15331Samw /* 25331Samw * CDDL HEADER START 35331Samw * 45331Samw * The contents of this file are subject to the terms of the 55331Samw * Common Development and Distribution License (the "License"). 65331Samw * You may not use this file except in compliance with the License. 75331Samw * 85331Samw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 95331Samw * or http://www.opensolaris.org/os/licensing. 105331Samw * See the License for the specific language governing permissions 115331Samw * and limitations under the License. 125331Samw * 135331Samw * When distributing Covered Code, include this CDDL HEADER in each 145331Samw * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 155331Samw * If applicable, add the following below this CDDL HEADER, with the 165331Samw * fields enclosed by brackets "[]" replaced with your own identifying 175331Samw * information: Portions Copyright [yyyy] [name of copyright owner] 185331Samw * 195331Samw * CDDL HEADER END 205331Samw */ 215331Samw /* 22*10122SJordan.Brown@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 235331Samw * Use is subject to license terms. 245331Samw */ 255331Samw 265331Samw /* 275331Samw * NETR challenge/response client functions. 285331Samw * 295331Samw * NT_STATUS_INVALID_PARAMETER 305331Samw * NT_STATUS_NO_TRUST_SAM_ACCOUNT 315331Samw * NT_STATUS_ACCESS_DENIED 325331Samw */ 335331Samw 345331Samw #include <stdio.h> 355331Samw #include <stdlib.h> 365331Samw #include <strings.h> 375331Samw #include <unistd.h> 385331Samw #include <ctype.h> 397052Samw #include <security/cryptoki.h> 407052Samw #include <security/pkcs11.h> 415331Samw 425331Samw #include <smbsrv/libsmb.h> 435521Sas200622 #include <smbsrv/libsmbrdr.h> 446432Sas200622 #include <smbsrv/libsmbns.h> 458334SJose.Borrego@Sun.COM #include <smbsrv/libmlsvc.h> 465331Samw #include <smbsrv/ndl/netlogon.ndl> 475331Samw #include <smbsrv/ntstatus.h> 485331Samw #include <smbsrv/smbinfo.h> 495331Samw #include <smbsrv/netrauth.h> 505331Samw 517052Samw #define NETR_SESSKEY_ZEROBUF_SZ 4 527619SJose.Borrego@Sun.COM /* The DES algorithm uses a 56-bit encryption key. */ 537052Samw #define NETR_DESKEY_LEN 7 547052Samw 555331Samw int netr_setup_authenticator(netr_info_t *, struct netr_authenticator *, 565331Samw struct netr_authenticator *); 575331Samw DWORD netr_validate_chain(netr_info_t *, struct netr_authenticator *); 585331Samw 595331Samw static int netr_server_req_challenge(mlsvc_handle_t *, netr_info_t *); 605331Samw static int netr_server_authenticate2(mlsvc_handle_t *, netr_info_t *); 615331Samw static int netr_gen_password(BYTE *, BYTE *, BYTE *); 625331Samw 635331Samw /* 645331Samw * Shared with netr_logon.c 655331Samw */ 665331Samw netr_info_t netr_global_info; 675331Samw 685331Samw /* 695331Samw * netlogon_auth 705331Samw * 715331Samw * This is the core of the NETLOGON authentication protocol. 725331Samw * Do the challenge response authentication. 735331Samw * 745331Samw * Prior to calling this function, an anonymous session to the NETLOGON 755331Samw * pipe on a domain controller(server) should have already been opened. 766139Sjb150015 * 776139Sjb150015 * Upon a successful NETLOGON credential chain establishment, the 786139Sjb150015 * netlogon sequence number will be set to match the kpasswd sequence 796139Sjb150015 * number. 806139Sjb150015 * 815331Samw */ 825331Samw DWORD 835331Samw netlogon_auth(char *server, mlsvc_handle_t *netr_handle, DWORD flags) 845331Samw { 855331Samw netr_info_t *netr_info; 865331Samw int rc; 875521Sas200622 DWORD leout_rc[2]; 885331Samw 895331Samw netr_info = &netr_global_info; 905331Samw bzero(netr_info, sizeof (netr_info_t)); 915331Samw 925331Samw netr_info->flags |= flags; 935331Samw 947961SNatalie.Li@Sun.COM rc = smb_getnetbiosname(netr_info->hostname, NETBIOS_NAME_SZ); 955331Samw if (rc != 0) 965331Samw return (NT_STATUS_UNSUCCESSFUL); 975331Samw 985331Samw (void) snprintf(netr_info->server, sizeof (netr_info->server), 995331Samw "\\\\%s", server); 1005331Samw 1015521Sas200622 LE_OUT32(&leout_rc[0], random()); 1025521Sas200622 LE_OUT32(&leout_rc[1], random()); 1035521Sas200622 (void) memcpy(&netr_info->client_challenge, leout_rc, 1045331Samw sizeof (struct netr_credential)); 1055331Samw 1065331Samw if ((rc = netr_server_req_challenge(netr_handle, netr_info)) == 0) { 1075331Samw rc = netr_server_authenticate2(netr_handle, netr_info); 1086139Sjb150015 if (rc == 0) { 1096139Sjb150015 smb_update_netlogon_seqnum(); 1105331Samw netr_info->flags |= NETR_FLG_VALID; 1116139Sjb150015 1126139Sjb150015 } 1135331Samw } 1145331Samw 1155331Samw return ((rc) ? NT_STATUS_UNSUCCESSFUL : NT_STATUS_SUCCESS); 1165331Samw } 1175331Samw 1185331Samw /* 1195331Samw * netr_open 1205331Samw * 121*10122SJordan.Brown@Sun.COM * Open an anonymous session to the NETLOGON pipe on a domain controller 122*10122SJordan.Brown@Sun.COM * and bind to the NETR RPC interface. 123*10122SJordan.Brown@Sun.COM * 124*10122SJordan.Brown@Sun.COM * We store the remote server information, which is used to drive Windows 125*10122SJordan.Brown@Sun.COM * version specific behavior. 1265331Samw */ 1275331Samw int 1285331Samw netr_open(char *server, char *domain, mlsvc_handle_t *netr_handle) 1295331Samw { 130*10122SJordan.Brown@Sun.COM srvsvc_server_info_t svinfo; 1315521Sas200622 char *user = smbrdr_ipc_get_user(); 1325331Samw 133*10122SJordan.Brown@Sun.COM if (srvsvc_net_server_getinfo(server, domain, &svinfo) < 0) 134*10122SJordan.Brown@Sun.COM return (-1); 135*10122SJordan.Brown@Sun.COM 1368334SJose.Borrego@Sun.COM if (ndr_rpc_bind(netr_handle, server, domain, user, "NETR") < 0) 1375331Samw return (-1); 1385331Samw 139*10122SJordan.Brown@Sun.COM ndr_rpc_server_setinfo(netr_handle, &svinfo); 140*10122SJordan.Brown@Sun.COM free(svinfo.sv_name); 141*10122SJordan.Brown@Sun.COM free(svinfo.sv_comment); 1425331Samw return (0); 1435331Samw } 1445331Samw 1455331Samw /* 1465331Samw * netr_close 1475331Samw * 1485331Samw * Close a NETLOGON pipe and free the RPC context. 1495331Samw */ 1505331Samw int 1515331Samw netr_close(mlsvc_handle_t *netr_handle) 1525331Samw { 1538334SJose.Borrego@Sun.COM ndr_rpc_unbind(netr_handle); 1545331Samw return (0); 1555331Samw } 1565331Samw 1575331Samw /* 1585331Samw * netr_server_req_challenge 1595331Samw */ 1605331Samw static int 1615331Samw netr_server_req_challenge(mlsvc_handle_t *netr_handle, netr_info_t *netr_info) 1625331Samw { 1635331Samw struct netr_ServerReqChallenge arg; 1645331Samw int opnum; 1655331Samw 1665331Samw bzero(&arg, sizeof (struct netr_ServerReqChallenge)); 1675331Samw opnum = NETR_OPNUM_ServerReqChallenge; 1685331Samw 1695331Samw arg.servername = (unsigned char *)netr_info->server; 1705331Samw arg.hostname = (unsigned char *)netr_info->hostname; 1715331Samw 1725331Samw (void) memcpy(&arg.client_challenge, &netr_info->client_challenge, 1735331Samw sizeof (struct netr_credential)); 1745331Samw 1758334SJose.Borrego@Sun.COM if (ndr_rpc_call(netr_handle, opnum, &arg) != 0) 1768334SJose.Borrego@Sun.COM return (-1); 1778334SJose.Borrego@Sun.COM 1788334SJose.Borrego@Sun.COM if (arg.status != 0) { 1798334SJose.Borrego@Sun.COM ndr_rpc_status(netr_handle, opnum, arg.status); 1808334SJose.Borrego@Sun.COM ndr_rpc_release(netr_handle); 1818334SJose.Borrego@Sun.COM return (-1); 1825331Samw } 1835331Samw 1848334SJose.Borrego@Sun.COM (void) memcpy(&netr_info->server_challenge, &arg.server_challenge, 1858334SJose.Borrego@Sun.COM sizeof (struct netr_credential)); 1868334SJose.Borrego@Sun.COM 1878334SJose.Borrego@Sun.COM ndr_rpc_release(netr_handle); 1888334SJose.Borrego@Sun.COM return (0); 1895331Samw } 1905331Samw 1915331Samw /* 1925331Samw * netr_server_authenticate2 1935331Samw */ 1945331Samw static int 1955331Samw netr_server_authenticate2(mlsvc_handle_t *netr_handle, netr_info_t *netr_info) 1965331Samw { 1975331Samw struct netr_ServerAuthenticate2 arg; 1985331Samw int opnum; 1995331Samw int rc; 2007961SNatalie.Li@Sun.COM char account_name[NETBIOS_NAME_SZ * 2]; 2015331Samw 2025331Samw bzero(&arg, sizeof (struct netr_ServerAuthenticate2)); 2035331Samw opnum = NETR_OPNUM_ServerAuthenticate2; 2045331Samw 2055331Samw (void) snprintf(account_name, sizeof (account_name), "%s$", 2065331Samw netr_info->hostname); 2075331Samw 2087619SJose.Borrego@Sun.COM smb_tracef("server=[%s] account_name=[%s] hostname=[%s]\n", 2097619SJose.Borrego@Sun.COM netr_info->server, account_name, netr_info->hostname); 2107619SJose.Borrego@Sun.COM 2115331Samw arg.servername = (unsigned char *)netr_info->server; 2125331Samw arg.account_name = (unsigned char *)account_name; 2135331Samw arg.account_type = NETR_WKSTA_TRUST_ACCOUNT_TYPE; 2145331Samw arg.hostname = (unsigned char *)netr_info->hostname; 2157619SJose.Borrego@Sun.COM arg.negotiate_flags = NETR_NEGOTIATE_BASE_FLAGS; 2165331Samw 2178334SJose.Borrego@Sun.COM if (ndr_rpc_server_os(netr_handle) != NATIVE_OS_WINNT) { 2187619SJose.Borrego@Sun.COM arg.negotiate_flags |= NETR_NEGOTIATE_STRONGKEY_FLAG; 2197619SJose.Borrego@Sun.COM if (netr_gen_skey128(netr_info) != SMBAUTH_SUCCESS) 2207619SJose.Borrego@Sun.COM return (-1); 2217619SJose.Borrego@Sun.COM } else { 2227619SJose.Borrego@Sun.COM if (netr_gen_skey64(netr_info) != SMBAUTH_SUCCESS) 2237619SJose.Borrego@Sun.COM return (-1); 2247619SJose.Borrego@Sun.COM } 2255331Samw 2267619SJose.Borrego@Sun.COM if (netr_gen_credentials(netr_info->session_key.key, 2277619SJose.Borrego@Sun.COM &netr_info->client_challenge, 0, 2285331Samw &netr_info->client_credential) != SMBAUTH_SUCCESS) { 2295331Samw return (-1); 2305331Samw } 2315331Samw 2327619SJose.Borrego@Sun.COM if (netr_gen_credentials(netr_info->session_key.key, 2337619SJose.Borrego@Sun.COM &netr_info->server_challenge, 0, 2345331Samw &netr_info->server_credential) != SMBAUTH_SUCCESS) { 2355331Samw return (-1); 2365331Samw } 2375331Samw 2385331Samw (void) memcpy(&arg.client_credential, &netr_info->client_credential, 2395331Samw sizeof (struct netr_credential)); 2405331Samw 2418334SJose.Borrego@Sun.COM if (ndr_rpc_call(netr_handle, opnum, &arg) != 0) 2428334SJose.Borrego@Sun.COM return (-1); 2435331Samw 2448334SJose.Borrego@Sun.COM if (arg.status != 0) { 2458334SJose.Borrego@Sun.COM ndr_rpc_status(netr_handle, opnum, arg.status); 2468334SJose.Borrego@Sun.COM ndr_rpc_release(netr_handle); 2478334SJose.Borrego@Sun.COM return (-1); 2485331Samw } 2495331Samw 2508334SJose.Borrego@Sun.COM rc = memcmp(&netr_info->server_credential, &arg.server_credential, 2518334SJose.Borrego@Sun.COM sizeof (struct netr_credential)); 2528334SJose.Borrego@Sun.COM 2538334SJose.Borrego@Sun.COM ndr_rpc_release(netr_handle); 2545331Samw return (rc); 2555331Samw } 2565331Samw 2575331Samw /* 2587619SJose.Borrego@Sun.COM * netr_gen_skey128 2595331Samw * 2607619SJose.Borrego@Sun.COM * Generate a 128-bit session key from the client and server challenges. 2617619SJose.Borrego@Sun.COM * See "Session-Key Computation" section of MS-NRPC document. 2625331Samw */ 2637052Samw int 2647619SJose.Borrego@Sun.COM netr_gen_skey128(netr_info_t *netr_info) 2657052Samw { 2667052Samw unsigned char ntlmhash[SMBAUTH_HASH_SZ]; 2677052Samw int rc = SMBAUTH_FAILURE; 2687052Samw CK_RV rv; 2697052Samw CK_MECHANISM mechanism; 2707052Samw CK_SESSION_HANDLE hSession; 2717052Samw CK_ULONG diglen = MD_DIGEST_LEN; 2727052Samw unsigned char md5digest[MD_DIGEST_LEN]; 2737052Samw unsigned char zerobuf[NETR_SESSKEY_ZEROBUF_SZ]; 2747052Samw 2757052Samw bzero(ntlmhash, SMBAUTH_HASH_SZ); 2767052Samw /* 2777052Samw * We should check (netr_info->flags & NETR_FLG_INIT) and use 2787052Samw * the appropriate password but it isn't working yet. So we 2797052Samw * always use the default one for now. 2807052Samw */ 2817052Samw bzero(netr_info->password, sizeof (netr_info->password)); 2827052Samw rc = smb_config_getstr(SMB_CI_MACHINE_PASSWD, 2837052Samw (char *)netr_info->password, sizeof (netr_info->password)); 2847052Samw 2857052Samw if ((rc != SMBD_SMF_OK) || *netr_info->password == '\0') { 2867052Samw return (SMBAUTH_FAILURE); 2877052Samw } 2887052Samw 2897052Samw rc = smb_auth_ntlm_hash((char *)netr_info->password, ntlmhash); 2907052Samw if (rc != SMBAUTH_SUCCESS) 2917052Samw return (SMBAUTH_FAILURE); 2927052Samw 2937052Samw bzero(zerobuf, NETR_SESSKEY_ZEROBUF_SZ); 2947052Samw 2957052Samw mechanism.mechanism = CKM_MD5; 2967052Samw mechanism.pParameter = 0; 2977052Samw mechanism.ulParameterLen = 0; 2987052Samw 2997052Samw rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession); 3007052Samw if (rv != CKR_OK) 3017052Samw return (SMBAUTH_FAILURE); 3027052Samw 3037052Samw rv = C_DigestInit(hSession, &mechanism); 3047052Samw if (rv != CKR_OK) 3057052Samw goto cleanup; 3067052Samw 3077052Samw rv = C_DigestUpdate(hSession, (CK_BYTE_PTR)zerobuf, 3087052Samw NETR_SESSKEY_ZEROBUF_SZ); 3097052Samw if (rv != CKR_OK) 3107052Samw goto cleanup; 3117052Samw 3127052Samw rv = C_DigestUpdate(hSession, 3137052Samw (CK_BYTE_PTR)netr_info->client_challenge.data, NETR_CRED_DATA_SZ); 3147052Samw if (rv != CKR_OK) 3157052Samw goto cleanup; 3167052Samw 3177052Samw rv = C_DigestUpdate(hSession, 3187052Samw (CK_BYTE_PTR)netr_info->server_challenge.data, NETR_CRED_DATA_SZ); 3197052Samw if (rv != CKR_OK) 3207052Samw goto cleanup; 3217052Samw 3227052Samw rv = C_DigestFinal(hSession, (CK_BYTE_PTR)md5digest, &diglen); 3237052Samw if (rv != CKR_OK) 3247052Samw goto cleanup; 3257052Samw 3267052Samw rc = smb_auth_hmac_md5(md5digest, diglen, ntlmhash, SMBAUTH_HASH_SZ, 3277619SJose.Borrego@Sun.COM netr_info->session_key.key); 3287052Samw 3297619SJose.Borrego@Sun.COM netr_info->session_key.len = NETR_SESSKEY128_SZ; 3307052Samw cleanup: 3317052Samw (void) C_CloseSession(hSession); 3327052Samw return (rc); 3337052Samw 3347052Samw } 3357619SJose.Borrego@Sun.COM /* 3367619SJose.Borrego@Sun.COM * netr_gen_skey64 3377619SJose.Borrego@Sun.COM * 3387619SJose.Borrego@Sun.COM * Generate a 64-bit session key from the client and server challenges. 3397619SJose.Borrego@Sun.COM * See "Session-Key Computation" section of MS-NRPC document. 3407619SJose.Borrego@Sun.COM * 3417619SJose.Borrego@Sun.COM * The algorithm is a two stage hash. For the first hash, the input is 3427619SJose.Borrego@Sun.COM * the combination of the client and server challenges, the key is 3437619SJose.Borrego@Sun.COM * the first 7 bytes of the password. The initial password is formed 3447619SJose.Borrego@Sun.COM * using the NT password hash on the local hostname in lower case. 3457619SJose.Borrego@Sun.COM * The result is stored in a temporary buffer. 3467619SJose.Borrego@Sun.COM * 3477619SJose.Borrego@Sun.COM * input: challenge 3487619SJose.Borrego@Sun.COM * key: passwd lower 7 bytes 3497619SJose.Borrego@Sun.COM * output: intermediate result 3507619SJose.Borrego@Sun.COM * 3517619SJose.Borrego@Sun.COM * For the second hash, the input is the result of the first hash and 3527619SJose.Borrego@Sun.COM * the key is the last 7 bytes of the password. 3537619SJose.Borrego@Sun.COM * 3547619SJose.Borrego@Sun.COM * input: result of first hash 3557619SJose.Borrego@Sun.COM * key: passwd upper 7 bytes 3567619SJose.Borrego@Sun.COM * output: session_key 3577619SJose.Borrego@Sun.COM * 3587619SJose.Borrego@Sun.COM * The final output should be the session key. 3597619SJose.Borrego@Sun.COM * 3607619SJose.Borrego@Sun.COM * FYI: smb_auth_DES(output, key, input) 3617619SJose.Borrego@Sun.COM * 3627619SJose.Borrego@Sun.COM * If any difficulties occur using the cryptographic framework, the 3637619SJose.Borrego@Sun.COM * function returns SMBAUTH_FAILURE. Otherwise SMBAUTH_SUCCESS is 3647619SJose.Borrego@Sun.COM * returned. 3657619SJose.Borrego@Sun.COM */ 3665331Samw int 3677619SJose.Borrego@Sun.COM netr_gen_skey64(netr_info_t *netr_info) 3685331Samw { 3695331Samw unsigned char md4hash[32]; 3705331Samw unsigned char buffer[8]; 3715331Samw DWORD data[2]; 3725331Samw DWORD *client_challenge; 3735331Samw DWORD *server_challenge; 3745331Samw int rc; 3755521Sas200622 DWORD le_data[2]; 3765331Samw 3775331Samw client_challenge = (DWORD *)(uintptr_t)&netr_info->client_challenge; 3785331Samw server_challenge = (DWORD *)(uintptr_t)&netr_info->server_challenge; 3795331Samw bzero(md4hash, 32); 3805331Samw 3815331Samw /* 3825331Samw * We should check (netr_info->flags & NETR_FLG_INIT) and use 3835331Samw * the appropriate password but it isn't working yet. So we 3845331Samw * always use the default one for now. 3855331Samw */ 3865772Sas200622 bzero(netr_info->password, sizeof (netr_info->password)); 3875772Sas200622 rc = smb_config_getstr(SMB_CI_MACHINE_PASSWD, 3885772Sas200622 (char *)netr_info->password, sizeof (netr_info->password)); 3895331Samw 3905772Sas200622 if ((rc != SMBD_SMF_OK) || *netr_info->password == '\0') { 3917052Samw return (SMBAUTH_FAILURE); 3925331Samw } 3935331Samw 3945772Sas200622 rc = smb_auth_ntlm_hash((char *)netr_info->password, md4hash); 3955331Samw 3965331Samw if (rc != SMBAUTH_SUCCESS) 3975331Samw return (SMBAUTH_FAILURE); 3985331Samw 3995331Samw data[0] = LE_IN32(&client_challenge[0]) + LE_IN32(&server_challenge[0]); 4005331Samw data[1] = LE_IN32(&client_challenge[1]) + LE_IN32(&server_challenge[1]); 4015521Sas200622 LE_OUT32(&le_data[0], data[0]); 4025521Sas200622 LE_OUT32(&le_data[1], data[1]); 4037619SJose.Borrego@Sun.COM rc = smb_auth_DES(buffer, 8, md4hash, NETR_DESKEY_LEN, 4047619SJose.Borrego@Sun.COM (unsigned char *)le_data, 8); 4055331Samw 4065331Samw if (rc != SMBAUTH_SUCCESS) 4075331Samw return (rc); 4085331Samw 4097619SJose.Borrego@Sun.COM netr_info->session_key.len = NETR_SESSKEY64_SZ; 4107619SJose.Borrego@Sun.COM rc = smb_auth_DES(netr_info->session_key.key, 4117619SJose.Borrego@Sun.COM netr_info->session_key.len, &md4hash[9], NETR_DESKEY_LEN, buffer, 4127619SJose.Borrego@Sun.COM 8); 4137619SJose.Borrego@Sun.COM 4145331Samw return (rc); 4155331Samw } 4165331Samw 4175331Samw /* 4185331Samw * netr_gen_credentials 4195331Samw * 4205331Samw * Generate a set of credentials from a challenge and a session key. 4215331Samw * The algorithm is a two stage hash. For the first hash, the 4225331Samw * timestamp is added to the challenge and the result is stored in a 4235331Samw * temporary buffer: 4245331Samw * 4255331Samw * input: challenge (including timestamp) 4265331Samw * key: session_key 4275331Samw * output: intermediate result 4285331Samw * 4295331Samw * For the second hash, the input is the result of the first hash and 4305331Samw * a strange partial key is used: 4315331Samw * 4325331Samw * input: result of first hash 4335331Samw * key: funny partial key 4345331Samw * output: credentiails 4355331Samw * 4365331Samw * The final output should be an encrypted set of credentials. 4375331Samw * 4385331Samw * FYI: smb_auth_DES(output, key, input) 4395331Samw * 4405331Samw * If any difficulties occur using the cryptographic framework, the 4415331Samw * function returns SMBAUTH_FAILURE. Otherwise SMBAUTH_SUCCESS is 4425331Samw * returned. 4435331Samw */ 4445331Samw int 4455331Samw netr_gen_credentials(BYTE *session_key, netr_cred_t *challenge, 4465331Samw DWORD timestamp, netr_cred_t *out_cred) 4475331Samw { 4485331Samw unsigned char buffer[8]; 4495331Samw DWORD data[2]; 4505521Sas200622 DWORD le_data[2]; 4515331Samw DWORD *p; 4525331Samw int rc; 4535331Samw 4545331Samw p = (DWORD *)(uintptr_t)challenge; 4555521Sas200622 data[0] = LE_IN32(&p[0]) + timestamp; 4565521Sas200622 data[1] = LE_IN32(&p[1]); 4575521Sas200622 4585521Sas200622 LE_OUT32(&le_data[0], data[0]); 4595521Sas200622 LE_OUT32(&le_data[1], data[1]); 4605331Samw 4617052Samw if (smb_auth_DES(buffer, 8, session_key, NETR_DESKEY_LEN, 4625521Sas200622 (unsigned char *)le_data, 8) != SMBAUTH_SUCCESS) 4635331Samw return (SMBAUTH_FAILURE); 4645331Samw 4657052Samw rc = smb_auth_DES(out_cred->data, 8, &session_key[NETR_DESKEY_LEN], 4667052Samw NETR_DESKEY_LEN, buffer, 8); 4675331Samw 4685331Samw return (rc); 4695331Samw } 4705331Samw 4715331Samw /* 4725331Samw * netr_server_password_set 4735331Samw * 4745331Samw * Attempt to change the trust account password for this system. 4755331Samw * 4765331Samw * Note that this call may legitimately fail if the registry on the 4775331Samw * domain controller has been setup to deny attempts to change the 4785331Samw * trust account password. In this case we should just continue to 4795331Samw * use the original password. 4805331Samw * 4815331Samw * Possible status values: 4825331Samw * NT_STATUS_ACCESS_DENIED 4835331Samw */ 4845331Samw int 4855331Samw netr_server_password_set(mlsvc_handle_t *netr_handle, netr_info_t *netr_info) 4865331Samw { 4875331Samw struct netr_PasswordSet arg; 4885331Samw int opnum; 4895331Samw BYTE new_password[NETR_OWF_PASSWORD_SZ]; 4907961SNatalie.Li@Sun.COM char account_name[NETBIOS_NAME_SZ * 2]; 4915331Samw 4925331Samw bzero(&arg, sizeof (struct netr_PasswordSet)); 4935331Samw opnum = NETR_OPNUM_ServerPasswordSet; 4945331Samw 4955331Samw (void) snprintf(account_name, sizeof (account_name), "%s$", 4965331Samw netr_info->hostname); 4975331Samw 4985331Samw arg.servername = (unsigned char *)netr_info->server; 4995331Samw arg.account_name = (unsigned char *)account_name; 5005331Samw arg.account_type = NETR_WKSTA_TRUST_ACCOUNT_TYPE; 5015331Samw arg.hostname = (unsigned char *)netr_info->hostname; 5025331Samw 5035331Samw /* 5045331Samw * Set up the client side authenticator. 5055331Samw */ 5065331Samw if (netr_setup_authenticator(netr_info, &arg.auth, 0) != 5075331Samw SMBAUTH_SUCCESS) { 5085331Samw return (-1); 5095331Samw } 5105331Samw 5115331Samw /* 5125331Samw * Generate a new password from the old password. 5135331Samw */ 5147619SJose.Borrego@Sun.COM if (netr_gen_password(netr_info->session_key.key, 5155331Samw netr_info->password, new_password) == SMBAUTH_FAILURE) { 5165331Samw return (-1); 5175331Samw } 5185331Samw 5195331Samw (void) memcpy(&arg.uas_new_password, &new_password, 5205331Samw NETR_OWF_PASSWORD_SZ); 5215331Samw 5228334SJose.Borrego@Sun.COM if (ndr_rpc_call(netr_handle, opnum, &arg) != 0) 5238334SJose.Borrego@Sun.COM return (-1); 5248334SJose.Borrego@Sun.COM 5258334SJose.Borrego@Sun.COM if (arg.status != 0) { 5268334SJose.Borrego@Sun.COM ndr_rpc_status(netr_handle, opnum, arg.status); 5278334SJose.Borrego@Sun.COM ndr_rpc_release(netr_handle); 5285331Samw return (-1); 5295331Samw } 5305331Samw 5315331Samw /* 5325331Samw * Check the returned credentials. The server returns the new 5335331Samw * client credential rather than the new server credentiali, 5345331Samw * as documented elsewhere. 5355331Samw * 5365331Samw * Generate the new seed for the credential chain. Increment 5375331Samw * the timestamp and add it to the client challenge. Then we 5385331Samw * need to copy the challenge to the credential field in 5395331Samw * preparation for the next cycle. 5405331Samw */ 5415331Samw if (netr_validate_chain(netr_info, &arg.auth) == 0) { 5425331Samw /* 5435331Samw * Save the new password. 5445331Samw */ 5455331Samw (void) memcpy(netr_info->password, new_password, 5465331Samw NETR_OWF_PASSWORD_SZ); 5475331Samw } 5485331Samw 5498334SJose.Borrego@Sun.COM ndr_rpc_release(netr_handle); 5505331Samw return (0); 5515331Samw } 5525331Samw 5535331Samw /* 5545331Samw * netr_gen_password 5555331Samw * 5565331Samw * Generate a new pasword from the old password and the session key. 5575331Samw * The algorithm is a two stage hash. The session key is used in the 5585331Samw * first hash but only part of the session key is used in the second 5595331Samw * hash. 5605331Samw * 5615331Samw * If any difficulties occur using the cryptographic framework, the 5625331Samw * function returns SMBAUTH_FAILURE. Otherwise SMBAUTH_SUCCESS is 5635331Samw * returned. 5645331Samw */ 5655331Samw static int 5665331Samw netr_gen_password(BYTE *session_key, BYTE *old_password, BYTE *new_password) 5675331Samw { 5685331Samw int rv; 5695331Samw 5707052Samw rv = smb_auth_DES(new_password, 8, session_key, NETR_DESKEY_LEN, 5717052Samw old_password, 8); 5725331Samw if (rv != SMBAUTH_SUCCESS) 5735331Samw return (rv); 5745331Samw 5757052Samw rv = smb_auth_DES(&new_password[8], 8, &session_key[NETR_DESKEY_LEN], 5767052Samw NETR_DESKEY_LEN, &old_password[8], 8); 5775331Samw return (rv); 5785331Samw } 579