Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : Password and authentication handling
4 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5 : Copyright (C) Gerald Carter 2003
6 : Copyright (C) Luke Kenneth Casson Leighton 1996-2000
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "lib/crypto/md4.h"
24 : #include "librpc/gen_ndr/netlogon.h"
25 : #include "libcli/auth/libcli_auth.h"
26 :
27 : /****************************************************************************
28 : Core of smb password checking routine.
29 : ****************************************************************************/
30 :
31 5652 : static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
32 : const DATA_BLOB *nt_response,
33 : const uint8_t *part_passwd,
34 : const DATA_BLOB *sec_blob,
35 : DATA_BLOB *user_sess_key)
36 : {
37 : /* Finish the encryption of part_passwd. */
38 5 : uint8_t p24[24];
39 5 : int rc;
40 5 : bool ok;
41 :
42 5652 : if (part_passwd == NULL) {
43 0 : DEBUG(10,("No password set - DISALLOWING access\n"));
44 : /* No password set - always false ! */
45 0 : return false;
46 : }
47 :
48 5652 : if (sec_blob->length != 8) {
49 0 : DBG_ERR("incorrect challenge size (%zu)\n", sec_blob->length);
50 0 : return false;
51 : }
52 :
53 5652 : if (nt_response->length != 24) {
54 0 : DBG_ERR("incorrect password length (%zu)\n",
55 : nt_response->length);
56 0 : return false;
57 : }
58 :
59 5652 : rc = SMBOWFencrypt(part_passwd, sec_blob->data, p24);
60 5652 : if (rc != 0) {
61 0 : return false;
62 : }
63 :
64 : #if DEBUG_PASSWORD
65 5652 : DEBUG(100,("Part password (P16) was |\n"));
66 5652 : dump_data(100, part_passwd, 16);
67 5652 : DEBUGADD(100,("Password from client was |\n"));
68 5652 : dump_data(100, nt_response->data, nt_response->length);
69 5652 : DEBUGADD(100,("Given challenge was |\n"));
70 5652 : dump_data(100, sec_blob->data, sec_blob->length);
71 5652 : DEBUGADD(100,("Value from encryption was |\n"));
72 5652 : dump_data(100, p24, 24);
73 : #endif
74 5652 : ok = mem_equal_const_time(p24, nt_response->data, 24);
75 5652 : if (!ok) {
76 3248 : return false;
77 : }
78 2402 : if (user_sess_key != NULL) {
79 2184 : *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
80 2184 : if (user_sess_key->data == NULL) {
81 0 : DBG_ERR("data_blob_talloc failed\n");
82 0 : return false;
83 : }
84 2184 : SMBsesskeygen_ntv1(part_passwd, user_sess_key->data);
85 : }
86 2399 : return true;
87 : }
88 :
89 : /****************************************************************************
90 : Core of smb password checking routine. (NTLMv2, LMv2)
91 : Note: The same code works with both NTLMv2 and LMv2.
92 : ****************************************************************************/
93 :
94 51190 : static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
95 : const DATA_BLOB *ntv2_response,
96 : const uint8_t *part_passwd,
97 : const DATA_BLOB *sec_blob,
98 : const char *user, const char *domain,
99 : DATA_BLOB *user_sess_key)
100 : {
101 : /* Finish the encryption of part_passwd. */
102 1419 : uint8_t kr[16];
103 1419 : uint8_t value_from_encryption[16];
104 1419 : DATA_BLOB client_key_data;
105 1419 : NTSTATUS status;
106 1419 : bool ok;
107 :
108 51190 : if (part_passwd == NULL) {
109 0 : DEBUG(10,("No password set - DISALLOWING access\n"));
110 : /* No password set - always false */
111 0 : return false;
112 : }
113 :
114 51190 : if (sec_blob->length != 8) {
115 0 : DBG_ERR("incorrect challenge size (%zu)\n", sec_blob->length);
116 0 : return false;
117 : }
118 :
119 51190 : if (ntv2_response->length < 24) {
120 : /* We MUST have more than 16 bytes, or the stuff below will go
121 : crazy. No known implementation sends less than the 24 bytes
122 : for LMv2, let alone NTLMv2. */
123 0 : DBG_ERR("incorrect password length (%zu)\n",
124 : ntv2_response->length);
125 0 : return false;
126 : }
127 :
128 51190 : client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
129 : /*
130 : todo: should we be checking this for anything? We can't for LMv2,
131 : but for NTLMv2 it is meant to contain the current time etc.
132 : */
133 :
134 51190 : if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
135 0 : return false;
136 : }
137 :
138 51190 : status = SMBOWFencrypt_ntv2(kr,
139 : sec_blob,
140 : &client_key_data,
141 : value_from_encryption);
142 51190 : if (!NT_STATUS_IS_OK(status)) {
143 0 : return false;
144 : }
145 :
146 : #if DEBUG_PASSWORD
147 51190 : DEBUG(100,("Part password (P16) was |\n"));
148 51190 : dump_data(100, part_passwd, 16);
149 51190 : DEBUGADD(100,("Password from client was |\n"));
150 51190 : dump_data(100, ntv2_response->data, ntv2_response->length);
151 51190 : DEBUGADD(100,("Variable data from client was |\n"));
152 51190 : dump_data(100, client_key_data.data, client_key_data.length);
153 51190 : DEBUGADD(100,("Given challenge was |\n"));
154 51190 : dump_data(100, sec_blob->data, sec_blob->length);
155 51190 : DEBUGADD(100,("Value from encryption was |\n"));
156 51190 : dump_data(100, value_from_encryption, 16);
157 : #endif
158 51190 : data_blob_clear_free(&client_key_data);
159 :
160 51190 : ok = mem_equal_const_time(value_from_encryption, ntv2_response->data, 16);
161 51190 : if (!ok) {
162 10626 : return false;
163 : }
164 40549 : if (user_sess_key != NULL) {
165 40549 : *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
166 40549 : if (user_sess_key->data == NULL) {
167 0 : DBG_ERR("data_blob_talloc failed\n");
168 0 : return false;
169 : }
170 :
171 40549 : status = SMBsesskeygen_ntv2(
172 : kr, value_from_encryption, user_sess_key->data);
173 40549 : if (!NT_STATUS_IS_OK(status)) {
174 0 : return false;
175 : }
176 : }
177 39145 : return true;
178 : }
179 :
180 : /****************************************************************************
181 : Core of smb password checking routine. (NTLMv2, LMv2)
182 : Note: The same code works with both NTLMv2 and LMv2.
183 : ****************************************************************************/
184 :
185 204 : static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
186 : const DATA_BLOB *ntv2_response,
187 : const uint8_t *part_passwd,
188 : const DATA_BLOB *sec_blob,
189 : const char *user, const char *domain,
190 : DATA_BLOB *user_sess_key)
191 : {
192 : /* Finish the encryption of part_passwd. */
193 0 : uint8_t kr[16];
194 0 : uint8_t value_from_encryption[16];
195 0 : DATA_BLOB client_key_data;
196 0 : NTSTATUS status;
197 :
198 204 : if (part_passwd == NULL) {
199 0 : DEBUG(10,("No password set - DISALLOWING access\n"));
200 : /* No password set - always false */
201 0 : return false;
202 : }
203 :
204 204 : if (sec_blob->length != 8) {
205 0 : DBG_ERR("incorrect challenge size (%zu)\n", sec_blob->length);
206 0 : return false;
207 : }
208 :
209 204 : if (ntv2_response->length < 24) {
210 : /* We MUST have more than 16 bytes, or the stuff below will go
211 : crazy. No known implementation sends less than the 24 bytes
212 : for LMv2, let alone NTLMv2. */
213 0 : DBG_ERR("incorrect password length (%zu)\n",
214 : ntv2_response->length);
215 0 : return false;
216 : }
217 :
218 204 : client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
219 :
220 204 : if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
221 0 : return false;
222 : }
223 :
224 204 : status = SMBOWFencrypt_ntv2(kr,
225 : sec_blob,
226 : &client_key_data,
227 : value_from_encryption);
228 204 : if (!NT_STATUS_IS_OK(status)) {
229 0 : return false;
230 : }
231 204 : *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
232 204 : if (user_sess_key->data == NULL) {
233 0 : DBG_ERR("data_blob_talloc failed\n");
234 0 : return false;
235 : }
236 204 : status = SMBsesskeygen_ntv2(kr,
237 : value_from_encryption,
238 : user_sess_key->data);
239 204 : if (!NT_STATUS_IS_OK(status)) {
240 0 : return false;
241 : }
242 204 : return true;
243 : }
244 :
245 : /**
246 : * Compare password hashes against those from the SAM
247 : *
248 : * @param mem_ctx talloc context
249 : * @param client_lanman LANMAN password hash, as supplied by the client
250 : * @param client_nt NT (MD4) password hash, as supplied by the client
251 : * @param username internal Samba username, for log messages
252 : * @param client_username username the client used
253 : * @param client_domain domain name the client used (may be mapped)
254 : * @param stored_lanman LANMAN password hash, as stored on the SAM
255 : * @param stored_nt NT (MD4) password hash, as stored on the SAM
256 : * @param user_sess_key User session key
257 : * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
258 : */
259 :
260 2215 : NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
261 : bool lanman_auth,
262 : enum ntlm_auth_level ntlm_auth,
263 : const struct samr_Password *client_lanman,
264 : const struct samr_Password *client_nt,
265 : const char *username,
266 : const struct samr_Password *stored_lanman,
267 : const struct samr_Password *stored_nt)
268 : {
269 2215 : if (ntlm_auth == NTLM_AUTH_DISABLED) {
270 0 : DBG_WARNING("hash_password_check: NTLM authentication not "
271 : "permitted by configuration.\n");
272 0 : return NT_STATUS_NTLM_BLOCKED;
273 : }
274 :
275 2215 : if (stored_nt == NULL) {
276 0 : DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
277 : username));
278 : }
279 :
280 2215 : if (client_nt && stored_nt) {
281 1975 : if (mem_equal_const_time(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash))) {
282 1323 : return NT_STATUS_OK;
283 : } else {
284 652 : DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
285 : username));
286 652 : return NT_STATUS_WRONG_PASSWORD;
287 : }
288 :
289 240 : } else if (client_lanman && stored_lanman) {
290 0 : if (!lanman_auth) {
291 0 : DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
292 : username));
293 0 : return NT_STATUS_WRONG_PASSWORD;
294 : }
295 0 : if (strchr_m(username, '@')) {
296 0 : return NT_STATUS_NOT_FOUND;
297 : }
298 :
299 0 : if (mem_equal_const_time(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash))) {
300 0 : return NT_STATUS_OK;
301 : } else {
302 0 : DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
303 : username));
304 0 : return NT_STATUS_WRONG_PASSWORD;
305 : }
306 : }
307 240 : if (strchr_m(username, '@')) {
308 54 : return NT_STATUS_NOT_FOUND;
309 : }
310 186 : return NT_STATUS_WRONG_PASSWORD;
311 : }
312 :
313 : /**
314 : * Check a challenge-response password against the value of the NT or
315 : * LM password hash.
316 : *
317 : * @param mem_ctx talloc context
318 : * @param challenge 8-byte challenge. If all zero, forces plaintext comparison
319 : * @param nt_response 'unicode' NT response to the challenge, or unicode password
320 : * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
321 : * @param username internal Samba username, for log messages
322 : * @param client_username username the client used
323 : * @param client_domain domain name the client used (may be mapped)
324 : * @param stored_lanman LANMAN ASCII password from our passdb or similar
325 : * @param stored_nt MD4 unicode password from our passdb or similar
326 : * @param user_sess_key User session key
327 : * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
328 : */
329 :
330 47518 : NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
331 : bool lanman_auth,
332 : enum ntlm_auth_level ntlm_auth,
333 : uint32_t logon_parameters,
334 : const DATA_BLOB *challenge,
335 : const DATA_BLOB *lm_response,
336 : const DATA_BLOB *nt_response,
337 : const char *username,
338 : const char *client_username,
339 : const char *client_domain,
340 : const struct samr_Password *stored_lanman,
341 : const struct samr_Password *stored_nt,
342 : DATA_BLOB *user_sess_key,
343 : DATA_BLOB *lm_sess_key)
344 : {
345 1414 : DATA_BLOB tmp_sess_key;
346 47518 : const char *upper_client_domain = NULL;
347 :
348 47518 : if (ntlm_auth == NTLM_AUTH_DISABLED) {
349 12 : DBG_WARNING("ntlm_password_check: NTLM authentication not "
350 : "permitted by configuration.\n");
351 12 : return NT_STATUS_NTLM_BLOCKED;
352 : }
353 :
354 47506 : if (client_domain != NULL) {
355 45742 : upper_client_domain = talloc_strdup_upper(mem_ctx, client_domain);
356 45742 : if (upper_client_domain == NULL) {
357 0 : return NT_STATUS_NO_MEMORY;
358 : }
359 : }
360 :
361 47506 : if (stored_nt == NULL) {
362 2 : DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
363 : username));
364 : }
365 :
366 47506 : *lm_sess_key = data_blob(NULL, 0);
367 47506 : *user_sess_key = data_blob(NULL, 0);
368 :
369 : /* Check for cleartext netlogon. Used by Exchange 5.5. */
370 47506 : if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
371 1179 : && challenge->length == 8
372 1179 : && (all_zero(challenge->data, challenge->length))) {
373 0 : struct samr_Password client_nt;
374 0 : struct samr_Password client_lm;
375 1164 : char *unix_pw = NULL;
376 0 : bool lm_ok;
377 1164 : size_t converted_size = 0;
378 :
379 1164 : DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
380 : username));
381 1164 : mdfour(client_nt.hash, nt_response->data, nt_response->length);
382 :
383 2106 : if (lm_response->length &&
384 942 : (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
385 942 : lm_response->data, lm_response->length,
386 : &unix_pw, &converted_size))) {
387 950 : if (E_deshash(unix_pw, client_lm.hash)) {
388 240 : lm_ok = true;
389 : } else {
390 702 : lm_ok = false;
391 : }
392 : } else {
393 222 : lm_ok = false;
394 : }
395 1164 : return hash_password_check(mem_ctx,
396 : lanman_auth,
397 : ntlm_auth,
398 : lm_ok ? &client_lm : NULL,
399 1164 : nt_response->length ? &client_nt : NULL,
400 : username,
401 : stored_lanman, stored_nt);
402 : }
403 :
404 46342 : if (nt_response->length != 0 && nt_response->length < 24) {
405 0 : DBG_NOTICE("invalid NT password length (%zu) for user %s\n",
406 : nt_response->length,
407 : username);
408 : }
409 :
410 46342 : if (nt_response->length > 24 && stored_nt) {
411 : /* We have the NT MD4 hash challenge available - see if we can
412 : use it
413 : */
414 41395 : DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n",
415 : client_domain ? client_domain : "<NULL>"));
416 41395 : if (smb_pwd_check_ntlmv2(mem_ctx,
417 : nt_response,
418 41395 : stored_nt->hash, challenge,
419 : client_username,
420 : client_domain,
421 : user_sess_key)) {
422 39655 : if (user_sess_key->length) {
423 39655 : *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
424 : }
425 39655 : return NT_STATUS_OK;
426 : }
427 :
428 1740 : DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n",
429 : upper_client_domain ? upper_client_domain : "<NULL>"));
430 1740 : if (smb_pwd_check_ntlmv2(mem_ctx,
431 : nt_response,
432 1739 : stored_nt->hash, challenge,
433 : client_username,
434 : upper_client_domain,
435 : user_sess_key)) {
436 0 : if (user_sess_key->length) {
437 0 : *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
438 : }
439 0 : return NT_STATUS_OK;
440 : }
441 :
442 1740 : DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
443 1777 : if (smb_pwd_check_ntlmv2(mem_ctx,
444 : nt_response,
445 1739 : stored_nt->hash, challenge,
446 : client_username,
447 : "",
448 : user_sess_key)) {
449 288 : if (user_sess_key->length) {
450 288 : *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
451 : }
452 288 : return NT_STATUS_OK;
453 : } else {
454 1452 : DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
455 : }
456 4947 : } else if (nt_response->length == 24 && stored_nt) {
457 3913 : if (ntlm_auth == NTLM_AUTH_ON
458 65 : || (ntlm_auth == NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {
459 : /* We have the NT MD4 hash challenge available - see if we can
460 : use it (ie. does it exist in the smbpasswd file).
461 : */
462 3850 : DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
463 3850 : if (smb_pwd_check_ntlmv1(mem_ctx,
464 : nt_response,
465 3850 : stored_nt->hash, challenge,
466 : user_sess_key)) {
467 : /* The LM session key for this response is not very secure,
468 : so use it only if we otherwise allow LM authentication */
469 :
470 2184 : if (lanman_auth && stored_lanman) {
471 417 : *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, MIN(8, user_sess_key->length));
472 : }
473 2184 : return NT_STATUS_OK;
474 : } else {
475 1666 : DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
476 : username));
477 1666 : return NT_STATUS_WRONG_PASSWORD;
478 : }
479 : } else {
480 63 : DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
481 : username));
482 : /* no return, because we might pick up LMv2 in the LM field */
483 : }
484 : }
485 :
486 2549 : if (lm_response->length == 0) {
487 120 : DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
488 : username));
489 120 : return NT_STATUS_WRONG_PASSWORD;
490 : }
491 :
492 2429 : if (lm_response->length < 24) {
493 0 : DBG_NOTICE("invalid LanMan password length (%zu) for "
494 : "user %s\n",
495 : nt_response->length, username);
496 0 : return NT_STATUS_WRONG_PASSWORD;
497 : }
498 :
499 2429 : if (!lanman_auth) {
500 2387 : DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
501 : username));
502 42 : } else if (!stored_lanman) {
503 0 : DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
504 : username));
505 42 : } else if (strchr_m(username, '@')) {
506 0 : DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
507 : username));
508 : } else {
509 42 : DEBUG(4,("ntlm_password_check: Checking LM password\n"));
510 42 : if (smb_pwd_check_ntlmv1(mem_ctx,
511 : lm_response,
512 42 : stored_lanman->hash, challenge,
513 : NULL)) {
514 : /* The session key for this response is still very odd.
515 : It not very secure, so use it only if we otherwise
516 : allow LM authentication */
517 :
518 14 : if (lanman_auth && stored_lanman) {
519 0 : uint8_t first_8_lm_hash[16];
520 14 : memcpy(first_8_lm_hash, stored_lanman->hash, 8);
521 14 : memset(first_8_lm_hash + 8, '\0', 8);
522 14 : *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
523 14 : *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
524 : }
525 14 : return NT_STATUS_OK;
526 : }
527 : }
528 :
529 2415 : if (!stored_nt) {
530 2 : DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
531 2 : return NT_STATUS_WRONG_PASSWORD;
532 : }
533 :
534 : /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
535 : - related to Win9X, legacy NAS pass-though authentication
536 : */
537 2413 : DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n",
538 : client_domain ? client_domain : "<NULL>"));
539 2413 : if (smb_pwd_check_ntlmv2(mem_ctx,
540 : lm_response,
541 2413 : stored_nt->hash, challenge,
542 : client_username,
543 : client_domain,
544 : &tmp_sess_key)) {
545 462 : if (nt_response->length > 24) {
546 : /* If NTLMv2 authentication has preceded us
547 : * (even if it failed), then use the session
548 : * key from that. See the RPC-SAMLOGON
549 : * torture test */
550 204 : smb_sess_key_ntlmv2(mem_ctx,
551 : nt_response,
552 204 : stored_nt->hash, challenge,
553 : client_username,
554 : client_domain,
555 : user_sess_key);
556 : } else {
557 : /* Otherwise, use the LMv2 session key */
558 258 : *user_sess_key = tmp_sess_key;
559 : }
560 462 : if (user_sess_key->length) {
561 462 : *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
562 : }
563 462 : return NT_STATUS_OK;
564 : }
565 :
566 1951 : DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n",
567 : upper_client_domain ? upper_client_domain : "<NULL>"));
568 1951 : if (smb_pwd_check_ntlmv2(mem_ctx,
569 : lm_response,
570 1947 : stored_nt->hash, challenge,
571 : client_username,
572 : upper_client_domain,
573 : &tmp_sess_key)) {
574 0 : if (nt_response->length > 24) {
575 : /* If NTLMv2 authentication has preceded us
576 : * (even if it failed), then use the session
577 : * key from that. See the RPC-SAMLOGON
578 : * torture test */
579 0 : smb_sess_key_ntlmv2(mem_ctx,
580 : nt_response,
581 0 : stored_nt->hash, challenge,
582 : client_username,
583 : upper_client_domain,
584 : user_sess_key);
585 : } else {
586 : /* Otherwise, use the LMv2 session key */
587 0 : *user_sess_key = tmp_sess_key;
588 : }
589 0 : if (user_sess_key->length) {
590 0 : *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
591 : }
592 0 : return NT_STATUS_OK;
593 : }
594 :
595 1951 : DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
596 1951 : if (smb_pwd_check_ntlmv2(mem_ctx,
597 : lm_response,
598 1947 : stored_nt->hash, challenge,
599 : client_username,
600 : "",
601 : &tmp_sess_key)) {
602 144 : if (nt_response->length > 24) {
603 : /* If NTLMv2 authentication has preceded us
604 : * (even if it failed), then use the session
605 : * key from that. See the RPC-SAMLOGON
606 : * torture test */
607 0 : smb_sess_key_ntlmv2(mem_ctx,
608 : nt_response,
609 0 : stored_nt->hash, challenge,
610 : client_username,
611 : "",
612 : user_sess_key);
613 : } else {
614 : /* Otherwise, use the LMv2 session key */
615 144 : *user_sess_key = tmp_sess_key;
616 : }
617 144 : if (user_sess_key->length) {
618 144 : *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
619 : }
620 144 : return NT_STATUS_OK;
621 : }
622 :
623 : /* Apparently NT accepts NT responses in the LM field
624 : - I think this is related to Win9X pass-though authentication
625 : */
626 1807 : DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
627 1807 : if (ntlm_auth == NTLM_AUTH_ON) {
628 1760 : if (smb_pwd_check_ntlmv1(mem_ctx,
629 : lm_response,
630 1759 : stored_nt->hash, challenge,
631 : NULL)) {
632 : /* The session key for this response is still very odd.
633 : It not very secure, so use it only if we otherwise
634 : allow LM authentication */
635 :
636 204 : if (lanman_auth && stored_lanman) {
637 0 : uint8_t first_8_lm_hash[16];
638 0 : memcpy(first_8_lm_hash, stored_lanman->hash, 8);
639 0 : memset(first_8_lm_hash + 8, '\0', 8);
640 0 : *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
641 0 : *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
642 : }
643 204 : return NT_STATUS_OK;
644 : }
645 1556 : DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
646 : } else {
647 47 : DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
648 : }
649 :
650 : /* Try and match error codes */
651 1603 : if (strchr_m(username, '@')) {
652 162 : return NT_STATUS_NOT_FOUND;
653 : }
654 1441 : return NT_STATUS_WRONG_PASSWORD;
655 : }
656 :
|
