1/*
2   Unix SMB/CIFS implementation.
3   Password and authentication handling
4   Copyright (C) Andrew Bartlett         2001-2002
5
6   This program is free software; you can redistribute it and/or modify
7   it under the terms of the GNU General Public License as published by
8   the Free Software Foundation; either version 2 of the License, or
9   (at your option) any later version.
10
11   This program is distributed in the hope that it will be useful,
12   but WITHOUT ANY WARRANTY; without even the implied warranty of
13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14   GNU General Public License for more details.
15
16   You should have received a copy of the GNU General Public License
17   along with this program; if not, write to the Free Software
18   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19*/
20
21#include "includes.h"
22
23extern struct auth_context *negprot_global_auth_context;
24extern BOOL global_encrypted_passwords_negotiated;
25
26#undef DBGC_CLASS
27#define DBGC_CLASS DBGC_AUTH
28
29/****************************************************************************
30 COMPATIBILITY INTERFACES:
31 ***************************************************************************/
32
33/****************************************************************************
34check if a username/password is OK assuming the password is a 24 byte
35SMB hash
36return True if the password is correct, False otherwise
37****************************************************************************/
38
39NTSTATUS check_plaintext_password(const char *smb_name, DATA_BLOB plaintext_password, auth_serversupplied_info **server_info)
40{
41	struct auth_context *plaintext_auth_context = NULL;
42	auth_usersupplied_info *user_info = NULL;
43	const uint8 *chal;
44	NTSTATUS nt_status;
45	if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) {
46		return nt_status;
47	}
48
49	chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context);
50
51	if (!make_user_info_for_reply(&user_info,
52				      smb_name, lp_workgroup(), chal,
53				      plaintext_password)) {
54		return NT_STATUS_NO_MEMORY;
55	}
56
57	nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context,
58								user_info, server_info);
59
60	(plaintext_auth_context->free)(&plaintext_auth_context);
61	free_user_info(&user_info);
62	return nt_status;
63}
64
65static NTSTATUS pass_check_smb(const char *smb_name,
66			       const char *domain,
67			       DATA_BLOB lm_pwd,
68			       DATA_BLOB nt_pwd,
69			       DATA_BLOB plaintext_password,
70			       BOOL encrypted)
71
72{
73	NTSTATUS nt_status;
74	auth_serversupplied_info *server_info = NULL;
75	if (encrypted) {
76		auth_usersupplied_info *user_info = NULL;
77		make_user_info_for_reply_enc(&user_info, smb_name,
78					     domain,
79					     lm_pwd,
80					     nt_pwd);
81		nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context,
82									     user_info, &server_info);
83		free_user_info(&user_info);
84	} else {
85		nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info);
86	}
87	TALLOC_FREE(server_info);
88	return nt_status;
89}
90
91/****************************************************************************
92check if a username/password pair is ok via the auth subsystem.
93return True if the password is correct, False otherwise
94****************************************************************************/
95
96BOOL password_ok(char *smb_name, DATA_BLOB password_blob)
97{
98
99	DATA_BLOB null_password = data_blob(NULL, 0);
100	BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46));
101
102	if (encrypted) {
103		/*
104		 * The password could be either NTLM or plain LM.  Try NTLM first,
105		 * but fall-through as required.
106		 * Vista sends NTLMv2 here - we need to try the client given workgroup.
107		 */
108		if (get_session_workgroup()) {
109			if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) {
110				return True;
111			}
112			if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), password_blob, null_password, null_password, encrypted))) {
113				return True;
114			}
115		}
116
117		if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
118			return True;
119		}
120
121		if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) {
122			return True;
123		}
124	} else {
125		if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) {
126			return True;
127		}
128	}
129
130	return False;
131}
132