Author: abartlet
Date: 2005-08-20 05:59:27 +0000 (Sat, 20 Aug 2005)
New Revision: 9412

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9412

Log:
Simplify this NTLM authentication code by requiring the caller to
supply the user_sess_key and lm_sess_key parameters.  Inspired by
Coverity complaining about inconsistent checking.

Also factor out some of this code, where we deal with just NT and LM
hashes, or embedded plaintext passwords.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/auth_sam.c
   branches/SAMBA_4_0/source/auth/ntlm_check.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_sam.c   2005-08-20 04:42:19 UTC (rev 
9411)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c   2005-08-20 05:59:27 UTC (rev 
9412)
@@ -70,14 +70,13 @@
                /* NO break */
        }
        case AUTH_PASSWORD_HASH:
+               *lm_sess_key = data_blob(NULL, 0);
+               *user_sess_key = data_blob(NULL, 0);
                status = hash_password_check(mem_ctx, 
                                             user_info->password.hash.lanman,
                                             user_info->password.hash.nt,
                                             user_info->mapped.account_name,
-                                            user_info->client.account_name, 
-                                            user_info->client.domain_name, 
-                                            lm_pwd, nt_pwd,
-                                            user_sess_key, lm_sess_key);
+                                            lm_pwd, nt_pwd);
                NT_STATUS_NOT_OK_RETURN(status);
                break;
                
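Review bot: The AUTH_PASSWORD_HASH case now always leaves `*user_sess_key` and `*lm_sess_key` empty, because the ntlm_check.c hunk at -221 removes the `SMBsesskeygen_ntv1()` call that used to fill the user session key on an NT-hash match. The log message describes only a simplification, so it is unclear whether losing that key is intended; a caller that uses the session key after a hash logon would now receive a zero-length blob. If it is intended, a comment above the two new assignments would record it, for example `/* hash logons yield no session keys; hash_password_check() only compares hashes */`. Both pointers are now dereferenced unconditionally, so the header comment of the enclosing function, which starts outside this hunk, should state that they must be non-NULL.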

Modified: branches/SAMBA_4_0/source/auth/ntlm_check.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-08-20 04:42:19 UTC (rev 
9411)
+++ branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-08-20 05:59:27 UTC (rev 
9412)
@@ -221,31 +221,16 @@
                             const struct samr_Password *client_lanman,
                             const struct samr_Password *client_nt,
                             const char *username, 
-                            const char *client_username, 
-                            const char *client_domain,
                             const struct samr_Password *stored_lanman, 
-                            const struct samr_Password *stored_nt, 
-                            DATA_BLOB *user_sess_key, 
-                            DATA_BLOB *lm_sess_key)
+                            const struct samr_Password *stored_nt)
 {
        if (stored_nt == NULL) {
                DEBUG(3,("ntlm_password_check: NO NT password stored for user 
%s.\n", 
                         username));
        }
 
-       if (lm_sess_key) {
-               *lm_sess_key = data_blob(NULL, 0);
-       }
-       if (user_sess_key) {
-               *user_sess_key = data_blob(NULL, 0);
-       }
-
        if (client_nt && stored_nt) {
                if (memcmp(client_nt->hash, stored_nt->hash, 
sizeof(stored_nt->hash)) == 0) {
-                       if (user_sess_key) {
-                               *user_sess_key = data_blob_talloc(mem_ctx, 
NULL, 16);
-                               SMBsesskeygen_ntv1(stored_nt->hash, 
user_sess_key->data);
-                       }
                        return NT_STATUS_OK;
                } else {
                        DEBUG(3,("ntlm_password_check: Interactive logon: NT 
password check failed for user %s\n",
@@ -308,56 +293,30 @@
                         username));
        }
 
-       if (lm_sess_key) {
-               *lm_sess_key = data_blob(NULL, 0);
-       }
-       if (user_sess_key) {
-               *user_sess_key = data_blob(NULL, 0);
-       }
+       *lm_sess_key = data_blob(NULL, 0);
+       *user_sess_key = data_blob(NULL, 0);
 
        /* Check for cleartext netlogon. Used by Exchange 5.5. */
        if (challenge->length == sizeof(zeros) && 
            (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+               struct samr_Password client_nt;
+               struct samr_Password client_lm;
+               uint8_t dospwd[14]; 
 
                DEBUG(4,("ntlm_password_check: checking plaintext passwords for 
user %s\n",
                         username));
-               if (stored_nt && nt_response->length) {
-                       uint8_t pwhash[16];
-                       mdfour(pwhash, nt_response->data, nt_response->length);
-                       if (memcmp(pwhash, stored_nt->hash, sizeof(pwhash)) == 
0) {
-                               return NT_STATUS_OK;
-                       } else {
-                               DEBUG(3,("ntlm_password_check: NT (Unicode) 
plaintext password check failed for user %s\n",
-                                        username));
-                               return NT_STATUS_WRONG_PASSWORD;
-                       }
-
-               } else if (!lp_lanman_auth()) {
-                       DEBUG(3,("ntlm_password_check: (plaintext password 
check) LANMAN passwords NOT PERMITTED for user %s\n",
-                                username));
-
-               } else if (stored_lanman && lm_response->length) {
-                       uint8_t dospwd[14]; 
-                       uint8_t p16[16]; 
-                       ZERO_STRUCT(dospwd);
-                       
-                       memcpy(dospwd, lm_response->data, 
MIN(lm_response->length, sizeof(dospwd)));
-                       /* Only the fisrt 14 chars are considered, password 
need not be null terminated. */
-
-                       /* we *might* need to upper-case the string here */
-                       E_P16((const uint8_t *)dospwd, p16);
-
-                       if (memcmp(p16, stored_lanman->hash, sizeof(p16)) == 0) 
{
-                               return NT_STATUS_OK;
-                       } else {
-                               DEBUG(3,("ntlm_password_check: LANMAN (ASCII) 
plaintext password check failed for user %s\n",
-                                        username));
-                               return NT_STATUS_WRONG_PASSWORD;
-                       }
-               } else {
-                       DEBUG(3, ("Plaintext authentication for user %s 
attempted, but neither NT nor LM passwords available\n", username));
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
+               mdfour(client_nt.hash, nt_response->data, nt_response->length);
+               ZERO_STRUCT(dospwd);
+               
+               memcpy(dospwd, lm_response->data, MIN(lm_response->length, 
sizeof(dospwd)));
+               /* Only the fisrt 14 chars are considered, password need not be 
null terminated. */
+               
+               /* we *might* need to upper-case the string here */
+               E_P16((const uint8_t *)dospwd, client_lm.hash);
+               
+               return hash_password_check(mem_ctx, &client_lm, &client_nt, 
+                                          username,  
+                                          stored_lanman, stored_nt);
        }
 
        if (nt_response->length != 0 && nt_response->length < 24) {
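Review bot: The rewritten plaintext branch passes `&client_lm` and `&client_nt` to `hash_password_check()` unconditionally, where the removed code tested `nt_response->length` and `lm_response->length` first. With an empty NT response `client_nt` is the MD4 of zero bytes, and the `client_nt && stored_nt` comparison shown in the -221 hunk runs first, so an LM-only plaintext client would presumably fail there instead of reaching the LM comparison (the rest of that function is outside the hunk). Passing NULL for an absent response keeps the old fallback: `nt_response->length ? &client_nt : NULL` and `lm_response->length ? &client_lm : NULL`. The removed `lp_lanman_auth()` gate is not visible in `hash_password_check()` on this page, so confirm it is still enforced there before LM hashes are compared. `dospwd` holds the cleartext password and stays on the stack at return, along with both derived hashes; storing the status, clearing all three with `ZERO_STRUCT`, and then returning would limit that exposure.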
@@ -377,11 +336,9 @@
                                         client_domain,
                                         False,
                                         user_sess_key)) {
-                       if (lm_sess_key) {
-                               *lm_sess_key = *user_sess_key;
-                               if (user_sess_key->length) {
-                                       lm_sess_key->length = 8;
-                               }
+                       *lm_sess_key = *user_sess_key;
+                       if (user_sess_key->length) {
+                               lm_sess_key->length = 8;
                        }
                        return NT_STATUS_OK;
                }
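Review bot: The block `*lm_sess_key = *user_sess_key; if (user_sess_key->length) { lm_sess_key->length = 8; }` is now repeated verbatim in this hunk and in the five that follow (-394, -411, -517, -550 and -583); a small static helper would keep the six copies from drifting apart. The struct assignment is a shallow copy, so both blobs appear to share one data pointer, and the length is forced to 8 for any non-zero key length. A comment on the helper saying that the LM key aliases the first 8 bytes of the user session key and must not be freed separately would make that contract explicit. Testing `user_sess_key->length >= 8` instead of non-zero would stop a short key from being reported as 8 bytes. The enclosing function begins and ends outside these hunks.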
@@ -394,11 +351,9 @@
                                         client_domain,
                                         True,
                                         user_sess_key)) {
-                       if (lm_sess_key) {
-                               *lm_sess_key = *user_sess_key;
-                               if (user_sess_key->length) {
-                                       lm_sess_key->length = 8;
-                               }
+                       *lm_sess_key = *user_sess_key;
+                       if (user_sess_key->length) {
+                               lm_sess_key->length = 8;
                        }
                        return NT_STATUS_OK;
                }
@@ -411,11 +366,9 @@
                                         "",
                                         False,
                                         user_sess_key)) {
-                       if (lm_sess_key) {
-                               *lm_sess_key = *user_sess_key;
-                               if (user_sess_key->length) {
-                                       lm_sess_key->length = 8;
-                               }
+                       *lm_sess_key = *user_sess_key;
+                       if (user_sess_key->length) {
+                               lm_sess_key->length = 8;
                        }
                        return NT_STATUS_OK;
                } else {
@@ -517,15 +470,13 @@
                                            client_domain,
                                            False,
                                            user_sess_key);
-               } else if (user_sess_key) {
+               } else {
                        /* Otherwise, use the LMv2 session key */
                        *user_sess_key = tmp_sess_key;
                }
-               if (user_sess_key && lm_sess_key) {
-                       *lm_sess_key = *user_sess_key;
-                       if (user_sess_key->length) {
-                               lm_sess_key->length = 8;
-                       }
+               *lm_sess_key = *user_sess_key;
+               if (user_sess_key->length) {
+                       lm_sess_key->length = 8;
                }
                return NT_STATUS_OK;
        }
@@ -550,15 +501,13 @@
                                            client_domain,
                                            True,
                                            user_sess_key);
-               } else if (user_sess_key) {
+               } else {
                        /* Otherwise, use the LMv2 session key */
                        *user_sess_key = tmp_sess_key;
                }
-               if (user_sess_key && lm_sess_key) {
-                       *lm_sess_key = *user_sess_key;
-                       if (user_sess_key->length) {
-                               lm_sess_key->length = 8;
-                       }
+               *lm_sess_key = *user_sess_key;
+               if (user_sess_key->length) {
+                       lm_sess_key->length = 8;
                }
                return NT_STATUS_OK;
        }
@@ -583,15 +532,13 @@
                                            "",
                                            False,
                                            user_sess_key);
-               } else if (user_sess_key) {
+               } else {
                        /* Otherwise, use the LMv2 session key */
                        *user_sess_key = tmp_sess_key;
                }
-               if (user_sess_key && lm_sess_key) {
-                       *lm_sess_key = *user_sess_key;
-                       if (user_sess_key->length) {
-                               lm_sess_key->length = 8;
-                       }
+               *lm_sess_key = *user_sess_key;
+               if (user_sess_key->length) {
+                       lm_sess_key->length = 8;
                }
                return NT_STATUS_OK;
        }
