2003-12-30 07:33:58 +00:00
/*
Unix SMB / CIFS implementation .
Password and authentication handling
Copyright ( C ) Andrew Tridgell 1992 - 2000
Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 2000
Copyright ( C ) Andrew Bartlett 2001 - 2003
Copyright ( C ) Gerald Carter 2003
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2003-12-30 07:33:58 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-12-30 07:33:58 +00:00
*/
# include "includes.h"
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
/****************************************************************************
Core of smb password checking routine .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
static bool smb_pwd_check_ntlmv1 ( const DATA_BLOB * nt_response ,
2003-12-30 07:33:58 +00:00
const uchar * part_passwd ,
const DATA_BLOB * sec_blob ,
DATA_BLOB * user_sess_key )
{
/* Finish the encryption of part_passwd. */
uchar p24 [ 24 ] ;
if ( part_passwd = = NULL ) {
DEBUG ( 10 , ( " No password set - DISALLOWING access \n " ) ) ;
/* No password set - always false ! */
return False ;
}
if ( sec_blob - > length ! = 8 ) {
DEBUG ( 0 , ( " smb_pwd_check_ntlmv1: incorrect challenge size (%lu) \n " ,
( unsigned long ) sec_blob - > length ) ) ;
return False ;
}
if ( nt_response - > length ! = 24 ) {
DEBUG ( 0 , ( " smb_pwd_check_ntlmv1: incorrect password length (%lu) \n " ,
( unsigned long ) nt_response - > length ) ) ;
return False ;
}
SMBOWFencrypt ( part_passwd , sec_blob - > data , p24 ) ;
if ( user_sess_key ! = NULL ) {
* user_sess_key = data_blob ( NULL , 16 ) ;
SMBsesskeygen_ntv1 ( part_passwd , NULL , user_sess_key - > data ) ;
}
2004-10-11 00:32:31 +00:00
# ifdef DEBUG_PASSWORD
2003-12-30 07:33:58 +00:00
DEBUG ( 100 , ( " Part password (P16) was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , part_passwd , 16 ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Password from client was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , nt_response - > data , nt_response - > length ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Given challenge was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , sec_blob - > data , sec_blob - > length ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Value from encryption was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , p24 , 24 ) ;
2003-12-30 07:33:58 +00:00
# endif
return ( memcmp ( p24 , nt_response - > data , 24 ) = = 0 ) ;
}
/****************************************************************************
Core of smb password checking routine . ( NTLMv2 , LMv2 )
Note : The same code works with both NTLMv2 and LMv2 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
static bool smb_pwd_check_ntlmv2 ( const DATA_BLOB * ntv2_response ,
2003-12-30 07:33:58 +00:00
const uchar * part_passwd ,
const DATA_BLOB * sec_blob ,
const char * user , const char * domain ,
2007-10-18 17:40:25 -07:00
bool upper_case_domain , /* should the domain be transformed into upper case? */
2003-12-30 07:33:58 +00:00
DATA_BLOB * user_sess_key )
{
/* Finish the encryption of part_passwd. */
uchar kr [ 16 ] ;
uchar value_from_encryption [ 16 ] ;
uchar client_response [ 16 ] ;
DATA_BLOB client_key_data ;
2007-10-18 17:40:25 -07:00
bool res ;
2003-12-30 07:33:58 +00:00
if ( part_passwd = = NULL ) {
DEBUG ( 10 , ( " No password set - DISALLOWING access \n " ) ) ;
/* No password set - always False */
return False ;
}
if ( sec_blob - > length ! = 8 ) {
DEBUG ( 0 , ( " smb_pwd_check_ntlmv2: incorrect challenge size (%lu) \n " ,
( unsigned long ) sec_blob - > length ) ) ;
return False ;
}
if ( ntv2_response - > length < 24 ) {
/* We MUST have more than 16 bytes, or the stuff below will go
crazy . No known implementation sends less than the 24 bytes
for LMv2 , let alone NTLMv2 . */
DEBUG ( 0 , ( " smb_pwd_check_ntlmv2: incorrect password length (%lu) \n " ,
( unsigned long ) ntv2_response - > length ) ) ;
return False ;
}
client_key_data = data_blob ( ntv2_response - > data + 16 , ntv2_response - > length - 16 ) ;
/*
todo : should we be checking this for anything ? We can ' t for LMv2 ,
but for NTLMv2 it is meant to contain the current time etc .
*/
memcpy ( client_response , ntv2_response - > data , sizeof ( client_response ) ) ;
2004-03-27 07:53:47 +00:00
if ( ! ntv2_owf_gen ( part_passwd , user , domain , upper_case_domain , kr ) ) {
2003-12-30 07:33:58 +00:00
return False ;
}
SMBOWFencrypt_ntv2 ( kr , sec_blob , & client_key_data , value_from_encryption ) ;
if ( user_sess_key ! = NULL ) {
* user_sess_key = data_blob ( NULL , 16 ) ;
SMBsesskeygen_ntv2 ( kr , value_from_encryption , user_sess_key - > data ) ;
}
# if DEBUG_PASSWORD
DEBUG ( 100 , ( " Part password (P16) was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , part_passwd , 16 ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Password from client was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , ntv2_response - > data , ntv2_response - > length ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Variable data from client was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , client_key_data . data , client_key_data . length ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Given challenge was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , sec_blob - > data , sec_blob - > length ) ;
2003-12-30 07:33:58 +00:00
DEBUGADD ( 100 , ( " Value from encryption was | \n " ) ) ;
2007-03-28 13:34:59 +00:00
dump_data ( 100 , value_from_encryption , 16 ) ;
2003-12-30 07:33:58 +00:00
# endif
data_blob_clear_free ( & client_key_data ) ;
2004-11-04 09:30:13 +00:00
res = ( memcmp ( value_from_encryption , client_response , 16 ) = = 0 ) ;
if ( ( ! res ) & & ( user_sess_key ! = NULL ) )
data_blob_clear_free ( user_sess_key ) ;
return res ;
2003-12-30 07:33:58 +00:00
}
/**
* Check a challenge - response password against the value of the NT or
* LM password hash .
*
* @ param mem_ctx talloc context
* @ param challenge 8 - byte challenge . If all zero , forces plaintext comparison
* @ param nt_response ' unicode ' NT response to the challenge , or unicode password
* @ param lm_response ASCII or LANMAN response to the challenge , or password in DOS code page
* @ param username internal Samba username , for log messages
* @ param client_username username the client used
* @ param client_domain domain name the client used ( may be mapped )
* @ param nt_pw MD4 unicode password from our passdb or similar
* @ param lm_pw LANMAN ASCII password from our passdb or similar
* @ param user_sess_key User session key
* @ param lm_sess_key LM session key ( first 8 bytes of the LM hash )
*/
NTSTATUS ntlm_password_check ( TALLOC_CTX * mem_ctx ,
const DATA_BLOB * challenge ,
const DATA_BLOB * lm_response ,
const DATA_BLOB * nt_response ,
2004-04-03 15:41:32 +00:00
const DATA_BLOB * lm_interactive_pwd ,
const DATA_BLOB * nt_interactive_pwd ,
2003-12-30 07:33:58 +00:00
const char * username ,
const char * client_username ,
const char * client_domain ,
const uint8 * lm_pw , const uint8 * nt_pw ,
DATA_BLOB * user_sess_key ,
DATA_BLOB * lm_sess_key )
{
2007-12-28 17:02:34 +01:00
unsigned char zeros [ 8 ] ;
ZERO_STRUCT ( zeros ) ;
2003-12-30 07:33:58 +00:00
if ( nt_pw = = NULL ) {
DEBUG ( 3 , ( " ntlm_password_check: NO NT password stored for user %s. \n " ,
username ) ) ;
}
2004-04-03 15:41:32 +00:00
if ( nt_interactive_pwd & & nt_interactive_pwd - > length & & nt_pw ) {
if ( nt_interactive_pwd - > length ! = 16 ) {
DEBUG ( 3 , ( " ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s \n " , ( int ) nt_interactive_pwd - > length ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
if ( memcmp ( nt_interactive_pwd - > data , nt_pw , 16 ) = = 0 ) {
if ( user_sess_key ) {
* user_sess_key = data_blob ( NULL , 16 ) ;
SMBsesskeygen_ntv1 ( nt_pw , NULL , user_sess_key - > data ) ;
}
return NT_STATUS_OK ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: Interactive logon: NT password check failed for user %s \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
} else if ( lm_interactive_pwd & & lm_interactive_pwd - > length & & lm_pw ) {
if ( lm_interactive_pwd - > length ! = 16 ) {
DEBUG ( 3 , ( " ntlm_password_check: Interactive logon: Invalid LANMAN password length (%d) supplied for user %s \n " , ( int ) lm_interactive_pwd - > length ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
if ( ! lp_lanman_auth ( ) ) {
DEBUG ( 3 , ( " ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled! \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
if ( memcmp ( lm_interactive_pwd - > data , lm_pw , 16 ) = = 0 ) {
return NT_STATUS_OK ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: Interactive logon: LANMAN password check failed for user %s \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
}
2003-12-30 07:33:58 +00:00
/* Check for cleartext netlogon. Used by Exchange 5.5. */
if ( challenge - > length = = sizeof ( zeros ) & &
( memcmp ( challenge - > data , zeros , challenge - > length ) = = 0 ) ) {
DEBUG ( 4 , ( " ntlm_password_check: checking plaintext passwords for user %s \n " ,
username ) ) ;
if ( nt_pw & & nt_response - > length ) {
unsigned char pwhash [ 16 ] ;
mdfour ( pwhash , nt_response - > data , nt_response - > length ) ;
if ( memcmp ( pwhash , nt_pw , sizeof ( pwhash ) ) = = 0 ) {
return NT_STATUS_OK ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: NT (Unicode) plaintext password check failed for user %s \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
} else if ( ! lp_lanman_auth ( ) ) {
DEBUG ( 3 , ( " ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s \n " ,
username ) ) ;
} else if ( lm_pw & & lm_response - > length ) {
uchar dospwd [ 14 ] ;
uchar p16 [ 16 ] ;
ZERO_STRUCT ( dospwd ) ;
memcpy ( dospwd , lm_response - > data , MIN ( lm_response - > length , sizeof ( dospwd ) ) ) ;
/* Only the fisrt 14 chars are considered, password need not be null terminated. */
/* we *might* need to upper-case the string here */
E_P16 ( ( const unsigned char * ) dospwd , p16 ) ;
if ( memcmp ( p16 , lm_pw , sizeof ( p16 ) ) = = 0 ) {
return NT_STATUS_OK ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
} else {
DEBUG ( 3 , ( " Plaintext authentication for user %s attempted, but neither NT nor LM passwords available \n " , username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
}
if ( nt_response - > length ! = 0 & & nt_response - > length < 24 ) {
DEBUG ( 2 , ( " ntlm_password_check: invalid NT password length (%lu) for user %s \n " ,
( unsigned long ) nt_response - > length , username ) ) ;
}
if ( nt_response - > length > = 24 & & nt_pw ) {
if ( nt_response - > length > 24 ) {
/* We have the NT MD4 hash challenge available - see if we can
2004-03-27 07:53:47 +00:00
use it
2003-12-30 07:33:58 +00:00
*/
DEBUG ( 4 , ( " ntlm_password_check: Checking NTLMv2 password with domain [%s] \n " , client_domain ) ) ;
if ( smb_pwd_check_ntlmv2 ( nt_response ,
nt_pw , challenge ,
2004-03-27 07:53:47 +00:00
client_username ,
client_domain ,
False ,
user_sess_key ) ) {
return NT_STATUS_OK ;
}
DEBUG ( 4 , ( " ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s] \n " , client_domain ) ) ;
if ( smb_pwd_check_ntlmv2 ( nt_response ,
nt_pw , challenge ,
client_username ,
2003-12-30 07:33:58 +00:00
client_domain ,
2004-03-27 07:53:47 +00:00
True ,
2003-12-30 07:33:58 +00:00
user_sess_key ) ) {
return NT_STATUS_OK ;
}
DEBUG ( 4 , ( " ntlm_password_check: Checking NTLMv2 password without a domain \n " ) ) ;
if ( smb_pwd_check_ntlmv2 ( nt_response ,
nt_pw , challenge ,
client_username ,
" " ,
2004-03-27 07:53:47 +00:00
False ,
2003-12-30 07:33:58 +00:00
user_sess_key ) ) {
return NT_STATUS_OK ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: NTLMv2 password check failed \n " ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
}
if ( lp_ntlm_auth ( ) ) {
/* We have the NT MD4 hash challenge available - see if we can
use it ( ie . does it exist in the smbpasswd file ) .
*/
DEBUG ( 4 , ( " ntlm_password_check: Checking NT MD4 password \n " ) ) ;
if ( smb_pwd_check_ntlmv1 ( nt_response ,
nt_pw , challenge ,
user_sess_key ) ) {
/* The LM session key for this response is not very secure,
so use it only if we otherwise allow LM authentication */
if ( lp_lanman_auth ( ) & & lm_pw ) {
uint8 first_8_lm_hash [ 16 ] ;
memcpy ( first_8_lm_hash , lm_pw , 8 ) ;
memset ( first_8_lm_hash + 8 , ' \0 ' , 8 ) ;
2004-04-10 19:24:31 +00:00
if ( lm_sess_key ) {
* lm_sess_key = data_blob ( first_8_lm_hash , 16 ) ;
}
2003-12-30 07:33:58 +00:00
}
return NT_STATUS_OK ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: NT MD4 password check failed for user %s \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
} else {
DEBUG ( 2 , ( " ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s \n " ,
username ) ) ;
/* no return, becouse we might pick up LMv2 in the LM field */
}
}
if ( lm_response - > length = = 0 ) {
DEBUG ( 3 , ( " ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s \n " ,
username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
if ( lm_response - > length < 24 ) {
DEBUG ( 2 , ( " ntlm_password_check: invalid LanMan password length (%lu) for user %s \n " ,
( unsigned long ) nt_response - > length , username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
if ( ! lp_lanman_auth ( ) ) {
DEBUG ( 3 , ( " ntlm_password_check: Lanman passwords NOT PERMITTED for user %s \n " ,
username ) ) ;
} else if ( ! lm_pw ) {
DEBUG ( 3 , ( " ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied) \n " ,
username ) ) ;
} else {
DEBUG ( 4 , ( " ntlm_password_check: Checking LM password \n " ) ) ;
if ( smb_pwd_check_ntlmv1 ( lm_response ,
lm_pw , challenge ,
NULL ) ) {
uint8 first_8_lm_hash [ 16 ] ;
memcpy ( first_8_lm_hash , lm_pw , 8 ) ;
memset ( first_8_lm_hash + 8 , ' \0 ' , 8 ) ;
2004-04-10 19:24:31 +00:00
if ( user_sess_key ) {
* user_sess_key = data_blob ( first_8_lm_hash , 16 ) ;
}
if ( lm_sess_key ) {
* lm_sess_key = data_blob ( first_8_lm_hash , 16 ) ;
}
2003-12-30 07:33:58 +00:00
return NT_STATUS_OK ;
}
}
if ( ! nt_pw ) {
DEBUG ( 4 , ( " ntlm_password_check: LM password check failed for user, no NT password %s \n " , username ) ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
/* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
- related to Win9X , legacy NAS pass - though authentication
*/
DEBUG ( 4 , ( " ntlm_password_check: Checking LMv2 password with domain %s \n " , client_domain ) ) ;
if ( smb_pwd_check_ntlmv2 ( lm_response ,
nt_pw , challenge ,
client_username ,
client_domain ,
2004-03-27 07:53:47 +00:00
False ,
NULL ) ) {
return NT_STATUS_OK ;
}
DEBUG ( 4 , ( " ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s \n " , client_domain ) ) ;
if ( smb_pwd_check_ntlmv2 ( lm_response ,
nt_pw , challenge ,
client_username ,
client_domain ,
True ,
2003-12-30 07:33:58 +00:00
NULL ) ) {
return NT_STATUS_OK ;
}
DEBUG ( 4 , ( " ntlm_password_check: Checking LMv2 password without a domain \n " ) ) ;
if ( smb_pwd_check_ntlmv2 ( lm_response ,
nt_pw , challenge ,
client_username ,
" " ,
2004-03-27 07:53:47 +00:00
False ,
2003-12-30 07:33:58 +00:00
NULL ) ) {
return NT_STATUS_OK ;
}
/* Apparently NT accepts NT responses in the LM field
- I think this is related to Win9X pass - though authentication
*/
DEBUG ( 4 , ( " ntlm_password_check: Checking NT MD4 password in LM field \n " ) ) ;
if ( lp_ntlm_auth ( ) ) {
if ( smb_pwd_check_ntlmv1 ( lm_response ,
nt_pw , challenge ,
NULL ) ) {
/* The session key for this response is still very odd.
It not very secure , so use it only if we otherwise
allow LM authentication */
if ( lp_lanman_auth ( ) & & lm_pw ) {
uint8 first_8_lm_hash [ 16 ] ;
memcpy ( first_8_lm_hash , lm_pw , 8 ) ;
memset ( first_8_lm_hash + 8 , ' \0 ' , 8 ) ;
2004-04-10 19:24:31 +00:00
if ( user_sess_key ) {
* user_sess_key = data_blob ( first_8_lm_hash , 16 ) ;
}
if ( lm_sess_key ) {
* lm_sess_key = data_blob ( first_8_lm_hash , 16 ) ;
}
2003-12-30 07:33:58 +00:00
}
return NT_STATUS_OK ;
}
DEBUG ( 3 , ( " ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s \n " , username ) ) ;
} else {
DEBUG ( 3 , ( " ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted \n " , username ) ) ;
}
return NT_STATUS_WRONG_PASSWORD ;
}