2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "auth/auth.h"
26 #include "libcli/auth/libcli_auth.h"
27 #include "param/param.h"
28 #include "auth/ntlm/auth_proto.h"
29 #include "librpc/gen_ndr/drsuapi.h"
30 #include "dsdb/samdb/samdb.h"
32 /* this default function can be used by mostly all backends
33 * which don't want to set a challenge
35 NTSTATUS
auth_get_challenge_not_implemented(struct auth_method_context
*ctx
, TALLOC_CTX
*mem_ctx
, uint8_t chal
[8])
37 /* we don't want to set a challenge */
38 return NT_STATUS_NOT_IMPLEMENTED
;
41 /****************************************************************************
42 Create an auth_usersupplied_data structure after appropriate mapping.
43 ****************************************************************************/
45 NTSTATUS
encrypt_user_info(TALLOC_CTX
*mem_ctx
, struct auth4_context
*auth_context
,
46 enum auth_password_state to_state
,
47 const struct auth_usersupplied_info
*user_info_in
,
48 const struct auth_usersupplied_info
**user_info_encrypted
)
51 struct auth_usersupplied_info
*user_info_temp
;
53 case AUTH_PASSWORD_RESPONSE
:
54 switch (user_info_in
->password_state
) {
55 case AUTH_PASSWORD_PLAIN
:
57 const struct auth_usersupplied_info
*user_info_temp2
;
58 nt_status
= encrypt_user_info(mem_ctx
, auth_context
,
60 user_info_in
, &user_info_temp2
);
61 if (!NT_STATUS_IS_OK(nt_status
)) {
64 user_info_in
= user_info_temp2
;
67 case AUTH_PASSWORD_HASH
:
71 user_info_temp
= talloc_zero(mem_ctx
, struct auth_usersupplied_info
);
72 if (!user_info_temp
) {
73 return NT_STATUS_NO_MEMORY
;
75 if (!talloc_reference(user_info_temp
, user_info_in
)) {
76 return NT_STATUS_NO_MEMORY
;
78 *user_info_temp
= *user_info_in
;
79 user_info_temp
->mapped_state
= to_state
;
81 nt_status
= auth_get_challenge(auth_context
, chal
);
82 if (!NT_STATUS_IS_OK(nt_status
)) {
86 chall_blob
= data_blob_talloc(mem_ctx
, chal
, 8);
87 if (lpcfg_client_ntlmv2_auth(auth_context
->lp_ctx
)) {
88 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(mem_ctx
, lpcfg_netbios_name(auth_context
->lp_ctx
), lpcfg_workgroup(auth_context
->lp_ctx
));
89 DATA_BLOB lmv2_response
, ntlmv2_response
, lmv2_session_key
, ntlmv2_session_key
;
91 if (!SMBNTLMv2encrypt_hash(user_info_temp
,
92 user_info_in
->client
.account_name
,
93 user_info_in
->client
.domain_name
,
94 user_info_in
->password
.hash
.nt
->hash
,
96 NULL
, /* server_timestamp */
98 &lmv2_response
, &ntlmv2_response
,
99 &lmv2_session_key
, &ntlmv2_session_key
)) {
100 data_blob_free(&names_blob
);
101 return NT_STATUS_NO_MEMORY
;
103 data_blob_free(&names_blob
);
104 user_info_temp
->password
.response
.lanman
= lmv2_response
;
105 user_info_temp
->password
.response
.nt
= ntlmv2_response
;
107 data_blob_free(&lmv2_session_key
);
108 data_blob_free(&ntlmv2_session_key
);
110 DATA_BLOB blob
= data_blob_talloc(mem_ctx
, NULL
, 24);
111 SMBOWFencrypt(user_info_in
->password
.hash
.nt
->hash
, chal
, blob
.data
);
113 user_info_temp
->password
.response
.nt
= blob
;
114 if (lpcfg_client_lanman_auth(auth_context
->lp_ctx
) && user_info_in
->password
.hash
.lanman
) {
115 DATA_BLOB lm_blob
= data_blob_talloc(mem_ctx
, NULL
, 24);
116 SMBOWFencrypt(user_info_in
->password
.hash
.lanman
->hash
, chal
, blob
.data
);
117 user_info_temp
->password
.response
.lanman
= lm_blob
;
119 /* if not sending the LM password, send the NT password twice */
120 user_info_temp
->password
.response
.lanman
= user_info_temp
->password
.response
.nt
;
124 user_info_in
= user_info_temp
;
127 case AUTH_PASSWORD_RESPONSE
:
128 *user_info_encrypted
= user_info_in
;
131 case AUTH_PASSWORD_HASH
:
133 switch (user_info_in
->password_state
) {
134 case AUTH_PASSWORD_PLAIN
:
136 struct samr_Password lanman
;
137 struct samr_Password nt
;
139 user_info_temp
= talloc_zero(mem_ctx
, struct auth_usersupplied_info
);
140 if (!user_info_temp
) {
141 return NT_STATUS_NO_MEMORY
;
143 if (!talloc_reference(user_info_temp
, user_info_in
)) {
144 return NT_STATUS_NO_MEMORY
;
146 *user_info_temp
= *user_info_in
;
147 user_info_temp
->mapped_state
= to_state
;
149 if (E_deshash(user_info_in
->password
.plaintext
, lanman
.hash
)) {
150 user_info_temp
->password
.hash
.lanman
= talloc(user_info_temp
,
151 struct samr_Password
);
152 *user_info_temp
->password
.hash
.lanman
= lanman
;
154 user_info_temp
->password
.hash
.lanman
= NULL
;
157 E_md4hash(user_info_in
->password
.plaintext
, nt
.hash
);
158 user_info_temp
->password
.hash
.nt
= talloc(user_info_temp
,
159 struct samr_Password
);
160 *user_info_temp
->password
.hash
.nt
= nt
;
162 user_info_in
= user_info_temp
;
165 case AUTH_PASSWORD_HASH
:
166 *user_info_encrypted
= user_info_in
;
169 return NT_STATUS_INVALID_PARAMETER
;
175 return NT_STATUS_INVALID_PARAMETER
;