source3/auth/auth_compat.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Password and authentication handling
   4    Copyright (C) Andrew Bartlett         2001-2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21
  22 extern struct auth_context *negprot_global_auth_context;
  23 extern bool global_encrypted_passwords_negotiated;
  24
  25 #undef DBGC_CLASS
  26 #define DBGC_CLASS DBGC_AUTH
  27
  28 /****************************************************************************
  29  COMPATIBILITY INTERFACES:
  30  ***************************************************************************/
  31
  32 /****************************************************************************
  33 check if a username/password is OK assuming the password is a 24 byte
  34 SMB hash
  35 return True if the password is correct, False otherwise
  36 ****************************************************************************/
  37
  38 NTSTATUS check_plaintext_password(const char *smb_name,
  39                                   DATA_BLOB plaintext_password,
  40                                   struct auth_serversupplied_info **server_info)
  41 {
  42         struct auth_context *plaintext_auth_context = NULL;
  43         struct auth_usersupplied_info *user_info = NULL;
  44         uint8_t chal[8];
  45         NTSTATUS nt_status;
  46         if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) {
  47                 return nt_status;
  48         }
  49
  50         plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context,
  51                                                    chal);
  52
  53         if (!make_user_info_for_reply(&user_info,
  54                                       smb_name, lp_workgroup(), chal,
  55                                       plaintext_password)) {
  56                 return NT_STATUS_NO_MEMORY;
  57         }
  58
  59         nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context,
  60                                                                 user_info, server_info);
  61
  62         TALLOC_FREE(plaintext_auth_context);
  63         free_user_info(&user_info);
  64         return nt_status;
  65 }
  66
  67 static NTSTATUS pass_check_smb(struct auth_context *actx,
  68                                const char *smb_name,
  69                                const char *domain,
  70                                DATA_BLOB lm_pwd,
  71                                DATA_BLOB nt_pwd,
  72                                DATA_BLOB plaintext_password,
  73                                bool encrypted)
  74
  75 {
  76         NTSTATUS nt_status;
  77         struct auth_serversupplied_info *server_info = NULL;
  78         if (encrypted) {
  79                 struct auth_usersupplied_info *user_info = NULL;
  80                 if (actx == NULL) {
  81                         return NT_STATUS_INTERNAL_ERROR;
  82                 }
  83                 make_user_info_for_reply_enc(&user_info, smb_name,
  84                                              domain,
  85                                              lm_pwd,
  86                                              nt_pwd);
  87                 nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
  88                 free_user_info(&user_info);
  89         } else {
  90                 nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info);
  91         }
  92         TALLOC_FREE(server_info);
  93         return nt_status;
  94 }
  95
  96 /****************************************************************************
  97 check if a username/password pair is ok via the auth subsystem.
  98 return True if the password is correct, False otherwise
  99 ****************************************************************************/
 100
 101 bool password_ok(struct auth_context *actx, bool global_encrypted,
 102                  const char *session_workgroup,
 103                  const char *smb_name, DATA_BLOB password_blob)
 104 {
 105
 106         DATA_BLOB null_password = data_blob_null;
 107         bool encrypted = (global_encrypted && (password_blob.length == 24 || password_blob.length > 46));
 108
 109         if (encrypted) {
 110                 /*
 111                  * The password could be either NTLM or plain LM.  Try NTLM first,
 112                  * but fall-through as required.
 113                  * Vista sends NTLMv2 here - we need to try the client given workgroup.
 114                  */
 115                 if (session_workgroup) {
 116                         if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob, null_password, encrypted))) {
 117                                 return True;
 118                         }
 119                         if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password, null_password, encrypted))) {
 120                                 return True;
 121                         }
 122                 }
 123
 124                 if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
 125                         return True;
 126                 }
 127
 128                 if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) {
 129                         return True;
 130                 }
 131         } else {
 132                 if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) {
 133                         return True;
 134                 }
 135         }
 136
 137         return False;
 138 }