1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <strings.h> 27 #include <stdlib.h> 28 #include <smbsrv/codepage.h> 29 #include <smbsrv/oem.h> 30 #include <smbsrv/ctype.h> 31 #include <smbsrv/libsmb.h> 32 33 extern void randomize(char *data, unsigned len); 34 static uint64_t unix_micro_to_nt_time(struct timeval *unix_time); 35 36 /* 37 * smb_auth_qnd_unicode 38 * 39 * Quick and dirty unicode conversion! 40 * Returns the length of dst in bytes. 41 */ 42 int 43 smb_auth_qnd_unicode(mts_wchar_t *dst, const char *src, int length) 44 { 45 int i; 46 47 unsigned int cpid = oem_get_telnet_cpid(); 48 unsigned int count; 49 mts_wchar_t new_char; 50 51 if ((count = oemstounicodes(dst, src, length, cpid)) == 0) { 52 for (i = 0; i < length; ++i) { 53 new_char = (mts_wchar_t)src[i] & 0xff; 54 dst[i] = LE_IN16(&new_char); 55 } 56 dst[i] = 0; 57 count = length; 58 } 59 60 return (count * sizeof (mts_wchar_t)); 61 } 62 63 /* 64 * smb_auth_lmupr 65 * 66 * Converts the given LM password to all uppercase. 67 * The standard strupr cannot 68 * be used here because lm_pwd doesn't have to be 69 * nul terminated. 70 */ 71 static void 72 smb_auth_lmupr(unsigned char *lm_pwd) 73 { 74 unsigned char *p = lm_pwd; 75 int i; 76 77 for (i = 0; (*p) && (i < SMBAUTH_LM_PWD_SZ); i++) { 78 if (mts_isascii(*p)) { 79 *p = codepage_toupper(*p); 80 p++; 81 } 82 } 83 } 84 85 /* 86 * smb_auth_lm_hash 87 * 88 * Source: Implementing CIFS (Chris Hertel) 89 * 90 * 1. The password, as entered by user, is either padded with nulls 91 * or trimmed to 14 bytes. 92 * . Note that the 14-byte result string is not handled as a 93 * nul-terminated string. 94 * . The given password is OEM not Unicode 95 * 96 * 2. The 14-byte password is converted to all uppercase 97 * 98 * 3. The result is used as key to encrypt the KGS magic string to 99 * make a 16-byte hash. 100 */ 101 int 102 smb_auth_lm_hash(const char *password, unsigned char *lm_hash) 103 { 104 unsigned char lm_pwd[SMBAUTH_LM_PWD_SZ]; 105 106 bzero((void *)lm_pwd, SMBAUTH_LM_PWD_SZ); 107 (void) strncpy((char *)lm_pwd, password, SMBAUTH_LM_PWD_SZ); 108 smb_auth_lmupr(lm_pwd); 109 110 return (smb_auth_DES(lm_hash, SMBAUTH_HASH_SZ, lm_pwd, 111 SMBAUTH_LM_PWD_SZ, (unsigned char *)SMBAUTH_LM_MAGIC_STR, 112 sizeof (SMBAUTH_LM_MAGIC_STR))); 113 } 114 115 /* 116 * smb_auth_lm_response 117 * 118 * Create a LM response from the given LM hash and challenge. 119 * 120 * Returns SMBAUTH_FAILURE if any problems occur, SMBAUTH_SUCCESS if 121 * all goes well. 122 */ 123 static int 124 smb_auth_lm_response(unsigned char *hash, 125 unsigned char *challenge, int clen, 126 unsigned char *lm_rsp) 127 { 128 unsigned char S21[21]; 129 130 /* 131 * 14-byte LM Hash should be padded with 5 nul bytes to create 132 * a 21-byte string to be used in producing LM response 133 */ 134 bzero(&S21[SMBAUTH_HASH_SZ], 5); 135 bcopy(hash, S21, SMBAUTH_HASH_SZ); 136 137 /* padded LM Hash -> LM Response */ 138 return (smb_auth_DES(lm_rsp, SMBAUTH_LM_RESP_SZ, S21, 21, 139 challenge, clen)); 140 } 141 142 /* 143 * smb_auth_ntlm_hash 144 * 145 * Make NTLM Hash (using MD4) from the given password. 146 * The result will contain a 16-byte NTLM hash. 147 */ 148 int 149 smb_auth_ntlm_hash(const char *password, unsigned char *hash) 150 { 151 mts_wchar_t *unicode_password; 152 int length; 153 int rc; 154 155 if (password == NULL || hash == NULL) 156 return (SMBAUTH_FAILURE); 157 158 length = strlen(password); 159 unicode_password = (mts_wchar_t *) 160 malloc((length + 1) * sizeof (mts_wchar_t)); 161 162 if (unicode_password == NULL) 163 return (SMBAUTH_FAILURE); 164 165 length = smb_auth_qnd_unicode(unicode_password, password, length); 166 rc = smb_auth_md4(hash, (unsigned char *)unicode_password, length); 167 168 free(unicode_password); 169 return (rc); 170 } 171 172 /* 173 * smb_auth_ntlm_response 174 * 175 * Make LM/NTLM response from the given LM/NTLM Hash and given 176 * challenge. 177 */ 178 static int 179 smb_auth_ntlm_response(unsigned char *hash, 180 unsigned char *challenge, int clen, 181 unsigned char *ntlm_rsp) 182 { 183 unsigned char S21[21]; 184 185 bcopy(hash, S21, SMBAUTH_HASH_SZ); 186 bzero(&S21[SMBAUTH_HASH_SZ], 5); 187 if (smb_auth_DES((unsigned char *)ntlm_rsp, SMBAUTH_LM_RESP_SZ, 188 S21, 21, challenge, clen) == SMBAUTH_FAILURE) 189 return (0); 190 return (SMBAUTH_LM_RESP_SZ); 191 } 192 193 /* 194 * smb_auth_gen_data_blob 195 * 196 * Fill the NTLMv2 data blob structure with information as described in 197 * "Implementing CIFS, The Common Internet File System". (pg. 282) 198 */ 199 static void 200 smb_auth_gen_data_blob(smb_auth_data_blob_t *blob, char *ntdomain) 201 { 202 struct timeval now; 203 204 (void) memset(blob->ndb_signature, 1, 2); 205 (void) memset(&blob->ndb_signature[2], 0, 2); 206 (void) memset(blob->ndb_reserved, 0, sizeof (blob->ndb_reserved)); 207 208 (void) gettimeofday(&now, 0); 209 blob->ndb_timestamp = unix_micro_to_nt_time(&now); 210 randomize((char *)blob->ndb_clnt_challenge, 211 SMBAUTH_V2_CLNT_CHALLENGE_SZ); 212 (void) memset(blob->ndb_unknown, 0, sizeof (blob->ndb_unknown)); 213 blob->ndb_names[0].nne_len = smb_auth_qnd_unicode( 214 blob->ndb_names[0].nne_name, ntdomain, strlen(ntdomain)); 215 blob->ndb_names[0].nne_type = SMBAUTH_NAME_TYPE_DOMAIN_NETBIOS; 216 blob->ndb_names[1].nne_len = 0; 217 blob->ndb_names[1].nne_type = SMBAUTH_NAME_TYPE_LIST_END; 218 *blob->ndb_names[1].nne_name = 0; 219 (void) memset(blob->ndb_unknown2, 0, sizeof (blob->ndb_unknown2)); 220 } 221 222 /* 223 * smb_auth_memcpy 224 * 225 * It increments the pointer to the destination buffer for the easy of 226 * concatenation. 227 */ 228 static void 229 smb_auth_memcpy(unsigned char **dstbuf, 230 unsigned char *srcbuf, 231 int srcbuf_len) 232 { 233 (void) memcpy(*dstbuf, srcbuf, srcbuf_len); 234 *dstbuf += srcbuf_len; 235 } 236 237 /* 238 * smb_auth_blob_to_string 239 * 240 * Prepare the data blob string which will be used in NTLMv2 response 241 * generation. 242 * 243 * Assumption: Caller must allocate big enough buffer to prevent buffer 244 * overrun. 245 * 246 * Returns the len of the data blob string. 247 */ 248 static int 249 smb_auth_blob_to_string(smb_auth_data_blob_t *blob, unsigned char *data_blob) 250 { 251 unsigned char *bufp = data_blob; 252 253 smb_auth_memcpy(&bufp, blob->ndb_signature, 254 sizeof (blob->ndb_signature)); 255 smb_auth_memcpy(&bufp, blob->ndb_reserved, 256 sizeof (blob->ndb_reserved)); 257 smb_auth_memcpy(&bufp, (unsigned char *)&blob->ndb_timestamp, 258 sizeof (blob->ndb_timestamp)); 259 smb_auth_memcpy(&bufp, blob->ndb_clnt_challenge, 260 SMBAUTH_V2_CLNT_CHALLENGE_SZ); 261 smb_auth_memcpy(&bufp, blob->ndb_unknown, sizeof (blob->ndb_unknown)); 262 smb_auth_memcpy(&bufp, (unsigned char *)&blob->ndb_names[0].nne_type, 263 sizeof (blob->ndb_names[0].nne_type)); 264 smb_auth_memcpy(&bufp, (unsigned char *)&blob->ndb_names[0].nne_len, 265 sizeof (blob->ndb_names[0].nne_len)); 266 smb_auth_memcpy(&bufp, (unsigned char *)blob->ndb_names[0].nne_name, 267 blob->ndb_names[0].nne_len); 268 smb_auth_memcpy(&bufp, (unsigned char *)&blob->ndb_names[1].nne_type, 269 sizeof (blob->ndb_names[1].nne_type)); 270 smb_auth_memcpy(&bufp, (unsigned char *)&blob->ndb_names[1].nne_len, 271 sizeof (blob->ndb_names[1].nne_len)); 272 smb_auth_memcpy(&bufp, blob->ndb_unknown2, sizeof (blob->ndb_unknown2)); 273 274 /*LINTED E_PTRDIFF_OVERFLOW*/ 275 return (bufp - data_blob); 276 } 277 278 /* 279 * smb_auth_ntlmv2_hash 280 * 281 * The NTLM v2 hash will be created from the given NTLM hash, username, 282 * and the NETBIOS name of the domain. 283 * 284 * The NTLMv2 hash will be returned via the ntlmv2_hash parameter which 285 * will be used in the calculation of the NTLMv2 and LMv2 responses. 286 */ 287 int 288 smb_auth_ntlmv2_hash(unsigned char *ntlm_hash, 289 char *username, 290 char *ntdomain, 291 unsigned char *ntlmv2_hash) 292 { 293 mts_wchar_t *data; 294 int data_len; 295 unsigned char *buf; 296 int rc; 297 298 if (username == NULL || ntdomain == NULL) 299 return (SMBAUTH_FAILURE); 300 301 (void) utf8_strupr(username); 302 303 data_len = strlen(username) + strlen(ntdomain); 304 buf = (unsigned char *)malloc((data_len + 1) * sizeof (char)); 305 if (buf == NULL) 306 return (SMBAUTH_FAILURE); 307 308 (void) snprintf((char *)buf, data_len + 1, "%s%s", username, ntdomain); 309 data = (mts_wchar_t *)malloc((data_len + 1) * sizeof (mts_wchar_t)); 310 if (data == NULL) { 311 free(buf); 312 return (SMBAUTH_FAILURE); 313 } 314 315 data_len = smb_auth_qnd_unicode(data, (char *)buf, data_len); 316 rc = SMBAUTH_HMACT64((unsigned char *)data, data_len, ntlm_hash, 317 SMBAUTH_HASH_SZ, ntlmv2_hash); 318 319 free(buf); 320 free(data); 321 return (rc); 322 } 323 324 /* 325 * smb_auth_v2_response 326 * 327 * Caculates either the LMv2 or NTLMv2 response. 328 * 329 * Same algorithm is used for calculating both LMv2 or NTLMv2 responses. 330 * This routine will return NTLMv2 response if the data blob information 331 * is passed in as the clnt_data. Otherwise, it will return LMv2 response 332 * with the 8-byte client challenge(a.k.a blip) as the clnt_data. 333 * 334 * (LM/NTLM)v2 response is the hmac-md5 hash of the specified data 335 * (server challenge + NTLMv2 data blob or LMv2 client challenge) 336 * using the NTLMv2 hash as the key. 337 * 338 * Returns the size of the corresponding v2 response upon success. 339 * Otherwise, returns -1 on error. 340 */ 341 static int 342 smb_auth_v2_response( 343 unsigned char *hash, 344 unsigned char *srv_challenge, int slen, 345 unsigned char *clnt_data, int clen, 346 unsigned char *v2_rsp) 347 { 348 unsigned char *hmac_data; 349 350 hmac_data = (unsigned char *)malloc((slen + clen) * sizeof (char)); 351 if (!hmac_data) { 352 return (-1); 353 } 354 355 (void) memcpy(hmac_data, srv_challenge, slen); 356 (void) memcpy(&hmac_data[slen], clnt_data, clen); 357 if (SMBAUTH_HMACT64(hmac_data, slen + clen, (unsigned char *)hash, 358 SMBAUTH_HASH_SZ, (unsigned char *)v2_rsp) != SMBAUTH_SUCCESS) 359 return (-1); 360 (void) memcpy(&v2_rsp[SMBAUTH_HASH_SZ], clnt_data, clen); 361 362 free(hmac_data); 363 return (SMBAUTH_HASH_SZ + clen); 364 } 365 366 /* 367 * smb_auth_set_info 368 * 369 * Fill the smb_auth_info instance with either NTLM or NTLMv2 related 370 * authentication information based on the LMCompatibilityLevel. 371 * 372 * If the LMCompatibilityLevel equals 2, the SMB Redirector will perform 373 * NTLM challenge/response authentication which requires the NTLM hash and 374 * NTLM response. 375 * 376 * If the LMCompatibilityLevel is 3 or above, the SMB Redirector will 377 * perfrom NTLMv2 challenge/response authenticatoin which requires the 378 * NTLM hash, NTLMv2 hash, NTLMv2 response and LMv2 response. 379 * 380 * Returns -1 on error. Otherwise, returns 0 upon success. 381 */ 382 int 383 smb_auth_set_info(char *username, 384 char *password, 385 unsigned char *ntlm_hash, 386 char *domain, 387 unsigned char *srv_challenge_key, 388 int srv_challenge_len, 389 int lmcomp_lvl, 390 smb_auth_info_t *auth) 391 { 392 unsigned short blob_len; 393 unsigned char blob_buf[SMBAUTH_BLOB_MAXLEN]; 394 int rc; 395 char *uppercase_dom; 396 397 auth->lmcompatibility_lvl = lmcomp_lvl; 398 if (lmcomp_lvl == 2) { 399 auth->ci_len = 0; 400 *auth->ci = 0; 401 if (!ntlm_hash) { 402 if (smb_auth_ntlm_hash(password, auth->hash) != 403 SMBAUTH_SUCCESS) 404 return (-1); 405 } else { 406 (void) memcpy(auth->hash, ntlm_hash, SMBAUTH_HASH_SZ); 407 } 408 409 auth->cs_len = smb_auth_ntlm_response(auth->hash, 410 srv_challenge_key, srv_challenge_len, auth->cs); 411 } else { 412 if (!ntlm_hash) { 413 if (smb_auth_ntlm_hash(password, auth->hash) != 414 SMBAUTH_SUCCESS) 415 return (-1); 416 } else { 417 (void) memcpy(auth->hash, ntlm_hash, SMBAUTH_HASH_SZ); 418 } 419 420 if (!domain) 421 return (-1); 422 423 if ((uppercase_dom = strdup(domain)) == NULL) 424 return (-1); 425 426 (void) utf8_strupr(uppercase_dom); 427 428 if (smb_auth_ntlmv2_hash(auth->hash, username, 429 uppercase_dom, auth->hash_v2) != SMBAUTH_SUCCESS) { 430 free(uppercase_dom); 431 return (-1); 432 } 433 434 /* generate data blob */ 435 smb_auth_gen_data_blob(&auth->data_blob, uppercase_dom); 436 free(uppercase_dom); 437 blob_len = smb_auth_blob_to_string(&auth->data_blob, blob_buf); 438 439 /* generate NTLMv2 response */ 440 rc = smb_auth_v2_response(auth->hash_v2, srv_challenge_key, 441 srv_challenge_len, blob_buf, blob_len, auth->cs); 442 443 if (rc < 0) 444 return (-1); 445 446 auth->cs_len = rc; 447 448 /* generate LMv2 response */ 449 rc = smb_auth_v2_response(auth->hash_v2, srv_challenge_key, 450 srv_challenge_len, auth->data_blob.ndb_clnt_challenge, 451 SMBAUTH_V2_CLNT_CHALLENGE_SZ, auth->ci); 452 453 if (rc < 0) 454 return (-1); 455 456 auth->ci_len = rc; 457 } 458 459 return (0); 460 } 461 462 /* 463 * smb_auth_gen_session_key 464 * 465 * Generate the NTLM user session key if LMCompatibilityLevel is 2 or 466 * NTLMv2 user session key if LMCompatibilityLevel is 3 or above. 467 * 468 * NTLM_Session_Key = MD4(NTLM_Hash); 469 * 470 * NTLMv2_Session_Key = HMAC_MD5(NTLMv2Hash, 16, NTLMv2_HMAC, 16) 471 * 472 * Prior to calling this function, the auth instance should be set 473 * via smb_auth_set_info(). 474 * 475 * Returns the appropriate session key. 476 */ 477 int 478 smb_auth_gen_session_key(smb_auth_info_t *auth, unsigned char *session_key) 479 { 480 int rc; 481 482 if (auth->lmcompatibility_lvl == 2) 483 rc = smb_auth_md4(session_key, auth->hash, SMBAUTH_HASH_SZ); 484 else 485 rc = SMBAUTH_HMACT64((unsigned char *)auth->cs, 486 SMBAUTH_HASH_SZ, (unsigned char *)auth->hash_v2, 487 SMBAUTH_SESSION_KEY_SZ, session_key); 488 489 return (rc); 490 } 491 492 /* 100's of ns between 1/1/1970 and 1/1/1601 */ 493 #define NT_TIME_BIAS (134774LL * 24LL * 60LL * 60LL * 10000000LL) 494 495 static uint64_t 496 unix_micro_to_nt_time(struct timeval *unix_time) 497 { 498 uint64_t nt_time; 499 500 nt_time = unix_time->tv_sec; 501 nt_time *= 10000000; /* seconds to 100ns */ 502 nt_time += unix_time->tv_usec * 10; 503 return (nt_time + NT_TIME_BIAS); 504 } 505 506 static boolean_t 507 smb_lm_password_ok( 508 unsigned char *challenge, 509 uint32_t clen, 510 unsigned char *lm_hash, 511 unsigned char *passwd) 512 { 513 unsigned char lm_resp[SMBAUTH_LM_RESP_SZ]; 514 int rc; 515 516 rc = smb_auth_lm_response(lm_hash, challenge, clen, lm_resp); 517 if (rc != SMBAUTH_SUCCESS) 518 return (B_FALSE); 519 520 return (bcmp(lm_resp, passwd, SMBAUTH_LM_RESP_SZ) == 0); 521 } 522 523 static boolean_t 524 smb_ntlm_password_ok( 525 unsigned char *challenge, 526 uint32_t clen, 527 unsigned char *ntlm_hash, 528 unsigned char *passwd, 529 unsigned char *session_key) 530 { 531 unsigned char ntlm_resp[SMBAUTH_LM_RESP_SZ]; 532 int rc; 533 boolean_t ok; 534 535 rc = smb_auth_ntlm_response(ntlm_hash, challenge, clen, ntlm_resp); 536 if (rc != SMBAUTH_LM_RESP_SZ) 537 return (B_FALSE); 538 539 ok = (bcmp(ntlm_resp, passwd, SMBAUTH_LM_RESP_SZ) == 0); 540 if (ok && (session_key)) { 541 rc = smb_auth_md4(session_key, ntlm_hash, SMBAUTH_HASH_SZ); 542 if (rc != SMBAUTH_SUCCESS) 543 ok = B_FALSE; 544 } 545 return (ok); 546 } 547 548 static boolean_t 549 smb_ntlmv2_password_ok( 550 unsigned char *challenge, 551 uint32_t clen, 552 unsigned char *ntlm_hash, 553 unsigned char *passwd, 554 int pwdlen, 555 char *domain, 556 char *username, 557 uchar_t *session_key) 558 { 559 unsigned char *clnt_blob; 560 int clnt_blob_len; 561 unsigned char ntlmv2_hash[SMBAUTH_HASH_SZ]; 562 unsigned char *ntlmv2_resp; 563 boolean_t ok = B_FALSE; 564 char *dest[3]; 565 int i; 566 int rc; 567 568 clnt_blob_len = pwdlen - SMBAUTH_HASH_SZ; 569 clnt_blob = &passwd[SMBAUTH_HASH_SZ]; 570 dest[0] = domain; 571 if ((dest[1] = strdup(domain)) == NULL) 572 return (B_FALSE); 573 (void) utf8_strupr(dest[1]); 574 dest[2] = ""; 575 576 /* 577 * 15.5.2 The NTLMv2 Password Hash, pg. 279, of the "Implementing CIFS" 578 * 579 * The NTLMv2 Hash is created from: 580 * - NTLM hash 581 * - user's username, and 582 * - the name of the logon destination(i.e. the NetBIOS name of either 583 * the SMB server or NT Domain against which the user is trying to 584 * authenticate. 585 * 586 * Experiments show this is not exactly the case. 587 * For Windows Server 2003, the domain name needs to be included and 588 * converted to uppercase. For Vista, the domain name needs to be 589 * included also, but leave the case alone. And in some cases it needs 590 * to be empty. All three variants are tried here. 591 */ 592 593 ntlmv2_resp = (unsigned char *)malloc(SMBAUTH_HASH_SZ + clnt_blob_len); 594 if (ntlmv2_resp == NULL) { 595 free(dest[1]); 596 return (B_FALSE); 597 } 598 599 for (i = 0; i < (sizeof (dest) / sizeof (char *)); i++) { 600 if (smb_auth_ntlmv2_hash(ntlm_hash, username, dest[i], 601 ntlmv2_hash) != SMBAUTH_SUCCESS) 602 break; 603 604 if (smb_auth_v2_response(ntlmv2_hash, challenge, 605 clen, clnt_blob, clnt_blob_len, ntlmv2_resp) < 0) 606 break; 607 608 ok = (bcmp(passwd, ntlmv2_resp, pwdlen) == 0); 609 if (ok && session_key) { 610 rc = SMBAUTH_HMACT64(ntlmv2_resp, 611 SMBAUTH_HASH_SZ, ntlmv2_hash, 612 SMBAUTH_SESSION_KEY_SZ, session_key); 613 if (rc != SMBAUTH_SUCCESS) { 614 ok = B_FALSE; 615 } 616 break; 617 } 618 } 619 620 free(dest[1]); 621 free(ntlmv2_resp); 622 return (ok); 623 } 624 625 static boolean_t 626 smb_lmv2_password_ok( 627 unsigned char *challenge, 628 uint32_t clen, 629 unsigned char *ntlm_hash, 630 unsigned char *passwd, 631 char *domain, 632 char *username) 633 { 634 unsigned char *clnt_challenge; 635 unsigned char ntlmv2_hash[SMBAUTH_HASH_SZ]; 636 unsigned char lmv2_resp[SMBAUTH_LM_RESP_SZ]; 637 boolean_t ok = B_FALSE; 638 char *dest[3]; 639 int i; 640 641 clnt_challenge = &passwd[SMBAUTH_HASH_SZ]; 642 dest[0] = domain; 643 if ((dest[1] = strdup(domain)) == NULL) 644 return (B_FALSE); 645 (void) utf8_strupr(dest[1]); 646 dest[2] = ""; 647 648 /* 649 * 15.5.2 The NTLMv2 Password Hash, pg. 279, of the "Implementing CIFS" 650 * 651 * The NTLMv2 Hash is created from: 652 * - NTLM hash 653 * - user's username, and 654 * - the name of the logon destination(i.e. the NetBIOS name of either 655 * the SMB server or NT Domain against which the suer is trying to 656 * authenticate. 657 * 658 * Experiments show this is not exactly the case. 659 * For Windows Server 2003, the domain name needs to be included and 660 * converted to uppercase. For Vista, the domain name needs to be 661 * included also, but leave the case alone. And in some cases it needs 662 * to be empty. All three variants are tried here. 663 */ 664 665 for (i = 0; i < (sizeof (dest) / sizeof (char *)); i++) { 666 if (smb_auth_ntlmv2_hash(ntlm_hash, username, dest[i], 667 ntlmv2_hash) != SMBAUTH_SUCCESS) 668 break; 669 670 if (smb_auth_v2_response(ntlmv2_hash, challenge, 671 clen, clnt_challenge, SMBAUTH_V2_CLNT_CHALLENGE_SZ, 672 lmv2_resp) < 0) 673 break; 674 675 ok = (bcmp(passwd, lmv2_resp, SMBAUTH_LM_RESP_SZ) == 0); 676 if (ok) 677 break; 678 } 679 680 free(dest[1]); 681 return (ok); 682 } 683 684 /* 685 * smb_auth_validate_lm 686 * 687 * Validates given LM/LMv2 client response, passed in passwd arg, against 688 * stored user's password, passed in smbpw 689 * 690 * If LM level <=3 server accepts LM responses, otherwise LMv2 691 */ 692 boolean_t 693 smb_auth_validate_lm( 694 unsigned char *challenge, 695 uint32_t clen, 696 smb_passwd_t *smbpw, 697 unsigned char *passwd, 698 int pwdlen, 699 char *domain, 700 char *username) 701 { 702 boolean_t ok = B_FALSE; 703 int64_t lmlevel; 704 705 if (pwdlen != SMBAUTH_LM_RESP_SZ) 706 return (B_FALSE); 707 708 if (smb_config_getnum(SMB_CI_LM_LEVEL, &lmlevel) != SMBD_SMF_OK) 709 return (B_FALSE); 710 711 if (lmlevel <= 3) { 712 ok = smb_lm_password_ok(challenge, clen, smbpw->pw_lmhash, 713 passwd); 714 } 715 716 if (!ok) 717 ok = smb_lmv2_password_ok(challenge, clen, smbpw->pw_nthash, 718 passwd, domain, username); 719 720 return (ok); 721 } 722 723 /* 724 * smb_auth_validate_nt 725 * 726 * Validates given NTLM/NTLMv2 client response, passed in passwd arg, against 727 * stored user's password, passed in smbpw 728 * 729 * If LM level <=4 server accepts NTLM/NTLMv2 responses, otherwise only NTLMv2 730 */ 731 boolean_t 732 smb_auth_validate_nt( 733 unsigned char *challenge, 734 uint32_t clen, 735 smb_passwd_t *smbpw, 736 unsigned char *passwd, 737 int pwdlen, 738 char *domain, 739 char *username, 740 uchar_t *session_key) 741 { 742 int64_t lmlevel; 743 boolean_t ok; 744 745 if (smb_config_getnum(SMB_CI_LM_LEVEL, &lmlevel) != SMBD_SMF_OK) 746 return (B_FALSE); 747 748 if ((lmlevel == 5) && (pwdlen <= SMBAUTH_LM_RESP_SZ)) 749 return (B_FALSE); 750 751 if (pwdlen > SMBAUTH_LM_RESP_SZ) 752 ok = smb_ntlmv2_password_ok(challenge, clen, 753 smbpw->pw_nthash, passwd, pwdlen, 754 domain, username, session_key); 755 else 756 ok = smb_ntlm_password_ok(challenge, clen, 757 smbpw->pw_nthash, passwd, session_key); 758 759 return (ok); 760 } 761