root/source3/utils/ntlm_auth.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. winbind_separator
  2. get_winbind_domain
  3. get_winbind_netbios_name
  4. get_challenge
  5. parse_ntlm_auth_domain_user
  6. get_require_membership_sid
  7. check_plaintext_auth
  8. contact_winbind_auth_crap
  9. contact_winbind_change_pswd_auth_crap
  10. winbind_pw_check
  11. local_pw_check
  12. ntlm_auth_start_ntlmssp_client
  13. ntlm_auth_start_ntlmssp_server
  14. do_ccache_ntlm_auth
  15. manage_squid_ntlmssp_request
  16. manage_client_ntlmssp_request
  17. manage_squid_basic_request
  18. offer_gss_spnego_mechs
  19. manage_gss_spnego_request
  20. manage_client_ntlmssp_init
  21. manage_client_ntlmssp_targ
  22. manage_client_krb5_init
  23. manage_client_krb5_targ
  24. manage_gss_spnego_client_request
  25. manage_ntlm_server_1_request
  26. manage_ntlm_change_password_1_request
  27. manage_squid_request
  28. squid_stream
  29. check_auth_crap
  30. main

   1 /*
   2    Unix SMB/CIFS implementation.
   3 
   4    Winbind status program.
   5 
   6    Copyright (C) Tim Potter      2000-2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
   8    Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
   9    Copyright (C) Robert O'Callahan 2006 (added cached credential code).
  10    Copyright (C) Kai Blin <kai@samba.org> 2008
  11 
  12    This program is free software; you can redistribute it and/or modify
  13    it under the terms of the GNU General Public License as published by
  14    the Free Software Foundation; either version 3 of the License, or
  15    (at your option) any later version.
  16 
  17    This program is distributed in the hope that it will be useful,
  18    but WITHOUT ANY WARRANTY; without even the implied warranty of
  19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20    GNU General Public License for more details.
  21 
  22    You should have received a copy of the GNU General Public License
  23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  24 */
  25 
  26 #include "includes.h"
  27 #include "utils/ntlm_auth.h"
  28 
  29 #undef DBGC_CLASS
  30 #define DBGC_CLASS DBGC_WINBIND
  31 
  32 #define INITIAL_BUFFER_SIZE 300
  33 #define MAX_BUFFER_SIZE 630000
  34 
  35 enum stdio_helper_mode {
  36         SQUID_2_4_BASIC,
  37         SQUID_2_5_BASIC,
  38         SQUID_2_5_NTLMSSP,
  39         NTLMSSP_CLIENT_1,
  40         GSS_SPNEGO,
  41         GSS_SPNEGO_CLIENT,
  42         NTLM_SERVER_1,
  43         NTLM_CHANGE_PASSWORD_1,
  44         NUM_HELPER_MODES
  45 };
  46 
  47 enum ntlm_auth_cli_state {
  48         CLIENT_INITIAL = 0,
  49         CLIENT_RESPONSE,
  50         CLIENT_FINISHED,
  51         CLIENT_ERROR
  52 };
  53 
  54 enum ntlm_auth_svr_state {
  55         SERVER_INITIAL = 0,
  56         SERVER_CHALLENGE,
  57         SERVER_FINISHED,
  58         SERVER_ERROR
  59 };
  60 
  61 struct ntlm_auth_state {
  62         TALLOC_CTX *mem_ctx;
  63         enum stdio_helper_mode helper_mode;
  64         enum ntlm_auth_cli_state cli_state;
  65         enum ntlm_auth_svr_state svr_state;
  66         struct ntlmssp_state *ntlmssp_state;
  67         uint32_t neg_flags;
  68         char *want_feature_list;
  69         bool have_session_key;
  70         DATA_BLOB session_key;
  71         DATA_BLOB initial_message;
  72 };
  73 
  74 typedef void (*stdio_helper_function)(struct ntlm_auth_state *state, char *buf,
  75                                         int length);
  76 
  77 static void manage_squid_basic_request (struct ntlm_auth_state *state,
  78                                         char *buf, int length);
  79 
  80 static void manage_squid_ntlmssp_request (struct ntlm_auth_state *state,
  81                                         char *buf, int length);
  82 
  83 static void manage_client_ntlmssp_request (struct ntlm_auth_state *state,
  84                                         char *buf, int length);
  85 
  86 static void manage_gss_spnego_request (struct ntlm_auth_state *state,
  87                                         char *buf, int length);
  88 
  89 static void manage_gss_spnego_client_request (struct ntlm_auth_state *state,
  90                                         char *buf, int length);
  91 
  92 static void manage_ntlm_server_1_request (struct ntlm_auth_state *state,
  93                                         char *buf, int length);
  94 
  95 static void manage_ntlm_change_password_1_request(struct ntlm_auth_state *state,
  96                                         char *buf, int length);
  97 
  98 static const struct {
  99         enum stdio_helper_mode mode;
 100         const char *name;
 101         stdio_helper_function fn;
 102 } stdio_helper_protocols[] = {
 103         { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
 104         { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
 105         { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
 106         { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_client_ntlmssp_request},
 107         { GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
 108         { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
 109         { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
 110         { NTLM_CHANGE_PASSWORD_1, "ntlm-change-password-1", manage_ntlm_change_password_1_request},
 111         { NUM_HELPER_MODES, NULL, NULL}
 112 };
 113 
 114 const char *opt_username;
 115 const char *opt_domain;
 116 const char *opt_workstation;
 117 const char *opt_password;
 118 static DATA_BLOB opt_challenge;
 119 static DATA_BLOB opt_lm_response;
 120 static DATA_BLOB opt_nt_response;
 121 static int request_lm_key;
 122 static int request_user_session_key;
 123 static int use_cached_creds;
 124 
 125 static const char *require_membership_of;
 126 static const char *require_membership_of_sid;
 127 
 128 static char winbind_separator(void)
     /* [<][>][^][v][top][bottom][index][help] */
 129 {
 130         struct winbindd_response response;
 131         static bool got_sep;
 132         static char sep;
 133 
 134         if (got_sep)
 135                 return sep;
 136 
 137         ZERO_STRUCT(response);
 138 
 139         /* Send off request */
 140 
 141         if (winbindd_request_response(WINBINDD_INFO, NULL, &response) !=
 142             NSS_STATUS_SUCCESS) {
 143                 d_printf("could not obtain winbind separator!\n");
 144                 return *lp_winbind_separator();
 145         }
 146 
 147         sep = response.data.info.winbind_separator;
 148         got_sep = True;
 149 
 150         if (!sep) {
 151                 d_printf("winbind separator was NULL!\n");
 152                 return *lp_winbind_separator();
 153         }
 154 
 155         return sep;
 156 }
 157 
 158 const char *get_winbind_domain(void)
     /* [<][>][^][v][top][bottom][index][help] */
 159 {
 160         struct winbindd_response response;
 161 
 162         static fstring winbind_domain;
 163         if (*winbind_domain) {
 164                 return winbind_domain;
 165         }
 166 
 167         ZERO_STRUCT(response);
 168 
 169         /* Send off request */
 170 
 171         if (winbindd_request_response(WINBINDD_DOMAIN_NAME, NULL, &response) !=
 172             NSS_STATUS_SUCCESS) {
 173                 DEBUG(0, ("could not obtain winbind domain name!\n"));
 174                 return lp_workgroup();
 175         }
 176 
 177         fstrcpy(winbind_domain, response.data.domain_name);
 178 
 179         return winbind_domain;
 180 
 181 }
 182 
 183 const char *get_winbind_netbios_name(void)
     /* [<][>][^][v][top][bottom][index][help] */
 184 {
 185         struct winbindd_response response;
 186 
 187         static fstring winbind_netbios_name;
 188 
 189         if (*winbind_netbios_name) {
 190                 return winbind_netbios_name;
 191         }
 192 
 193         ZERO_STRUCT(response);
 194 
 195         /* Send off request */
 196 
 197         if (winbindd_request_response(WINBINDD_NETBIOS_NAME, NULL, &response) !=
 198             NSS_STATUS_SUCCESS) {
 199                 DEBUG(0, ("could not obtain winbind netbios name!\n"));
 200                 return global_myname();
 201         }
 202 
 203         fstrcpy(winbind_netbios_name, response.data.netbios_name);
 204 
 205         return winbind_netbios_name;
 206 
 207 }
 208 
 209 DATA_BLOB get_challenge(void) 
     /* [<][>][^][v][top][bottom][index][help] */
 210 {
 211         static DATA_BLOB chal;
 212         if (opt_challenge.length)
 213                 return opt_challenge;
 214         
 215         chal = data_blob(NULL, 8);
 216 
 217         generate_random_buffer(chal.data, chal.length);
 218         return chal;
 219 }
 220 
 221 /* Copy of parse_domain_user from winbindd_util.c.  Parse a string of the
 222    form DOMAIN/user into a domain and a user */
 223 
 224 static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, 
     /* [<][>][^][v][top][bottom][index][help] */
 225                                      fstring user)
 226 {
 227 
 228         char *p = strchr(domuser,winbind_separator());
 229 
 230         if (!p) {
 231                 return False;
 232         }
 233         
 234         fstrcpy(user, p+1);
 235         fstrcpy(domain, domuser);
 236         domain[PTR_DIFF(p, domuser)] = 0;
 237         strupper_m(domain);
 238 
 239         return True;
 240 }
 241 
 242 static bool get_require_membership_sid(void) {
     /* [<][>][^][v][top][bottom][index][help] */
 243         struct winbindd_request request;
 244         struct winbindd_response response;
 245 
 246         if (!require_membership_of) {
 247                 return True;
 248         }
 249 
 250         if (require_membership_of_sid) {
 251                 return True;
 252         }
 253 
 254         /* Otherwise, ask winbindd for the name->sid request */
 255 
 256         ZERO_STRUCT(request);
 257         ZERO_STRUCT(response);
 258 
 259         if (!parse_ntlm_auth_domain_user(require_membership_of, 
 260                                          request.data.name.dom_name, 
 261                                          request.data.name.name)) {
 262                 DEBUG(0, ("Could not parse %s into seperate domain/name parts!\n", 
 263                           require_membership_of));
 264                 return False;
 265         }
 266 
 267         if (winbindd_request_response(WINBINDD_LOOKUPNAME, &request, &response) !=
 268             NSS_STATUS_SUCCESS) {
 269                 DEBUG(0, ("Winbindd lookupname failed to resolve %s into a SID!\n", 
 270                           require_membership_of));
 271                 return False;
 272         }
 273 
 274         require_membership_of_sid = SMB_STRDUP(response.data.sid.sid);
 275 
 276         if (require_membership_of_sid)
 277                 return True;
 278 
 279         return False;
 280 }
 281 /* Authenticate a user with a plaintext password */
 282 
 283 static bool check_plaintext_auth(const char *user, const char *pass,
     /* [<][>][^][v][top][bottom][index][help] */
 284                                  bool stdout_diagnostics)
 285 {
 286         struct winbindd_request request;
 287         struct winbindd_response response;
 288         NSS_STATUS result;
 289 
 290         if (!get_require_membership_sid()) {
 291                 return False;
 292         }
 293 
 294         /* Send off request */
 295 
 296         ZERO_STRUCT(request);
 297         ZERO_STRUCT(response);
 298 
 299         fstrcpy(request.data.auth.user, user);
 300         fstrcpy(request.data.auth.pass, pass);
 301         if (require_membership_of_sid) {
 302                 strlcpy(request.data.auth.require_membership_of_sid,
 303                         require_membership_of_sid,
 304                         sizeof(request.data.auth.require_membership_of_sid));
 305         }
 306 
 307         result = winbindd_request_response(WINBINDD_PAM_AUTH, &request, &response);
 308 
 309         /* Display response */
 310 
 311         if (stdout_diagnostics) {
 312                 if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
 313                         d_printf("Reading winbind reply failed! (0x01)\n");
 314                 }
 315 
 316                 d_printf("%s: %s (0x%x)\n",
 317                          response.data.auth.nt_status_string,
 318                          response.data.auth.error_string,
 319                          response.data.auth.nt_status);
 320         } else {
 321                 if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
 322                         DEBUG(1, ("Reading winbind reply failed! (0x01)\n"));
 323                 }
 324 
 325                 DEBUG(3, ("%s: %s (0x%x)\n",
 326                           response.data.auth.nt_status_string,
 327                           response.data.auth.error_string,
 328                           response.data.auth.nt_status));
 329         }
 330 
 331         return (result == NSS_STATUS_SUCCESS);
 332 }
 333 
 334 /* authenticate a user with an encrypted username/password */
 335 
 336 NTSTATUS contact_winbind_auth_crap(const char *username,
     /* [<][>][^][v][top][bottom][index][help] */
 337                                    const char *domain,
 338                                    const char *workstation,
 339                                    const DATA_BLOB *challenge,
 340                                    const DATA_BLOB *lm_response,
 341                                    const DATA_BLOB *nt_response,
 342                                    uint32 flags,
 343                                    uint8 lm_key[8],
 344                                    uint8 user_session_key[16],
 345                                    char **error_string,
 346                                    char **unix_name)
 347 {
 348         NTSTATUS nt_status;
 349         NSS_STATUS result;
 350         struct winbindd_request request;
 351         struct winbindd_response response;
 352 
 353         if (!get_require_membership_sid()) {
 354                 return NT_STATUS_INVALID_PARAMETER;
 355         }
 356 
 357         ZERO_STRUCT(request);
 358         ZERO_STRUCT(response);
 359 
 360         request.flags = flags;
 361 
 362         request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
 363 
 364         if (require_membership_of_sid)
 365                 fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
 366 
 367         fstrcpy(request.data.auth_crap.user, username);
 368         fstrcpy(request.data.auth_crap.domain, domain);
 369 
 370         fstrcpy(request.data.auth_crap.workstation, 
 371                 workstation);
 372 
 373         memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
 374 
 375         if (lm_response && lm_response->length) {
 376                 memcpy(request.data.auth_crap.lm_resp, 
 377                        lm_response->data, 
 378                        MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
 379                 request.data.auth_crap.lm_resp_len = lm_response->length;
 380         }
 381 
 382         if (nt_response && nt_response->length) {
 383                 if (nt_response->length > sizeof(request.data.auth_crap.nt_resp)) {
 384                         request.flags = request.flags | WBFLAG_BIG_NTLMV2_BLOB;
 385                         request.extra_len = nt_response->length;
 386                         request.extra_data.data = SMB_MALLOC_ARRAY(char, request.extra_len);
 387                         if (request.extra_data.data == NULL) {
 388                                 return NT_STATUS_NO_MEMORY;
 389                         }
 390                         memcpy(request.extra_data.data, nt_response->data,
 391                                nt_response->length);
 392 
 393                 } else {
 394                         memcpy(request.data.auth_crap.nt_resp,
 395                                nt_response->data, nt_response->length);
 396                 }
 397                 request.data.auth_crap.nt_resp_len = nt_response->length;
 398         }
 399         
 400         result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response);
 401         SAFE_FREE(request.extra_data.data);
 402 
 403         /* Display response */
 404 
 405         if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
 406                 nt_status = NT_STATUS_UNSUCCESSFUL;
 407                 if (error_string)
 408                         *error_string = smb_xstrdup("Reading winbind reply failed!");
 409                 winbindd_free_response(&response);
 410                 return nt_status;
 411         }
 412         
 413         nt_status = (NT_STATUS(response.data.auth.nt_status));
 414         if (!NT_STATUS_IS_OK(nt_status)) {
 415                 if (error_string) 
 416                         *error_string = smb_xstrdup(response.data.auth.error_string);
 417                 winbindd_free_response(&response);
 418                 return nt_status;
 419         }
 420 
 421         if ((flags & WBFLAG_PAM_LMKEY) && lm_key) {
 422                 memcpy(lm_key, response.data.auth.first_8_lm_hash, 
 423                        sizeof(response.data.auth.first_8_lm_hash));
 424         }
 425         if ((flags & WBFLAG_PAM_USER_SESSION_KEY) && user_session_key) {
 426                 memcpy(user_session_key, response.data.auth.user_session_key, 
 427                         sizeof(response.data.auth.user_session_key));
 428         }
 429 
 430         if (flags & WBFLAG_PAM_UNIX_NAME) {
 431                 *unix_name = SMB_STRDUP(response.data.auth.unix_username);
 432                 if (!*unix_name) {
 433                         winbindd_free_response(&response);
 434                         return NT_STATUS_NO_MEMORY;
 435                 }
 436         }
 437 
 438         winbindd_free_response(&response);
 439         return nt_status;
 440 }
 441 
 442 /* contact server to change user password using auth crap */
 443 static NTSTATUS contact_winbind_change_pswd_auth_crap(const char *username,
     /* [<][>][^][v][top][bottom][index][help] */
 444                                                       const char *domain,
 445                                                       const DATA_BLOB new_nt_pswd,
 446                                                       const DATA_BLOB old_nt_hash_enc,
 447                                                       const DATA_BLOB new_lm_pswd,
 448                                                       const DATA_BLOB old_lm_hash_enc,
 449                                                       char  **error_string)
 450 {
 451         NTSTATUS nt_status;
 452         NSS_STATUS result;
 453         struct winbindd_request request;
 454         struct winbindd_response response;
 455 
 456         if (!get_require_membership_sid())
 457         {
 458                 if(error_string)
 459                         *error_string = smb_xstrdup("Can't get membership sid.");
 460                 return NT_STATUS_INVALID_PARAMETER;
 461         }
 462 
 463         ZERO_STRUCT(request);
 464         ZERO_STRUCT(response);
 465 
 466         if(username != NULL)
 467                 fstrcpy(request.data.chng_pswd_auth_crap.user, username);
 468         if(domain != NULL)
 469                 fstrcpy(request.data.chng_pswd_auth_crap.domain,domain);
 470 
 471         if(new_nt_pswd.length)
 472         {
 473                 memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd, new_nt_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_nt_pswd));
 474                 request.data.chng_pswd_auth_crap.new_nt_pswd_len = new_nt_pswd.length;
 475         }
 476 
 477         if(old_nt_hash_enc.length)
 478         {
 479                 memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc, old_nt_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_nt_hash_enc));
 480                 request.data.chng_pswd_auth_crap.old_nt_hash_enc_len = old_nt_hash_enc.length;
 481         }
 482 
 483         if(new_lm_pswd.length)
 484         {
 485                 memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd, new_lm_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_lm_pswd));
 486                 request.data.chng_pswd_auth_crap.new_lm_pswd_len = new_lm_pswd.length;
 487         }
 488 
 489         if(old_lm_hash_enc.length)
 490         {
 491                 memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc, old_lm_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_lm_hash_enc));
 492                 request.data.chng_pswd_auth_crap.old_lm_hash_enc_len = old_lm_hash_enc.length;
 493         }
 494         
 495         result = winbindd_request_response(WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, &request, &response);
 496 
 497         /* Display response */
 498 
 499         if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0))
 500         {
 501                 nt_status = NT_STATUS_UNSUCCESSFUL;
 502                 if (error_string)
 503                         *error_string = smb_xstrdup("Reading winbind reply failed!");
 504                 winbindd_free_response(&response);
 505                 return nt_status;
 506         }
 507         
 508         nt_status = (NT_STATUS(response.data.auth.nt_status));
 509         if (!NT_STATUS_IS_OK(nt_status))
 510         {
 511                 if (error_string) 
 512                         *error_string = smb_xstrdup(response.data.auth.error_string);
 513                 winbindd_free_response(&response);
 514                 return nt_status;
 515         }
 516 
 517         winbindd_free_response(&response);
 518         
 519     return nt_status;
 520 }
 521 
 522 static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 
     /* [<][>][^][v][top][bottom][index][help] */
 523 {
 524         static const char zeros[16] = { 0, };
 525         NTSTATUS nt_status;
 526         char *error_string = NULL;
 527         uint8 lm_key[8]; 
 528         uint8 user_sess_key[16]; 
 529         char *unix_name = NULL;
 530 
 531         nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain,
 532                                               ntlmssp_state->workstation,
 533                                               &ntlmssp_state->chal,
 534                                               &ntlmssp_state->lm_resp,
 535                                               &ntlmssp_state->nt_resp, 
 536                                               WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
 537                                               lm_key, user_sess_key, 
 538                                               &error_string, &unix_name);
 539 
 540         if (NT_STATUS_IS_OK(nt_status)) {
 541                 if (memcmp(lm_key, zeros, 8) != 0) {
 542                         *lm_session_key = data_blob(NULL, 16);
 543                         memcpy(lm_session_key->data, lm_key, 8);
 544                         memset(lm_session_key->data+8, '\0', 8);
 545                 }
 546                 
 547                 if (memcmp(user_sess_key, zeros, 16) != 0) {
 548                         *user_session_key = data_blob(user_sess_key, 16);
 549                 }
 550                 ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state,
 551                                                             unix_name);
 552         } else {
 553                 DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3, 
 554                       ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", 
 555                        ntlmssp_state->domain, ntlmssp_state->user, 
 556                        ntlmssp_state->workstation, 
 557                        error_string ? error_string : "unknown error (NULL)"));
 558                 ntlmssp_state->auth_context = NULL;
 559         }
 560 
 561         SAFE_FREE(error_string);
 562         SAFE_FREE(unix_name);
 563         return nt_status;
 564 }
 565 
 566 static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 
     /* [<][>][^][v][top][bottom][index][help] */
 567 {
 568         NTSTATUS nt_status;
 569         uint8 lm_pw[16], nt_pw[16];
 570 
 571         nt_lm_owf_gen (opt_password, nt_pw, lm_pw);
 572         
 573         nt_status = ntlm_password_check(ntlmssp_state,
 574                                         &ntlmssp_state->chal,
 575                                         &ntlmssp_state->lm_resp,
 576                                         &ntlmssp_state->nt_resp, 
 577                                         NULL, NULL,
 578                                         ntlmssp_state->user, 
 579                                         ntlmssp_state->user, 
 580                                         ntlmssp_state->domain,
 581                                         lm_pw, nt_pw, user_session_key, lm_session_key);
 582         
 583         if (NT_STATUS_IS_OK(nt_status)) {
 584                 ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state,
 585                                                               "%s%c%s", ntlmssp_state->domain, 
 586                                                               *lp_winbind_separator(), 
 587                                                               ntlmssp_state->user);
 588         } else {
 589                 DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", 
 590                           ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, 
 591                           nt_errstr(nt_status)));
 592                 ntlmssp_state->auth_context = NULL;
 593         }
 594         return nt_status;
 595 }
 596 
 597 static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_state) 
     /* [<][>][^][v][top][bottom][index][help] */
 598 {
 599         NTSTATUS status;
 600         if ( (opt_username == NULL) || (opt_domain == NULL) ) {
 601                 status = NT_STATUS_UNSUCCESSFUL;
 602                 DEBUG(1, ("Need username and domain for NTLMSSP\n"));
 603                 return NT_STATUS_INVALID_PARAMETER;
 604         }
 605 
 606         status = ntlmssp_client_start(client_ntlmssp_state);
 607 
 608         if (!NT_STATUS_IS_OK(status)) {
 609                 DEBUG(1, ("Could not start NTLMSSP client: %s\n",
 610                           nt_errstr(status)));
 611                 ntlmssp_end(client_ntlmssp_state);
 612                 return status;
 613         }
 614 
 615         status = ntlmssp_set_username(*client_ntlmssp_state, opt_username);
 616 
 617         if (!NT_STATUS_IS_OK(status)) {
 618                 DEBUG(1, ("Could not set username: %s\n",
 619                           nt_errstr(status)));
 620                 ntlmssp_end(client_ntlmssp_state);
 621                 return status;
 622         }
 623 
 624         status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain);
 625 
 626         if (!NT_STATUS_IS_OK(status)) {
 627                 DEBUG(1, ("Could not set domain: %s\n",
 628                           nt_errstr(status)));
 629                 ntlmssp_end(client_ntlmssp_state);
 630                 return status;
 631         }
 632 
 633         if (opt_password) {
 634                 status = ntlmssp_set_password(*client_ntlmssp_state, opt_password);
 635         
 636                 if (!NT_STATUS_IS_OK(status)) {
 637                         DEBUG(1, ("Could not set password: %s\n",
 638                                   nt_errstr(status)));
 639                         ntlmssp_end(client_ntlmssp_state);
 640                         return status;
 641                 }
 642         }
 643 
 644         return NT_STATUS_OK;
 645 }
 646 
 647 static NTSTATUS ntlm_auth_start_ntlmssp_server(NTLMSSP_STATE **ntlmssp_state) 
     /* [<][>][^][v][top][bottom][index][help] */
 648 {
 649         NTSTATUS status = ntlmssp_server_start(ntlmssp_state);
 650         
 651         if (!NT_STATUS_IS_OK(status)) {
 652                 DEBUG(1, ("Could not start NTLMSSP server: %s\n",
 653                           nt_errstr(status)));
 654                 return status;
 655         }
 656 
 657         /* Have we been given a local password, or should we ask winbind? */
 658         if (opt_password) {
 659                 (*ntlmssp_state)->check_password = local_pw_check;
 660                 (*ntlmssp_state)->get_domain = lp_workgroup;
 661                 (*ntlmssp_state)->get_global_myname = global_myname;
 662         } else {
 663                 (*ntlmssp_state)->check_password = winbind_pw_check;
 664                 (*ntlmssp_state)->get_domain = get_winbind_domain;
 665                 (*ntlmssp_state)->get_global_myname = get_winbind_netbios_name;
 666         }
 667         return NT_STATUS_OK;
 668 }
 669 
 670 /*******************************************************************
 671  Used by firefox to drive NTLM auth to IIS servers.
 672 *******************************************************************/
 673 
 674 static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB initial_msg, DATA_BLOB challenge_msg,
     /* [<][>][^][v][top][bottom][index][help] */
 675                                 DATA_BLOB *reply)
 676 {
 677         struct winbindd_request wb_request;
 678         struct winbindd_response wb_response;
 679         NSS_STATUS result;
 680 
 681         /* get winbindd to do the ntlmssp step on our behalf */
 682         ZERO_STRUCT(wb_request);
 683         ZERO_STRUCT(wb_response);
 684 
 685         fstr_sprintf(wb_request.data.ccache_ntlm_auth.user,
 686                 "%s%c%s", opt_domain, winbind_separator(), opt_username);
 687         wb_request.data.ccache_ntlm_auth.uid = geteuid();
 688         wb_request.data.ccache_ntlm_auth.initial_blob_len = initial_msg.length;
 689         wb_request.data.ccache_ntlm_auth.challenge_blob_len = challenge_msg.length;
 690         wb_request.extra_len = initial_msg.length + challenge_msg.length;
 691 
 692         if (wb_request.extra_len > 0) {
 693                 wb_request.extra_data.data = SMB_MALLOC_ARRAY(char, wb_request.extra_len);
 694                 if (wb_request.extra_data.data == NULL) {
 695                         return NT_STATUS_NO_MEMORY;
 696                 }
 697 
 698                 memcpy(wb_request.extra_data.data, initial_msg.data, initial_msg.length);
 699                 memcpy(wb_request.extra_data.data + initial_msg.length,
 700                         challenge_msg.data, challenge_msg.length);
 701         }
 702 
 703         result = winbindd_request_response(WINBINDD_CCACHE_NTLMAUTH, &wb_request, &wb_response);
 704         SAFE_FREE(wb_request.extra_data.data);
 705 
 706         if (result != NSS_STATUS_SUCCESS) {
 707                 winbindd_free_response(&wb_response);
 708                 return NT_STATUS_UNSUCCESSFUL;
 709         }
 710 
 711         if (reply) {
 712                 *reply = data_blob(wb_response.extra_data.data,
 713                                 wb_response.data.ccache_ntlm_auth.auth_blob_len);
 714                 if (wb_response.data.ccache_ntlm_auth.auth_blob_len > 0 &&
 715                                 reply->data == NULL) {
 716                         winbindd_free_response(&wb_response);
 717                         return NT_STATUS_NO_MEMORY;
 718                 }
 719         }
 720 
 721         winbindd_free_response(&wb_response);
 722         return NT_STATUS_MORE_PROCESSING_REQUIRED;
 723 }
 724 
 725 static void manage_squid_ntlmssp_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
 726                                                 char *buf, int length)
 727 {
 728         DATA_BLOB request, reply;
 729         NTSTATUS nt_status;
 730 
 731         if (strlen(buf) < 2) {
 732                 DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
 733                 x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
 734                 return;
 735         }
 736 
 737         if (strlen(buf) > 3) {
 738                 if(strncmp(buf, "SF ", 3) == 0){
 739                         DEBUG(10, ("Setting flags to negotioate\n"));
 740                         TALLOC_FREE(state->want_feature_list);
 741                         state->want_feature_list = talloc_strdup(state->mem_ctx,
 742                                         buf+3);
 743                         x_fprintf(x_stdout, "OK\n");
 744                         return;
 745                 }
 746                 request = base64_decode_data_blob(buf + 3);
 747         } else {
 748                 request = data_blob_null;
 749         }
 750 
 751         if ((strncmp(buf, "PW ", 3) == 0)) {
 752                 /* The calling application wants us to use a local password
 753                  * (rather than winbindd) */
 754 
 755                 opt_password = SMB_STRNDUP((const char *)request.data,
 756                                 request.length);
 757 
 758                 if (opt_password == NULL) {
 759                         DEBUG(1, ("Out of memory\n"));
 760                         x_fprintf(x_stdout, "BH Out of memory\n");
 761                         data_blob_free(&request);
 762                         return;
 763                 }
 764 
 765                 x_fprintf(x_stdout, "OK\n");
 766                 data_blob_free(&request);
 767                 return;
 768         }
 769 
 770         if (strncmp(buf, "YR", 2) == 0) {
 771                 if (state->ntlmssp_state)
 772                         ntlmssp_end(&state->ntlmssp_state);
 773                 state->svr_state = SERVER_INITIAL;
 774         } else if (strncmp(buf, "KK", 2) == 0) {
 775                 /* No special preprocessing required */
 776         } else if (strncmp(buf, "GF", 2) == 0) {
 777                 DEBUG(10, ("Requested negotiated NTLMSSP flags\n"));
 778 
 779                 if (state->svr_state == SERVER_FINISHED) {
 780                         x_fprintf(x_stdout, "GF 0x%08x\n", state->neg_flags);
 781                 }
 782                 else {
 783                         x_fprintf(x_stdout, "BH\n");
 784                 }
 785                 data_blob_free(&request);
 786                 return;
 787         } else if (strncmp(buf, "GK", 2) == 0) {
 788                 DEBUG(10, ("Requested NTLMSSP session key\n"));
 789                 if(state->have_session_key) {
 790                         char *key64 = base64_encode_data_blob(state->mem_ctx,
 791                                         state->session_key);
 792                         x_fprintf(x_stdout, "GK %s\n", key64?key64:"<NULL>");
 793                         TALLOC_FREE(key64);
 794                 } else {
 795                         x_fprintf(x_stdout, "BH\n");
 796                 }
 797 
 798                 data_blob_free(&request);
 799                 return;
 800         } else {
 801                 DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
 802                 x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
 803                 return;
 804         }
 805 
 806         if (!state->ntlmssp_state) {
 807                 nt_status = ntlm_auth_start_ntlmssp_server(
 808                                 &state->ntlmssp_state);
 809                 if (!NT_STATUS_IS_OK(nt_status)) {
 810                         x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
 811                         return;
 812                 }
 813                 ntlmssp_want_feature_list(state->ntlmssp_state,
 814                                 state->want_feature_list);
 815         }
 816 
 817         DEBUG(10, ("got NTLMSSP packet:\n"));
 818         dump_data(10, request.data, request.length);
 819 
 820         nt_status = ntlmssp_update(state->ntlmssp_state, request, &reply);
 821 
 822         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 823                 char *reply_base64 = base64_encode_data_blob(state->mem_ctx,
 824                                 reply);
 825                 x_fprintf(x_stdout, "TT %s\n", reply_base64);
 826                 TALLOC_FREE(reply_base64);
 827                 data_blob_free(&reply);
 828                 state->svr_state = SERVER_CHALLENGE;
 829                 DEBUG(10, ("NTLMSSP challenge\n"));
 830         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
 831                 x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
 832                 DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
 833 
 834                 ntlmssp_end(&state->ntlmssp_state);
 835         } else if (!NT_STATUS_IS_OK(nt_status)) {
 836                 x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
 837                 DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
 838         } else {
 839                 x_fprintf(x_stdout, "AF %s\n",
 840                                 (char *)state->ntlmssp_state->auth_context);
 841                 DEBUG(10, ("NTLMSSP OK!\n"));
 842 
 843                 if(state->have_session_key)
 844                         data_blob_free(&state->session_key);
 845                 state->session_key = data_blob(
 846                                 state->ntlmssp_state->session_key.data,
 847                                 state->ntlmssp_state->session_key.length);
 848                 state->neg_flags = state->ntlmssp_state->neg_flags;
 849                 state->have_session_key = true;
 850                 state->svr_state = SERVER_FINISHED;
 851         }
 852 
 853         data_blob_free(&request);
 854 }
 855 
 856 static void manage_client_ntlmssp_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
 857                                                 char *buf, int length)
 858 {
 859         DATA_BLOB request, reply;
 860         NTSTATUS nt_status;
 861 
 862         if (!opt_username || !*opt_username) {
 863                 x_fprintf(x_stderr, "username must be specified!\n\n");
 864                 exit(1);
 865         }
 866 
 867         if (strlen(buf) < 2) {
 868                 DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
 869                 x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
 870                 return;
 871         }
 872 
 873         if (strlen(buf) > 3) {
 874                 if(strncmp(buf, "SF ", 3) == 0) {
 875                         DEBUG(10, ("Looking for flags to negotiate\n"));
 876                         talloc_free(state->want_feature_list);
 877                         state->want_feature_list = talloc_strdup(state->mem_ctx,
 878                                         buf+3);
 879                         x_fprintf(x_stdout, "OK\n");
 880                         return;
 881                 }
 882                 request = base64_decode_data_blob(buf + 3);
 883         } else {
 884                 request = data_blob_null;
 885         }
 886 
 887         if (strncmp(buf, "PW ", 3) == 0) {
 888                 /* We asked for a password and obviously got it :-) */
 889 
 890                 opt_password = SMB_STRNDUP((const char *)request.data,
 891                                 request.length);
 892 
 893                 if (opt_password == NULL) {
 894                         DEBUG(1, ("Out of memory\n"));
 895                         x_fprintf(x_stdout, "BH Out of memory\n");
 896                         data_blob_free(&request);
 897                         return;
 898                 }
 899 
 900                 x_fprintf(x_stdout, "OK\n");
 901                 data_blob_free(&request);
 902                 return;
 903         }
 904 
 905         if (!state->ntlmssp_state && use_cached_creds) {
 906                 /* check whether cached credentials are usable. */
 907                 DATA_BLOB empty_blob = data_blob_null;
 908 
 909                 nt_status = do_ccache_ntlm_auth(empty_blob, empty_blob, NULL);
 910                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 911                         /* failed to use cached creds */
 912                         use_cached_creds = False;
 913                 }
 914         }
 915 
 916         if (opt_password == NULL && !use_cached_creds) {
 917                 /* Request a password from the calling process.  After
 918                    sending it, the calling process should retry asking for the
 919                    negotiate. */
 920 
 921                 DEBUG(10, ("Requesting password\n"));
 922                 x_fprintf(x_stdout, "PW\n");
 923                 return;
 924         }
 925 
 926         if (strncmp(buf, "YR", 2) == 0) {
 927                 if (state->ntlmssp_state)
 928                         ntlmssp_end(&state->ntlmssp_state);
 929                 state->cli_state = CLIENT_INITIAL;
 930         } else if (strncmp(buf, "TT", 2) == 0) {
 931                 /* No special preprocessing required */
 932         } else if (strncmp(buf, "GF", 2) == 0) {
 933                 DEBUG(10, ("Requested negotiated NTLMSSP flags\n"));
 934 
 935                 if(state->cli_state == CLIENT_FINISHED) {
 936                         x_fprintf(x_stdout, "GF 0x%08x\n", state->neg_flags);
 937                 }
 938                 else {
 939                         x_fprintf(x_stdout, "BH\n");
 940                 }
 941 
 942                 data_blob_free(&request);
 943                 return;
 944         } else if (strncmp(buf, "GK", 2) == 0 ) {
 945                 DEBUG(10, ("Requested session key\n"));
 946 
 947                 if(state->cli_state == CLIENT_FINISHED) {
 948                         char *key64 = base64_encode_data_blob(state->mem_ctx,
 949                                         state->session_key);
 950                         x_fprintf(x_stdout, "GK %s\n", key64?key64:"<NULL>");
 951                         TALLOC_FREE(key64);
 952                 }
 953                 else {
 954                         x_fprintf(x_stdout, "BH\n");
 955                 }
 956 
 957                 data_blob_free(&request);
 958                 return;
 959         } else {
 960                 DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
 961                 x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
 962                 return;
 963         }
 964 
 965         if (!state->ntlmssp_state) {
 966                 nt_status = ntlm_auth_start_ntlmssp_client(
 967                                 &state->ntlmssp_state);
 968                 if (!NT_STATUS_IS_OK(nt_status)) {
 969                         x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
 970                         return;
 971                 }
 972                 ntlmssp_want_feature_list(state->ntlmssp_state,
 973                                 state->want_feature_list);
 974                 state->initial_message = data_blob_null;
 975         }
 976 
 977         DEBUG(10, ("got NTLMSSP packet:\n"));
 978         dump_data(10, request.data, request.length);
 979 
 980         if (use_cached_creds && !opt_password &&
 981                         (state->cli_state == CLIENT_RESPONSE)) {
 982                 nt_status = do_ccache_ntlm_auth(state->initial_message, request,
 983                                 &reply);
 984         } else {
 985                 nt_status = ntlmssp_update(state->ntlmssp_state, request,
 986                                 &reply);
 987         }
 988 
 989         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 990                 char *reply_base64 = base64_encode_data_blob(state->mem_ctx,
 991                                 reply);
 992                 if (state->cli_state == CLIENT_INITIAL) {
 993                         x_fprintf(x_stdout, "YR %s\n", reply_base64);
 994                         state->initial_message = reply;
 995                         state->cli_state = CLIENT_RESPONSE;
 996                 } else {
 997                         x_fprintf(x_stdout, "KK %s\n", reply_base64);
 998                         data_blob_free(&reply);
 999                 }
1000                 TALLOC_FREE(reply_base64);
1001                 DEBUG(10, ("NTLMSSP challenge\n"));
1002         } else if (NT_STATUS_IS_OK(nt_status)) {
1003                 char *reply_base64 = base64_encode_data_blob(talloc_tos(),
1004                                 reply);
1005                 x_fprintf(x_stdout, "AF %s\n", reply_base64);
1006                 TALLOC_FREE(reply_base64);
1007 
1008                 if(state->have_session_key)
1009                         data_blob_free(&state->session_key);
1010 
1011                 state->session_key = data_blob(
1012                                 state->ntlmssp_state->session_key.data,
1013                                 state->ntlmssp_state->session_key.length);
1014                 state->neg_flags = state->ntlmssp_state->neg_flags;
1015                 state->have_session_key = true;
1016 
1017                 DEBUG(10, ("NTLMSSP OK!\n"));
1018                 state->cli_state = CLIENT_FINISHED;
1019                 if (state->ntlmssp_state)
1020                         ntlmssp_end(&state->ntlmssp_state);
1021         } else {
1022                 x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
1023                 DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
1024                 state->cli_state = CLIENT_ERROR;
1025                 if (state->ntlmssp_state)
1026                         ntlmssp_end(&state->ntlmssp_state);
1027         }
1028 
1029         data_blob_free(&request);
1030 }
1031 
1032 static void manage_squid_basic_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
1033                                         char *buf, int length)
1034 {
1035         char *user, *pass;      
1036         user=buf;
1037         
1038         pass=(char *)memchr(buf,' ',length);
1039         if (!pass) {
1040                 DEBUG(2, ("Password not found. Denying access\n"));
1041                 x_fprintf(x_stdout, "ERR\n");
1042                 return;
1043         }
1044         *pass='\0';
1045         pass++;
1046         
1047         if (state->helper_mode == SQUID_2_5_BASIC) {
1048                 rfc1738_unescape(user);
1049                 rfc1738_unescape(pass);
1050         }
1051         
1052         if (check_plaintext_auth(user, pass, False)) {
1053                 x_fprintf(x_stdout, "OK\n");
1054         } else {
1055                 x_fprintf(x_stdout, "ERR\n");
1056         }
1057 }
1058 
1059 static void offer_gss_spnego_mechs(void) {
     /* [<][>][^][v][top][bottom][index][help] */
1060 
1061         DATA_BLOB token;
1062         SPNEGO_DATA spnego;
1063         ssize_t len;
1064         char *reply_base64;
1065         TALLOC_CTX *ctx = talloc_tos();
1066         char *principal;
1067         char *myname_lower;
1068 
1069         ZERO_STRUCT(spnego);
1070 
1071         myname_lower = talloc_strdup(ctx, global_myname());
1072         if (!myname_lower) {
1073                 return;
1074         }
1075         strlower_m(myname_lower);
1076 
1077         principal = talloc_asprintf(ctx, "%s$@%s", myname_lower, lp_realm());
1078         if (!principal) {
1079                 return;
1080         }
1081 
1082         /* Server negTokenInit (mech offerings) */
1083         spnego.type = SPNEGO_NEG_TOKEN_INIT;
1084         spnego.negTokenInit.mechTypes = SMB_XMALLOC_ARRAY(const char *, 2);
1085 #ifdef HAVE_KRB5
1086         spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_KERBEROS5_OLD);
1087         spnego.negTokenInit.mechTypes[1] = smb_xstrdup(OID_NTLMSSP);
1088         spnego.negTokenInit.mechTypes[2] = NULL;
1089 #else
1090         spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_NTLMSSP);
1091         spnego.negTokenInit.mechTypes[1] = NULL;
1092 #endif
1093 
1094 
1095         spnego.negTokenInit.mechListMIC = data_blob(principal,
1096                                                     strlen(principal));
1097 
1098         len = write_spnego_data(&token, &spnego);
1099         free_spnego_data(&spnego);
1100 
1101         if (len == -1) {
1102                 DEBUG(1, ("Could not write SPNEGO data blob\n"));
1103                 x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1104                 return;
1105         }
1106 
1107         reply_base64 = base64_encode_data_blob(talloc_tos(), token);
1108         x_fprintf(x_stdout, "TT %s *\n", reply_base64);
1109 
1110         TALLOC_FREE(reply_base64);
1111         data_blob_free(&token);
1112         DEBUG(10, ("sent SPNEGO negTokenInit\n"));
1113         return;
1114 }
1115 
1116 static void manage_gss_spnego_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
1117                                         char *buf, int length)
1118 {
1119         static NTLMSSP_STATE *ntlmssp_state = NULL;
1120         SPNEGO_DATA request, response;
1121         DATA_BLOB token;
1122         NTSTATUS status;
1123         ssize_t len;
1124         TALLOC_CTX *ctx = talloc_tos();
1125 
1126         char *user = NULL;
1127         char *domain = NULL;
1128 
1129         const char *reply_code;
1130         char       *reply_base64;
1131         char *reply_argument = NULL;
1132 
1133         if (strlen(buf) < 2) {
1134                 DEBUG(1, ("SPENGO query [%s] invalid", buf));
1135                 x_fprintf(x_stdout, "BH SPENGO query invalid\n");
1136                 return;
1137         }
1138 
1139         if (strncmp(buf, "YR", 2) == 0) {
1140                 if (ntlmssp_state)
1141                         ntlmssp_end(&ntlmssp_state);
1142         } else if (strncmp(buf, "KK", 2) == 0) {
1143                 ;
1144         } else {
1145                 DEBUG(1, ("SPENGO query [%s] invalid", buf));
1146                 x_fprintf(x_stdout, "BH SPENGO query invalid\n");
1147                 return;
1148         }
1149 
1150         if ( (strlen(buf) == 2)) {
1151 
1152                 /* no client data, get the negTokenInit offering
1153                    mechanisms */
1154 
1155                 offer_gss_spnego_mechs();
1156                 return;
1157         }
1158 
1159         /* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */
1160 
1161         if (strlen(buf) <= 3) {
1162                 DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf));
1163                 x_fprintf(x_stdout, "BH GSS-SPNEGO query invalid\n");
1164                 return;
1165         }
1166 
1167         token = base64_decode_data_blob(buf + 3);
1168         len = read_spnego_data(talloc_tos(), token, &request);
1169         data_blob_free(&token);
1170 
1171         if (len == -1) {
1172                 DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf));
1173                 x_fprintf(x_stdout, "BH GSS-SPNEGO query invalid\n");
1174                 return;
1175         }
1176 
1177         if (request.type == SPNEGO_NEG_TOKEN_INIT) {
1178 
1179                 /* Second request from Client. This is where the
1180                    client offers its mechanism to use. */
1181 
1182                 if ( (request.negTokenInit.mechTypes == NULL) ||
1183                      (request.negTokenInit.mechTypes[0] == NULL) ) {
1184                         DEBUG(1, ("Client did not offer any mechanism"));
1185                         x_fprintf(x_stdout, "BH Client did not offer any "
1186                                             "mechanism\n");
1187                         return;
1188                 }
1189 
1190                 status = NT_STATUS_UNSUCCESSFUL;
1191                 if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) {
1192 
1193                         if ( request.negTokenInit.mechToken.data == NULL ) {
1194                                 DEBUG(1, ("Client did not provide NTLMSSP data\n"));
1195                                 x_fprintf(x_stdout, "BH Client did not provide "
1196                                                     "NTLMSSP data\n");
1197                                 return;
1198                         }
1199 
1200                         if ( ntlmssp_state != NULL ) {
1201                                 DEBUG(1, ("Client wants a new NTLMSSP challenge, but "
1202                                           "already got one\n"));
1203                                 x_fprintf(x_stdout, "BH Client wants a new "
1204                                                     "NTLMSSP challenge, but "
1205                                                     "already got one\n");
1206                                 ntlmssp_end(&ntlmssp_state);
1207                                 return;
1208                         }
1209 
1210                         if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
1211                                 x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
1212                                 return;
1213                         }
1214 
1215                         DEBUG(10, ("got NTLMSSP packet:\n"));
1216                         dump_data(10, request.negTokenInit.mechToken.data,
1217                                   request.negTokenInit.mechToken.length);
1218 
1219                         response.type = SPNEGO_NEG_TOKEN_TARG;
1220                         response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP);
1221                         response.negTokenTarg.mechListMIC = data_blob_null;
1222 
1223                         status = ntlmssp_update(ntlmssp_state,
1224                                                        request.negTokenInit.mechToken,
1225                                                        &response.negTokenTarg.responseToken);
1226                 }
1227 
1228 #ifdef HAVE_KRB5
1229                 if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) {
1230 
1231                         TALLOC_CTX *mem_ctx = talloc_init("manage_gss_spnego_request");
1232                         char *principal;
1233                         DATA_BLOB ap_rep;
1234                         DATA_BLOB session_key;
1235                         struct PAC_DATA *pac_data = NULL;
1236 
1237                         if ( request.negTokenInit.mechToken.data == NULL ) {
1238                                 DEBUG(1, ("Client did not provide Kerberos data\n"));
1239                                 x_fprintf(x_stdout, "BH Client did not provide "
1240                                                     "Kerberos data\n");
1241                                 return;
1242                         }
1243 
1244                         response.type = SPNEGO_NEG_TOKEN_TARG;
1245                         response.negTokenTarg.supportedMech = SMB_STRDUP(OID_KERBEROS5_OLD);
1246                         response.negTokenTarg.mechListMIC = data_blob_null;
1247                         response.negTokenTarg.responseToken = data_blob_null;
1248 
1249                         status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
1250                                                    &request.negTokenInit.mechToken,
1251                                                    &principal, &pac_data, &ap_rep,
1252                                                    &session_key, True);
1253 
1254                         /* Now in "principal" we have the name we are
1255                            authenticated as. */
1256 
1257                         if (NT_STATUS_IS_OK(status)) {
1258 
1259                                 domain = strchr_m(principal, '@');
1260 
1261                                 if (domain == NULL) {
1262                                         DEBUG(1, ("Did not get a valid principal "
1263                                                   "from ads_verify_ticket\n"));
1264                                         x_fprintf(x_stdout, "BH Did not get a "
1265                                                   "valid principal from "
1266                                                   "ads_verify_ticket\n");
1267                                         return;
1268                                 }
1269 
1270                                 *domain++ = '\0';
1271                                 domain = SMB_STRDUP(domain);
1272                                 user = SMB_STRDUP(principal);
1273 
1274                                 data_blob_free(&ap_rep);
1275                         }
1276 
1277                         TALLOC_FREE(mem_ctx);
1278                 }
1279 #endif
1280 
1281         } else {
1282 
1283                 if ( (request.negTokenTarg.supportedMech == NULL) ||
1284                      ( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) {
1285                         /* Kerberos should never send a negTokenTarg, OID_NTLMSSP
1286                            is the only one we support that sends this stuff */
1287                         DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n",
1288                                   request.negTokenTarg.supportedMech));
1289                         x_fprintf(x_stdout, "BH Got a negTokenTarg for "
1290                                             "something non-NTLMSSP\n");
1291                         return;
1292                 }
1293 
1294                 if (request.negTokenTarg.responseToken.data == NULL) {
1295                         DEBUG(1, ("Got a negTokenTarg without a responseToken!\n"));
1296                         x_fprintf(x_stdout, "BH Got a negTokenTarg without a "
1297                                             "responseToken!\n");
1298                         return;
1299                 }
1300 
1301                 status = ntlmssp_update(ntlmssp_state,
1302                                                request.negTokenTarg.responseToken,
1303                                                &response.negTokenTarg.responseToken);
1304 
1305                 response.type = SPNEGO_NEG_TOKEN_TARG;
1306                 response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP);
1307                 response.negTokenTarg.mechListMIC = data_blob_null;
1308 
1309                 if (NT_STATUS_IS_OK(status)) {
1310                         user = SMB_STRDUP(ntlmssp_state->user);
1311                         domain = SMB_STRDUP(ntlmssp_state->domain);
1312                         ntlmssp_end(&ntlmssp_state);
1313                 }
1314         }
1315 
1316         free_spnego_data(&request);
1317 
1318         if (NT_STATUS_IS_OK(status)) {
1319                 response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
1320                 reply_code = "AF";
1321                 reply_argument = talloc_asprintf(ctx, "%s\\%s", domain, user);
1322         } else if (NT_STATUS_EQUAL(status,
1323                                    NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1324                 response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1325                 reply_code = "TT";
1326                 reply_argument = talloc_strdup(ctx, "*");
1327         } else {
1328                 response.negTokenTarg.negResult = SPNEGO_REJECT;
1329                 reply_code = "NA";
1330                 reply_argument = talloc_strdup(ctx, nt_errstr(status));
1331         }
1332 
1333         if (!reply_argument) {
1334                 DEBUG(1, ("Could not write SPNEGO data blob\n"));
1335                 x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1336                 return;
1337         }
1338 
1339         SAFE_FREE(user);
1340         SAFE_FREE(domain);
1341 
1342         len = write_spnego_data(&token, &response);
1343         free_spnego_data(&response);
1344 
1345         if (len == -1) {
1346                 DEBUG(1, ("Could not write SPNEGO data blob\n"));
1347                 x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1348                 return;
1349         }
1350 
1351         reply_base64 = base64_encode_data_blob(talloc_tos(), token);
1352 
1353         x_fprintf(x_stdout, "%s %s %s\n",
1354                   reply_code, reply_base64, reply_argument);
1355 
1356         TALLOC_FREE(reply_base64);
1357         data_blob_free(&token);
1358 
1359         return;
1360 }
1361 
1362 static NTLMSSP_STATE *client_ntlmssp_state = NULL;
1363 
1364 static bool manage_client_ntlmssp_init(SPNEGO_DATA spnego)
     /* [<][>][^][v][top][bottom][index][help] */
1365 {
1366         NTSTATUS status;
1367         DATA_BLOB null_blob = data_blob_null;
1368         DATA_BLOB to_server;
1369         char *to_server_base64;
1370         const char *my_mechs[] = {OID_NTLMSSP, NULL};
1371 
1372         DEBUG(10, ("Got spnego negTokenInit with NTLMSSP\n"));
1373 
1374         if (client_ntlmssp_state != NULL) {
1375                 DEBUG(1, ("Request for initial SPNEGO request where "
1376                           "we already have a state\n"));
1377                 return False;
1378         }
1379 
1380         if (!client_ntlmssp_state) {
1381                 if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) {
1382                         x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
1383                         return False;
1384                 }
1385         }
1386 
1387 
1388         if (opt_password == NULL) {
1389 
1390                 /* Request a password from the calling process.  After
1391                    sending it, the calling process should retry with
1392                    the negTokenInit. */
1393 
1394                 DEBUG(10, ("Requesting password\n"));
1395                 x_fprintf(x_stdout, "PW\n");
1396                 return True;
1397         }
1398 
1399         spnego.type = SPNEGO_NEG_TOKEN_INIT;
1400         spnego.negTokenInit.mechTypes = my_mechs;
1401         spnego.negTokenInit.reqFlags = 0;
1402         spnego.negTokenInit.mechListMIC = null_blob;
1403 
1404         status = ntlmssp_update(client_ntlmssp_state, null_blob,
1405                                        &spnego.negTokenInit.mechToken);
1406 
1407         if ( !(NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1408                         NT_STATUS_IS_OK(status)) ) {
1409                 DEBUG(1, ("Expected OK or MORE_PROCESSING_REQUIRED, got: %s\n",
1410                           nt_errstr(status)));
1411                 ntlmssp_end(&client_ntlmssp_state);
1412                 return False;
1413         }
1414 
1415         write_spnego_data(&to_server, &spnego);
1416         data_blob_free(&spnego.negTokenInit.mechToken);
1417 
1418         to_server_base64 = base64_encode_data_blob(talloc_tos(), to_server);
1419         data_blob_free(&to_server);
1420         x_fprintf(x_stdout, "KK %s\n", to_server_base64);
1421         TALLOC_FREE(to_server_base64);
1422         return True;
1423 }
1424 
1425 static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego)
     /* [<][>][^][v][top][bottom][index][help] */
1426 {
1427         NTSTATUS status;
1428         DATA_BLOB null_blob = data_blob_null;
1429         DATA_BLOB request;
1430         DATA_BLOB to_server;
1431         char *to_server_base64;
1432 
1433         DEBUG(10, ("Got spnego negTokenTarg with NTLMSSP\n"));
1434 
1435         if (client_ntlmssp_state == NULL) {
1436                 DEBUG(1, ("Got NTLMSSP tArg without a client state\n"));
1437                 x_fprintf(x_stdout, "BH Got NTLMSSP tArg without a client state\n");
1438                 return;
1439         }
1440 
1441         if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
1442                 x_fprintf(x_stdout, "NA\n");
1443                 ntlmssp_end(&client_ntlmssp_state);
1444                 return;
1445         }
1446 
1447         if (spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) {
1448                 x_fprintf(x_stdout, "AF\n");
1449                 ntlmssp_end(&client_ntlmssp_state);
1450                 return;
1451         }
1452 
1453         status = ntlmssp_update(client_ntlmssp_state,
1454                                        spnego.negTokenTarg.responseToken,
1455                                        &request);
1456                 
1457         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1458                 DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED from "
1459                           "ntlmssp_client_update, got: %s\n",
1460                           nt_errstr(status)));
1461                 x_fprintf(x_stdout, "BH Expected MORE_PROCESSING_REQUIRED from "
1462                                     "ntlmssp_client_update\n");
1463                 data_blob_free(&request);
1464                 ntlmssp_end(&client_ntlmssp_state);
1465                 return;
1466         }
1467 
1468         spnego.type = SPNEGO_NEG_TOKEN_TARG;
1469         spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1470         spnego.negTokenTarg.supportedMech = (char *)OID_NTLMSSP;
1471         spnego.negTokenTarg.responseToken = request;
1472         spnego.negTokenTarg.mechListMIC = null_blob;
1473         
1474         write_spnego_data(&to_server, &spnego);
1475         data_blob_free(&request);
1476 
1477         to_server_base64 = base64_encode_data_blob(talloc_tos(), to_server);
1478         data_blob_free(&to_server);
1479         x_fprintf(x_stdout, "KK %s\n", to_server_base64);
1480         TALLOC_FREE(to_server_base64);
1481         return;
1482 }
1483 
1484 #ifdef HAVE_KRB5
1485 
1486 static bool manage_client_krb5_init(SPNEGO_DATA spnego)
     /* [<][>][^][v][top][bottom][index][help] */
1487 {
1488         char *principal;
1489         DATA_BLOB tkt, to_server;
1490         DATA_BLOB session_key_krb5 = data_blob_null;
1491         SPNEGO_DATA reply;
1492         char *reply_base64;
1493         int retval;
1494 
1495         const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL};
1496         ssize_t len;
1497 
1498         if ( (spnego.negTokenInit.mechListMIC.data == NULL) ||
1499              (spnego.negTokenInit.mechListMIC.length == 0) ) {
1500                 DEBUG(1, ("Did not get a principal for krb5\n"));
1501                 return False;
1502         }
1503 
1504         principal = (char *)SMB_MALLOC(
1505                 spnego.negTokenInit.mechListMIC.length+1);
1506 
1507         if (principal == NULL) {
1508                 DEBUG(1, ("Could not malloc principal\n"));
1509                 return False;
1510         }
1511 
1512         memcpy(principal, spnego.negTokenInit.mechListMIC.data,
1513                spnego.negTokenInit.mechListMIC.length);
1514         principal[spnego.negTokenInit.mechListMIC.length] = '\0';
1515 
1516         retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
1517 
1518         if (retval) {
1519                 char *user = NULL;
1520 
1521                 /* Let's try to first get the TGT, for that we need a
1522                    password. */
1523 
1524                 if (opt_password == NULL) {
1525                         DEBUG(10, ("Requesting password\n"));
1526                         x_fprintf(x_stdout, "PW\n");
1527                         return True;
1528                 }
1529 
1530                 user = talloc_asprintf(talloc_tos(), "%s@%s", opt_username, opt_domain);
1531                 if (!user) {
1532                         return false;
1533                 }
1534 
1535                 if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) {
1536                         DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
1537                         return False;
1538                 }
1539 
1540                 retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
1541 
1542                 if (retval) {
1543                         DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
1544                         return False;
1545                 }
1546         }
1547 
1548         data_blob_free(&session_key_krb5);
1549 
1550         ZERO_STRUCT(reply);
1551 
1552         reply.type = SPNEGO_NEG_TOKEN_INIT;
1553         reply.negTokenInit.mechTypes = my_mechs;
1554         reply.negTokenInit.reqFlags = 0;
1555         reply.negTokenInit.mechToken = tkt;
1556         reply.negTokenInit.mechListMIC = data_blob_null;
1557 
1558         len = write_spnego_data(&to_server, &reply);
1559         data_blob_free(&tkt);
1560 
1561         if (len == -1) {
1562                 DEBUG(1, ("Could not write SPNEGO data blob\n"));
1563                 return False;
1564         }
1565 
1566         reply_base64 = base64_encode_data_blob(talloc_tos(), to_server);
1567         x_fprintf(x_stdout, "KK %s *\n", reply_base64);
1568 
1569         TALLOC_FREE(reply_base64);
1570         data_blob_free(&to_server);
1571         DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n"));
1572         return True;
1573 }
1574 
1575 static void manage_client_krb5_targ(SPNEGO_DATA spnego)
     /* [<][>][^][v][top][bottom][index][help] */
1576 {
1577         switch (spnego.negTokenTarg.negResult) {
1578         case SPNEGO_ACCEPT_INCOMPLETE:
1579                 DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n"));
1580                 x_fprintf(x_stdout, "BH Got a Kerberos negTokenTarg with "
1581                                     "ACCEPT_INCOMPLETE\n");
1582                 break;
1583         case SPNEGO_ACCEPT_COMPLETED:
1584                 DEBUG(10, ("Accept completed\n"));
1585                 x_fprintf(x_stdout, "AF\n");
1586                 break;
1587         case SPNEGO_REJECT:
1588                 DEBUG(10, ("Rejected\n"));
1589                 x_fprintf(x_stdout, "NA\n");
1590                 break;
1591         default:
1592                 DEBUG(1, ("Got an invalid negTokenTarg\n"));
1593                 x_fprintf(x_stdout, "AF\n");
1594         }
1595 }
1596 
1597 #endif
1598 
1599 static void manage_gss_spnego_client_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
1600                                                 char *buf, int length)
1601 {
1602         DATA_BLOB request;
1603         SPNEGO_DATA spnego;
1604         ssize_t len;
1605 
1606         if (!opt_username || !*opt_username) {
1607                 x_fprintf(x_stderr, "username must be specified!\n\n");
1608                 exit(1);
1609         }
1610 
1611         if (strlen(buf) <= 3) {
1612                 DEBUG(1, ("SPNEGO query [%s] too short\n", buf));
1613                 x_fprintf(x_stdout, "BH SPNEGO query too short\n");
1614                 return;
1615         }
1616 
1617         request = base64_decode_data_blob(buf+3);
1618 
1619         if (strncmp(buf, "PW ", 3) == 0) {
1620 
1621                 /* We asked for a password and obviously got it :-) */
1622 
1623                 opt_password = SMB_STRNDUP((const char *)request.data, request.length);
1624                 
1625                 if (opt_password == NULL) {
1626                         DEBUG(1, ("Out of memory\n"));
1627                         x_fprintf(x_stdout, "BH Out of memory\n");
1628                         data_blob_free(&request);
1629                         return;
1630                 }
1631 
1632                 x_fprintf(x_stdout, "OK\n");
1633                 data_blob_free(&request);
1634                 return;
1635         }
1636 
1637         if ( (strncmp(buf, "TT ", 3) != 0) &&
1638              (strncmp(buf, "AF ", 3) != 0) &&
1639              (strncmp(buf, "NA ", 3) != 0) ) {
1640                 DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
1641                 x_fprintf(x_stdout, "BH SPNEGO request invalid\n");
1642                 data_blob_free(&request);
1643                 return;
1644         }
1645 
1646         /* So we got a server challenge to generate a SPNEGO
1647            client-to-server request... */
1648 
1649         len = read_spnego_data(talloc_tos(), request, &spnego);
1650         data_blob_free(&request);
1651 
1652         if (len == -1) {
1653                 DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf));
1654                 x_fprintf(x_stdout, "BH Could not read SPNEGO data\n");
1655                 return;
1656         }
1657 
1658         if (spnego.type == SPNEGO_NEG_TOKEN_INIT) {
1659 
1660                 /* The server offers a list of mechanisms */
1661 
1662                 const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
1663 
1664                 while (*mechType != NULL) {
1665 
1666 #ifdef HAVE_KRB5
1667                         if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) ||
1668                              (strcmp(*mechType, OID_KERBEROS5) == 0) ) {
1669                                 if (manage_client_krb5_init(spnego))
1670                                         goto out;
1671                         }
1672 #endif
1673 
1674                         if (strcmp(*mechType, OID_NTLMSSP) == 0) {
1675                                 if (manage_client_ntlmssp_init(spnego))
1676                                         goto out;
1677                         }
1678 
1679                         mechType++;
1680                 }
1681 
1682                 DEBUG(1, ("Server offered no compatible mechanism\n"));
1683                 x_fprintf(x_stdout, "BH Server offered no compatible mechanism\n");
1684                 return;
1685         }
1686 
1687         if (spnego.type == SPNEGO_NEG_TOKEN_TARG) {
1688 
1689                 if (spnego.negTokenTarg.supportedMech == NULL) {
1690                         /* On accept/reject Windows does not send the
1691                            mechanism anymore. Handle that here and
1692                            shut down the mechanisms. */
1693 
1694                         switch (spnego.negTokenTarg.negResult) {
1695                         case SPNEGO_ACCEPT_COMPLETED:
1696                                 x_fprintf(x_stdout, "AF\n");
1697                                 break;
1698                         case SPNEGO_REJECT:
1699                                 x_fprintf(x_stdout, "NA\n");
1700                                 break;
1701                         default:
1702                                 DEBUG(1, ("Got a negTokenTarg with no mech and an "
1703                                           "unknown negResult: %d\n",
1704                                           spnego.negTokenTarg.negResult));
1705                                 x_fprintf(x_stdout, "BH Got a negTokenTarg with"
1706                                                     " no mech and an unknown "
1707                                                     "negResult\n");
1708                         }
1709 
1710                         ntlmssp_end(&client_ntlmssp_state);
1711                         goto out;
1712                 }
1713 
1714                 if (strcmp(spnego.negTokenTarg.supportedMech,
1715                            OID_NTLMSSP) == 0) {
1716                         manage_client_ntlmssp_targ(spnego);
1717                         goto out;
1718                 }
1719 
1720 #if HAVE_KRB5
1721                 if (strcmp(spnego.negTokenTarg.supportedMech,
1722                            OID_KERBEROS5_OLD) == 0) {
1723                         manage_client_krb5_targ(spnego);
1724                         goto out;
1725                 }
1726 #endif
1727 
1728         }
1729 
1730         DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf));
1731         x_fprintf(x_stdout, "BH Got an SPNEGO token I could not handle\n");
1732         return;
1733 
1734  out:
1735         free_spnego_data(&spnego);
1736         return;
1737 }
1738 
1739 static void manage_ntlm_server_1_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
1740                                                 char *buf, int length)
1741 {
1742         char *request, *parameter;      
1743         static DATA_BLOB challenge;
1744         static DATA_BLOB lm_response;
1745         static DATA_BLOB nt_response;
1746         static char *full_username;
1747         static char *username;
1748         static char *domain;
1749         static char *plaintext_password;
1750         static bool ntlm_server_1_user_session_key;
1751         static bool ntlm_server_1_lm_session_key;
1752         
1753         if (strequal(buf, ".")) {
1754                 if (!full_username && !username) {      
1755                         x_fprintf(x_stdout, "Error: No username supplied!\n");
1756                 } else if (plaintext_password) {
1757                         /* handle this request as plaintext */
1758                         if (!full_username) {
1759                                 if (asprintf(&full_username, "%s%c%s", domain, winbind_separator(), username) == -1) {
1760                                         x_fprintf(x_stdout, "Error: Out of memory in asprintf!\n.\n");
1761                                         return;
1762                                 }
1763                         }
1764                         if (check_plaintext_auth(full_username, plaintext_password, False)) {
1765                                 x_fprintf(x_stdout, "Authenticated: Yes\n");
1766                         } else {
1767                                 x_fprintf(x_stdout, "Authenticated: No\n");
1768                         }
1769                 } else if (!lm_response.data && !nt_response.data) {
1770                         x_fprintf(x_stdout, "Error: No password supplied!\n");
1771                 } else if (!challenge.data) {   
1772                         x_fprintf(x_stdout, "Error: No lanman-challenge supplied!\n");
1773                 } else {
1774                         char *error_string = NULL;
1775                         uchar lm_key[8];
1776                         uchar user_session_key[16];
1777                         uint32 flags = 0;
1778 
1779                         if (full_username && !username) {
1780                                 fstring fstr_user;
1781                                 fstring fstr_domain;
1782                                 
1783                                 if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) {
1784                                         /* username might be 'tainted', don't print into our new-line deleimianted stream */
1785                                         x_fprintf(x_stdout, "Error: Could not parse into domain and username\n");
1786                                 }
1787                                 SAFE_FREE(username);
1788                                 SAFE_FREE(domain);
1789                                 username = smb_xstrdup(fstr_user);
1790                                 domain = smb_xstrdup(fstr_domain);
1791                         }
1792 
1793                         if (!domain) {
1794                                 domain = smb_xstrdup(get_winbind_domain());
1795                         }
1796 
1797                         if (ntlm_server_1_lm_session_key) 
1798                                 flags |= WBFLAG_PAM_LMKEY;
1799                         
1800                         if (ntlm_server_1_user_session_key) 
1801                                 flags |= WBFLAG_PAM_USER_SESSION_KEY;
1802 
1803                         if (!NT_STATUS_IS_OK(
1804                                     contact_winbind_auth_crap(username, 
1805                                                               domain, 
1806                                                               global_myname(),
1807                                                               &challenge, 
1808                                                               &lm_response, 
1809                                                               &nt_response, 
1810                                                               flags, 
1811                                                               lm_key, 
1812                                                               user_session_key,
1813                                                               &error_string,
1814                                                               NULL))) {
1815 
1816                                 x_fprintf(x_stdout, "Authenticated: No\n");
1817                                 x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string);
1818                         } else {
1819                                 static char zeros[16];
1820                                 char *hex_lm_key;
1821                                 char *hex_user_session_key;
1822 
1823                                 x_fprintf(x_stdout, "Authenticated: Yes\n");
1824 
1825                                 if (ntlm_server_1_lm_session_key 
1826                                     && (memcmp(zeros, lm_key, 
1827                                                sizeof(lm_key)) != 0)) {
1828                                         hex_lm_key = hex_encode_talloc(NULL,
1829                                                                 (const unsigned char *)lm_key,
1830                                                                 sizeof(lm_key));
1831                                         x_fprintf(x_stdout, "LANMAN-Session-Key: %s\n", hex_lm_key);
1832                                         TALLOC_FREE(hex_lm_key);
1833                                 }
1834 
1835                                 if (ntlm_server_1_user_session_key 
1836                                     && (memcmp(zeros, user_session_key, 
1837                                                sizeof(user_session_key)) != 0)) {
1838                                         hex_user_session_key = hex_encode_talloc(NULL,
1839                                                                           (const unsigned char *)user_session_key, 
1840                                                                           sizeof(user_session_key));
1841                                         x_fprintf(x_stdout, "User-Session-Key: %s\n", hex_user_session_key);
1842                                         TALLOC_FREE(hex_user_session_key);
1843                                 }
1844                         }
1845                         SAFE_FREE(error_string);
1846                 }
1847                 /* clear out the state */
1848                 challenge = data_blob_null;
1849                 nt_response = data_blob_null;
1850                 lm_response = data_blob_null;
1851                 SAFE_FREE(full_username);
1852                 SAFE_FREE(username);
1853                 SAFE_FREE(domain);
1854                 SAFE_FREE(plaintext_password);
1855                 ntlm_server_1_user_session_key = False;
1856                 ntlm_server_1_lm_session_key = False;
1857                 x_fprintf(x_stdout, ".\n");
1858 
1859                 return;
1860         }
1861 
1862         request = buf;
1863 
1864         /* Indicates a base64 encoded structure */
1865         parameter = strstr_m(request, ":: ");
1866         if (!parameter) {
1867                 parameter = strstr_m(request, ": ");
1868                 
1869                 if (!parameter) {
1870                         DEBUG(0, ("Parameter not found!\n"));
1871                         x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
1872                         return;
1873                 }
1874                 
1875                 parameter[0] ='\0';
1876                 parameter++;
1877                 parameter[0] ='\0';
1878                 parameter++;
1879 
1880         } else {
1881                 parameter[0] ='\0';
1882                 parameter++;
1883                 parameter[0] ='\0';
1884                 parameter++;
1885                 parameter[0] ='\0';
1886                 parameter++;
1887 
1888                 base64_decode_inplace(parameter);
1889         }
1890 
1891         if (strequal(request, "LANMAN-Challenge")) {
1892                 challenge = strhex_to_data_blob(NULL, parameter);
1893                 if (challenge.length != 8) {
1894                         x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", 
1895                                   parameter,
1896                                   (int)challenge.length);
1897                         challenge = data_blob_null;
1898                 }
1899         } else if (strequal(request, "NT-Response")) {
1900                 nt_response = strhex_to_data_blob(NULL, parameter);
1901                 if (nt_response.length < 24) {
1902                         x_fprintf(x_stdout, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", 
1903                                   parameter,
1904                                   (int)nt_response.length);
1905                         nt_response = data_blob_null;
1906                 }
1907         } else if (strequal(request, "LANMAN-Response")) {
1908                 lm_response = strhex_to_data_blob(NULL, parameter);
1909                 if (lm_response.length != 24) {
1910                         x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", 
1911                                   parameter,
1912                                   (int)lm_response.length);
1913                         lm_response = data_blob_null;
1914                 }
1915         } else if (strequal(request, "Password")) {
1916                 plaintext_password = smb_xstrdup(parameter);
1917         } else if (strequal(request, "NT-Domain")) {
1918                 domain = smb_xstrdup(parameter);
1919         } else if (strequal(request, "Username")) {
1920                 username = smb_xstrdup(parameter);
1921         } else if (strequal(request, "Full-Username")) {
1922                 full_username = smb_xstrdup(parameter);
1923         } else if (strequal(request, "Request-User-Session-Key")) {
1924                 ntlm_server_1_user_session_key = strequal(parameter, "Yes");
1925         } else if (strequal(request, "Request-LanMan-Session-Key")) {
1926                 ntlm_server_1_lm_session_key = strequal(parameter, "Yes");
1927         } else {
1928                 x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
1929         }
1930 }
1931 
1932 static void manage_ntlm_change_password_1_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
1933                                                         char *buf, int length)
1934 {
1935         char *request, *parameter;      
1936         static DATA_BLOB new_nt_pswd;
1937         static DATA_BLOB old_nt_hash_enc;
1938         static DATA_BLOB new_lm_pswd;
1939         static DATA_BLOB old_lm_hash_enc;
1940         static char *full_username = NULL;
1941         static char *username = NULL;
1942         static char *domain = NULL;
1943         static char *newpswd =  NULL;
1944         static char *oldpswd = NULL;
1945 
1946         if (strequal(buf, ".")) {
1947                 if(newpswd && oldpswd) {
1948                         uchar old_nt_hash[16];
1949                         uchar old_lm_hash[16];
1950                         uchar new_nt_hash[16];
1951                         uchar new_lm_hash[16];
1952 
1953                         new_nt_pswd = data_blob(NULL, 516);
1954                         old_nt_hash_enc = data_blob(NULL, 16);
1955                         
1956                         /* Calculate the MD4 hash (NT compatible) of the
1957                          * password */
1958                         E_md4hash(oldpswd, old_nt_hash);
1959                         E_md4hash(newpswd, new_nt_hash);
1960 
1961                         /* E_deshash returns false for 'long'
1962                            passwords (> 14 DOS chars).  
1963                            
1964                            Therefore, don't send a buffer
1965                            encrypted with the truncated hash
1966                            (it could allow an even easier
1967                            attack on the password)
1968 
1969                            Likewise, obey the admin's restriction
1970                         */
1971 
1972                         if (lp_client_lanman_auth() &&
1973                             E_deshash(newpswd, new_lm_hash) &&
1974                             E_deshash(oldpswd, old_lm_hash)) {
1975                                 new_lm_pswd = data_blob(NULL, 516);
1976                                 old_lm_hash_enc = data_blob(NULL, 16);
1977                                 encode_pw_buffer(new_lm_pswd.data, newpswd,
1978                                                  STR_UNICODE);
1979 
1980                                 SamOEMhash(new_lm_pswd.data, old_nt_hash, 516);
1981                                 E_old_pw_hash(new_nt_hash, old_lm_hash,
1982                                               old_lm_hash_enc.data);
1983                         } else {
1984                                 new_lm_pswd.data = NULL;
1985                                 new_lm_pswd.length = 0;
1986                                 old_lm_hash_enc.data = NULL;
1987                                 old_lm_hash_enc.length = 0;
1988                         }
1989 
1990                         encode_pw_buffer(new_nt_pswd.data, newpswd,
1991                                          STR_UNICODE);
1992         
1993                         SamOEMhash(new_nt_pswd.data, old_nt_hash, 516);
1994                         E_old_pw_hash(new_nt_hash, old_nt_hash,
1995                                       old_nt_hash_enc.data);
1996                 }
1997                 
1998                 if (!full_username && !username) {      
1999                         x_fprintf(x_stdout, "Error: No username supplied!\n");
2000                 } else if ((!new_nt_pswd.data || !old_nt_hash_enc.data) &&
2001                            (!new_lm_pswd.data || old_lm_hash_enc.data) ) {
2002                         x_fprintf(x_stdout, "Error: No NT or LM password "
2003                                   "blobs supplied!\n");
2004                 } else {
2005                         char *error_string = NULL;
2006                         
2007                         if (full_username && !username) {
2008                                 fstring fstr_user;
2009                                 fstring fstr_domain;
2010                                 
2011                                 if (!parse_ntlm_auth_domain_user(full_username,
2012                                                                  fstr_user,
2013                                                                  fstr_domain)) {
2014                                         /* username might be 'tainted', don't
2015                                          * print into our new-line
2016                                          * deleimianted stream */
2017                                         x_fprintf(x_stdout, "Error: Could not "
2018                                                   "parse into domain and "
2019                                                   "username\n");
2020                                         SAFE_FREE(username);
2021                                         username = smb_xstrdup(full_username);
2022                                 } else {
2023                                         SAFE_FREE(username);
2024                                         SAFE_FREE(domain);
2025                                         username = smb_xstrdup(fstr_user);
2026                                         domain = smb_xstrdup(fstr_domain);
2027                                 }
2028                                 
2029                         }
2030 
2031                         if(!NT_STATUS_IS_OK(contact_winbind_change_pswd_auth_crap(
2032                                                     username, domain,
2033                                                     new_nt_pswd,
2034                                                     old_nt_hash_enc,
2035                                                     new_lm_pswd,
2036                                                     old_lm_hash_enc,
2037                                                     &error_string))) {
2038                                 x_fprintf(x_stdout, "Password-Change: No\n");
2039                                 x_fprintf(x_stdout, "Password-Change-Error: "
2040                                           "%s\n.\n", error_string);
2041                         } else {
2042                                 x_fprintf(x_stdout, "Password-Change: Yes\n");
2043                         }
2044 
2045                         SAFE_FREE(error_string);
2046                 }
2047                 /* clear out the state */
2048                 new_nt_pswd = data_blob_null;
2049                 old_nt_hash_enc = data_blob_null;
2050                 new_lm_pswd = data_blob_null;
2051                 old_nt_hash_enc = data_blob_null;
2052                 SAFE_FREE(full_username);
2053                 SAFE_FREE(username);
2054                 SAFE_FREE(domain);
2055                 SAFE_FREE(newpswd);
2056                 SAFE_FREE(oldpswd);
2057                 x_fprintf(x_stdout, ".\n");
2058 
2059                 return;
2060         }
2061 
2062         request = buf;
2063 
2064         /* Indicates a base64 encoded structure */
2065         parameter = strstr_m(request, ":: ");
2066         if (!parameter) {
2067                 parameter = strstr_m(request, ": ");
2068                 
2069                 if (!parameter) {
2070                         DEBUG(0, ("Parameter not found!\n"));
2071                         x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
2072                         return;
2073                 }
2074                 
2075                 parameter[0] ='\0';
2076                 parameter++;
2077                 parameter[0] ='\0';
2078                 parameter++;
2079         } else {
2080                 parameter[0] ='\0';
2081                 parameter++;
2082                 parameter[0] ='\0';
2083                 parameter++;
2084                 parameter[0] ='\0';
2085                 parameter++;
2086 
2087                 base64_decode_inplace(parameter);
2088         }
2089 
2090         if (strequal(request, "new-nt-password-blob")) {
2091                 new_nt_pswd = strhex_to_data_blob(NULL, parameter);
2092                 if (new_nt_pswd.length != 516) {
2093                         x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2094                                   "(got %d bytes, expected 516)\n.\n", 
2095                                   parameter,
2096                                   (int)new_nt_pswd.length);
2097                         new_nt_pswd = data_blob_null;
2098                 }
2099         } else if (strequal(request, "old-nt-hash-blob")) {
2100                 old_nt_hash_enc = strhex_to_data_blob(NULL, parameter);
2101                 if (old_nt_hash_enc.length != 16) {
2102                         x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2103                                   "(got %d bytes, expected 16)\n.\n", 
2104                                   parameter,
2105                                   (int)old_nt_hash_enc.length);
2106                         old_nt_hash_enc = data_blob_null;
2107                 }
2108         } else if (strequal(request, "new-lm-password-blob")) {
2109                 new_lm_pswd = strhex_to_data_blob(NULL, parameter);
2110                 if (new_lm_pswd.length != 516) {
2111                         x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2112                                   "(got %d bytes, expected 516)\n.\n", 
2113                                   parameter,
2114                                   (int)new_lm_pswd.length);
2115                         new_lm_pswd = data_blob_null;
2116                 }
2117         }
2118         else if (strequal(request, "old-lm-hash-blob")) {
2119                 old_lm_hash_enc = strhex_to_data_blob(NULL, parameter);
2120                 if (old_lm_hash_enc.length != 16)
2121                 {
2122                         x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2123                                   "(got %d bytes, expected 16)\n.\n", 
2124                                   parameter,
2125                                   (int)old_lm_hash_enc.length);
2126                         old_lm_hash_enc = data_blob_null;
2127                 }
2128         } else if (strequal(request, "nt-domain")) {
2129                 domain = smb_xstrdup(parameter);
2130         } else if(strequal(request, "username")) {
2131                 username = smb_xstrdup(parameter);
2132         } else if(strequal(request, "full-username")) {
2133                 username = smb_xstrdup(parameter);
2134         } else if(strequal(request, "new-password")) {
2135                 newpswd = smb_xstrdup(parameter);
2136         } else if (strequal(request, "old-password")) {
2137                 oldpswd = smb_xstrdup(parameter);
2138         } else {
2139                 x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
2140         }
2141 }
2142 
2143 static void manage_squid_request(struct ntlm_auth_state *state,
     /* [<][>][^][v][top][bottom][index][help] */
2144                 stdio_helper_function fn)
2145 {
2146         char *buf;
2147         char tmp[INITIAL_BUFFER_SIZE+1];
2148         int length, buf_size = 0;
2149         char *c;
2150 
2151         buf = talloc_strdup(state->mem_ctx, "");
2152         if (!buf) {
2153                 DEBUG(0, ("Failed to allocate input buffer.\n"));
2154                 x_fprintf(x_stderr, "ERR\n");
2155                 exit(1);
2156         }
2157 
2158         do {
2159 
2160                 /* this is not a typo - x_fgets doesn't work too well under
2161                  * squid */
2162                 if (fgets(tmp, sizeof(tmp)-1, stdin) == NULL) {
2163                         if (ferror(stdin)) {
2164                                 DEBUG(1, ("fgets() failed! dying..... errno=%d "
2165                                           "(%s)\n", ferror(stdin),
2166                                           strerror(ferror(stdin))));
2167 
2168                                 exit(1);
2169                         }
2170                         exit(0);
2171                 }
2172 
2173                 buf = talloc_strdup_append_buffer(buf, tmp);
2174                 buf_size += INITIAL_BUFFER_SIZE;
2175 
2176                 if (buf_size > MAX_BUFFER_SIZE) {
2177                         DEBUG(2, ("Oversized message\n"));
2178                         x_fprintf(x_stderr, "ERR\n");
2179                         talloc_free(buf);
2180                         return;
2181                 }
2182 
2183                 c = strchr(buf, '\n');
2184         } while (c == NULL);
2185 
2186         *c = '\0';
2187         length = c-buf;
2188 
2189         DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
2190 
2191         if (buf[0] == '\0') {
2192                 DEBUG(2, ("Invalid Request\n"));
2193                 x_fprintf(x_stderr, "ERR\n");
2194                 talloc_free(buf);
2195                 return;
2196         }
2197 
2198         fn(state, buf, length);
2199         talloc_free(buf);
2200 }
2201 
2202 
2203 static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) {
     /* [<][>][^][v][top][bottom][index][help] */
2204         TALLOC_CTX *mem_ctx;
2205         struct ntlm_auth_state *state;
2206 
2207         /* initialize FDescs */
2208         x_setbuf(x_stdout, NULL);
2209         x_setbuf(x_stderr, NULL);
2210 
2211         mem_ctx = talloc_init("ntlm_auth");
2212         if (!mem_ctx) {
2213                 DEBUG(0, ("squid_stream: Failed to create talloc context\n"));
2214                 x_fprintf(x_stderr, "ERR\n");
2215                 exit(1);
2216         }
2217 
2218         state = talloc_zero(mem_ctx, struct ntlm_auth_state);
2219         if (!state) {
2220                 DEBUG(0, ("squid_stream: Failed to talloc ntlm_auth_state\n"));
2221                 x_fprintf(x_stderr, "ERR\n");
2222                 exit(1);
2223         }
2224 
2225         state->mem_ctx = mem_ctx;
2226         state->helper_mode = stdio_mode;
2227 
2228         while(1) {
2229                 manage_squid_request(state, fn);
2230         }
2231 }
2232 
2233 
2234 /* Authenticate a user with a challenge/response */
2235 
2236 static bool check_auth_crap(void)
     /* [<][>][^][v][top][bottom][index][help] */
2237 {
2238         NTSTATUS nt_status;
2239         uint32 flags = 0;
2240         char lm_key[8];
2241         char user_session_key[16];
2242         char *hex_lm_key;
2243         char *hex_user_session_key;
2244         char *error_string;
2245         static uint8 zeros[16];
2246 
2247         x_setbuf(x_stdout, NULL);
2248 
2249         if (request_lm_key) 
2250                 flags |= WBFLAG_PAM_LMKEY;
2251 
2252         if (request_user_session_key) 
2253                 flags |= WBFLAG_PAM_USER_SESSION_KEY;
2254 
2255         flags |= WBFLAG_PAM_NT_STATUS_SQUASH;
2256 
2257         nt_status = contact_winbind_auth_crap(opt_username, opt_domain, 
2258                                               opt_workstation,
2259                                               &opt_challenge, 
2260                                               &opt_lm_response, 
2261                                               &opt_nt_response, 
2262                                               flags,
2263                                               (unsigned char *)lm_key, 
2264                                               (unsigned char *)user_session_key, 
2265                                               &error_string, NULL);
2266 
2267         if (!NT_STATUS_IS_OK(nt_status)) {
2268                 x_fprintf(x_stdout, "%s (0x%x)\n", 
2269                           error_string,
2270                           NT_STATUS_V(nt_status));
2271                 SAFE_FREE(error_string);
2272                 return False;
2273         }
2274 
2275         if (request_lm_key 
2276             && (memcmp(zeros, lm_key, 
2277                        sizeof(lm_key)) != 0)) {
2278                 hex_lm_key = hex_encode_talloc(NULL, (const unsigned char *)lm_key,
2279                                         sizeof(lm_key));
2280                 x_fprintf(x_stdout, "LM_KEY: %s\n", hex_lm_key);
2281                 TALLOC_FREE(hex_lm_key);
2282         }
2283         if (request_user_session_key 
2284             && (memcmp(zeros, user_session_key, 
2285                        sizeof(user_session_key)) != 0)) {
2286                 hex_user_session_key = hex_encode_talloc(NULL, (const unsigned char *)user_session_key, 
2287                                                   sizeof(user_session_key));
2288                 x_fprintf(x_stdout, "NT_KEY: %s\n", hex_user_session_key);
2289                 TALLOC_FREE(hex_user_session_key);
2290         }
2291 
2292         return True;
2293 }
2294 
2295 /* Main program */
2296 
2297 enum {
2298         OPT_USERNAME = 1000,
2299         OPT_DOMAIN,
2300         OPT_WORKSTATION,
2301         OPT_CHALLENGE,
2302         OPT_RESPONSE,
2303         OPT_LM,
2304         OPT_NT,
2305         OPT_PASSWORD,
2306         OPT_LM_KEY,
2307         OPT_USER_SESSION_KEY,
2308         OPT_DIAGNOSTICS,
2309         OPT_REQUIRE_MEMBERSHIP,
2310         OPT_USE_CACHED_CREDS
2311 };
2312 
2313  int main(int argc, const char **argv)
     /* [<][>][^][v][top][bottom][index][help] */
2314 {
2315         TALLOC_CTX *frame = talloc_stackframe();
2316         int opt;
2317         static const char *helper_protocol;
2318         static int diagnostics;
2319 
2320         static const char *hex_challenge;
2321         static const char *hex_lm_response;
2322         static const char *hex_nt_response;
2323 
2324         poptContext pc;
2325 
2326         /* NOTE: DO NOT change this interface without considering the implications!
2327            This is an external interface, which other programs will use to interact 
2328            with this helper.
2329         */
2330 
2331         /* We do not use single-letter command abbreviations, because they harm future 
2332            interface stability. */
2333 
2334         struct poptOption long_options[] = {
2335                 POPT_AUTOHELP
2336                 { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
2337                 { "username", 0, POPT_ARG_STRING, &opt_username, OPT_USERNAME, "username"},
2338                 { "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
2339                 { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
2340                 { "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
2341                 { "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
2342                 { "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
2343                 { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},            
2344                 { "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
2345                 { "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
2346                 { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
2347                 { "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
2348                 { "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
2349                 POPT_COMMON_CONFIGFILE
2350                 POPT_COMMON_VERSION
2351                 POPT_TABLEEND
2352         };
2353 
2354         /* Samba client initialisation */
2355         load_case_tables();
2356 
2357         dbf = x_stderr;
2358 
2359         /* Parse options */
2360 
2361         pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
2362 
2363         /* Parse command line options */
2364 
2365         if (argc == 1) {
2366                 poptPrintHelp(pc, stderr, 0);
2367                 return 1;
2368         }
2369 
2370         while((opt = poptGetNextOpt(pc)) != -1) {
2371                 /* Get generic config options like --configfile */
2372         }
2373 
2374         poptFreeContext(pc);
2375 
2376         if (!lp_load(get_dyn_CONFIGFILE(), True, False, False, True)) {
2377                 d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
2378                         get_dyn_CONFIGFILE(), strerror(errno));
2379                 exit(1);
2380         }
2381 
2382         pc = poptGetContext(NULL, argc, (const char **)argv, long_options, 
2383                             POPT_CONTEXT_KEEP_FIRST);
2384 
2385         while((opt = poptGetNextOpt(pc)) != -1) {
2386                 switch (opt) {
2387                 case OPT_CHALLENGE:
2388                         opt_challenge = strhex_to_data_blob(NULL, hex_challenge);
2389                         if (opt_challenge.length != 8) {
2390                                 x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n", 
2391                                           hex_challenge,
2392                                           (int)opt_challenge.length);
2393                                 exit(1);
2394                         }
2395                         break;
2396                 case OPT_LM: 
2397                         opt_lm_response = strhex_to_data_blob(NULL, hex_lm_response);
2398                         if (opt_lm_response.length != 24) {
2399                                 x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n", 
2400                                           hex_lm_response,
2401                                           (int)opt_lm_response.length);
2402                                 exit(1);
2403                         }
2404                         break;
2405 
2406                 case OPT_NT: 
2407                         opt_nt_response = strhex_to_data_blob(NULL, hex_nt_response);
2408                         if (opt_nt_response.length < 24) {
2409                                 x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n", 
2410                                           hex_nt_response,
2411                                           (int)opt_nt_response.length);
2412                                 exit(1);
2413                         }
2414                         break;
2415 
2416                 case OPT_REQUIRE_MEMBERSHIP:
2417                         if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
2418                                 require_membership_of_sid = require_membership_of;
2419                         }
2420                         break;
2421                 }
2422         }
2423 
2424         if (opt_username) {
2425                 char *domain = SMB_STRDUP(opt_username);
2426                 char *p = strchr_m(domain, *lp_winbind_separator());
2427                 if (p) {
2428                         opt_username = p+1;
2429                         *p = '\0';
2430                         if (opt_domain && !strequal(opt_domain, domain)) {
2431                                 x_fprintf(x_stderr, "Domain specified in username (%s) "
2432                                         "doesn't match specified domain (%s)!\n\n",
2433                                         domain, opt_domain);
2434                                 poptPrintHelp(pc, stderr, 0);
2435                                 exit(1);
2436                         }
2437                         opt_domain = domain;
2438                 } else {
2439                         SAFE_FREE(domain);
2440                 }
2441         }
2442 
2443         /* Note: if opt_domain is "" then send no domain */
2444         if (opt_domain == NULL) {
2445                 opt_domain = get_winbind_domain();
2446         }
2447 
2448         if (opt_workstation == NULL) {
2449                 opt_workstation = "";
2450         }
2451 
2452         if (helper_protocol) {
2453                 int i;
2454                 for (i=0; i<NUM_HELPER_MODES; i++) {
2455                         if (strcmp(helper_protocol, stdio_helper_protocols[i].name) == 0) {
2456                                 squid_stream(stdio_helper_protocols[i].mode, stdio_helper_protocols[i].fn);
2457                                 exit(0);
2458                         }
2459                 }
2460                 x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
2461 
2462                 for (i=0; i<NUM_HELPER_MODES; i++) {
2463                         x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
2464                 }
2465 
2466                 exit(1);
2467         }
2468 
2469         if (!opt_username || !*opt_username) {
2470                 x_fprintf(x_stderr, "username must be specified!\n\n");
2471                 poptPrintHelp(pc, stderr, 0);
2472                 exit(1);
2473         }
2474 
2475         if (opt_challenge.length) {
2476                 if (!check_auth_crap()) {
2477                         exit(1);
2478                 }
2479                 exit(0);
2480         } 
2481 
2482         if (!opt_password) {
2483                 opt_password = getpass("password: ");
2484         }
2485 
2486         if (diagnostics) {
2487                 if (!diagnose_ntlm_auth()) {
2488                         return 1;
2489                 }
2490         } else {
2491                 fstring user;
2492 
2493                 fstr_sprintf(user, "%s%c%s", opt_domain, winbind_separator(), opt_username);
2494                 if (!check_plaintext_auth(user, opt_password, True)) {
2495                         return 1;
2496                 }
2497         }
2498 
2499         /* Exit code */
2500 
2501         poptFreeContext(pc);
2502         TALLOC_FREE(frame);
2503         return 0;
2504 }

/* [<][>][^][v][top][bottom][index][help] */