RIP BOOL. Convert BOOL -> bool. I found a few interesting
[nivanova/samba-autobuild/.git] / source3 / libsmb / ntlm_check.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Tridgell              1992-2000
5    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6    Copyright (C) Andrew Bartlett              2001-2003
7    Copyright (C) Gerald Carter                2003
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24
25 #undef DBGC_CLASS
26 #define DBGC_CLASS DBGC_AUTH
27
28 /****************************************************************************
29  Core of smb password checking routine.
30 ****************************************************************************/
31
32 static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
33                                  const uchar *part_passwd,
34                                  const DATA_BLOB *sec_blob,
35                                  DATA_BLOB *user_sess_key)
36 {
37         /* Finish the encryption of part_passwd. */
38         uchar p24[24];
39         
40         if (part_passwd == NULL) {
41                 DEBUG(10,("No password set - DISALLOWING access\n"));
42                 /* No password set - always false ! */
43                 return False;
44         }
45         
46         if (sec_blob->length != 8) {
47                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
48                           (unsigned long)sec_blob->length));
49                 return False;
50         }
51         
52         if (nt_response->length != 24) {
53                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
54                           (unsigned long)nt_response->length));
55                 return False;
56         }
57
58         SMBOWFencrypt(part_passwd, sec_blob->data, p24);
59         if (user_sess_key != NULL) {
60                 *user_sess_key = data_blob(NULL, 16);
61                 SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
62         }
63         
64         
65 #ifdef DEBUG_PASSWORD
66         DEBUG(100,("Part password (P16) was |\n"));
67         dump_data(100, part_passwd, 16);
68         DEBUGADD(100,("Password from client was |\n"));
69         dump_data(100, nt_response->data, nt_response->length);
70         DEBUGADD(100,("Given challenge was |\n"));
71         dump_data(100, sec_blob->data, sec_blob->length);
72         DEBUGADD(100,("Value from encryption was |\n"));
73         dump_data(100, p24, 24);
74 #endif
75         return (memcmp(p24, nt_response->data, 24) == 0);
76 }
77
78 /****************************************************************************
79  Core of smb password checking routine. (NTLMv2, LMv2)
80  Note:  The same code works with both NTLMv2 and LMv2.
81 ****************************************************************************/
82
83 static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
84                                  const uchar *part_passwd,
85                                  const DATA_BLOB *sec_blob,
86                                  const char *user, const char *domain,
87                                  bool upper_case_domain, /* should the domain be transformed into upper case? */
88                                  DATA_BLOB *user_sess_key)
89 {
90         /* Finish the encryption of part_passwd. */
91         uchar kr[16];
92         uchar value_from_encryption[16];
93         uchar client_response[16];
94         DATA_BLOB client_key_data;
95         bool res;
96
97         if (part_passwd == NULL) {
98                 DEBUG(10,("No password set - DISALLOWING access\n"));
99                 /* No password set - always False */
100                 return False;
101         }
102
103         if (sec_blob->length != 8) {
104                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
105                           (unsigned long)sec_blob->length));
106                 return False;
107         }
108         
109         if (ntv2_response->length < 24) {
110                 /* We MUST have more than 16 bytes, or the stuff below will go
111                    crazy.  No known implementation sends less than the 24 bytes
112                    for LMv2, let alone NTLMv2. */
113                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
114                           (unsigned long)ntv2_response->length));
115                 return False;
116         }
117
118         client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
119         /* 
120            todo:  should we be checking this for anything?  We can't for LMv2, 
121            but for NTLMv2 it is meant to contain the current time etc.
122         */
123
124         memcpy(client_response, ntv2_response->data, sizeof(client_response));
125
126         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
127                 return False;
128         }
129
130         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
131         if (user_sess_key != NULL) {
132                 *user_sess_key = data_blob(NULL, 16);
133                 SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
134         }
135
136 #if DEBUG_PASSWORD
137         DEBUG(100,("Part password (P16) was |\n"));
138         dump_data(100, part_passwd, 16);
139         DEBUGADD(100,("Password from client was |\n"));
140         dump_data(100, ntv2_response->data, ntv2_response->length);
141         DEBUGADD(100,("Variable data from client was |\n"));
142         dump_data(100, client_key_data.data, client_key_data.length);
143         DEBUGADD(100,("Given challenge was |\n"));
144         dump_data(100, sec_blob->data, sec_blob->length);
145         DEBUGADD(100,("Value from encryption was |\n"));
146         dump_data(100, value_from_encryption, 16);
147 #endif
148         data_blob_clear_free(&client_key_data);
149         res = (memcmp(value_from_encryption, client_response, 16) == 0);
150         if ((!res) && (user_sess_key != NULL))
151                 data_blob_clear_free(user_sess_key);
152         return res;
153 }
154
155 /**
156  * Check a challenge-response password against the value of the NT or
157  * LM password hash.
158  *
159  * @param mem_ctx talloc context
160  * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
161  * @param nt_response 'unicode' NT response to the challenge, or unicode password
162  * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
163  * @param username internal Samba username, for log messages
164  * @param client_username username the client used
165  * @param client_domain domain name the client used (may be mapped)
166  * @param nt_pw MD4 unicode password from our passdb or similar
167  * @param lm_pw LANMAN ASCII password from our passdb or similar
168  * @param user_sess_key User session key
169  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
170  */
171
172 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
173                              const DATA_BLOB *challenge,
174                              const DATA_BLOB *lm_response,
175                              const DATA_BLOB *nt_response,
176                              const DATA_BLOB *lm_interactive_pwd,
177                              const DATA_BLOB *nt_interactive_pwd,
178                              const char *username, 
179                              const char *client_username, 
180                              const char *client_domain,
181                              const uint8 *lm_pw, const uint8 *nt_pw, 
182                              DATA_BLOB *user_sess_key, 
183                              DATA_BLOB *lm_sess_key)
184 {
185         static const unsigned char zeros[8] = { 0, };
186         if (nt_pw == NULL) {
187                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
188                          username));
189         }
190
191         if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) { 
192                 if (nt_interactive_pwd->length != 16) {
193                         DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n", (int)nt_interactive_pwd->length,
194                                  username));
195                         return NT_STATUS_WRONG_PASSWORD;
196                 }
197
198                 if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
199                         if (user_sess_key) {
200                                 *user_sess_key = data_blob(NULL, 16);
201                                 SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
202                         }
203                         return NT_STATUS_OK;
204                 } else {
205                         DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
206                                  username));
207                         return NT_STATUS_WRONG_PASSWORD;
208                 }
209
210         } else if (lm_interactive_pwd && lm_interactive_pwd->length && lm_pw) { 
211                 if (lm_interactive_pwd->length != 16) {
212                         DEBUG(3,("ntlm_password_check: Interactive logon: Invalid LANMAN password length (%d) supplied for user %s\n", (int)lm_interactive_pwd->length,
213                                  username));
214                         return NT_STATUS_WRONG_PASSWORD;
215                 }
216
217                 if (!lp_lanman_auth()) {
218                         DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
219                                  username));
220                         return NT_STATUS_WRONG_PASSWORD;
221                 }
222
223                 if (memcmp(lm_interactive_pwd->data, lm_pw, 16) == 0) {
224                         return NT_STATUS_OK;
225                 } else {
226                         DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
227                                  username));
228                         return NT_STATUS_WRONG_PASSWORD;
229                 }
230         }
231
232         /* Check for cleartext netlogon. Used by Exchange 5.5. */
233         if (challenge->length == sizeof(zeros) && 
234             (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
235
236                 DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
237                          username));
238                 if (nt_pw && nt_response->length) {
239                         unsigned char pwhash[16];
240                         mdfour(pwhash, nt_response->data, nt_response->length);
241                         if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
242                                 return NT_STATUS_OK;
243                         } else {
244                                 DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n",
245                                          username));
246                                 return NT_STATUS_WRONG_PASSWORD;
247                         }
248
249                 } else if (!lp_lanman_auth()) {
250                         DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
251                                  username));
252
253                 } else if (lm_pw && lm_response->length) {
254                         uchar dospwd[14]; 
255                         uchar p16[16]; 
256                         ZERO_STRUCT(dospwd);
257                         
258                         memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
259                         /* Only the fisrt 14 chars are considered, password need not be null terminated. */
260
261                         /* we *might* need to upper-case the string here */
262                         E_P16((const unsigned char *)dospwd, p16);
263
264                         if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
265                                 return NT_STATUS_OK;
266                         } else {
267                                 DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n",
268                                          username));
269                                 return NT_STATUS_WRONG_PASSWORD;
270                         }
271                 } else {
272                         DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
273                         return NT_STATUS_WRONG_PASSWORD;
274                 }
275         }
276
277         if (nt_response->length != 0 && nt_response->length < 24) {
278                 DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n", 
279                          (unsigned long)nt_response->length, username));                
280         }
281         
282         if (nt_response->length >= 24 && nt_pw) {
283                 if (nt_response->length > 24) {
284                         /* We have the NT MD4 hash challenge available - see if we can
285                            use it 
286                         */
287                         DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
288                         if (smb_pwd_check_ntlmv2( nt_response, 
289                                                   nt_pw, challenge, 
290                                                   client_username, 
291                                                   client_domain,
292                                                   False,
293                                                   user_sess_key)) {
294                                 return NT_STATUS_OK;
295                         }
296                         
297                         DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
298                         if (smb_pwd_check_ntlmv2( nt_response, 
299                                                   nt_pw, challenge, 
300                                                   client_username, 
301                                                   client_domain,
302                                                   True,
303                                                   user_sess_key)) {
304                                 return NT_STATUS_OK;
305                         }
306                         
307                         DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
308                         if (smb_pwd_check_ntlmv2( nt_response, 
309                                                   nt_pw, challenge, 
310                                                   client_username, 
311                                                   "",
312                                                   False,
313                                                   user_sess_key)) {
314                                 return NT_STATUS_OK;
315                         } else {
316                                 DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
317                                 return NT_STATUS_WRONG_PASSWORD;
318                         }
319                 }
320
321                 if (lp_ntlm_auth()) {           
322                         /* We have the NT MD4 hash challenge available - see if we can
323                            use it (ie. does it exist in the smbpasswd file).
324                         */
325                         DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
326                         if (smb_pwd_check_ntlmv1(nt_response, 
327                                                  nt_pw, challenge,
328                                                  user_sess_key)) {
329                                 /* The LM session key for this response is not very secure, 
330                                    so use it only if we otherwise allow LM authentication */
331
332                                 if (lp_lanman_auth() && lm_pw) {
333                                         uint8 first_8_lm_hash[16];
334                                         memcpy(first_8_lm_hash, lm_pw, 8);
335                                         memset(first_8_lm_hash + 8, '\0', 8);
336                                         if (lm_sess_key) {
337                                                 *lm_sess_key = data_blob(first_8_lm_hash, 16);
338                                         }
339                                 }
340                                 return NT_STATUS_OK;
341                         } else {
342                                 DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
343                                          username));
344                                 return NT_STATUS_WRONG_PASSWORD;
345                         }
346                 } else {
347                         DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
348                                  username));                    
349                         /* no return, becouse we might pick up LMv2 in the LM field */
350                 }
351         }
352         
353         if (lm_response->length == 0) {
354                 DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
355                          username));
356                 return NT_STATUS_WRONG_PASSWORD;
357         }
358         
359         if (lm_response->length < 24) {
360                 DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", 
361                          (unsigned long)nt_response->length, username));                
362                 return NT_STATUS_WRONG_PASSWORD;
363         }
364                 
365         if (!lp_lanman_auth()) {
366                 DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
367                          username));
368         } else if (!lm_pw) {
369                 DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
370                          username));
371         } else {
372                 DEBUG(4,("ntlm_password_check: Checking LM password\n"));
373                 if (smb_pwd_check_ntlmv1(lm_response, 
374                                          lm_pw, challenge,
375                                          NULL)) {
376                         uint8 first_8_lm_hash[16];
377                         memcpy(first_8_lm_hash, lm_pw, 8);
378                         memset(first_8_lm_hash + 8, '\0', 8);
379                         if (user_sess_key) {
380                                 *user_sess_key = data_blob(first_8_lm_hash, 16);
381                         }
382
383                         if (lm_sess_key) {
384                                 *lm_sess_key = data_blob(first_8_lm_hash, 16);
385                         }
386                         return NT_STATUS_OK;
387                 }
388         }
389         
390         if (!nt_pw) {
391                 DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
392                 return NT_STATUS_WRONG_PASSWORD;
393         }
394         
395         /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
396            - related to Win9X, legacy NAS pass-though authentication
397         */
398         DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
399         if (smb_pwd_check_ntlmv2( lm_response, 
400                                   nt_pw, challenge, 
401                                   client_username,
402                                   client_domain,
403                                   False,
404                                   NULL)) {
405                 return NT_STATUS_OK;
406         }
407         
408         DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
409         if (smb_pwd_check_ntlmv2( lm_response, 
410                                   nt_pw, challenge, 
411                                   client_username,
412                                   client_domain,
413                                   True,
414                                   NULL)) {
415                 return NT_STATUS_OK;
416         }
417         
418         DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
419         if (smb_pwd_check_ntlmv2( lm_response, 
420                                   nt_pw, challenge, 
421                                   client_username,
422                                   "",
423                                   False,
424                                   NULL)) {
425                 return NT_STATUS_OK;
426         }
427
428         /* Apparently NT accepts NT responses in the LM field
429            - I think this is related to Win9X pass-though authentication
430         */
431         DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
432         if (lp_ntlm_auth()) {
433                 if (smb_pwd_check_ntlmv1(lm_response, 
434                                          nt_pw, challenge,
435                                          NULL)) {
436                         /* The session key for this response is still very odd.  
437                            It not very secure, so use it only if we otherwise 
438                            allow LM authentication */
439
440                         if (lp_lanman_auth() && lm_pw) {
441                                 uint8 first_8_lm_hash[16];
442                                 memcpy(first_8_lm_hash, lm_pw, 8);
443                                 memset(first_8_lm_hash + 8, '\0', 8);
444                                 if (user_sess_key) {
445                                         *user_sess_key = data_blob(first_8_lm_hash, 16);
446                                 }
447
448                                 if (lm_sess_key) {
449                                         *lm_sess_key = data_blob(first_8_lm_hash, 16);
450                                 }
451                         }
452                         return NT_STATUS_OK;
453                 }
454                 DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
455         } else {
456                 DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
457         }
458         return NT_STATUS_WRONG_PASSWORD;
459 }
460