Use standardized types in ntlm_check.c.
[kai/samba.git] / source3 / libsmb / ntlm_check.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Tridgell              1992-2000
5    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6    Copyright (C) Andrew Bartlett              2001-2003
7    Copyright (C) Gerald Carter                2003
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24
25 #undef DBGC_CLASS
26 #define DBGC_CLASS DBGC_AUTH
27
28 /****************************************************************************
29  Core of smb password checking routine.
30 ****************************************************************************/
31
32 static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
33                                  const uchar *part_passwd,
34                                  const DATA_BLOB *sec_blob,
35                                  DATA_BLOB *user_sess_key)
36 {
37         /* Finish the encryption of part_passwd. */
38         uchar p24[24];
39         
40         if (part_passwd == NULL) {
41                 DEBUG(10,("No password set - DISALLOWING access\n"));
42                 /* No password set - always false ! */
43                 return false;
44         }
45         
46         if (sec_blob->length != 8) {
47                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
48                           (unsigned long)sec_blob->length));
49                 return false;
50         }
51         
52         if (nt_response->length != 24) {
53                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
54                           (unsigned long)nt_response->length));
55                 return false;
56         }
57
58         SMBOWFencrypt(part_passwd, sec_blob->data, p24);
59         if (user_sess_key != NULL) {
60                 *user_sess_key = data_blob(NULL, 16);
61                 SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
62         }
63         
64         
65 #ifdef DEBUG_PASSWORD
66         DEBUG(100,("Part password (P16) was |\n"));
67         dump_data(100, part_passwd, 16);
68         DEBUGADD(100,("Password from client was |\n"));
69         dump_data(100, nt_response->data, nt_response->length);
70         DEBUGADD(100,("Given challenge was |\n"));
71         dump_data(100, sec_blob->data, sec_blob->length);
72         DEBUGADD(100,("Value from encryption was |\n"));
73         dump_data(100, p24, 24);
74 #endif
75         return (memcmp(p24, nt_response->data, 24) == 0);
76 }
77
78 /****************************************************************************
79  Core of smb password checking routine. (NTLMv2, LMv2)
80  Note:  The same code works with both NTLMv2 and LMv2.
81 ****************************************************************************/
82
83 static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
84                                  const uchar *part_passwd,
85                                  const DATA_BLOB *sec_blob,
86                                  const char *user, const char *domain,
87                                  bool upper_case_domain, /* should the domain be transformed into upper case? */
88                                  DATA_BLOB *user_sess_key)
89 {
90         /* Finish the encryption of part_passwd. */
91         uchar kr[16];
92         uchar value_from_encryption[16];
93         uchar client_response[16];
94         DATA_BLOB client_key_data;
95         bool res;
96
97         if (part_passwd == NULL) {
98                 DEBUG(10,("No password set - DISALLOWING access\n"));
99                 /* No password set - always False */
100                 return false;
101         }
102
103         if (sec_blob->length != 8) {
104                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
105                           (unsigned long)sec_blob->length));
106                 return false;
107         }
108         
109         if (ntv2_response->length < 24) {
110                 /* We MUST have more than 16 bytes, or the stuff below will go
111                    crazy.  No known implementation sends less than the 24 bytes
112                    for LMv2, let alone NTLMv2. */
113                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
114                           (unsigned long)ntv2_response->length));
115                 return false;
116         }
117
118         client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
119         /* 
120            todo:  should we be checking this for anything?  We can't for LMv2, 
121            but for NTLMv2 it is meant to contain the current time etc.
122         */
123
124         memcpy(client_response, ntv2_response->data, sizeof(client_response));
125
126         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
127                 return False;
128         }
129
130         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
131         if (user_sess_key != NULL) {
132                 *user_sess_key = data_blob(NULL, 16);
133                 SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
134         }
135
136 #if DEBUG_PASSWORD
137         DEBUG(100,("Part password (P16) was |\n"));
138         dump_data(100, part_passwd, 16);
139         DEBUGADD(100,("Password from client was |\n"));
140         dump_data(100, ntv2_response->data, ntv2_response->length);
141         DEBUGADD(100,("Variable data from client was |\n"));
142         dump_data(100, client_key_data.data, client_key_data.length);
143         DEBUGADD(100,("Given challenge was |\n"));
144         dump_data(100, sec_blob->data, sec_blob->length);
145         DEBUGADD(100,("Value from encryption was |\n"));
146         dump_data(100, value_from_encryption, 16);
147 #endif
148         data_blob_clear_free(&client_key_data);
149         res = (memcmp(value_from_encryption, client_response, 16) == 0);
150         if ((!res) && (user_sess_key != NULL))
151                 data_blob_clear_free(user_sess_key);
152         return res;
153 }
154
155 /**
156  * Check a challenge-response password against the value of the NT or
157  * LM password hash.
158  *
159  * @param mem_ctx talloc context
160  * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
161  * @param nt_response 'unicode' NT response to the challenge, or unicode password
162  * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
163  * @param username internal Samba username, for log messages
164  * @param client_username username the client used
165  * @param client_domain domain name the client used (may be mapped)
166  * @param nt_pw MD4 unicode password from our passdb or similar
167  * @param lm_pw LANMAN ASCII password from our passdb or similar
168  * @param user_sess_key User session key
169  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
170  */
171
172 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
173                              const DATA_BLOB *challenge,
174                              const DATA_BLOB *lm_response,
175                              const DATA_BLOB *nt_response,
176                              const DATA_BLOB *lm_interactive_pwd,
177                              const DATA_BLOB *nt_interactive_pwd,
178                              const char *username, 
179                              const char *client_username, 
180                              const char *client_domain,
181                              const uint8_t *lm_pw, const uint8_t *nt_pw, 
182                              DATA_BLOB *user_sess_key, 
183                              DATA_BLOB *lm_sess_key)
184 {
185         unsigned char zeros[8];
186
187         ZERO_STRUCT(zeros);
188
189         if (nt_pw == NULL) {
190                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
191                          username));
192         }
193
194         if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) { 
195                 if (nt_interactive_pwd->length != 16) {
196                         DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n", (int)nt_interactive_pwd->length,
197                                  username));
198                         return NT_STATUS_WRONG_PASSWORD;
199                 }
200
201                 if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
202                         if (user_sess_key) {
203                                 *user_sess_key = data_blob(NULL, 16);
204                                 SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
205                         }
206                         return NT_STATUS_OK;
207                 } else {
208                         DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
209                                  username));
210                         return NT_STATUS_WRONG_PASSWORD;
211                 }
212
213         } else if (lm_interactive_pwd && lm_interactive_pwd->length && lm_pw) { 
214                 if (lm_interactive_pwd->length != 16) {
215                         DEBUG(3,("ntlm_password_check: Interactive logon: Invalid LANMAN password length (%d) supplied for user %s\n", (int)lm_interactive_pwd->length,
216                                  username));
217                         return NT_STATUS_WRONG_PASSWORD;
218                 }
219
220                 if (!lp_lanman_auth()) {
221                         DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
222                                  username));
223                         return NT_STATUS_WRONG_PASSWORD;
224                 }
225
226                 if (memcmp(lm_interactive_pwd->data, lm_pw, 16) == 0) {
227                         return NT_STATUS_OK;
228                 } else {
229                         DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
230                                  username));
231                         return NT_STATUS_WRONG_PASSWORD;
232                 }
233         }
234
235         /* Check for cleartext netlogon. Used by Exchange 5.5. */
236         if (challenge->length == sizeof(zeros) && 
237             (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
238
239                 DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
240                          username));
241                 if (nt_pw && nt_response->length) {
242                         unsigned char pwhash[16];
243                         mdfour(pwhash, nt_response->data, nt_response->length);
244                         if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
245                                 return NT_STATUS_OK;
246                         } else {
247                                 DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n",
248                                          username));
249                                 return NT_STATUS_WRONG_PASSWORD;
250                         }
251
252                 } else if (!lp_lanman_auth()) {
253                         DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
254                                  username));
255
256                 } else if (lm_pw && lm_response->length) {
257                         uchar dospwd[14]; 
258                         uchar p16[16]; 
259                         ZERO_STRUCT(dospwd);
260                         
261                         memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
262                         /* Only the fisrt 14 chars are considered, password need not be null terminated. */
263
264                         /* we *might* need to upper-case the string here */
265                         E_P16((const unsigned char *)dospwd, p16);
266
267                         if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
268                                 return NT_STATUS_OK;
269                         } else {
270                                 DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n",
271                                          username));
272                                 return NT_STATUS_WRONG_PASSWORD;
273                         }
274                 } else {
275                         DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
276                         return NT_STATUS_WRONG_PASSWORD;
277                 }
278         }
279
280         if (nt_response->length != 0 && nt_response->length < 24) {
281                 DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n", 
282                          (unsigned long)nt_response->length, username));                
283         }
284         
285         if (nt_response->length >= 24 && nt_pw) {
286                 if (nt_response->length > 24) {
287                         /* We have the NT MD4 hash challenge available - see if we can
288                            use it 
289                         */
290                         DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
291                         if (smb_pwd_check_ntlmv2( nt_response, 
292                                                   nt_pw, challenge, 
293                                                   client_username, 
294                                                   client_domain,
295                                                   False,
296                                                   user_sess_key)) {
297                                 return NT_STATUS_OK;
298                         }
299                         
300                         DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
301                         if (smb_pwd_check_ntlmv2( nt_response, 
302                                                   nt_pw, challenge, 
303                                                   client_username, 
304                                                   client_domain,
305                                                   true,
306                                                   user_sess_key)) {
307                                 return NT_STATUS_OK;
308                         }
309                         
310                         DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
311                         if (smb_pwd_check_ntlmv2( nt_response, 
312                                                   nt_pw, challenge, 
313                                                   client_username, 
314                                                   "",
315                                                   False,
316                                                   user_sess_key)) {
317                                 return NT_STATUS_OK;
318                         } else {
319                                 DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
320                                 return NT_STATUS_WRONG_PASSWORD;
321                         }
322                 }
323
324                 if (lp_ntlm_auth()) {           
325                         /* We have the NT MD4 hash challenge available - see if we can
326                            use it (ie. does it exist in the smbpasswd file).
327                         */
328                         DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
329                         if (smb_pwd_check_ntlmv1(nt_response, 
330                                                  nt_pw, challenge,
331                                                  user_sess_key)) {
332                                 /* The LM session key for this response is not very secure, 
333                                    so use it only if we otherwise allow LM authentication */
334
335                                 if (lp_lanman_auth() && lm_pw) {
336                                         uint8_t first_8_lm_hash[16];
337                                         memcpy(first_8_lm_hash, lm_pw, 8);
338                                         memset(first_8_lm_hash + 8, '\0', 8);
339                                         if (lm_sess_key) {
340                                                 *lm_sess_key = data_blob(first_8_lm_hash, 16);
341                                         }
342                                 }
343                                 return NT_STATUS_OK;
344                         } else {
345                                 DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
346                                          username));
347                                 return NT_STATUS_WRONG_PASSWORD;
348                         }
349                 } else {
350                         DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
351                                  username));                    
352                         /* no return, becouse we might pick up LMv2 in the LM field */
353                 }
354         }
355         
356         if (lm_response->length == 0) {
357                 DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
358                          username));
359                 return NT_STATUS_WRONG_PASSWORD;
360         }
361         
362         if (lm_response->length < 24) {
363                 DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", 
364                          (unsigned long)nt_response->length, username));                
365                 return NT_STATUS_WRONG_PASSWORD;
366         }
367                 
368         if (!lp_lanman_auth()) {
369                 DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
370                          username));
371         } else if (!lm_pw) {
372                 DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
373                          username));
374         } else {
375                 DEBUG(4,("ntlm_password_check: Checking LM password\n"));
376                 if (smb_pwd_check_ntlmv1(lm_response, 
377                                          lm_pw, challenge,
378                                          NULL)) {
379                         uint8_t first_8_lm_hash[16];
380                         memcpy(first_8_lm_hash, lm_pw, 8);
381                         memset(first_8_lm_hash + 8, '\0', 8);
382                         if (user_sess_key) {
383                                 *user_sess_key = data_blob(first_8_lm_hash, 16);
384                         }
385
386                         if (lm_sess_key) {
387                                 *lm_sess_key = data_blob(first_8_lm_hash, 16);
388                         }
389                         return NT_STATUS_OK;
390                 }
391         }
392         
393         if (!nt_pw) {
394                 DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
395                 return NT_STATUS_WRONG_PASSWORD;
396         }
397         
398         /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
399            - related to Win9X, legacy NAS pass-though authentication
400         */
401         DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
402         if (smb_pwd_check_ntlmv2( lm_response, 
403                                   nt_pw, challenge, 
404                                   client_username,
405                                   client_domain,
406                                   False,
407                                   NULL)) {
408                 return NT_STATUS_OK;
409         }
410         
411         DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
412         if (smb_pwd_check_ntlmv2( lm_response, 
413                                   nt_pw, challenge, 
414                                   client_username,
415                                   client_domain,
416                                   true,
417                                   NULL)) {
418                 return NT_STATUS_OK;
419         }
420         
421         DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
422         if (smb_pwd_check_ntlmv2( lm_response, 
423                                   nt_pw, challenge, 
424                                   client_username,
425                                   "",
426                                   false,
427                                   NULL)) {
428                 return NT_STATUS_OK;
429         }
430
431         /* Apparently NT accepts NT responses in the LM field
432            - I think this is related to Win9X pass-though authentication
433         */
434         DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
435         if (lp_ntlm_auth()) {
436                 if (smb_pwd_check_ntlmv1(lm_response, 
437                                          nt_pw, challenge,
438                                          NULL)) {
439                         /* The session key for this response is still very odd.  
440                            It not very secure, so use it only if we otherwise 
441                            allow LM authentication */
442
443                         if (lp_lanman_auth() && lm_pw) {
444                                 uint8_t first_8_lm_hash[16];
445                                 memcpy(first_8_lm_hash, lm_pw, 8);
446                                 memset(first_8_lm_hash + 8, '\0', 8);
447                                 if (user_sess_key) {
448                                         *user_sess_key = data_blob(first_8_lm_hash, 16);
449                                 }
450
451                                 if (lm_sess_key) {
452                                         *lm_sess_key = data_blob(first_8_lm_hash, 16);
453                                 }
454                         }
455                         return NT_STATUS_OK;
456                 }
457                 DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
458         } else {
459                 DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
460         }
461         return NT_STATUS_WRONG_PASSWORD;
462 }
463