search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Improve update and listing code
[samba4-gss.git] / libcli / auth / proto.h
blob8a9087bb647030506f14ee41bd5f0dc0b58deb2f
1 #ifndef _LIBCLI_AUTH_PROTO_H__
2 #define _LIBCLI_AUTH_PROTO_H__
3
4 #undef _PRINTF_ATTRIBUTE
5 #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
6
7 #include "lib/crypto/gnutls_helpers.h"
8
9 /* this file contains prototypes for functions that are private
10 * to this subsystem or library. These functions should not be
11 * used outside this particular subsystem! */
12
13
14 /* The following definitions come from libcli/auth/credentials.c */
15
16 bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge);
17 void netlogon_creds_random_challenge(struct netr_Credential *challenge);
18
19 NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
20 struct samr_Password *pass);
21 NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
22 struct samr_Password *pass);
23 NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
24 uint8_t *data,
25 size_t len);
26 NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
27 uint8_t *data,
28 size_t len);
29 NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds,
30 uint8_t *data,
31 size_t len);
32
33 /* These should not be used directly! */
34 #define netlogon_creds_des_encrypt __DO_NOT_USE_netlogon_creds_des_encrypt
35 #define netlogon_creds_des_decrypt __DO_NOT_USE_netlogon_creds_des_decrypt
36 #define netlogon_creds_arcfour_crypt __DO_NOT_USE_netlogon_creds_arcfour_crypt
37 #define netlogon_creds_aes_encrypt __DO_NOT_USE_netlogon_creds_aes_encrypt
38 #define netlogon_creds_aes_decrypt __DO_NOT_USE_netlogon_creds_aes_decrypt
39
40 struct netlogon_creds_CredentialState *netlogon_creds_kerberos_init(TALLOC_CTX *mem_ctx,
41 const char *client_account,
42 const char *client_computer_name,
43 uint16_t secure_channel_type,
44 uint32_t client_requested_flags,
45 const struct dom_sid *client_sid,
46 uint32_t negotiate_flags);
47
48 /*****************************************************************
49 The above functions are common to the client and server interface
50 next comes the client specific functions
51 ******************************************************************/
52 struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
53 const char *client_account,
54 const char *client_computer_name,
55 uint16_t secure_channel_type,
56 const struct netr_Credential *client_challenge,
57 const struct netr_Credential *server_challenge,
58 const struct samr_Password *machine_password,
59 struct netr_Credential *initial_credential,
60 uint32_t client_requested_flags,
61 uint32_t negotiate_flags);
62 NTSTATUS
63 netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
64 struct netr_Authenticator *next);
65 NTSTATUS netlogon_creds_client_verify(struct netlogon_creds_CredentialState *creds,
66 const struct netr_Credential *received_credentials,
67 enum dcerpc_AuthType auth_type,
68 enum dcerpc_AuthLevel auth_level);
69 bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
70 const struct netr_Credential *received_credentials);
71 struct netlogon_creds_CredentialState *netlogon_creds_copy(
72 TALLOC_CTX *mem_ctx,
73 const struct netlogon_creds_CredentialState *creds_in);
74
75 /*****************************************************************
76 The above functions are common to the client and server interface
77 next comes the server specific functions
78 ******************************************************************/
79 struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
80 const char *client_account,
81 const char *client_computer_name,
82 uint16_t secure_channel_type,
83 const struct netr_Credential *client_challenge,
84 const struct netr_Credential *server_challenge,
85 const struct samr_Password *machine_password,
86 const struct netr_Credential *credentials_in,
87 struct netr_Credential *credentials_out,
88 uint32_t client_requested_flags,
89 const struct dom_sid *client_sid,
90 uint32_t negotiate_flags);
91 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
92 const struct netr_Authenticator *received_authenticator,
93 struct netr_Authenticator *return_authenticator,
94 enum dcerpc_AuthType auth_type,
95 enum dcerpc_AuthLevel auth_level);
96 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
97 uint16_t validation_level,
98 union netr_Validation *validation,
99 enum dcerpc_AuthType auth_type,
100 enum dcerpc_AuthLevel auth_level);
101 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
102 uint16_t validation_level,
103 union netr_Validation *validation,
104 enum dcerpc_AuthType auth_type,
105 enum dcerpc_AuthLevel auth_level);
106 NTSTATUS netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
107 enum netr_LogonInfoClass level,
108 union netr_LogonLevel *logon,
109 enum dcerpc_AuthType auth_type,
110 enum dcerpc_AuthLevel auth_level);
111 NTSTATUS netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
112 enum netr_LogonInfoClass level,
113 union netr_LogonLevel *logon,
114 enum dcerpc_AuthType auth_type,
115 enum dcerpc_AuthLevel auth_level);
116 NTSTATUS netlogon_creds_decrypt_samr_Password(struct netlogon_creds_CredentialState *creds,
117 struct samr_Password *pass,
118 enum dcerpc_AuthType auth_type,
119 enum dcerpc_AuthLevel auth_level);
120 NTSTATUS netlogon_creds_encrypt_samr_Password(struct netlogon_creds_CredentialState *creds,
121 struct samr_Password *pass,
122 enum dcerpc_AuthType auth_type,
123 enum dcerpc_AuthLevel auth_level);
124 NTSTATUS netlogon_creds_decrypt_samr_CryptPassword(struct netlogon_creds_CredentialState *creds,
125 struct samr_CryptPassword *pass,
126 enum dcerpc_AuthType auth_type,
127 enum dcerpc_AuthLevel auth_level);
128 NTSTATUS netlogon_creds_encrypt_samr_CryptPassword(struct netlogon_creds_CredentialState *creds,
129 struct samr_CryptPassword *pass,
130 enum dcerpc_AuthType auth_type,
131 enum dcerpc_AuthLevel auth_level);
132 NTSTATUS netlogon_creds_decrypt_SendToSam(struct netlogon_creds_CredentialState *creds,
133 uint8_t *opaque_data,
134 size_t opaque_length,
135 enum dcerpc_AuthType auth_type,
136 enum dcerpc_AuthLevel auth_level);
137 NTSTATUS netlogon_creds_encrypt_SendToSam(struct netlogon_creds_CredentialState *creds,
138 uint8_t *opaque_data,
139 size_t opaque_length,
140 enum dcerpc_AuthType auth_type,
141 enum dcerpc_AuthLevel auth_level);
142 union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
143 enum netr_LogonInfoClass level,
144 const union netr_LogonLevel *in);
145
146 /* The following definitions come from libcli/auth/session.c */
147
148 int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
149 enum samba_gnutls_direction encrypt);
150 DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key);
151 char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
152 DATA_BLOB *blob, const DATA_BLOB *session_key);
153 DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_BLOB *session_key);
154 NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DATA_BLOB *session_key,
155 DATA_BLOB *ret);
156
157 /* The following definitions come from libcli/auth/smbencrypt.c */
158
159 int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]);
160 bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
161
162 /**
163 * Creates the MD4 Hash of the users password in NT UNICODE.
164 * @param passwd password in 'unix' charset.
165 * @param p16 return password hashed with md4, caller allocated 16 byte buffer
166 */
167 bool E_md4hash(const char *passwd, uint8_t p16[16]);
168
169 /**
170 * Creates the DES forward-only Hash of the users password in DOS ASCII charset
171 * @param passwd password in 'unix' charset.
172 * @param p16 return password hashed with DES, caller allocated 16 byte buffer
173 * @return false if password was > 14 characters, and therefore may be incorrect, otherwise true
174 * @note p16 is filled in regardless
175 */
176 bool E_deshash(const char *passwd, uint8_t p16[16]);
177
178 /**
179 * Creates the MD4 and DES (LM) Hash of the users password.
180 * MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password.
181 * @param passwd password in 'unix' charset.
182 * @param nt_p16 return password hashed with md4, caller allocated 16 byte buffer
183 * @param p16 return password hashed with des, caller allocated 16 byte buffer
184 */
185 void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], uint8_t p16[16]);
186 bool ntv2_owf_gen(const uint8_t owf[16],
187 const char *user_in, const char *domain_in,
188 uint8_t kr_buf[16]);
189 int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]);
190 int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24);
191 int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24);
192 NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16],
193 const DATA_BLOB *srv_chal,
194 const DATA_BLOB *smbcli_chal,
195 uint8_t resp_buf[16]);
196 NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16],
197 const uint8_t *nt_resp,
198 uint8_t sess_key[16]);
199 void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]);
200 NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16],
201 const uint8_t lm_resp[24], /* only uses 8 */
202 uint8_t sess_key[16]);
203 DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
204 const char *hostname,
205 const char *domain);
206 bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
207 const char *user, const char *domain, const uint8_t nt_hash[16],
208 const DATA_BLOB *server_chal,
209 const NTTIME *server_timestamp,
210 const DATA_BLOB *names_blob,
211 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
212 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
213 bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
214 const char *user, const char *domain,
215 const char *password,
216 const DATA_BLOB *server_chal,
217 const DATA_BLOB *names_blob,
218 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
219 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
220 NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
221 const char *account_domain,
222 const DATA_BLOB response,
223 const struct netlogon_creds_CredentialState *creds,
224 const char *workgroup);
225
226 /***********************************************************
227 encode a password buffer with a unicode password. The buffer
228 is filled with random data to make it harder to attack.
229 ************************************************************/
230 bool encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags);
231
232 /***********************************************************
233 decode a password buffer
234 *new_pw_len is the length in bytes of the possibly mulitbyte
235 returned password including termination.
236 ************************************************************/
237 bool decode_pw_buffer(TALLOC_CTX *ctx,
238 uint8_t in_buffer[516],
239 char **pp_new_pwrd,
240 size_t *new_pw_len,
241 charset_t string_charset);
242
243 /**
244 * @brief Encode an password buffer before we encrypt it.
245 *
246 * @param buffer[514] The buffer to encode into.
247 *
248 * @param password The password we want to encode into the buffer.
249 *
250 * @param string_flags String flags for encoding (e.g. STR_UNICODE).
251 *
252 * @return true on success, false otherwise.
253 */
254 bool encode_pwd_buffer514_from_str(uint8_t buffer[514],
255 const char *password,
256 uint32_t string_flags);
257
258 /**
259 * @brief Extract AES password blob from buffer.
260 *
261 * This extracts the password from the in_buffer as a data blob. It should
262 * then contain an UTF-16 encoded password.
263 *
264 * @param mem_ctx The memory context to allowcate the password on.
265 *
266 * @param in_buffer[514] The input buffer to extract the password from.
267 *
268 * @param new_password A pointer to the store the extracted password blob.
269 *
270 * @return true on success, false otherwise.
271 */
272 bool extract_pwd_blob_from_buffer514(TALLOC_CTX *mem_ctx,
273 const uint8_t in_buffer[514],
274 DATA_BLOB *new_password);
275
276 /**
277 * @brief Decode AES password buffer to password in the given charset.
278 *
279 * @param mem_ctx The memory context to allocate the decoded password on.
280 *
281 * @param in_buffer[514] The in buffer with the decrypted password data.
282 *
283 * @param string_charset The charset to decode to.
284 *
285 * @param decoded_password A pointer to store the blob for the decoded password.
286 * It ensures that the password is NULL terminated.
287 *
288 * @return true on success, false otherwise.
289 */
290 bool decode_pwd_string_from_buffer514(TALLOC_CTX *mem_ctx,
291 const uint8_t in_buffer[514],
292 charset_t string_charset,
293 DATA_BLOB *decoded_password);
294
295 /***********************************************************
296 Encode an arc4 password change buffer.
297 ************************************************************/
298 NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
299 const DATA_BLOB *session_key,
300 struct samr_CryptPasswordEx *out_crypt_pwd);
301
302 /***********************************************************
303 Decode an arc4 encrypted password change buffer.
304 ************************************************************/
305 NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
306 struct samr_CryptPasswordEx *inout_crypt_pwd);
307
308 /***********************************************************
309 encode a password buffer with an already unicode password. The
310 rest of the buffer is filled with random data to make it harder to attack.
311 ************************************************************/
312 bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password);
313
314 /***********************************************************
315 decode a password buffer
316 *new_pw_size is the length in bytes of the extracted unicode password
317 ************************************************************/
318 bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
319 uint8_t in_buffer[516], DATA_BLOB *new_pass);
320 struct wkssvc_PasswordBuffer;
321 WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
322 const char *pwd,
323 DATA_BLOB *session_key,
324 struct wkssvc_PasswordBuffer **pwd_buf);
325 WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
326 struct wkssvc_PasswordBuffer *pwd_buf,
327 DATA_BLOB *session_key,
328 char **pwd);
329
330 /* The following definitions come from libcli/auth/smbdes.c */
331
332 int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
333 enum samba_gnutls_direction encrypt);
334 int E_P16(const uint8_t *p14,uint8_t *p16);
335 int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
336 int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
337 int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
338 int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
339 enum samba_gnutls_direction encrypt);
340 int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14],
341 enum samba_gnutls_direction encrypt);
342 int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
343 enum samba_gnutls_direction encrypt);
344 #undef _PRINTF_ATTRIBUTE
345 #define _PRINTF_ATTRIBUTE(a1, a2)
346
347 #endif
348
GSS-enabled samba4