diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-08-20 05:59:27 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:33:35 -0500 |
| commit | b456bfa0155ea70ca60590a83e19232c63ec1ac1 (patch) | |
| tree | a83f9c3f8e9d7b40e7a6c726f00356c06a7f8382 /source4 | |
| parent | 8e11003e214729462b7dcf46f09d47efc736e1e8 (diff) | |
| download | samba-b456bfa0155ea70ca60590a83e19232c63ec1ac1.tar.gz samba-b456bfa0155ea70ca60590a83e19232c63ec1ac1.tar.bz2 samba-b456bfa0155ea70ca60590a83e19232c63ec1ac1.zip | |
r9412: Simplfy this NTLM authentication code by requiring the caller to
supply the user_sess_key and lm_sess_key parameters. Inspired by
coverty complaining about inconsistant checking.
Also factor out some of this code, where we deal with just NT and LM
hashes, or embedded plaintext passwords.
Andrew Bartlett
(This used to be commit ceec35564f44c8043888c8ffa776f137bd1171c8)
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/auth/auth_sam.c | 7 | ||||
| -rw-r--r-- | source4/auth/ntlm_check.c | 131 |
2 files changed, 42 insertions, 96 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 008a7f3a84..57f645adc8 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -70,14 +70,13 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context, /* NO break */ } case AUTH_PASSWORD_HASH: + *lm_sess_key = data_blob(NULL, 0); + *user_sess_key = data_blob(NULL, 0); status = hash_password_check(mem_ctx, user_info->password.hash.lanman, user_info->password.hash.nt, user_info->mapped.account_name, - user_info->client.account_name, - user_info->client.domain_name, - lm_pwd, nt_pwd, - user_sess_key, lm_sess_key); + lm_pwd, nt_pwd); NT_STATUS_NOT_OK_RETURN(status); break; diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c index fa9677e75e..d033dfeb79 100644 --- a/source4/auth/ntlm_check.c +++ b/source4/auth/ntlm_check.c @@ -221,31 +221,16 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, const struct samr_Password *client_lanman, const struct samr_Password *client_nt, const char *username, - const char *client_username, - const char *client_domain, const struct samr_Password *stored_lanman, - const struct samr_Password *stored_nt, - DATA_BLOB *user_sess_key, - DATA_BLOB *lm_sess_key) + const struct samr_Password *stored_nt) { if (stored_nt == NULL) { DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", username)); } - if (lm_sess_key) { - *lm_sess_key = data_blob(NULL, 0); - } - if (user_sess_key) { - *user_sess_key = data_blob(NULL, 0); - } - if (client_nt && stored_nt) { if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) { - if (user_sess_key) { - *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16); - SMBsesskeygen_ntv1(stored_nt->hash, user_sess_key->data); - } return NT_STATUS_OK; } else { DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n", @@ -308,56 +293,30 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, username)); } - if (lm_sess_key) { - *lm_sess_key = data_blob(NULL, 0); - } - if (user_sess_key) { - *user_sess_key = data_blob(NULL, 0); - } + *lm_sess_key = data_blob(NULL, 0); + *user_sess_key = data_blob(NULL, 0); /* Check for cleartext netlogon. Used by Exchange 5.5. */ if (challenge->length == sizeof(zeros) && (memcmp(challenge->data, zeros, challenge->length) == 0 )) { + struct samr_Password client_nt; + struct samr_Password client_lm; + uint8_t dospwd[14]; DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n", username)); - if (stored_nt && nt_response->length) { - uint8_t pwhash[16]; - mdfour(pwhash, nt_response->data, nt_response->length); - if (memcmp(pwhash, stored_nt->hash, sizeof(pwhash)) == 0) { - return NT_STATUS_OK; - } else { - DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - - } else if (!lp_lanman_auth()) { - DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n", - username)); - - } else if (stored_lanman && lm_response->length) { - uint8_t dospwd[14]; - uint8_t p16[16]; - ZERO_STRUCT(dospwd); - - memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd))); - /* Only the fisrt 14 chars are considered, password need not be null terminated. */ - - /* we *might* need to upper-case the string here */ - E_P16((const uint8_t *)dospwd, p16); - - if (memcmp(p16, stored_lanman->hash, sizeof(p16)) == 0) { - return NT_STATUS_OK; - } else { - DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - } else { - DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username)); - return NT_STATUS_WRONG_PASSWORD; - } + mdfour(client_nt.hash, nt_response->data, nt_response->length); + ZERO_STRUCT(dospwd); + + memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd))); + /* Only the fisrt 14 chars are considered, password need not be null terminated. */ + + /* we *might* need to upper-case the string here */ + E_P16((const uint8_t *)dospwd, client_lm.hash); + + return hash_password_check(mem_ctx, &client_lm, &client_nt, + username, + stored_lanman, stored_nt); } if (nt_response->length != 0 && nt_response->length < 24) { @@ -377,11 +336,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, client_domain, False, user_sess_key)) { - if (lm_sess_key) { - *lm_sess_key = *user_sess_key; - if (user_sess_key->length) { - lm_sess_key->length = 8; - } + *lm_sess_key = *user_sess_key; + if (user_sess_key->length) { + lm_sess_key->length = 8; } return NT_STATUS_OK; } @@ -394,11 +351,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, client_domain, True, user_sess_key)) { - if (lm_sess_key) { - *lm_sess_key = *user_sess_key; - if (user_sess_key->length) { - lm_sess_key->length = 8; - } + *lm_sess_key = *user_sess_key; + if (user_sess_key->length) { + lm_sess_key->length = 8; } return NT_STATUS_OK; } @@ -411,11 +366,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, "", False, user_sess_key)) { - if (lm_sess_key) { - *lm_sess_key = *user_sess_key; - if (user_sess_key->length) { - lm_sess_key->length = 8; - } + *lm_sess_key = *user_sess_key; + if (user_sess_key->length) { + lm_sess_key->length = 8; } return NT_STATUS_OK; } else { @@ -517,15 +470,13 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, client_domain, False, user_sess_key); - } else if (user_sess_key) { + } else { /* Otherwise, use the LMv2 session key */ *user_sess_key = tmp_sess_key; } - if (user_sess_key && lm_sess_key) { - *lm_sess_key = *user_sess_key; - if (user_sess_key->length) { - lm_sess_key->length = 8; - } + *lm_sess_key = *user_sess_key; + if (user_sess_key->length) { + lm_sess_key->length = 8; } return NT_STATUS_OK; } @@ -550,15 +501,13 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, client_domain, True, user_sess_key); - } else if (user_sess_key) { + } else { /* Otherwise, use the LMv2 session key */ *user_sess_key = tmp_sess_key; } - if (user_sess_key && lm_sess_key) { - *lm_sess_key = *user_sess_key; - if (user_sess_key->length) { - lm_sess_key->length = 8; - } + *lm_sess_key = *user_sess_key; + if (user_sess_key->length) { + lm_sess_key->length = 8; } return NT_STATUS_OK; } @@ -583,15 +532,13 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, "", False, user_sess_key); - } else if (user_sess_key) { + } else { /* Otherwise, use the LMv2 session key */ *user_sess_key = tmp_sess_key; } - if (user_sess_key && lm_sess_key) { - *lm_sess_key = *user_sess_key; - if (user_sess_key->length) { - lm_sess_key->length = 8; - } + *lm_sess_key = *user_sess_key; + if (user_sess_key->length) { + lm_sess_key->length = 8; } return NT_STATUS_OK; } |