34,  2, 42, 10, 50, 18, 58, 26,
-                        33,  1, 41,  9, 49, 17, 57, 25};
-
-
-static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
-
-static const uint8_t sbox[8][4][16] = {
-	{{14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7},
-	 {0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8},
-	 {4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0},
-	 {15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13}},
-
-	{{15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10},
-	 {3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5},
-	 {0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15},
-	 {13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9}},
-
-	{{10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8},
-	 {13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1},
-	 {13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7},
-	 {1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12}},
-
-	{{7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15},
-	 {13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9},
-	 {10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4},
-	 {3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14}},
-
-	{{2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9},
-	 {14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6},
-	 {4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14},
-	 {11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3}},
-
-	{{12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11},
-	 {10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8},
-	 {9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6},
-	 {4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13}},
-
-	{{4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1},
-	 {13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6},
-	 {1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2},
-	 {6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12}},
-
-	{{13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7},
-	 {1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2},
-	 {7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8},
-	 {2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11}}};
-
-static void permute(char *out, const char *in, const uint8_t *p, int n)
-{
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = in[p[i]-1];
-}
-
-static void lshift(char *d, int count, int n)
-{
-	char out[64];
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = d[(i+count)%n];
-	for (i=0;i<n;i++)
-		d[i] = out[i];
-}
-
-static void concat(char *out, char *in1, char *in2, int l1, int l2)
-{
-	while (l1--)
-		*out++ = *in1++;
-	while (l2--)
-		*out++ = *in2++;
-}
-
-static void xor(char *out, char *in1, char *in2, int n)
-{
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = in1[i] ^ in2[i];
-}
-
-static void dohash(char *out, char *in, char *key, int forw)
-{
-	int i, j, k;
-	char pk1[56];
-	char c[28];
-	char d[28];
-	char cd[56];
-	char ki[16][48];
-	char pd1[64];
-	char l[32], r[32];
-	char rl[64];
-
-	permute(pk1, key, perm1, 56);
-
-	for (i=0;i<28;i++)
-		c[i] = pk1[i];
-	for (i=0;i<28;i++)
-		d[i] = pk1[i+28];
-
-	for (i=0;i<16;i++) {
-		lshift(c, sc[i], 28);
-		lshift(d, sc[i], 28);
-
-		concat(cd, c, d, 28, 28); 
-		permute(ki[i], cd, perm2, 48); 
-	}
-
-	permute(pd1, in, perm3, 64);
-
-	for (j=0;j<32;j++) {
-		l[j] = pd1[j];
-		r[j] = pd1[j+32];
-	}
-
-	for (i=0;i<16;i++) {
-		char er[48];
-		char erk[48];
-		char b[8][6];
-		char cb[32];
-		char pcb[32];
-		char r2[32];
-
-		permute(er, r, perm4, 48);
-
-		xor(erk, er, ki[forw ? i : 15 - i], 48);
-
-		for (j=0;j<8;j++)
-			for (k=0;k<6;k++)
-				b[j][k] = erk[j*6 + k];
-
-		for (j=0;j<8;j++) {
-			int m, n;
-			m = (b[j][0]<<1) | b[j][5];
-
-			n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4]; 
-
-			for (k=0;k<4;k++) 
-				b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0; 
-		}
-
-		for (j=0;j<8;j++)
-			for (k=0;k<4;k++)
-				cb[j*4+k] = b[j][k];
-		permute(pcb, cb, perm5, 32);
-
-		xor(r2, l, pcb, 32);
-
-		for (j=0;j<32;j++)
-			l[j] = r[j];
-
-		for (j=0;j<32;j++)
-			r[j] = r2[j];
-	}
-
-	concat(rl, r, l, 32, 32);
-
-	permute(out, rl, perm6, 64);
-}
-
-static void str_to_key(const uint8_t *str,uint8_t *key)
-{
-	int i;
-
-	key[0] = str[0]>>1;
-	key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
-	key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
-	key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
-	key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
-	key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
-	key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
-	key[7] = str[6]&0x7F;
-	for (i=0;i<8;i++) {
-		key[i] = (key[i]<<1);
-	}
-}
-
-/*
-  basic des crypt using a 56 bit (7 byte) key
-*/
-void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw)
-{
-	int i;
-	char outb[64];
-	char inb[64];
-	char keyb[64];
-	uint8_t key2[8];
-
-	str_to_key(key, key2);
-
-	for (i=0;i<64;i++) {
-		inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		outb[i] = 0;
-	}
-
-	dohash(outb, inb, keyb, forw);
-
-	for (i=0;i<8;i++) {
-		out[i] = 0;
-	}
-
-	for (i=0;i<64;i++) {
-		if (outb[i])
-			out[i/8] |= (1<<(7-(i%8)));
-	}
-}
-
-void E_P16(const uint8_t *p14,uint8_t *p16)
-{
-	const uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
-	des_crypt56(p16, sp8, p14, 1);
-	des_crypt56(p16+8, sp8, p14+7, 1);
-}
-
-void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
-{
-	des_crypt56(p24, c8, p21, 1);
-	des_crypt56(p24+8, c8, p21+7, 1);
-	des_crypt56(p24+16, c8, p21+14, 1);
-}
-
-void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out)
-{
-	des_crypt56(out, in, p14, 0);
-        des_crypt56(out+8, in+8, p14+7, 0);
-}
-
-void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
-{
-        des_crypt56(out, in, p14, 1);
-        des_crypt56(out+8, in+8, p14+7, 1);
-}
-
-/* des encryption with a 128 bit key */
-void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16])
-{
-	uint8_t buf[8];
-	des_crypt56(buf, in, key, 1);
-	des_crypt56(out, buf, key+9, 1);
-}
-
-/* des encryption with a 64 bit key */
-void des_crypt64(uint8_t out[8], const uint8_t in[8], const uint8_t key[8], int forw)
-{
-	uint8_t buf[8];
-	uint8_t key2[8];
-	ZERO_STRUCT(key2);
-	des_crypt56(buf, in, key, forw);
-	key2[0] = key[7];
-	des_crypt56(out, buf, key2, forw);
-}
-
-/* des encryption with a 112 bit (14 byte) key */
-void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw)
-{
-	uint8_t buf[8];
-	des_crypt56(buf, in, key, forw);
-	des_crypt56(out, buf, key+7, forw);
-}
-
-/* des encryption of a 16 byte lump of data with a 112 bit key */
-void des_crypt112_16(uint8_t out[16], uint8_t in[16], const uint8_t key[14], int forw)
-{
-        des_crypt56(out, in, key, forw);
-        des_crypt56(out + 8, in + 8, key+7, forw);
-}
-
-/* Decode a sam password hash into a password.  The password hash is the
-   same method used to store passwords in the NT registry.  The DES key
-   used is based on the RID of the user. */
-void sam_rid_crypt(uint_t rid, const uint8_t *in, uint8_t *out, int forw)
-{
-	uint8_t s[14];
-
-	s[0] = s[4] = s[8] = s[12] = (uint8_t)(rid & 0xFF);
-	s[1] = s[5] = s[9] = s[13] = (uint8_t)((rid >> 8) & 0xFF);
-	s[2] = s[6] = s[10]        = (uint8_t)((rid >> 16) & 0xFF);
-	s[3] = s[7] = s[11]        = (uint8_t)((rid >> 24) & 0xFF);
-
-	des_crypt56(out, in, s, forw);
-	des_crypt56(out+8, in+8, s+7, forw);
-}
diff --git a/source4/libcli/auth/smbencrypt.c b/source4/libcli/auth/smbencrypt.c
deleted file mode 100644
index c6118c6568..0000000000
--- a/source4/libcli/auth/smbencrypt.c
+++ /dev/null
@@ -1,595 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-   SMB parameters and setup
-   Copyright (C) Andrew Tridgell 1992-1998
-   Modified by Jeremy Allison 1995.
-   Copyright (C) Jeremy Allison 1995-2000.
-   Copyright (C) Luke Kennethc Casson Leighton 1996-2000.
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/time.h"
-#include "auth/ntlmssp/ntlmssp.h"
-#include "auth/ntlmssp/msrpc_parse.h"
-#include "../lib/crypto/crypto.h"
-#include "libcli/auth/libcli_auth.h"
-
-/*
-   This implements the X/Open SMB password encryption
-   It takes a password ('unix' string), a 8 byte "crypt key" 
-   and puts 24 bytes of encrypted password into p24 
-
-   Returns false if password must have been truncated to create LM hash
-*/
-bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24])
-{
-	bool ret;
-	uint8_t p21[21];
-
-	memset(p21,'\0',21);
-	ret = E_deshash(passwd, p21); 
-
-	SMBOWFencrypt(p21, c8, p24);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100,("SMBencrypt: lm#, challenge, response\n"));
-	dump_data(100, p21, 16);
-	dump_data(100, c8, 8);
-	dump_data(100, p24, 24);
-#endif
-
-	return ret;
-}
-
-/**
- * Creates the MD4 Hash of the users password in NT UNICODE.
- * @param passwd password in 'unix' charset.
- * @param p16 return password hashed with md4, caller allocated 16 byte buffer
- */
- 
-bool E_md4hash(const char *passwd, uint8_t p16[16])
-{
-	size_t len;
-	smb_ucs2_t *wpwd;
-	bool ret;
-
-	ret = push_ucs2_talloc(NULL, &wpwd, passwd, &len);
-	if (!ret || len < 2) {
-		/* We don't want to return fixed data, as most callers
-		 * don't check */
-		mdfour(p16, (const uint8_t *)passwd, strlen(passwd));
-		return false;
-	}
-	
-	len -= 2;
-	mdfour(p16, (const uint8_t *)wpwd, len);
-
-	talloc_free(wpwd);
-	return true;
-}
-
-/**
- * Creates the DES forward-only Hash of the users password in DOS ASCII charset
- * @param passwd password in 'unix' charset.
- * @param p16 return password hashed with DES, caller allocated 16 byte buffer
- * @return false if password was > 14 characters, and therefore may be incorrect, otherwise true
- * @note p16 is filled in regardless
- */
- 
-bool E_deshash(const char *passwd, uint8_t p16[16])
-{
-	bool ret = true;
-	char dospwd[256];
-	ZERO_STRUCT(dospwd);
-
-	/* Password must be converted to DOS charset - null terminated, uppercase. */
-	push_string(dospwd, passwd, sizeof(dospwd), STR_ASCII|STR_UPPER|STR_TERMINATE);
-
-	/* Only the first 14 chars are considered, password need not be null terminated. */
-	E_P16((const uint8_t *)dospwd, p16);
-
-	if (strlen(dospwd) > 14) {
-		ret = false;
-	}
-
-	ZERO_STRUCT(dospwd);	
-
-	return ret;
-}
-
-/* Does both the NTLMv2 owfs of a user's password */
-bool ntv2_owf_gen(const uint8_t owf[16],
-		  const char *user_in, const char *domain_in,
-		  bool upper_case_domain, /* Transform the domain into UPPER case */
-		  uint8_t kr_buf[16])
-{
-	smb_ucs2_t *user;
-	smb_ucs2_t *domain;	
-	size_t user_byte_len;
-	size_t domain_byte_len;
-	bool ret;
-
-	HMACMD5Context ctx;
-	TALLOC_CTX *mem_ctx = talloc_init("ntv2_owf_gen for %s\\%s", domain_in, user_in); 
-
-	if (!mem_ctx) {
-		return false;
-	}
-
-	if (!user_in) {
-		user_in = "";
-	}
-
-	if (!domain_in) {
-		domain_in = "";
-	}
-
-	user_in = strupper_talloc(mem_ctx, user_in);
-	if (user_in == NULL) {
-		talloc_free(mem_ctx);
-		return false;
-	}
-
-	if (upper_case_domain) {
-		domain_in = strupper_talloc(mem_ctx, domain_in);
-		if (domain_in == NULL) {
-			talloc_free(mem_ctx);
-			return false;
-		}
-	}
-
-	ret = push_ucs2_talloc(mem_ctx, &user, user_in, &user_byte_len );
-	if (!ret) {
-		DEBUG(0, ("push_uss2_talloc() for user returned -1 (probably talloc() failure)\n"));
-		talloc_free(mem_ctx);
-		return false;
-	}
-
-	ret = push_ucs2_talloc(mem_ctx, &domain, domain_in, &domain_byte_len);
-	if (!ret) {
-		DEBUG(0, ("push_ucs2_talloc() for domain returned -1 (probably talloc() failure)\n"));
-		talloc_free(mem_ctx);
-		return false;
-	}
-
-	SMB_ASSERT(user_byte_len >= 2);
-	SMB_ASSERT(domain_byte_len >= 2);
-
-	/* We don't want null termination */
-	user_byte_len = user_byte_len - 2;
-	domain_byte_len = domain_byte_len - 2;
-	
-	hmac_md5_init_limK_to_64(owf, 16, &ctx);
-	hmac_md5_update((const void *)user, user_byte_len, &ctx);
-	hmac_md5_update((const void *)domain, domain_byte_len, &ctx);
-	hmac_md5_final(kr_buf, &ctx);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("ntv2_owf_gen: user, domain, owfkey, kr\n"));
-	dump_data(100, (const void *)user, user_byte_len);
-	dump_data(100, (const void *)domain, domain_byte_len);
-	dump_data(100, owf, 16);
-	dump_data(100, kr_buf, 16);
-#endif
-
-	talloc_free(mem_ctx);
-	return true;
-}
-
-/* Does the des encryption from the NT or LM MD4 hash. */
-void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24])
-{
-	uint8_t p21[21];
-
-	ZERO_STRUCT(p21);
- 
-	memcpy(p21, passwd, 16);    
-	E_P24(p21, c8, p24);
-}
-
-/* Does the NT MD4 hash then des encryption. */
- 
-void SMBNTencrypt(const char *passwd, uint8_t *c8, uint8_t *p24)
-{
-	uint8_t p21[21];
- 
-	memset(p21,'\0',21);
- 
-	E_md4hash(passwd, p21);    
-	SMBOWFencrypt(p21, c8, p24);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n"));
-	dump_data(100, p21, 16);
-	dump_data(100, c8, 8);
-	dump_data(100, p24, 24);
-#endif
-}
-
-/* Does the md5 encryption from the Key Response for NTLMv2. */
-void SMBOWFencrypt_ntv2(const uint8_t kr[16],
-			const DATA_BLOB *srv_chal,
-			const DATA_BLOB *smbcli_chal,
-			uint8_t resp_buf[16])
-{
-	HMACMD5Context ctx;
-
-	hmac_md5_init_limK_to_64(kr, 16, &ctx);
-	hmac_md5_update(srv_chal->data, srv_chal->length, &ctx);
-	hmac_md5_update(smbcli_chal->data, smbcli_chal->length, &ctx);
-	hmac_md5_final(resp_buf, &ctx);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf\n"));
-	dump_data(100, srv_chal->data, srv_chal->length);
-	dump_data(100, smbcli_chal->data, smbcli_chal->length);
-	dump_data(100, resp_buf, 16);
-#endif
-}
-
-void SMBsesskeygen_ntv2(const uint8_t kr[16],
-			const uint8_t * nt_resp, uint8_t sess_key[16])
-{
-	/* a very nice, 128 bit, variable session key */
-	
-	HMACMD5Context ctx;
-
-	hmac_md5_init_limK_to_64(kr, 16, &ctx);
-	hmac_md5_update(nt_resp, 16, &ctx);
-	hmac_md5_final((uint8_t *)sess_key, &ctx);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("SMBsesskeygen_ntv2:\n"));
-	dump_data(100, sess_key, 16);
-#endif
-}
-
-void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16])
-{
-	/* yes, this session key does not change - yes, this 
-	   is a problem - but it is 128 bits */
-	
-	mdfour((uint8_t *)sess_key, kr, 16);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("SMBsesskeygen_ntv1:\n"));
-	dump_data(100, sess_key, 16);
-#endif
-}
-
-void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16],
-			       const uint8_t lm_resp[24], /* only uses 8 */ 
-			       uint8_t sess_key[16])
-{
-	/* Calculate the LM session key (effective length 40 bits,
-	   but changes with each session) */
-	uint8_t p24[24];
-	uint8_t partial_lm_hash[14];
- 
-	memcpy(partial_lm_hash, lm_hash, 8);    
-	memset(partial_lm_hash + 8, 0xbd, 6);
-
-	des_crypt56(p24,   lm_resp, partial_lm_hash,     1);
-	des_crypt56(p24+8, lm_resp, partial_lm_hash + 7, 1);
-
-	memcpy(sess_key, p24, 16);
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("SMBsesskeygen_lm_sess_key: \n"));
-	dump_data(100, sess_key, 16);
-#endif
-}
-
-DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, 
-				     const char *hostname, 
-				     const char *domain)
-{
-	DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
-	
-	msrpc_gen(mem_ctx, &names_blob, 
-		  "aaa", 
-		  NTLMSSP_NAME_TYPE_DOMAIN, domain,
-		  NTLMSSP_NAME_TYPE_SERVER, hostname,
-		  0, "");
-	return names_blob;
-}
-
-static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx, const DATA_BLOB *names_blob) 
-{
-	uint8_t client_chal[8];
-	DATA_BLOB response = data_blob(NULL, 0);
-	uint8_t long_date[8];
-	NTTIME nttime;
-
-	unix_to_nt_time(&nttime, time(NULL));
-
-	generate_random_buffer(client_chal, sizeof(client_chal));
-
-	push_nttime(long_date, 0, nttime);
-
-	/* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */
-
-	msrpc_gen(mem_ctx, &response, "ddbbdb", 
-		  0x00000101,     /* Header  */
-		  0,              /* 'Reserved'  */
-		  long_date, 8,	  /* Timestamp */
-		  client_chal, 8, /* client challenge */
-		  0,		  /* Unknown */
-		  names_blob->data, names_blob->length);	/* End of name list */
-
-	return response;
-}
-
-static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx, 
-					  const uint8_t ntlm_v2_hash[16],
-					  const DATA_BLOB *server_chal,
-					  const DATA_BLOB *names_blob)
-{
-	uint8_t ntlmv2_response[16];
-	DATA_BLOB ntlmv2_client_data;
-	DATA_BLOB final_response;
-	
-	TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0, 
-					   "NTLMv2_generate_response internal context");
-
-	if (!mem_ctx) {
-		return data_blob(NULL, 0);
-	}
-	
-	/* NTLMv2 */
-	/* generate some data to pass into the response function - including
-	   the hostname and domain name of the server */
-	ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, names_blob);
-
-	/* Given that data, and the challenge from the server, generate a response */
-	SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
-	
-	final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
-
-	memcpy(final_response.data, ntlmv2_response, sizeof(ntlmv2_response));
-
-	memcpy(final_response.data+sizeof(ntlmv2_response), 
-	       ntlmv2_client_data.data, ntlmv2_client_data.length);
-
-	talloc_free(mem_ctx);
-
-	return final_response;
-}
-
-static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx, 
-					const uint8_t ntlm_v2_hash[16],
-					const DATA_BLOB *server_chal)
-{
-	uint8_t lmv2_response[16];
-	DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8);
-	DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24);
-	
-	/* LMv2 */
-	/* client-supplied random data */
-	generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length);	
-
-	/* Given that data, and the challenge from the server, generate a response */
-	SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response);
-	memcpy(final_response.data, lmv2_response, sizeof(lmv2_response));
-
-	/* after the first 16 bytes is the random data we generated above, 
-	   so the server can verify us with it */
-	memcpy(final_response.data+sizeof(lmv2_response), 
-	       lmv2_client_data.data, lmv2_client_data.length);
-
-	data_blob_free(&lmv2_client_data);
-
-	return final_response;
-}
-
-bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx, 
-			   const char *user, const char *domain, const uint8_t nt_hash[16],
-			   const DATA_BLOB *server_chal, 
-			   const DATA_BLOB *names_blob,
-			   DATA_BLOB *lm_response, DATA_BLOB *nt_response, 
-			   DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) 
-{
-	uint8_t ntlm_v2_hash[16];
-
-	/* We don't use the NT# directly.  Instead we use it mashed up with
-	   the username and domain.
-	   This prevents username swapping during the auth exchange
-	*/
-	if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {
-		return false;
-	}
-	
-	if (nt_response) {
-		*nt_response = NTLMv2_generate_response(mem_ctx, 
-							ntlm_v2_hash, server_chal,
-							names_blob); 
-		if (user_session_key) {
-			*user_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-			
-			/* The NTLMv2 calculations also provide a session key, for signing etc later */
-			/* use only the first 16 bytes of nt_response for session key */
-			SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, user_session_key->data);
-		}
-	}
-	
-	/* LMv2 */
-	
-	if (lm_response) {
-		*lm_response = LMv2_generate_response(mem_ctx, 
-						      ntlm_v2_hash, server_chal);
-		if (lm_session_key) {
-			*lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-			
-			/* The NTLMv2 calculations also provide a session key, for signing etc later */
-			/* use only the first 16 bytes of lm_response for session key */
-			SMBsesskeygen_ntv2(ntlm_v2_hash, lm_response->data, lm_session_key->data);
-		}
-	}
-	
-	return true;
-}
-
-bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx, 
-		      const char *user, const char *domain, 
-		      const char *password, 
-		      const DATA_BLOB *server_chal, 
-		      const DATA_BLOB *names_blob,
-		      DATA_BLOB *lm_response, DATA_BLOB *nt_response, 
-		      DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) 
-{
-	uint8_t nt_hash[16];
-	E_md4hash(password, nt_hash);
-
-	return SMBNTLMv2encrypt_hash(mem_ctx, 
-				     user, domain, nt_hash, server_chal, names_blob,
-				     lm_response, nt_response, lm_session_key, user_session_key);
-}
-
-/***********************************************************
- encode a password buffer with a unicode password.  The buffer
- is filled with random data to make it harder to attack.
-************************************************************/
-bool encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags)
-{
-	uint8_t new_pw[512];
-	size_t new_pw_len;
-
-	/* the incoming buffer can be any alignment. */
-	string_flags |= STR_NOALIGN;
-
-	new_pw_len = push_string(new_pw,
-				 password, 
-				 sizeof(new_pw), string_flags);
-	
-	memcpy(&buffer[512 - new_pw_len], new_pw, new_pw_len);
-
-	generate_random_buffer(buffer, 512 - new_pw_len);
-
-	/* 
-	 * The length of the new password is in the last 4 bytes of
-	 * the data buffer.
-	 */
-	SIVAL(buffer, 512, new_pw_len);
-	ZERO_STRUCT(new_pw);
-	return true;
-}
-
-
-/***********************************************************
- decode a password buffer
- *new_pw_len is the length in bytes of the possibly mulitbyte
- returned password including termination.
-************************************************************/
-bool decode_pw_buffer(uint8_t in_buffer[516], char *new_pwrd,
-		      int new_pwrd_size, int string_flags)
-{
-	int byte_len=0;
-	ssize_t converted_pw_len;
-
-	/* the incoming buffer can be any alignment. */
-	string_flags |= STR_NOALIGN;
-
-	/*
-	  Warning !!! : This function is called from some rpc call.
-	  The password IN the buffer may be a UNICODE string.
-	  The password IN new_pwrd is an ASCII string
-	  If you reuse that code somewhere else check first.
-	*/
-
-	/* The length of the new password is in the last 4 bytes of the data buffer. */
-
-	byte_len = IVAL(in_buffer, 512);
-
-#ifdef DEBUG_PASSWORD
-	dump_data(100, in_buffer, 516);
-#endif
-
-	/* Password cannot be longer than the size of the password buffer */
-	if ( (byte_len < 0) || (byte_len > 512)) {
-		return false;
-	}
-
-	/* decode into the return buffer.  Buffer length supplied */
- 	converted_pw_len = pull_string(new_pwrd, &in_buffer[512 - byte_len], new_pwrd_size, 
-				  byte_len, string_flags);
-
-	if (converted_pw_len == -1) {
-		return false;
-	}
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100,("decode_pw_buffer: new_pwrd: "));
-	dump_data(100, (const uint8_t *)new_pwrd, converted_pw_len);
-	DEBUG(100,("multibyte len:%d\n", (int)converted_pw_len));
-	DEBUG(100,("original char len:%d\n", byte_len/2));
-#endif
-	
-	return true;
-}
-
-/***********************************************************
- encode a password buffer with an already unicode password.  The
- rest of the buffer is filled with random data to make it harder to attack.
-************************************************************/
-bool set_pw_in_buffer(uint8_t buffer[516], DATA_BLOB *password)
-{
-	if (password->length > 512) {
-		return false;
-	}
-
-	memcpy(&buffer[512 - password->length], password->data, password->length);
-
-	generate_random_buffer(buffer, 512 - password->length);
-
-	/* 
-	 * The length of the new password is in the last 4 bytes of
-	 * the data buffer.
-	 */
-	SIVAL(buffer, 512, password->length);
-	return true;
-}
-
-/***********************************************************
- decode a password buffer
- *new_pw_size is the length in bytes of the extracted unicode password
-************************************************************/
-bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx, 
-			    uint8_t in_buffer[516], DATA_BLOB *new_pass)
-{
-	int byte_len=0;
-
-	/* The length of the new password is in the last 4 bytes of the data buffer. */
-
-	byte_len = IVAL(in_buffer, 512);
-
-#ifdef DEBUG_PASSWORD
-	dump_data(100, in_buffer, 516);
-#endif
-
-	/* Password cannot be longer than the size of the password buffer */
-	if ( (byte_len < 0) || (byte_len > 512)) {
-		return false;
-	}
-
-	*new_pass = data_blob_talloc(mem_ctx, &in_buffer[512 - byte_len], byte_len);
-
-	if (!new_pass->data) {
-		return false;
-	}
-
-	return true;
-}
diff --git a/source4/libcli/config.mk b/source4/libcli/config.mk
index 5b50bdfcbe..ad7bc311c2 100644
--- a/source4/libcli/config.mk
+++ b/source4/libcli/config.mk
@@ -1,4 +1,3 @@
-mkinclude auth/config.mk
 mkinclude ldap/config.mk
 mkinclude security/config.mk
 mkinclude wbclient/config.mk
author	Andrew Bartlett <abartlet@samba.org>	2009-03-16 13:26:38 +1100
committer	Andrew Bartlett <abartlet@samba.org>	2009-04-14 14:19:39 +1000
commit	927a8b330435b4c959ad851e32b83d97a6e3001b (patch)
tree	d8132fa21f60ae83ed7e19d6b07a8345071ed271 /source4/libcli
parent	786447dea021f97a44582009bf33e28d972dacb4 (diff)
download	samba-927a8b330435b4c959ad851e32b83d97a6e3001b.tar.gz samba-927a8b330435b4c959ad851e32b83d97a6e3001b.tar.bz2 samba-927a8b330435b4c959ad851e32b83d97a6e3001b.zip