source/auth/auth_compat.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Password and authentication handling
   4    Copyright (C) Andrew Bartlett         2001-2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 2 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program; if not, write to the Free Software
  18    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  19 */
  20
  21 #include "includes.h"
  22
  23 extern struct auth_context *negprot_global_auth_context;
  24 extern BOOL global_encrypted_passwords_negotiated;
  25
  26 #undef DBGC_CLASS
  27 #define DBGC_CLASS DBGC_AUTH
  28
  29 /****************************************************************************
  30  COMPATIBILITY INTERFACES:
  31  ***************************************************************************/
  32
  33 /****************************************************************************
  34 check if a username/password is OK assuming the password is a 24 byte
  35 SMB hash
  36 return True if the password is correct, False otherwise
  37 ****************************************************************************/
  38
  39 NTSTATUS check_plaintext_password(const char *smb_name, DATA_BLOB plaintext_password, auth_serversupplied_info **server_info)
  40 {
  41         struct auth_context *plaintext_auth_context = NULL;
  42         auth_usersupplied_info *user_info = NULL;
  43         const uint8 *chal;
  44         NTSTATUS nt_status;
  45         if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) {
  46                 return nt_status;
  47         }
  48
  49         chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context);
  50
  51         if (!make_user_info_for_reply(&user_info,
  52                                       smb_name, lp_workgroup(), chal,
  53                                       plaintext_password)) {
  54                 return NT_STATUS_NO_MEMORY;
  55         }
  56
  57         nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context,
  58                                                                 user_info, server_info);
  59
  60         (plaintext_auth_context->free)(&plaintext_auth_context);
  61         free_user_info(&user_info);
  62         return nt_status;
  63 }
  64
  65 static NTSTATUS pass_check_smb(const char *smb_name,
  66                                const char *domain,
  67                                DATA_BLOB lm_pwd,
  68                                DATA_BLOB nt_pwd,
  69                                DATA_BLOB plaintext_password,
  70                                BOOL encrypted)
  71
  72 {
  73         NTSTATUS nt_status;
  74         auth_serversupplied_info *server_info = NULL;
  75         if (encrypted) {
  76                 auth_usersupplied_info *user_info = NULL;
  77                 make_user_info_for_reply_enc(&user_info, smb_name,
  78                                              domain,
  79                                              lm_pwd,
  80                                              nt_pwd);
  81                 nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context,
  82                                                                              user_info, &server_info);
  83                 free_user_info(&user_info);
  84         } else {
  85                 nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info);
  86         }
  87         TALLOC_FREE(server_info);
  88         return nt_status;
  89 }
  90
  91 /****************************************************************************
  92 check if a username/password pair is ok via the auth subsystem.
  93 return True if the password is correct, False otherwise
  94 ****************************************************************************/
  95
  96 BOOL password_ok(char *smb_name, DATA_BLOB password_blob)
  97 {
  98
  99         DATA_BLOB null_password = data_blob(NULL, 0);
 100         BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46));
 101
 102         if (encrypted) {
 103                 /*
 104                  * The password could be either NTLM or plain LM.  Try NTLM first,
 105                  * but fall-through as required.
 106                  * Vista sends NTLMv2 here - we need to try the client given workgroup.
 107                  */
 108                 if (get_session_workgroup()) {
 109                         if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) {
 110                                 return True;
 111                         }
 112                 }
 113
 114                 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
 115                         return True;
 116                 }
 117
 118                 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) {
 119                         return True;
 120                 }
 121         } else {
 122                 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) {
 123                         return True;
 124                 }
 125         }
 126
 127         return False;
 128 }