* Return the session keys used on the connection.
*/
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key)
+static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
auth_usersupplied_info *user_info = NULL;
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- if (auth_ntlmssp_state->server_info->nt_session_key.length) {
- DEBUG(10, ("Got NT session key of length %u\n", auth_ntlmssp_state->server_info->nt_session_key.length));
- *nt_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
- auth_ntlmssp_state->server_info->nt_session_key.data,
- auth_ntlmssp_state->server_info->nt_session_key.length);
+ if (auth_ntlmssp_state->server_info->user_session_key.length) {
+ DEBUG(10, ("Got NT session key of length %u\n", auth_ntlmssp_state->server_info->user_session_key.length));
+ *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
+ auth_ntlmssp_state->server_info->user_session_key.data,
+ auth_ntlmssp_state->server_info->user_session_key.length);
}
if (auth_ntlmssp_state->server_info->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n", auth_ntlmssp_state->server_info->lm_session_key.length));
return nt_status;
}
- (*server_info)->nt_session_key = user_sess_key;
+ (*server_info)->user_session_key = user_sess_key;
(*server_info)->lm_session_key = lm_sess_key;
return nt_status;
/* annoying, but the Guest really does have a session key,
and it is all zeros! */
- (*server_info)->nt_session_key = data_blob(zeros, sizeof(zeros));
+ (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
}
/* ensure we are never given NULL session keys */
if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) {
- (*server_info)->nt_session_key = data_blob(NULL, 0);
+ (*server_info)->user_session_key = data_blob(NULL, 0);
} else {
- (*server_info)->nt_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key));
+ (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key));
}
if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) {
SAFE_FREE((*server_info)->groups);
SAFE_FREE((*server_info)->unix_name);
data_blob_free(&(*server_info)->lm_session_key);
- data_blob_free(&(*server_info)->nt_session_key);
+ data_blob_free(&(*server_info)->user_session_key);
ZERO_STRUCT(**server_info);
}
SAFE_FREE(*server_info);
NT_USER_TOKEN *ptok;
- DATA_BLOB nt_session_key;
+ DATA_BLOB user_session_key;
DATA_BLOB lm_session_key;
uint32 sam_fill_level; /* How far is this structure filled? */
const DATA_BLOB request, DATA_BLOB *reply)
{
DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
- DATA_BLOB nt_session_key = data_blob(NULL, 0);
+ DATA_BLOB user_session_key = data_blob(NULL, 0);
DATA_BLOB lm_session_key = data_blob(NULL, 0);
DATA_BLOB session_key = data_blob(NULL, 0);
uint32 ntlmssp_command, auth_flags;
/* Finally, actually ask if the password is OK */
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state,
- &nt_session_key, &lm_session_key))) {
+ &user_session_key, &lm_session_key))) {
data_blob_free(&encrypted_session_key);
return nt_status;
}
- dump_data_pw("NT session key:\n", nt_session_key.data, nt_session_key.length);
+ dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
/* Handle the different session key derivation for NTLM2 */
if (doing_ntlm2) {
- if (nt_session_key.data && nt_session_key.length == 16) {
+ if (user_session_key.data && user_session_key.length == 16) {
session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
- hmac_md5(nt_session_key.data, session_nonce,
+ hmac_md5(user_session_key.data, session_nonce,
sizeof(session_nonce), session_key.data);
DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
session_key = data_blob(NULL, 0);
}
- } else if (nt_session_key.data) {
- session_key = nt_session_key;
+ } else if (user_session_key.data) {
+ session_key = user_session_key;
DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
} else if (lm_session_key.data) {
uchar nt_hash[16];
uchar session_nonce[16];
uchar session_nonce_hash[16];
- uchar nt_session_key[16];
+ uchar user_session_key[16];
E_md4hash(ntlmssp_state->password, nt_hash);
lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
- SMBsesskeygen_ntv1(nt_hash, NULL, nt_session_key);
- hmac_md5(nt_session_key, session_nonce, sizeof(session_nonce), session_key.data);
+ SMBsesskeygen_ntv1(nt_hash, NULL, user_session_key);
+ hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
} else {
const DATA_BLOB *server_chal,
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
- DATA_BLOB *nt_session_key)
+ DATA_BLOB *user_session_key)
{
uchar nt_hash[16];
uchar ntlm_v2_hash[16];
if (nt_response) {
*nt_response = NTLMv2_generate_response(ntlm_v2_hash, server_chal,
names_blob);
- if (nt_session_key) {
- *nt_session_key = data_blob(NULL, 16);
+ if (user_session_key) {
+ *user_session_key = data_blob(NULL, 16);
/* The NTLMv2 calculations also provide a session key, for signing etc later */
/* use only the first 16 bytes of nt_response for session key */
- SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, nt_session_key->data);
+ SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, user_session_key->data);
}
}
#define WBFLAG_PAM_INFO3_NDR 0x0001
#define WBFLAG_PAM_INFO3_TEXT 0x0002
-#define WBFLAG_PAM_NTKEY 0x0004
+#define WBFLAG_PAM_USER_SESSION_KEY 0x0004
#define WBFLAG_PAM_LMKEY 0x0008
#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
#define WBFLAG_QUERY_ONLY 0x0020
fstring nt_status_string;
fstring error_string;
int pam_error;
- char nt_session_key[16];
+ char user_session_key[16];
char first_8_lm_hash[8];
} auth;
uint32 rid; /* create user or group */
state->response.length += strlen(state->response.extra_data)+1;
}
- if (state->request.flags & WBFLAG_PAM_NTKEY) {
- memcpy(state->response.data.auth.nt_session_key, info3.user_sess_key, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
+ if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
+ memcpy(state->response.data.auth.user_session_key, info3.user_sess_key, sizeof(state->response.data.auth.user_session_key) /* 16 */);
}
if (state->request.flags & WBFLAG_PAM_LMKEY) {
memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
uint16 logon_count, uint16 bad_pw_count,
uint32 num_groups, const DOM_GID *gids,
- uint32 user_flgs, uchar nt_session_key[16],
+ uint32 user_flgs, uchar user_session_key[16],
uchar lm_session_key[16],
const char *logon_srv, const char *logon_dom,
const DOM_SID *dom_sid, const char *other_sids)
usr->buffer_groups = 1; /* indicates fill in groups, below, even if there are none */
usr->user_flgs = user_flgs;
- if (nt_session_key != NULL)
- memcpy(usr->user_sess_key, nt_session_key, sizeof(usr->user_sess_key));
+ if (user_session_key != NULL)
+ memcpy(usr->user_sess_key, user_session_key, sizeof(usr->user_sess_key));
else
memset((char *)usr->user_sess_key, '\0', sizeof(usr->user_sess_key));
pstring my_name;
fstring user_sid_string;
fstring group_sid_string;
- uchar nt_session_key[16];
+ uchar user_session_key[16];
uchar lm_session_key[16];
uchar netlogon_sess_key[16];
ZERO_STRUCT(netlogon_sess_key);
memcpy(netlogon_sess_key, p->dc.sess_key, 8);
- if (server_info->nt_session_key.length) {
- memcpy(nt_session_key, server_info->nt_session_key.data,
- MIN(sizeof(nt_session_key), server_info->nt_session_key.length));
- SamOEMhash(nt_session_key, netlogon_sess_key, 16);
+ if (server_info->user_session_key.length) {
+ memcpy(user_session_key, server_info->user_session_key.data,
+ MIN(sizeof(user_session_key), server_info->user_session_key.length));
+ SamOEMhash(user_session_key, netlogon_sess_key, 16);
}
if (server_info->lm_session_key.length) {
memcpy(lm_session_key, server_info->lm_session_key.data,
num_gids, /* uint32 num_groups */
gids , /* DOM_GID *gids */
0x20 , /* uint32 user_flgs (?) */
- server_info->nt_session_key.length ? nt_session_key : NULL,
+ server_info->user_session_key.length ? user_session_key : NULL,
server_info->lm_session_key.length ? lm_session_key : NULL,
my_name , /* char *logon_srv */
pdb_get_domain(sampw),
/* Should be users domain sid, not servers - for trusted domains */
NULL); /* char *other_sids */
- ZERO_STRUCT(nt_session_key);
+ ZERO_STRUCT(user_session_key);
ZERO_STRUCT(lm_session_key);
}
free_server_info(&server_info);
return ERROR_NT(nt_status_squash(nt_status));
}
- if (server_info->nt_session_key.data) {
- session_key = data_blob(server_info->nt_session_key.data, server_info->nt_session_key.length);
+ if (server_info->user_session_key.data) {
+ session_key = data_blob(server_info->user_session_key.data, server_info->user_session_key.length);
} else {
session_key = data_blob(NULL, 0);
}
memcpy(lm_key, response.data.auth.first_8_lm_hash,
sizeof(response.data.auth.first_8_lm_hash));
}
- if ((flags & WBFLAG_PAM_NTKEY) && nt_key
- && (memcmp(zeros, response.data.auth.nt_session_key,
- sizeof(response.data.auth.nt_session_key)) != 0)) {
- memcpy(nt_key, response.data.auth.nt_session_key,
- sizeof(response.data.auth.nt_session_key));
+ if ((flags & WBFLAG_PAM_USER_SESSION_KEY) && nt_key
+ && (memcmp(zeros, response.data.auth.user_session_key,
+ sizeof(response.data.auth.user_session_key)) != 0)) {
+ memcpy(nt_key, response.data.auth.user_session_key,
+ sizeof(response.data.auth.user_session_key));
}
if (flags & WBFLAG_PAM_UNIX_NAME) {
return nt_status;
}
-static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key)
+static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
static const char zeros[16];
NTSTATUS nt_status;
&ntlmssp_state->chal,
&ntlmssp_state->lm_resp,
&ntlmssp_state->nt_resp,
- WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY | WBFLAG_PAM_UNIX_NAME,
+ WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
lm_key, nt_key,
&error_string, &unix_name);
}
if (memcmp(nt_key, zeros, 16) != 0) {
- *nt_session_key = data_blob(nt_key, 16);
+ *user_session_key = data_blob(nt_key, 16);
}
ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name);
SAFE_FREE(unix_name);
return nt_status;
}
-static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key)
+static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
static const char zeros[16];
NTSTATUS nt_status;
ntlmssp_state->user,
ntlmssp_state->user,
ntlmssp_state->domain,
- lm_pw, nt_pw, nt_session_key, lm_session_key);
+ lm_pw, nt_pw, user_session_key, lm_session_key);
if (NT_STATUS_IS_OK(nt_status)) {
if (memcmp(lm_key, zeros, 8) != 0) {
}
if (memcmp(nt_key, zeros, 16) != 0) {
- *nt_session_key = data_blob(nt_key, 16);
+ *user_session_key = data_blob(nt_key, 16);
}
ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, "%s%c%s", ntlmssp_state->domain, *lp_winbind_separator(), ntlmssp_state->user);
} else {
flags |= WBFLAG_PAM_LMKEY;
if (request_nt_key)
- flags |= WBFLAG_PAM_NTKEY;
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
ZERO_STRUCT(nt_key);
flags |= WBFLAG_PAM_LMKEY;
- flags |= WBFLAG_PAM_NTKEY;
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
SMBencrypt(opt_password,chall.data,lm_response.data);
E_deshash(opt_password, lm_hash);
ZERO_STRUCT(nt_key);
flags |= WBFLAG_PAM_LMKEY;
- flags |= WBFLAG_PAM_NTKEY;
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
SMBNTencrypt(opt_password,chall.data,nt_response.data);
ZERO_STRUCT(nt_key);
flags |= WBFLAG_PAM_LMKEY;
- flags |= WBFLAG_PAM_NTKEY;
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
SMBNTencrypt(opt_password,chall.data,nt_response.data);
E_md4hash(opt_password, (unsigned char *)nt_hash);
uint32 flags = 0;
DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
DATA_BLOB lmv2_response = data_blob(NULL, 0);
- DATA_BLOB nt_session_key = data_blob(NULL, 0);
+ DATA_BLOB user_session_key = data_blob(NULL, 0);
DATA_BLOB names_blob = NTLMv2_generate_names_blob(get_winbind_netbios_name(), get_winbind_domain());
uchar nt_key[16];
ZERO_STRUCT(nt_key);
- flags |= WBFLAG_PAM_NTKEY;
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
if (!SMBNTLMv2encrypt(opt_username, opt_domain, opt_password, &chall,
&names_blob,
&lmv2_response, &ntlmv2_response,
- &nt_session_key)) {
+ &user_session_key)) {
data_blob_free(&names_blob);
return False;
}
return break_which == BREAK_NT;
}
- if (break_which != NO_NT && break_which != BREAK_NT && memcmp(nt_session_key.data, nt_key,
+ if (break_which != NO_NT && break_which != BREAK_NT && memcmp(user_session_key.data, nt_key,
sizeof(nt_key)) != 0) {
- DEBUG(1, ("NT Session Key does not match expectations!\n"));
+ DEBUG(1, ("USER Session Key does not match expectations!\n"));
DEBUG(1, ("nt_key:\n"));
dump_data(1, (const char *)nt_key, 16);
DEBUG(1, ("expected:\n"));
- dump_data(1, (const char *)nt_session_key.data, nt_session_key.length);
+ dump_data(1, (const char *)user_session_key.data, user_session_key.length);
pass = False;
}
return pass;
ZERO_STRUCT(nt_key);
- flags |= WBFLAG_PAM_NTKEY;
flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
if ((push_ucs2_allocate((smb_ucs2_t **)&nt_response.data, opt_password)) == -1) {
DEBUG(0, ("push_ucs2_allocate failed!\n"));
git.samba.org / amitay / samba.git / commitdiff