[SCM] Samba Shared Repository - branch master updated -
4d3eb32a1a1c70a183733771994b4b2868801a66
Jelmer Vernooij
jelmer at samba.org
Sat Nov 1 17:50:49 GMT 2008
The branch, master has been updated
via 4d3eb32a1a1c70a183733771994b4b2868801a66 (commit)
via 434ca5fc3373e0079c07749fda04d915c1794f8a (commit)
via 8c4e2eb49deec55485e86330ddddc26e584d8e1b (commit)
from 7ec720af714fab17fcbba3febff0c162775c8186 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4d3eb32a1a1c70a183733771994b4b2868801a66
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Sat Nov 1 18:50:06 2008 +0100
ntlm_check.c: Sync some changes from Samba 4.
commit 434ca5fc3373e0079c07749fda04d915c1794f8a
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Sat Nov 1 17:59:25 2008 +0100
Use standardized types in ntlm_check.c.
commit 8c4e2eb49deec55485e86330ddddc26e584d8e1b
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Sat Nov 1 17:55:57 2008 +0100
Remove use of lp_*() from ntlm_check.c.
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/ntlm_check.c | 65 ++++++++++++++++++++++------------------
source4/auth/ntlm/auth_sam.c | 5 ++-
source4/auth/ntlm/ntlm_check.c | 24 +++++++-------
source4/auth/ntlm/ntlm_check.h | 5 ++-
source4/utils/ntlm_auth.c | 3 +-
5 files changed, 56 insertions(+), 46 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/ntlm_check.c b/source3/libsmb/ntlm_check.c
index ae10d73..9380a83 100644
--- a/source3/libsmb/ntlm_check.c
+++ b/source3/libsmb/ntlm_check.c
@@ -40,19 +40,19 @@ static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
if (part_passwd == NULL) {
DEBUG(10,("No password set - DISALLOWING access\n"));
/* No password set - always false ! */
- return False;
+ return false;
}
if (sec_blob->length != 8) {
DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n",
(unsigned long)sec_blob->length));
- return False;
+ return false;
}
if (nt_response->length != 24) {
DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n",
(unsigned long)nt_response->length));
- return False;
+ return false;
}
SMBOWFencrypt(part_passwd, sec_blob->data, p24);
@@ -62,7 +62,7 @@ static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
}
-#ifdef DEBUG_PASSWORD
+#if DEBUG_PASSWORD
DEBUG(100,("Part password (P16) was |\n"));
dump_data(100, part_passwd, 16);
DEBUGADD(100,("Password from client was |\n"));
@@ -80,30 +80,31 @@ static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
Note: The same code works with both NTLMv2 and LMv2.
****************************************************************************/
-static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
- const uchar *part_passwd,
+static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
+ const DATA_BLOB *ntv2_response,
+ const uint8_t *part_passwd,
const DATA_BLOB *sec_blob,
const char *user, const char *domain,
bool upper_case_domain, /* should the domain be transformed into upper case? */
DATA_BLOB *user_sess_key)
{
/* Finish the encryption of part_passwd. */
- uchar kr[16];
- uchar value_from_encryption[16];
- uchar client_response[16];
+ uint8_t kr[16];
+ uint8_t value_from_encryption[16];
+ uint8_t client_response[16];
DATA_BLOB client_key_data;
bool res;
if (part_passwd == NULL) {
DEBUG(10,("No password set - DISALLOWING access\n"));
- /* No password set - always False */
- return False;
+ /* No password set - always false */
+ return false;
}
if (sec_blob->length != 8) {
DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n",
(unsigned long)sec_blob->length));
- return False;
+ return false;
}
if (ntv2_response->length < 24) {
@@ -112,10 +113,10 @@ static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
for LMv2, let alone NTLMv2. */
DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n",
(unsigned long)ntv2_response->length));
- return False;
+ return false;
}
- client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
+ client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
/*
todo: should we be checking this for anything? We can't for LMv2,
but for NTLMv2 it is meant to contain the current time etc.
@@ -124,7 +125,7 @@ static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
memcpy(client_response, ntv2_response->data, sizeof(client_response));
if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
- return False;
+ return false;
}
SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
@@ -178,7 +179,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
const char *username,
const char *client_username,
const char *client_domain,
- const uint8 *lm_pw, const uint8 *nt_pw,
+ const uint8_t *lm_pw, const uint8_t *nt_pw,
DATA_BLOB *user_sess_key,
DATA_BLOB *lm_sess_key)
{
@@ -288,7 +289,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
use it
*/
DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
- if (smb_pwd_check_ntlmv2( nt_response,
+ if (smb_pwd_check_ntlmv2(mem_ctx,
+ nt_response,
nt_pw, challenge,
client_username,
client_domain,
@@ -298,17 +300,19 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
}
DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
- if (smb_pwd_check_ntlmv2( nt_response,
+ if (smb_pwd_check_ntlmv2(mem_ctx,
+ nt_response,
nt_pw, challenge,
client_username,
client_domain,
- True,
+ true,
user_sess_key)) {
return NT_STATUS_OK;
}
DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
- if (smb_pwd_check_ntlmv2( nt_response,
+ if (smb_pwd_check_ntlmv2(mem_ctx,
+ nt_response,
nt_pw, challenge,
client_username,
"",
@@ -333,7 +337,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
so use it only if we otherwise allow LM authentication */
if (lp_lanman_auth() && lm_pw) {
- uint8 first_8_lm_hash[16];
+ uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, lm_pw, 8);
memset(first_8_lm_hash + 8, '\0', 8);
if (lm_sess_key) {
@@ -376,7 +380,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
if (smb_pwd_check_ntlmv1(lm_response,
lm_pw, challenge,
NULL)) {
- uint8 first_8_lm_hash[16];
+ uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, lm_pw, 8);
memset(first_8_lm_hash + 8, '\0', 8);
if (user_sess_key) {
@@ -399,31 +403,34 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- related to Win9X, legacy NAS pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
- if (smb_pwd_check_ntlmv2( lm_response,
+ if (smb_pwd_check_ntlmv2(mem_ctx,
+ lm_response,
nt_pw, challenge,
client_username,
client_domain,
- False,
+ false,
NULL)) {
return NT_STATUS_OK;
}
DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
- if (smb_pwd_check_ntlmv2( lm_response,
+ if (smb_pwd_check_ntlmv2(mem_ctx,
+ lm_response,
nt_pw, challenge,
client_username,
client_domain,
- True,
+ true,
NULL)) {
return NT_STATUS_OK;
}
DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
- if (smb_pwd_check_ntlmv2( lm_response,
+ if (smb_pwd_check_ntlmv2(mem_ctx,
+ lm_response,
nt_pw, challenge,
client_username,
"",
- False,
+ false,
NULL)) {
return NT_STATUS_OK;
}
@@ -441,7 +448,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
allow LM authentication */
if (lp_lanman_auth() && lm_pw) {
- uint8 first_8_lm_hash[16];
+ uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, lm_pw, 8);
memset(first_8_lm_hash + 8, '\0', 8);
if (user_sess_key) {
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 7842910..d1be5b6 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -185,7 +185,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
*lm_sess_key = data_blob(NULL, 0);
*user_sess_key = data_blob(NULL, 0);
status = hash_password_check(mem_ctx,
- auth_context->lp_ctx,
+ lp_lanman_auth(auth_context->lp_ctx),
user_info->password.hash.lanman,
user_info->password.hash.nt,
user_info->mapped.account_name,
@@ -195,7 +195,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
case AUTH_PASSWORD_RESPONSE:
status = ntlm_password_check(mem_ctx,
- auth_context->lp_ctx,
+ lp_lanman_auth(auth_context->lp_ctx),
+ lp_ntlm_auth(auth_context->lp_ctx),
user_info->logon_parameters,
&auth_context->challenge.data,
&user_info->password.response.lanman,
diff --git a/source4/auth/ntlm/ntlm_check.c b/source4/auth/ntlm/ntlm_check.c
index b43190c..a3ac7f3 100644
--- a/source4/auth/ntlm/ntlm_check.c
+++ b/source4/auth/ntlm/ntlm_check.c
@@ -23,7 +23,6 @@
#include "../lib/crypto/crypto.h"
#include "librpc/gen_ndr/netlogon.h"
#include "libcli/auth/libcli_auth.h"
-#include "param/param.h"
#include "auth/ntlm/ntlm_check.h"
/****************************************************************************
@@ -220,7 +219,7 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
*/
NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
@@ -242,7 +241,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
}
} else if (client_lanman && stored_lanman) {
- if (!lp_lanman_auth(lp_ctx)) {
+ if (!lanman_auth) {
DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
@@ -283,7 +282,8 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
+ bool ntlm_auth,
uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
@@ -321,7 +321,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
mdfour(client_nt.hash, nt_response->data, nt_response->length);
if (lm_response->length &&
- (convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(lp_ctx), CH_DOS, CH_UNIX,
+ (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
lm_response->data, lm_response->length,
(void **)&unix_pw) != -1)) {
if (E_deshash(unix_pw, client_lm.hash)) {
@@ -333,7 +333,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
lm_ok = false;
}
return hash_password_check(mem_ctx,
- lp_ctx,
+ lanman_auth,
lm_ok ? &client_lm : NULL,
nt_response->length ? &client_nt : NULL,
username,
@@ -396,7 +396,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
}
} else if (nt_response->length == 24 && stored_nt) {
- if (lp_ntlm_auth(lp_ctx)) {
+ if (ntlm_auth) {
/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
*/
@@ -408,7 +408,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
/* The LM session key for this response is not very secure,
so use it only if we otherwise allow LM authentication */
- if (lp_lanman_auth(lp_ctx) && stored_lanman) {
+ if (lanman_auth && stored_lanman) {
*lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
}
return NT_STATUS_OK;
@@ -436,7 +436,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
return NT_STATUS_WRONG_PASSWORD;
}
- if (!lp_lanman_auth(lp_ctx)) {
+ if (!lanman_auth) {
DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
username));
} else if (!stored_lanman) {
@@ -455,7 +455,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
It not very secure, so use it only if we otherwise
allow LM authentication */
- if (lp_lanman_auth(lp_ctx) && stored_lanman) {
+ if (lanman_auth && stored_lanman) {
uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, stored_lanman->hash, 8);
memset(first_8_lm_hash + 8, '\0', 8);
@@ -571,7 +571,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (lp_ntlm_auth(lp_ctx)) {
+ if (ntlm_auth) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
@@ -580,7 +580,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
It not very secure, so use it only if we otherwise
allow LM authentication */
- if (lp_lanman_auth(lp_ctx) && stored_lanman) {
+ if (lanman_auth && stored_lanman) {
uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, stored_lanman->hash, 8);
memset(first_8_lm_hash + 8, '\0', 8);
diff --git a/source4/auth/ntlm/ntlm_check.h b/source4/auth/ntlm/ntlm_check.h
index eb115b7..df11f7d 100644
--- a/source4/auth/ntlm/ntlm_check.h
+++ b/source4/auth/ntlm/ntlm_check.h
@@ -36,7 +36,7 @@
*/
NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
@@ -61,7 +61,8 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
+ bool ntlm_auth,
uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index c91d90c..99fb3e8 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -212,7 +212,8 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
nt_status = ntlm_password_check(mem_ctx,
- lp_ctx,
+ lp_lanman_auth(lp_ctx),
+ lp_ntlm_auth(lp_ctx),
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
challenge,
--
Samba Shared Repository
More information about the samba-cvs
mailing list