search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcli: Fix a signed/unsigned comparison warning
[samba4-gss.git] / libcli / auth / proto.h
blobd396baeebe0699fc430e245702e22bcc1e5c4787
1 #ifndef _LIBCLI_AUTH_PROTO_H__
2 #define _LIBCLI_AUTH_PROTO_H__
3
4 #undef _PRINTF_ATTRIBUTE
5 #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
6
7 #include "lib/crypto/gnutls_helpers.h"
8
9 /* this file contains prototypes for functions that are private
10 * to this subsystem or library. These functions should not be
11 * used outside this particular subsystem! */
12
13
14 /* The following definitions come from libcli/auth/credentials.c */
15
16 bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge);
17 void netlogon_creds_random_challenge(struct netr_Credential *challenge);
18
19 NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
20 struct samr_Password *pass);
21 NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
22 struct samr_Password *pass);
23 NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
24 uint8_t *data,
25 size_t len);
26 NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
27 uint8_t *data,
28 size_t len);
29 NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds,
30 uint8_t *data,
31 size_t len);
32
33 /* These should not be used directly! */
34 #define netlogon_creds_des_encrypt __DO_NOT_USE_netlogon_creds_des_encrypt
35 #define netlogon_creds_des_decrypt __DO_NOT_USE_netlogon_creds_des_decrypt
36 #define netlogon_creds_arcfour_crypt __DO_NOT_USE_netlogon_creds_arcfour_crypt
37 #define netlogon_creds_aes_encrypt __DO_NOT_USE_netlogon_creds_aes_encrypt
38 #define netlogon_creds_aes_decrypt __DO_NOT_USE_netlogon_creds_aes_decrypt
39
40 /*****************************************************************
41 The above functions are common to the client and server interface
42 next comes the client specific functions
43 ******************************************************************/
44 struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
45 const char *client_account,
46 const char *client_computer_name,
47 uint16_t secure_channel_type,
48 const struct netr_Credential *client_challenge,
49 const struct netr_Credential *server_challenge,
50 const struct samr_Password *machine_password,
51 struct netr_Credential *initial_credential,
52 uint32_t client_requested_flags,
53 uint32_t negotiate_flags);
54 NTSTATUS
55 netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
56 struct netr_Authenticator *next);
57 NTSTATUS netlogon_creds_client_verify(struct netlogon_creds_CredentialState *creds,
58 const struct netr_Credential *received_credentials,
59 enum dcerpc_AuthType auth_type,
60 enum dcerpc_AuthLevel auth_level);
61 bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
62 const struct netr_Credential *received_credentials);
63 struct netlogon_creds_CredentialState *netlogon_creds_copy(
64 TALLOC_CTX *mem_ctx,
65 const struct netlogon_creds_CredentialState *creds_in);
66
67 /*****************************************************************
68 The above functions are common to the client and server interface
69 next comes the server specific functions
70 ******************************************************************/
71 struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
72 const char *client_account,
73 const char *client_computer_name,
74 uint16_t secure_channel_type,
75 const struct netr_Credential *client_challenge,
76 const struct netr_Credential *server_challenge,
77 const struct samr_Password *machine_password,
78 const struct netr_Credential *credentials_in,
79 struct netr_Credential *credentials_out,
80 uint32_t client_requested_flags,
81 const struct dom_sid *client_sid,
82 uint32_t negotiate_flags);
83 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
84 const struct netr_Authenticator *received_authenticator,
85 struct netr_Authenticator *return_authenticator,
86 enum dcerpc_AuthType auth_type,
87 enum dcerpc_AuthLevel auth_level);
88 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
89 uint16_t validation_level,
90 union netr_Validation *validation,
91 enum dcerpc_AuthType auth_type,
92 enum dcerpc_AuthLevel auth_level);
93 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
94 uint16_t validation_level,
95 union netr_Validation *validation,
96 enum dcerpc_AuthType auth_type,
97 enum dcerpc_AuthLevel auth_level);
98 NTSTATUS netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
99 enum netr_LogonInfoClass level,
100 union netr_LogonLevel *logon,
101 enum dcerpc_AuthType auth_type,
102 enum dcerpc_AuthLevel auth_level);
103 NTSTATUS netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
104 enum netr_LogonInfoClass level,
105 union netr_LogonLevel *logon,
106 enum dcerpc_AuthType auth_type,
107 enum dcerpc_AuthLevel auth_level);
108 NTSTATUS netlogon_creds_decrypt_samr_Password(struct netlogon_creds_CredentialState *creds,
109 struct samr_Password *pass,
110 enum dcerpc_AuthType auth_type,
111 enum dcerpc_AuthLevel auth_level);
112 NTSTATUS netlogon_creds_encrypt_samr_Password(struct netlogon_creds_CredentialState *creds,
113 struct samr_Password *pass,
114 enum dcerpc_AuthType auth_type,
115 enum dcerpc_AuthLevel auth_level);
116 NTSTATUS netlogon_creds_decrypt_samr_CryptPassword(struct netlogon_creds_CredentialState *creds,
117 struct samr_CryptPassword *pass,
118 enum dcerpc_AuthType auth_type,
119 enum dcerpc_AuthLevel auth_level);
120 NTSTATUS netlogon_creds_encrypt_samr_CryptPassword(struct netlogon_creds_CredentialState *creds,
121 struct samr_CryptPassword *pass,
122 enum dcerpc_AuthType auth_type,
123 enum dcerpc_AuthLevel auth_level);
124 NTSTATUS netlogon_creds_decrypt_SendToSam(struct netlogon_creds_CredentialState *creds,
125 uint8_t *opaque_data,
126 size_t opaque_length,
127 enum dcerpc_AuthType auth_type,
128 enum dcerpc_AuthLevel auth_level);
129 NTSTATUS netlogon_creds_encrypt_SendToSam(struct netlogon_creds_CredentialState *creds,
130 uint8_t *opaque_data,
131 size_t opaque_length,
132 enum dcerpc_AuthType auth_type,
133 enum dcerpc_AuthLevel auth_level);
134 union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
135 enum netr_LogonInfoClass level,
136 const union netr_LogonLevel *in);
137
138 /* The following definitions come from libcli/auth/session.c */
139
140 int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
141 enum samba_gnutls_direction encrypt);
142 DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key);
143 char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
144 DATA_BLOB *blob, const DATA_BLOB *session_key);
145 DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_BLOB *session_key);
146 NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DATA_BLOB *session_key,
147 DATA_BLOB *ret);
148
149 /* The following definitions come from libcli/auth/smbencrypt.c */
150
151 int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]);
152 bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
153
154 /**
155 * Creates the MD4 Hash of the users password in NT UNICODE.
156 * @param passwd password in 'unix' charset.
157 * @param p16 return password hashed with md4, caller allocated 16 byte buffer
158 */
159 bool E_md4hash(const char *passwd, uint8_t p16[16]);
160
161 /**
162 * Creates the DES forward-only Hash of the users password in DOS ASCII charset
163 * @param passwd password in 'unix' charset.
164 * @param p16 return password hashed with DES, caller allocated 16 byte buffer
165 * @return false if password was > 14 characters, and therefore may be incorrect, otherwise true
166 * @note p16 is filled in regardless
167 */
168 bool E_deshash(const char *passwd, uint8_t p16[16]);
169
170 /**
171 * Creates the MD4 and DES (LM) Hash of the users password.
172 * MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password.
173 * @param passwd password in 'unix' charset.
174 * @param nt_p16 return password hashed with md4, caller allocated 16 byte buffer
175 * @param p16 return password hashed with des, caller allocated 16 byte buffer
176 */
177 void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], uint8_t p16[16]);
178 bool ntv2_owf_gen(const uint8_t owf[16],
179 const char *user_in, const char *domain_in,
180 uint8_t kr_buf[16]);
181 int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]);
182 int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24);
183 int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24);
184 NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16],
185 const DATA_BLOB *srv_chal,
186 const DATA_BLOB *smbcli_chal,
187 uint8_t resp_buf[16]);
188 NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16],
189 const uint8_t *nt_resp,
190 uint8_t sess_key[16]);
191 void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]);
192 NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16],
193 const uint8_t lm_resp[24], /* only uses 8 */
194 uint8_t sess_key[16]);
195 DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
196 const char *hostname,
197 const char *domain);
198 bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
199 const char *user, const char *domain, const uint8_t nt_hash[16],
200 const DATA_BLOB *server_chal,
201 const NTTIME *server_timestamp,
202 const DATA_BLOB *names_blob,
203 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
204 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
205 bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
206 const char *user, const char *domain,
207 const char *password,
208 const DATA_BLOB *server_chal,
209 const DATA_BLOB *names_blob,
210 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
211 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
212 NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
213 const char *account_domain,
214 const DATA_BLOB response,
215 const struct netlogon_creds_CredentialState *creds,
216 const char *workgroup);
217
218 /***********************************************************
219 encode a password buffer with a unicode password. The buffer
220 is filled with random data to make it harder to attack.
221 ************************************************************/
222 bool encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags);
223
224 /***********************************************************
225 decode a password buffer
226 *new_pw_len is the length in bytes of the possibly mulitbyte
227 returned password including termination.
228 ************************************************************/
229 bool decode_pw_buffer(TALLOC_CTX *ctx,
230 uint8_t in_buffer[516],
231 char **pp_new_pwrd,
232 size_t *new_pw_len,
233 charset_t string_charset);
234
235 /**
236 * @brief Encode an password buffer before we encrypt it.
237 *
238 * @param buffer[514] The buffer to encode into.
239 *
240 * @param password The password we want to encode into the buffer.
241 *
242 * @param string_flags String flags for encoding (e.g. STR_UNICODE).
243 *
244 * @return true on success, false otherwise.
245 */
246 bool encode_pwd_buffer514_from_str(uint8_t buffer[514],
247 const char *password,
248 uint32_t string_flags);
249
250 /**
251 * @brief Extract AES password blob from buffer.
252 *
253 * This extracts the password from the in_buffer as a data blob. It should
254 * then contain an UTF-16 encoded password.
255 *
256 * @param mem_ctx The memory context to allowcate the password on.
257 *
258 * @param in_buffer[514] The input buffer to extract the password from.
259 *
260 * @param new_password A pointer to the store the extracted password blob.
261 *
262 * @return true on success, false otherwise.
263 */
264 bool extract_pwd_blob_from_buffer514(TALLOC_CTX *mem_ctx,
265 const uint8_t in_buffer[514],
266 DATA_BLOB *new_password);
267
268 /**
269 * @brief Decode AES password buffer to password in the given charset.
270 *
271 * @param mem_ctx The memory context to allocate the decoded password on.
272 *
273 * @param in_buffer[514] The in buffer with the decrypted password data.
274 *
275 * @param string_charset The charset to decode to.
276 *
277 * @param decoded_password A pointer to store the blob for the decoded password.
278 * It ensures that the password is NULL terminated.
279 *
280 * @return true on success, false otherwise.
281 */
282 bool decode_pwd_string_from_buffer514(TALLOC_CTX *mem_ctx,
283 const uint8_t in_buffer[514],
284 charset_t string_charset,
285 DATA_BLOB *decoded_password);
286
287 /***********************************************************
288 Encode an arc4 password change buffer.
289 ************************************************************/
290 NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
291 const DATA_BLOB *session_key,
292 struct samr_CryptPasswordEx *out_crypt_pwd);
293
294 /***********************************************************
295 Decode an arc4 encrypted password change buffer.
296 ************************************************************/
297 NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
298 struct samr_CryptPasswordEx *inout_crypt_pwd);
299
300 /***********************************************************
301 encode a password buffer with an already unicode password. The
302 rest of the buffer is filled with random data to make it harder to attack.
303 ************************************************************/
304 bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password);
305
306 /***********************************************************
307 decode a password buffer
308 *new_pw_size is the length in bytes of the extracted unicode password
309 ************************************************************/
310 bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
311 uint8_t in_buffer[516], DATA_BLOB *new_pass);
312 struct wkssvc_PasswordBuffer;
313 WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
314 const char *pwd,
315 DATA_BLOB *session_key,
316 struct wkssvc_PasswordBuffer **pwd_buf);
317 WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
318 struct wkssvc_PasswordBuffer *pwd_buf,
319 DATA_BLOB *session_key,
320 char **pwd);
321
322 /* The following definitions come from libcli/auth/smbdes.c */
323
324 int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
325 enum samba_gnutls_direction encrypt);
326 int E_P16(const uint8_t *p14,uint8_t *p16);
327 int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
328 int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
329 int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
330 int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
331 enum samba_gnutls_direction encrypt);
332 int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14],
333 enum samba_gnutls_direction encrypt);
334 int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
335 enum samba_gnutls_direction encrypt);
336 #undef _PRINTF_ATTRIBUTE
337 #define _PRINTF_ATTRIBUTE(a1, a2)
338
339 #endif
340
GSS-enabled samba4