1/* 2 Unix SMB/CIFS implementation. 3 Password and authentication handling 4 Copyright (C) Andrew Bartlett 2001-2002 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License as published by 8 the Free Software Foundation; either version 2 of the License, or 9 (at your option) any later version. 10 11 This program is distributed in the hope that it will be useful, 12 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 GNU General Public License for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with this program; if not, write to the Free Software 18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 19*/ 20 21#include "includes.h" 22 23extern struct auth_context *negprot_global_auth_context; 24extern BOOL global_encrypted_passwords_negotiated; 25 26#undef DBGC_CLASS 27#define DBGC_CLASS DBGC_AUTH 28 29/**************************************************************************** 30 COMPATIBILITY INTERFACES: 31 ***************************************************************************/ 32 33/**************************************************************************** 34check if a username/password is OK assuming the password is a 24 byte 35SMB hash 36return True if the password is correct, False otherwise 37****************************************************************************/ 38 39NTSTATUS check_plaintext_password(const char *smb_name, DATA_BLOB plaintext_password, auth_serversupplied_info **server_info) 40{ 41 struct auth_context *plaintext_auth_context = NULL; 42 auth_usersupplied_info *user_info = NULL; 43 const uint8 *chal; 44 NTSTATUS nt_status; 45 if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) { 46 return nt_status; 47 } 48 49 chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context); 50 51 if (!make_user_info_for_reply(&user_info, 52 smb_name, lp_workgroup(), chal, 53 plaintext_password)) { 54 return NT_STATUS_NO_MEMORY; 55 } 56 57 nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, 58 user_info, server_info); 59 60 (plaintext_auth_context->free)(&plaintext_auth_context); 61 free_user_info(&user_info); 62 return nt_status; 63} 64 65static NTSTATUS pass_check_smb(const char *smb_name, 66 const char *domain, 67 DATA_BLOB lm_pwd, 68 DATA_BLOB nt_pwd, 69 DATA_BLOB plaintext_password, 70 BOOL encrypted) 71 72{ 73 NTSTATUS nt_status; 74 auth_serversupplied_info *server_info = NULL; 75 if (encrypted) { 76 auth_usersupplied_info *user_info = NULL; 77 make_user_info_for_reply_enc(&user_info, smb_name, 78 domain, 79 lm_pwd, 80 nt_pwd); 81 nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context, 82 user_info, &server_info); 83 free_user_info(&user_info); 84 } else { 85 nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info); 86 } 87 TALLOC_FREE(server_info); 88 return nt_status; 89} 90 91/**************************************************************************** 92check if a username/password pair is ok via the auth subsystem. 93return True if the password is correct, False otherwise 94****************************************************************************/ 95 96BOOL password_ok(char *smb_name, DATA_BLOB password_blob) 97{ 98 99 DATA_BLOB null_password = data_blob(NULL, 0); 100 BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46)); 101 102 if (encrypted) { 103 /* 104 * The password could be either NTLM or plain LM. Try NTLM first, 105 * but fall-through as required. 106 * Vista sends NTLMv2 here - we need to try the client given workgroup. 107 */ 108 if (get_session_workgroup()) { 109 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) { 110 return True; 111 } 112 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), password_blob, null_password, null_password, encrypted))) { 113 return True; 114 } 115 } 116 117 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { 118 return True; 119 } 120 121 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) { 122 return True; 123 } 124 } else { 125 if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) { 126 return True; 127 } 128 } 129 130 return False; 131} 132