Context Navigation

source: vendor/3.6.0/libcli/auth/ntlm_check.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 20.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Password and authentication handling
4	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5	Copyright (C) Gerald Carter 2003
6	Copyright (C) Luke Kenneth Casson Leighton 1996-2000
7
8	This program is free software; you can redistribute it and/or modify
9	it under the terms of the GNU General Public License as published by
10	the Free Software Foundation; either version 3 of the License, or
11	(at your option) any later version.
12
13	This program is distributed in the hope that it will be useful,
14	but WITHOUT ANY WARRANTY; without even the implied warranty of
15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	GNU General Public License for more details.
17
18	You should have received a copy of the GNU General Public License
19	along with this program. If not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	#include "includes.h"
23	#include "../lib/crypto/crypto.h"
24	#include "librpc/gen_ndr/netlogon.h"
25	#include "libcli/auth/libcli_auth.h"
26
27	/****************************************************************************
28	Core of smb password checking routine.
29	****************************************************************************/
30
31	static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
32	const DATA_BLOB *nt_response,
33	const uint8_t *part_passwd,
34	const DATA_BLOB *sec_blob,
35	DATA_BLOB *user_sess_key)
36	{
37	/* Finish the encryption of part_passwd. */
38	uint8_t p24[24];
39
40	if (part_passwd == NULL) {
41	DEBUG(10,("No password set - DISALLOWING access\n"));
42	/* No password set - always false ! */
43	return false;
44	}
45
46	if (sec_blob->length != 8) {
47	DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n",
48	(unsigned long)sec_blob->length));
49	return false;
50	}
51
52	if (nt_response->length != 24) {
53	DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n",
54	(unsigned long)nt_response->length));
55	return false;
56	}
57
58	SMBOWFencrypt(part_passwd, sec_blob->data, p24);
59
60	#if DEBUG_PASSWORD
61	DEBUG(100,("Part password (P16) was \|\n"));
62	dump_data(100, part_passwd, 16);
63	DEBUGADD(100,("Password from client was \|\n"));
64	dump_data(100, nt_response->data, nt_response->length);
65	DEBUGADD(100,("Given challenge was \|\n"));
66	dump_data(100, sec_blob->data, sec_blob->length);
67	DEBUGADD(100,("Value from encryption was \|\n"));
68	dump_data(100, p24, 24);
69	#endif
70	if (memcmp(p24, nt_response->data, 24) == 0) {
71	if (user_sess_key != NULL) {
72	*user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
73	SMBsesskeygen_ntv1(part_passwd, user_sess_key->data);
74	}
75	return true;
76	}
77	return false;
78	}
79
80	/****************************************************************************
81	Core of smb password checking routine. (NTLMv2, LMv2)
82	Note: The same code works with both NTLMv2 and LMv2.
83	****************************************************************************/
84
85	static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
86	const DATA_BLOB *ntv2_response,
87	const uint8_t *part_passwd,
88	const DATA_BLOB *sec_blob,
89	const char user, const char domain,
90	bool upper_case_domain, /* should the domain be transformed into upper case? */
91	DATA_BLOB *user_sess_key)
92	{
93	/* Finish the encryption of part_passwd. */
94	uint8_t kr[16];
95	uint8_t value_from_encryption[16];
96	DATA_BLOB client_key_data;
97
98	if (part_passwd == NULL) {
99	DEBUG(10,("No password set - DISALLOWING access\n"));
100	/* No password set - always false */
101	return false;
102	}
103
104	if (sec_blob->length != 8) {
105	DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n",
106	(unsigned long)sec_blob->length));
107	return false;
108	}
109
110	if (ntv2_response->length < 24) {
111	/* We MUST have more than 16 bytes, or the stuff below will go
112	crazy. No known implementation sends less than the 24 bytes
113	for LMv2, let alone NTLMv2. */
114	DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n",
115	(unsigned long)ntv2_response->length));
116	return false;
117	}
118
119	client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
120	/*
121	todo: should we be checking this for anything? We can't for LMv2,
122	but for NTLMv2 it is meant to contain the current time etc.
123	*/
124
125	if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
126	return false;
127	}
128
129	SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
130
131	#if DEBUG_PASSWORD
132	DEBUG(100,("Part password (P16) was \|\n"));
133	dump_data(100, part_passwd, 16);
134	DEBUGADD(100,("Password from client was \|\n"));
135	dump_data(100, ntv2_response->data, ntv2_response->length);
136	DEBUGADD(100,("Variable data from client was \|\n"));
137	dump_data(100, client_key_data.data, client_key_data.length);
138	DEBUGADD(100,("Given challenge was \|\n"));
139	dump_data(100, sec_blob->data, sec_blob->length);
140	DEBUGADD(100,("Value from encryption was \|\n"));
141	dump_data(100, value_from_encryption, 16);
142	#endif
143	data_blob_clear_free(&client_key_data);
144	if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) {
145	if (user_sess_key != NULL) {
146	*user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
147	SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
148	}
149	return true;
150	}
151	return false;
152	}
153
154	/****************************************************************************
155	Core of smb password checking routine. (NTLMv2, LMv2)
156	Note: The same code works with both NTLMv2 and LMv2.
157	****************************************************************************/
158
159	static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
160	const DATA_BLOB *ntv2_response,
161	const uint8_t *part_passwd,
162	const DATA_BLOB *sec_blob,
163	const char user, const char domain,
164	bool upper_case_domain, /* should the domain be transformed into upper case? */
165	DATA_BLOB *user_sess_key)
166	{
167	/* Finish the encryption of part_passwd. */
168	uint8_t kr[16];
169	uint8_t value_from_encryption[16];
170	DATA_BLOB client_key_data;
171
172	if (part_passwd == NULL) {
173	DEBUG(10,("No password set - DISALLOWING access\n"));
174	/* No password set - always false */
175	return false;
176	}
177
178	if (sec_blob->length != 8) {
179	DEBUG(0, ("smb_sess_key_ntlmv2: incorrect challenge size (%lu)\n",
180	(unsigned long)sec_blob->length));
181	return false;
182	}
183
184	if (ntv2_response->length < 24) {
185	/* We MUST have more than 16 bytes, or the stuff below will go
186	crazy. No known implementation sends less than the 24 bytes
187	for LMv2, let alone NTLMv2. */
188	DEBUG(0, ("smb_sess_key_ntlmv2: incorrect password length (%lu)\n",
189	(unsigned long)ntv2_response->length));
190	return false;
191	}
192
193	client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
194
195	if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
196	return false;
197	}
198
199	SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
200	*user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
201	SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
202	return true;
203	}
204
205	/**
206	* Compare password hashes against those from the SAM
207	*
208	* @param mem_ctx talloc context
209	* @param client_lanman LANMAN password hash, as supplied by the client
210	* @param client_nt NT (MD4) password hash, as supplied by the client
211	* @param username internal Samba username, for log messages
212	* @param client_username username the client used
213	* @param client_domain domain name the client used (may be mapped)
214	* @param stored_lanman LANMAN password hash, as stored on the SAM
215	* @param stored_nt NT (MD4) password hash, as stored on the SAM
216	* @param user_sess_key User session key
217	* @param lm_sess_key LM session key (first 8 bytes of the LM hash)
218	*/
219
220	NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
221	bool lanman_auth,
222	const struct samr_Password *client_lanman,
223	const struct samr_Password *client_nt,
224	const char *username,
225	const struct samr_Password *stored_lanman,
226	const struct samr_Password *stored_nt)
227	{
228	if (stored_nt == NULL) {
229	DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
230	username));
231	}
232
233	if (client_nt && stored_nt) {
234	if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
235	return NT_STATUS_OK;
236	} else {
237	DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
238	username));
239	return NT_STATUS_WRONG_PASSWORD;
240	}
241
242	} else if (client_lanman && stored_lanman) {
243	if (!lanman_auth) {
244	DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
245	username));
246	return NT_STATUS_WRONG_PASSWORD;
247	}
248	if (strchr_m(username, '@')) {
249	return NT_STATUS_NOT_FOUND;
250	}
251
252	if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
253	return NT_STATUS_OK;
254	} else {
255	DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
256	username));
257	return NT_STATUS_WRONG_PASSWORD;
258	}
259	}
260	if (strchr_m(username, '@')) {
261	return NT_STATUS_NOT_FOUND;
262	}
263	return NT_STATUS_WRONG_PASSWORD;
264	}
265
266	/**
267	* Check a challenge-response password against the value of the NT or
268	* LM password hash.
269	*
270	* @param mem_ctx talloc context
271	* @param challenge 8-byte challenge. If all zero, forces plaintext comparison
272	* @param nt_response 'unicode' NT response to the challenge, or unicode password
273	* @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
274	* @param username internal Samba username, for log messages
275	* @param client_username username the client used
276	* @param client_domain domain name the client used (may be mapped)
277	* @param stored_lanman LANMAN ASCII password from our passdb or similar
278	* @param stored_nt MD4 unicode password from our passdb or similar
279	* @param user_sess_key User session key
280	* @param lm_sess_key LM session key (first 8 bytes of the LM hash)
281	*/
282
283	NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
284	bool lanman_auth,
285	bool ntlm_auth,
286	uint32_t logon_parameters,
287	const DATA_BLOB *challenge,
288	const DATA_BLOB *lm_response,
289	const DATA_BLOB *nt_response,
290	const char *username,
291	const char *client_username,
292	const char *client_domain,
293	const struct samr_Password *stored_lanman,
294	const struct samr_Password *stored_nt,
295	DATA_BLOB *user_sess_key,
296	DATA_BLOB *lm_sess_key)
297	{
298	const static uint8_t zeros[8];
299	DATA_BLOB tmp_sess_key;
300
301	if (stored_nt == NULL) {
302	DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
303	username));
304	}
305
306	*lm_sess_key = data_blob(NULL, 0);
307	*user_sess_key = data_blob(NULL, 0);
308
309	/* Check for cleartext netlogon. Used by Exchange 5.5. */
310	if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
311	&& challenge->length == sizeof(zeros)
312	&& (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
313	struct samr_Password client_nt;
314	struct samr_Password client_lm;
315	char *unix_pw = NULL;
316	bool lm_ok;
317
318	DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
319	username));
320	mdfour(client_nt.hash, nt_response->data, nt_response->length);
321
322	if (lm_response->length &&
323	(convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
324	lm_response->data, lm_response->length,
325	(void *)&unix_pw, NULL, false))) {
326	if (E_deshash(unix_pw, client_lm.hash)) {
327	lm_ok = true;
328	} else {
329	lm_ok = false;
330	}
331	} else {
332	lm_ok = false;
333	}
334	return hash_password_check(mem_ctx,
335	lanman_auth,
336	lm_ok ? &client_lm : NULL,
337	nt_response->length ? &client_nt : NULL,
338	username,
339	stored_lanman, stored_nt);
340	}
341
342	if (nt_response->length != 0 && nt_response->length < 24) {
343	DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n",
344	(unsigned long)nt_response->length, username));
345	}
346
347	if (nt_response->length > 24 && stored_nt) {
348	/* We have the NT MD4 hash challenge available - see if we can
349	use it
350	*/
351	DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
352	if (smb_pwd_check_ntlmv2(mem_ctx,
353	nt_response,
354	stored_nt->hash, challenge,
355	client_username,
356	client_domain,
357	false,
358	user_sess_key)) {
359	if (user_sess_key->length) {
360	*lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
361	}
362	return NT_STATUS_OK;
363	}
364
365	DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
366	if (smb_pwd_check_ntlmv2(mem_ctx,
367	nt_response,
368	stored_nt->hash, challenge,
369	client_username,
370	client_domain,
371	true,
372	user_sess_key)) {
373	if (user_sess_key->length) {
374	*lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
375	}
376	return NT_STATUS_OK;
377	}
378
379	DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
380	if (smb_pwd_check_ntlmv2(mem_ctx,
381	nt_response,
382	stored_nt->hash, challenge,
383	client_username,
384	"",
385	false,
386	user_sess_key)) {
387	if (user_sess_key->length) {
388	*lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
389	}
390	return NT_STATUS_OK;
391	} else {
392	DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
393	}
394	} else if (nt_response->length == 24 && stored_nt) {
395	if (ntlm_auth) {
396	/* We have the NT MD4 hash challenge available - see if we can
397	use it (ie. does it exist in the smbpasswd file).
398	*/
399	DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
400	if (smb_pwd_check_ntlmv1(mem_ctx,
401	nt_response,
402	stored_nt->hash, challenge,
403	user_sess_key)) {
404	/* The LM session key for this response is not very secure,
405	so use it only if we otherwise allow LM authentication */
406
407	if (lanman_auth && stored_lanman) {
408	*lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, MIN(8, user_sess_key->length));
409	}
410	return NT_STATUS_OK;
411	} else {
412	DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
413	username));
414	return NT_STATUS_WRONG_PASSWORD;
415	}
416	} else {
417	DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
418	username));
419	/* no return, because we might pick up LMv2 in the LM field */
420	}
421	}
422
423	if (lm_response->length == 0) {
424	DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
425	username));
426	return NT_STATUS_WRONG_PASSWORD;
427	}
428
429	if (lm_response->length < 24) {
430	DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n",
431	(unsigned long)nt_response->length, username));
432	return NT_STATUS_WRONG_PASSWORD;
433	}
434
435	if (!lanman_auth) {
436	DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
437	username));
438	} else if (!stored_lanman) {
439	DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
440	username));
441	} else if (strchr_m(username, '@')) {
442	DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
443	username));
444	} else {
445	DEBUG(4,("ntlm_password_check: Checking LM password\n"));
446	if (smb_pwd_check_ntlmv1(mem_ctx,
447	lm_response,
448	stored_lanman->hash, challenge,
449	NULL)) {
450	/* The session key for this response is still very odd.
451	It not very secure, so use it only if we otherwise
452	allow LM authentication */
453
454	if (lanman_auth && stored_lanman) {
455	uint8_t first_8_lm_hash[16];
456	memcpy(first_8_lm_hash, stored_lanman->hash, 8);
457	memset(first_8_lm_hash + 8, '\0', 8);
458	*user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
459	*lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
460	}
461	return NT_STATUS_OK;
462	}
463	}
464
465	if (!stored_nt) {
466	DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
467	return NT_STATUS_WRONG_PASSWORD;
468	}
469
470	/* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
471	- related to Win9X, legacy NAS pass-though authentication
472	*/
473	DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
474	if (smb_pwd_check_ntlmv2(mem_ctx,
475	lm_response,
476	stored_nt->hash, challenge,
477	client_username,
478	client_domain,
479	false,
480	&tmp_sess_key)) {
481	if (nt_response->length > 24) {
482	/* If NTLMv2 authentication has preceeded us
483	* (even if it failed), then use the session
484	* key from that. See the RPC-SAMLOGON
485	* torture test */
486	smb_sess_key_ntlmv2(mem_ctx,
487	nt_response,
488	stored_nt->hash, challenge,
489	client_username,
490	client_domain,
491	false,
492	user_sess_key);
493	} else {
494	/* Otherwise, use the LMv2 session key */
495	*user_sess_key = tmp_sess_key;
496	}
497	if (user_sess_key->length) {
498	*lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
499	}
500	return NT_STATUS_OK;
501	}
502
503	DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
504	if (smb_pwd_check_ntlmv2(mem_ctx,
505	lm_response,
506	stored_nt->hash, challenge,
507	client_username,
508	client_domain,
509	true,
510	&tmp_sess_key)) {
511	if (nt_response->length > 24) {
512	/* If NTLMv2 authentication has preceeded us
513	* (even if it failed), then use the session
514	* key from that. See the RPC-SAMLOGON
515	* torture test */
516	smb_sess_key_ntlmv2(mem_ctx,
517	nt_response,
518	stored_nt->hash, challenge,
519	client_username,
520	client_domain,
521	true,
522	user_sess_key);
523	} else {
524	/* Otherwise, use the LMv2 session key */
525	*user_sess_key = tmp_sess_key;
526	}
527	if (user_sess_key->length) {
528	*lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
529	}
530	return NT_STATUS_OK;
531	}
532
533	DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
534	if (smb_pwd_check_ntlmv2(mem_ctx,
535	lm_response,
536	stored_nt->hash, challenge,
537	client_username,
538	"",
539	false,
540	&tmp_sess_key)) {
541	if (nt_response->length > 24) {
542	/* If NTLMv2 authentication has preceeded us
543	* (even if it failed), then use the session
544	* key from that. See the RPC-SAMLOGON
545	* torture test */
546	smb_sess_key_ntlmv2(mem_ctx,
547	nt_response,
548	stored_nt->hash, challenge,
549	client_username,
550	"",
551	false,
552	user_sess_key);
553	} else {
554	/* Otherwise, use the LMv2 session key */
555	*user_sess_key = tmp_sess_key;
556	}
557	if (user_sess_key->length) {
558	*lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
559	}
560	return NT_STATUS_OK;
561	}
562
563	/* Apparently NT accepts NT responses in the LM field
564	- I think this is related to Win9X pass-though authentication
565	*/
566	DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
567	if (ntlm_auth) {
568	if (smb_pwd_check_ntlmv1(mem_ctx,
569	lm_response,
570	stored_nt->hash, challenge,
571	NULL)) {
572	/* The session key for this response is still very odd.
573	It not very secure, so use it only if we otherwise
574	allow LM authentication */
575
576	if (lanman_auth && stored_lanman) {
577	uint8_t first_8_lm_hash[16];
578	memcpy(first_8_lm_hash, stored_lanman->hash, 8);
579	memset(first_8_lm_hash + 8, '\0', 8);
580	*user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
581	*lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
582	}
583	return NT_STATUS_OK;
584	}
585	DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
586	} else {
587	DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
588	}
589
590	/* Try and match error codes */
591	if (strchr_m(username, '@')) {
592	return NT_STATUS_NOT_FOUND;
593	}
594	return NT_STATUS_WRONG_PASSWORD;
595	}
596

Note: See TracBrowser for help on using the repository browser.

Download in other formats: