Context Navigation

source: branches/samba-3.0/source/utils/ntlm_auth.c

Visit:

Last change on this file was 165, checked in by Paul Smedley, 16 years ago
Add 'missing' 3.0.34 diffs
File size: 65.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Winbind status program.
5
6	Copyright (C) Tim Potter 2000-2003
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8	Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
9	Copyright (C) Robert O'Callahan 2006 (added cached credential code).
10
11	This program is free software; you can redistribute it and/or modify
12	it under the terms of the GNU General Public License as published by
13	the Free Software Foundation; either version 2 of the License, or
14	(at your option) any later version.
15
16	This program is distributed in the hope that it will be useful,
17	but WITHOUT ANY WARRANTY; without even the implied warranty of
18	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	GNU General Public License for more details.
20
21	You should have received a copy of the GNU General Public License
22	along with this program; if not, write to the Free Software
23	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24	*/
25
26	#include "includes.h"
27	#include "utils/ntlm_auth.h"
28
29	#undef DBGC_CLASS
30	#define DBGC_CLASS DBGC_WINBIND
31
32	#define SQUID_BUFFER_SIZE 2010
33
34	enum stdio_helper_mode {
35	SQUID_2_4_BASIC,
36	SQUID_2_5_BASIC,
37	SQUID_2_5_NTLMSSP,
38	NTLMSSP_CLIENT_1,
39	GSS_SPNEGO,
40	GSS_SPNEGO_CLIENT,
41	NTLM_SERVER_1,
42	NTLM_CHANGE_PASSWORD_1,
43	NUM_HELPER_MODES
44	};
45
46	typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode,
47	char *buf, int length);
48
49	static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode,
50	char *buf, int length);
51
52	static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
53	char *buf, int length);
54
55	static void manage_client_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
56	char *buf, int length);
57
58	static void manage_gss_spnego_request (enum stdio_helper_mode stdio_helper_mode,
59	char *buf, int length);
60
61	static void manage_gss_spnego_client_request (enum stdio_helper_mode stdio_helper_mode,
62	char *buf, int length);
63
64	static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
65	char *buf, int length);
66
67	static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_mode, char *buf, int length);
68
69	static const struct {
70	enum stdio_helper_mode mode;
71	const char *name;
72	stdio_helper_function fn;
73	} stdio_helper_protocols[] = {
74	{ SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
75	{ SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
76	{ SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
77	{ NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_client_ntlmssp_request},
78	{ GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
79	{ GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
80	{ NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
81	{ NTLM_CHANGE_PASSWORD_1, "ntlm-change-password-1", manage_ntlm_change_password_1_request},
82	{ NUM_HELPER_MODES, NULL, NULL}
83	};
84
85	extern int winbindd_fd;
86
87	const char *opt_username;
88	const char *opt_domain;
89	const char *opt_workstation;
90	const char *opt_password;
91	static DATA_BLOB opt_challenge;
92	static DATA_BLOB opt_lm_response;
93	static DATA_BLOB opt_nt_response;
94	static int request_lm_key;
95	static int request_user_session_key;
96	static int use_cached_creds;
97
98	static const char *require_membership_of;
99	static const char *require_membership_of_sid;
100
101	static char winbind_separator(void)
102	{
103	struct winbindd_response response;
104	static BOOL got_sep;
105	static char sep;
106
107	if (got_sep)
108	return sep;
109
110	ZERO_STRUCT(response);
111
112	/* Send off request */
113
114	if (winbindd_request_response(WINBINDD_INFO, NULL, &response) !=
115	NSS_STATUS_SUCCESS) {
116	d_printf("could not obtain winbind separator!\n");
117	return *lp_winbind_separator();
118	}
119
120	sep = response.data.info.winbind_separator;
121	got_sep = True;
122
123	if (!sep) {
124	d_printf("winbind separator was NULL!\n");
125	return *lp_winbind_separator();
126	}
127
128	return sep;
129	}
130
131	const char *get_winbind_domain(void)
132	{
133	struct winbindd_response response;
134
135	static fstring winbind_domain;
136	if (*winbind_domain) {
137	return winbind_domain;
138	}
139
140	ZERO_STRUCT(response);
141
142	/* Send off request */
143
144	if (winbindd_request_response(WINBINDD_DOMAIN_NAME, NULL, &response) !=
145	NSS_STATUS_SUCCESS) {
146	DEBUG(0, ("could not obtain winbind domain name!\n"));
147	return lp_workgroup();
148	}
149
150	fstrcpy(winbind_domain, response.data.domain_name);
151
152	return winbind_domain;
153
154	}
155
156	const char *get_winbind_netbios_name(void)
157	{
158	struct winbindd_response response;
159
160	static fstring winbind_netbios_name;
161
162	if (*winbind_netbios_name) {
163	return winbind_netbios_name;
164	}
165
166	ZERO_STRUCT(response);
167
168	/* Send off request */
169
170	if (winbindd_request_response(WINBINDD_NETBIOS_NAME, NULL, &response) !=
171	NSS_STATUS_SUCCESS) {
172	DEBUG(0, ("could not obtain winbind netbios name!\n"));
173	return global_myname();
174	}
175
176	fstrcpy(winbind_netbios_name, response.data.netbios_name);
177
178	return winbind_netbios_name;
179
180	}
181
182	DATA_BLOB get_challenge(void)
183	{
184	static DATA_BLOB chal;
185	if (opt_challenge.length)
186	return opt_challenge;
187
188	chal = data_blob(NULL, 8);
189
190	generate_random_buffer(chal.data, chal.length);
191	return chal;
192	}
193
194	/* Copy of parse_domain_user from winbindd_util.c. Parse a string of the
195	form DOMAIN/user into a domain and a user */
196
197	static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain,
198	fstring user)
199	{
200
201	char *p = strchr(domuser,winbind_separator());
202
203	if (!p) {
204	return False;
205	}
206
207	fstrcpy(user, p+1);
208	fstrcpy(domain, domuser);
209	domain[PTR_DIFF(p, domuser)] = 0;
210	strupper_m(domain);
211
212	return True;
213	}
214
215	static BOOL get_require_membership_sid(void) {
216	struct winbindd_request request;
217	struct winbindd_response response;
218
219	if (!require_membership_of) {
220	return True;
221	}
222
223	if (require_membership_of_sid) {
224	return True;
225	}
226
227	/* Otherwise, ask winbindd for the name->sid request */
228
229	ZERO_STRUCT(request);
230	ZERO_STRUCT(response);
231
232	if (!parse_ntlm_auth_domain_user(require_membership_of,
233	request.data.name.dom_name,
234	request.data.name.name)) {
235	DEBUG(0, ("Could not parse %s into seperate domain/name parts!\n",
236	require_membership_of));
237	return False;
238	}
239
240	if (winbindd_request_response(WINBINDD_LOOKUPNAME, &request, &response) !=
241	NSS_STATUS_SUCCESS) {
242	DEBUG(0, ("Winbindd lookupname failed to resolve %s into a SID!\n",
243	require_membership_of));
244	return False;
245	}
246
247	require_membership_of_sid = SMB_STRDUP(response.data.sid.sid);
248
249	if (require_membership_of_sid)
250	return True;
251
252	return False;
253	}
254	/* Authenticate a user with a plaintext password */
255
256	static BOOL check_plaintext_auth(const char user, const char pass,
257	BOOL stdout_diagnostics)
258	{
259	struct winbindd_request request;
260	struct winbindd_response response;
261	NSS_STATUS result;
262
263	if (!get_require_membership_sid()) {
264	return False;
265	}
266
267	/* Send off request */
268
269	ZERO_STRUCT(request);
270	ZERO_STRUCT(response);
271
272	fstrcpy(request.data.auth.user, user);
273	fstrcpy(request.data.auth.pass, pass);
274	if (require_membership_of_sid)
275	pstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
276
277	result = winbindd_request_response(WINBINDD_PAM_AUTH, &request, &response);
278
279	/* Display response */
280
281	if (stdout_diagnostics) {
282	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
283	d_printf("Reading winbind reply failed! (0x01)\n");
284	}
285
286	d_printf("%s: %s (0x%x)\n",
287	response.data.auth.nt_status_string,
288	response.data.auth.error_string,
289	response.data.auth.nt_status);
290	} else {
291	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
292	DEBUG(1, ("Reading winbind reply failed! (0x01)\n"));
293	}
294
295	DEBUG(3, ("%s: %s (0x%x)\n",
296	response.data.auth.nt_status_string,
297	response.data.auth.error_string,
298	response.data.auth.nt_status));
299	}
300
301	return (result == NSS_STATUS_SUCCESS);
302	}
303
304	/* authenticate a user with an encrypted username/password */
305
306	NTSTATUS contact_winbind_auth_crap(const char *username,
307	const char *domain,
308	const char *workstation,
309	const DATA_BLOB *challenge,
310	const DATA_BLOB *lm_response,
311	const DATA_BLOB *nt_response,
312	uint32 flags,
313	uint8 lm_key[8],
314	uint8 user_session_key[16],
315	char **error_string,
316	char **unix_name)
317	{
318	NTSTATUS nt_status;
319	NSS_STATUS result;
320	struct winbindd_request request;
321	struct winbindd_response response;
322
323	if (!get_require_membership_sid()) {
324	return NT_STATUS_INVALID_PARAMETER;
325	}
326
327	ZERO_STRUCT(request);
328	ZERO_STRUCT(response);
329
330	request.flags = flags;
331
332	request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT \| MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
333
334	if (require_membership_of_sid)
335	fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
336
337	fstrcpy(request.data.auth_crap.user, username);
338	fstrcpy(request.data.auth_crap.domain, domain);
339
340	fstrcpy(request.data.auth_crap.workstation,
341	workstation);
342
343	memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
344
345	if (lm_response && lm_response->length) {
346	memcpy(request.data.auth_crap.lm_resp,
347	lm_response->data,
348	MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
349	request.data.auth_crap.lm_resp_len = lm_response->length;
350	}
351
352	if (nt_response && nt_response->length) {
353	if (nt_response->length > sizeof(request.data.auth_crap.nt_resp)) {
354	request.flags = request.flags \| WBFLAG_BIG_NTLMV2_BLOB;
355	request.extra_len = nt_response->length;
356	request.extra_data.data = SMB_MALLOC_ARRAY(char, request.extra_len);
357	if (request.extra_data.data == NULL) {
358	return NT_STATUS_NO_MEMORY;
359	}
360	memcpy(request.extra_data.data, nt_response->data,
361	nt_response->length);
362
363	} else {
364	memcpy(request.data.auth_crap.nt_resp,
365	nt_response->data, nt_response->length);
366	}
367	request.data.auth_crap.nt_resp_len = nt_response->length;
368	}
369
370	result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response);
371	SAFE_FREE(request.extra_data.data);
372
373	/* Display response */
374
375	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
376	nt_status = NT_STATUS_UNSUCCESSFUL;
377	if (error_string)
378	*error_string = smb_xstrdup("Reading winbind reply failed!");
379	free_response(&response);
380	return nt_status;
381	}
382
383	nt_status = (NT_STATUS(response.data.auth.nt_status));
384	if (!NT_STATUS_IS_OK(nt_status)) {
385	if (error_string)
386	*error_string = smb_xstrdup(response.data.auth.error_string);
387	free_response(&response);
388	return nt_status;
389	}
390
391	if ((flags & WBFLAG_PAM_LMKEY) && lm_key) {
392	memcpy(lm_key, response.data.auth.first_8_lm_hash,
393	sizeof(response.data.auth.first_8_lm_hash));
394	}
395	if ((flags & WBFLAG_PAM_USER_SESSION_KEY) && user_session_key) {
396	memcpy(user_session_key, response.data.auth.user_session_key,
397	sizeof(response.data.auth.user_session_key));
398	}
399
400	if (flags & WBFLAG_PAM_UNIX_NAME) {
401	unix_name = SMB_STRDUP((char )response.extra_data.data);
402	if (!*unix_name) {
403	free_response(&response);
404	return NT_STATUS_NO_MEMORY;
405	}
406	}
407
408	free_response(&response);
409	return nt_status;
410	}
411
412	/* contact server to change user password using auth crap */
413	static NTSTATUS contact_winbind_change_pswd_auth_crap(const char *username,
414	const char *domain,
415	const DATA_BLOB new_nt_pswd,
416	const DATA_BLOB old_nt_hash_enc,
417	const DATA_BLOB new_lm_pswd,
418	const DATA_BLOB old_lm_hash_enc,
419	char **error_string)
420	{
421	NTSTATUS nt_status;
422	NSS_STATUS result;
423	struct winbindd_request request;
424	struct winbindd_response response;
425
426	if (!get_require_membership_sid())
427	{
428	if(error_string)
429	*error_string = smb_xstrdup("Can't get membership sid.");
430	return NT_STATUS_INVALID_PARAMETER;
431	}
432
433	ZERO_STRUCT(request);
434	ZERO_STRUCT(response);
435
436	if(username != NULL)
437	fstrcpy(request.data.chng_pswd_auth_crap.user, username);
438	if(domain != NULL)
439	fstrcpy(request.data.chng_pswd_auth_crap.domain,domain);
440
441	if(new_nt_pswd.length)
442	{
443	memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd, new_nt_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_nt_pswd));
444	request.data.chng_pswd_auth_crap.new_nt_pswd_len = new_nt_pswd.length;
445	}
446
447	if(old_nt_hash_enc.length)
448	{
449	memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc, old_nt_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_nt_hash_enc));
450	request.data.chng_pswd_auth_crap.old_nt_hash_enc_len = old_nt_hash_enc.length;
451	}
452
453	if(new_lm_pswd.length)
454	{
455	memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd, new_lm_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_lm_pswd));
456	request.data.chng_pswd_auth_crap.new_lm_pswd_len = new_lm_pswd.length;
457	}
458
459	if(old_lm_hash_enc.length)
460	{
461	memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc, old_lm_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_lm_hash_enc));
462	request.data.chng_pswd_auth_crap.old_lm_hash_enc_len = old_lm_hash_enc.length;
463	}
464
465	result = winbindd_request_response(WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, &request, &response);
466
467	/* Display response */
468
469	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0))
470	{
471	nt_status = NT_STATUS_UNSUCCESSFUL;
472	if (error_string)
473	*error_string = smb_xstrdup("Reading winbind reply failed!");
474	free_response(&response);
475	return nt_status;
476	}
477
478	nt_status = (NT_STATUS(response.data.auth.nt_status));
479	if (!NT_STATUS_IS_OK(nt_status))
480	{
481	if (error_string)
482	*error_string = smb_xstrdup(response.data.auth.error_string);
483	free_response(&response);
484	return nt_status;
485	}
486
487	free_response(&response);
488
489	return nt_status;
490	}
491
492	static NTSTATUS winbind_pw_check(struct ntlmssp_state ntlmssp_state, DATA_BLOB user_session_key, DATA_BLOB *lm_session_key)
493	{
494	static const char zeros[16] = { 0, };
495	NTSTATUS nt_status;
496	char *error_string;
497	uint8 lm_key[8];
498	uint8 user_sess_key[16];
499	char *unix_name;
500
501	nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain,
502	ntlmssp_state->workstation,
503	&ntlmssp_state->chal,
504	&ntlmssp_state->lm_resp,
505	&ntlmssp_state->nt_resp,
506	WBFLAG_PAM_LMKEY \| WBFLAG_PAM_USER_SESSION_KEY \| WBFLAG_PAM_UNIX_NAME,
507	lm_key, user_sess_key,
508	&error_string, &unix_name);
509
510	if (NT_STATUS_IS_OK(nt_status)) {
511	if (memcmp(lm_key, zeros, 8) != 0) {
512	*lm_session_key = data_blob(NULL, 16);
513	memcpy(lm_session_key->data, lm_key, 8);
514	memset(lm_session_key->data+8, '\0', 8);
515	}
516
517	if (memcmp(user_sess_key, zeros, 16) != 0) {
518	*user_session_key = data_blob(user_sess_key, 16);
519	}
520	ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name);
521	SAFE_FREE(unix_name);
522	} else {
523	DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3,
524	("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
525	ntlmssp_state->domain, ntlmssp_state->user,
526	ntlmssp_state->workstation,
527	error_string ? error_string : "unknown error (NULL)"));
528	ntlmssp_state->auth_context = NULL;
529	}
530	return nt_status;
531	}
532
533	static NTSTATUS local_pw_check(struct ntlmssp_state ntlmssp_state, DATA_BLOB user_session_key, DATA_BLOB *lm_session_key)
534	{
535	NTSTATUS nt_status;
536	uint8 lm_pw[16], nt_pw[16];
537
538	nt_lm_owf_gen (opt_password, nt_pw, lm_pw);
539
540	nt_status = ntlm_password_check(ntlmssp_state->mem_ctx,
541	&ntlmssp_state->chal,
542	&ntlmssp_state->lm_resp,
543	&ntlmssp_state->nt_resp,
544	NULL, NULL,
545	ntlmssp_state->user,
546	ntlmssp_state->user,
547	ntlmssp_state->domain,
548	lm_pw, nt_pw, user_session_key, lm_session_key);
549
550	if (NT_STATUS_IS_OK(nt_status)) {
551	ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx,
552	"%s%c%s", ntlmssp_state->domain,
553	*lp_winbind_separator(),
554	ntlmssp_state->user);
555	} else {
556	DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
557	ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation,
558	nt_errstr(nt_status)));
559	ntlmssp_state->auth_context = NULL;
560	}
561	return nt_status;
562	}
563
564	static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_state)
565	{
566	NTSTATUS status;
567	if ( (opt_username == NULL) \|\| (opt_domain == NULL) ) {
568	status = NT_STATUS_UNSUCCESSFUL;
569	DEBUG(1, ("Need username and domain for NTLMSSP\n"));
570	return NT_STATUS_INVALID_PARAMETER;
571	}
572
573	status = ntlmssp_client_start(client_ntlmssp_state);
574
575	if (!NT_STATUS_IS_OK(status)) {
576	DEBUG(1, ("Could not start NTLMSSP client: %s\n",
577	nt_errstr(status)));
578	ntlmssp_end(client_ntlmssp_state);
579	return status;
580	}
581
582	status = ntlmssp_set_username(*client_ntlmssp_state, opt_username);
583
584	if (!NT_STATUS_IS_OK(status)) {
585	DEBUG(1, ("Could not set username: %s\n",
586	nt_errstr(status)));
587	ntlmssp_end(client_ntlmssp_state);
588	return status;
589	}
590
591	status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain);
592
593	if (!NT_STATUS_IS_OK(status)) {
594	DEBUG(1, ("Could not set domain: %s\n",
595	nt_errstr(status)));
596	ntlmssp_end(client_ntlmssp_state);
597	return status;
598	}
599
600	if (opt_password) {
601	status = ntlmssp_set_password(*client_ntlmssp_state, opt_password);
602
603	if (!NT_STATUS_IS_OK(status)) {
604	DEBUG(1, ("Could not set password: %s\n",
605	nt_errstr(status)));
606	ntlmssp_end(client_ntlmssp_state);
607	return status;
608	}
609	}
610
611	return NT_STATUS_OK;
612	}
613
614	static NTSTATUS ntlm_auth_start_ntlmssp_server(NTLMSSP_STATE **ntlmssp_state)
615	{
616	NTSTATUS status = ntlmssp_server_start(ntlmssp_state);
617
618	if (!NT_STATUS_IS_OK(status)) {
619	DEBUG(1, ("Could not start NTLMSSP server: %s\n",
620	nt_errstr(status)));
621	return status;
622	}
623
624	/* Have we been given a local password, or should we ask winbind? */
625	if (opt_password) {
626	(*ntlmssp_state)->check_password = local_pw_check;
627	(*ntlmssp_state)->get_domain = lp_workgroup;
628	(*ntlmssp_state)->get_global_myname = global_myname;
629	} else {
630	(*ntlmssp_state)->check_password = winbind_pw_check;
631	(*ntlmssp_state)->get_domain = get_winbind_domain;
632	(*ntlmssp_state)->get_global_myname = get_winbind_netbios_name;
633	}
634	return NT_STATUS_OK;
635	}
636
637	/*******************************************************************
638	Used by firefox to drive NTLM auth to IIS servers.
639	*******************************************************************/
640
641	static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB initial_msg, DATA_BLOB challenge_msg,
642	DATA_BLOB *reply)
643	{
644	struct winbindd_request wb_request;
645	struct winbindd_response wb_response;
646	NSS_STATUS result;
647
648	/* get winbindd to do the ntlmssp step on our behalf */
649	ZERO_STRUCT(wb_request);
650	ZERO_STRUCT(wb_response);
651
652	fstr_sprintf(wb_request.data.ccache_ntlm_auth.user,
653	"%s%c%s", opt_domain, winbind_separator(), opt_username);
654	wb_request.data.ccache_ntlm_auth.uid = geteuid();
655	wb_request.data.ccache_ntlm_auth.initial_blob_len = initial_msg.length;
656	wb_request.data.ccache_ntlm_auth.challenge_blob_len = challenge_msg.length;
657	wb_request.extra_len = initial_msg.length + challenge_msg.length;
658
659	if (wb_request.extra_len > 0) {
660	wb_request.extra_data.data = SMB_MALLOC_ARRAY(char, wb_request.extra_len);
661	if (wb_request.extra_data.data == NULL) {
662	return NT_STATUS_NO_MEMORY;
663	}
664
665	memcpy(wb_request.extra_data.data, initial_msg.data, initial_msg.length);
666	memcpy(wb_request.extra_data.data + initial_msg.length,
667	challenge_msg.data, challenge_msg.length);
668	}
669
670	result = winbindd_request_response(WINBINDD_CCACHE_NTLMAUTH, &wb_request, &wb_response);
671	SAFE_FREE(wb_request.extra_data.data);
672
673	if (result != NSS_STATUS_SUCCESS) {
674	free_response(&wb_response);
675	return NT_STATUS_UNSUCCESSFUL;
676	}
677
678	if (reply) {
679	*reply = data_blob(wb_response.extra_data.data,
680	wb_response.data.ccache_ntlm_auth.auth_blob_len);
681	if (wb_response.data.ccache_ntlm_auth.auth_blob_len > 0 &&
682	reply->data == NULL) {
683	free_response(&wb_response);
684	return NT_STATUS_NO_MEMORY;
685	}
686	}
687
688	free_response(&wb_response);
689	return NT_STATUS_MORE_PROCESSING_REQUIRED;
690	}
691
692	static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode,
693	char *buf, int length)
694	{
695	static NTLMSSP_STATE *ntlmssp_state = NULL;
696	static char* want_feature_list = NULL;
697	static uint32 neg_flags = 0;
698	static BOOL have_session_key = False;
699	static DATA_BLOB session_key;
700	DATA_BLOB request, reply;
701	NTSTATUS nt_status;
702
703	if (strlen(buf) < 2) {
704	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
705	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
706	return;
707	}
708
709	if (strlen(buf) > 3) {
710	if(strncmp(buf, "SF ", 3) == 0){
711	DEBUG(10, ("Setting flags to negotioate\n"));
712	SAFE_FREE(want_feature_list);
713	want_feature_list = SMB_STRNDUP(buf+3, strlen(buf)-3);
714	x_fprintf(x_stdout, "OK\n");
715	return;
716	}
717	request = base64_decode_data_blob(buf + 3);
718	} else {
719	request = data_blob(NULL, 0);
720	}
721
722	if ((strncmp(buf, "PW ", 3) == 0)) {
723	/* The calling application wants us to use a local password (rather than winbindd) */
724
725	opt_password = SMB_STRNDUP((const char *)request.data, request.length);
726
727	if (opt_password == NULL) {
728	DEBUG(1, ("Out of memory\n"));
729	x_fprintf(x_stdout, "BH Out of memory\n");
730	data_blob_free(&request);
731	return;
732	}
733
734	x_fprintf(x_stdout, "OK\n");
735	data_blob_free(&request);
736	return;
737	}
738
739	if (strncmp(buf, "YR", 2) == 0) {
740	if (ntlmssp_state)
741	ntlmssp_end(&ntlmssp_state);
742	} else if (strncmp(buf, "KK", 2) == 0) {
743
744	} else if (strncmp(buf, "GF", 2) == 0) {
745	DEBUG(10, ("Requested negotiated NTLMSSP flags\n"));
746	x_fprintf(x_stdout, "GF 0x%08lx\n", have_session_key?neg_flags:0l);
747	data_blob_free(&request);
748	return;
749	} else if (strncmp(buf, "GK", 2) == 0) {
750	DEBUG(10, ("Requested NTLMSSP session key\n"));
751	if(have_session_key) {
752	char *key64 = base64_encode_data_blob(session_key);
753	x_fprintf(x_stdout, "GK %s\n", key64?key64:"<NULL>");
754	SAFE_FREE(key64);
755	} else {
756	x_fprintf(x_stdout, "BH No session key available\n");
757	}
758
759	data_blob_free(&request);
760	return;
761	} else {
762	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
763	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
764	return;
765	}
766
767	if (!ntlmssp_state) {
768	if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
769	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
770	return;
771	}
772	ntlmssp_want_feature_list(ntlmssp_state, want_feature_list);
773	}
774
775	DEBUG(10, ("got NTLMSSP packet:\n"));
776	dump_data(10, (const char *)request.data, request.length);
777
778	nt_status = ntlmssp_update(ntlmssp_state, request, &reply);
779
780	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
781	char *reply_base64 = base64_encode_data_blob(reply);
782	x_fprintf(x_stdout, "TT %s\n", reply_base64);
783	SAFE_FREE(reply_base64);
784	data_blob_free(&reply);
785	DEBUG(10, ("NTLMSSP challenge\n"));
786	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
787	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
788	DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
789
790	ntlmssp_end(&ntlmssp_state);
791	} else if (!NT_STATUS_IS_OK(nt_status)) {
792	x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
793	DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
794	} else {
795	x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context);
796	DEBUG(10, ("NTLMSSP OK!\n"));
797
798	if(have_session_key)
799	data_blob_free(&session_key);
800	session_key = data_blob(ntlmssp_state->session_key.data,
801	ntlmssp_state->session_key.length);
802	neg_flags = ntlmssp_state->neg_flags;
803	have_session_key = True;
804	}
805
806	data_blob_free(&request);
807	}
808
809	static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode,
810	char *buf, int length)
811	{
812	/* The statics here are HORRIBLE and this entire concept
813	needs to be rewritten. Essentially it's using these statics
814	as the state in a state machine. BLEEEGH ! JRA. */
815
816	static NTLMSSP_STATE *ntlmssp_state = NULL;
817	static DATA_BLOB initial_message;
818	static char* want_feature_list = NULL;
819	static uint32 neg_flags = 0;
820	static BOOL have_session_key = False;
821	static DATA_BLOB session_key;
822	DATA_BLOB request, reply;
823	NTSTATUS nt_status;
824	BOOL first = False;
825
826	if (!opt_username \|\| !*opt_username) {
827	x_fprintf(x_stderr, "username must be specified!\n\n");
828	exit(1);
829	}
830
831	if (strlen(buf) < 2) {
832	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
833	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
834	return;
835	}
836
837	if (strlen(buf) > 3) {
838	if(strncmp(buf, "SF ", 3) == 0) {
839	DEBUG(10, ("Looking for flags to negotiate\n"));
840	SAFE_FREE(want_feature_list);
841	want_feature_list = SMB_STRNDUP(buf+3, strlen(buf)-3);
842	x_fprintf(x_stdout, "OK\n");
843	return;
844	}
845	request = base64_decode_data_blob(buf + 3);
846	} else {
847	request = data_blob(NULL, 0);
848	}
849
850	if (strncmp(buf, "PW ", 3) == 0) {
851	/* We asked for a password and obviously got it :-) */
852
853	opt_password = SMB_STRNDUP((const char *)request.data, request.length);
854
855	if (opt_password == NULL) {
856	DEBUG(1, ("Out of memory\n"));
857	x_fprintf(x_stdout, "BH Out of memory\n");
858	data_blob_free(&request);
859	return;
860	}
861
862	x_fprintf(x_stdout, "OK\n");
863	data_blob_free(&request);
864	return;
865	}
866
867	if (!ntlmssp_state && use_cached_creds) {
868	/* check whether credentials are usable. */
869	DATA_BLOB empty_blob = data_blob(NULL, 0);
870
871	nt_status = do_ccache_ntlm_auth(empty_blob, empty_blob, NULL);
872	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
873	/* failed to use cached creds */
874	use_cached_creds = False;
875	}
876	}
877
878	if (opt_password == NULL && !use_cached_creds) {
879
880	/* Request a password from the calling process. After
881	sending it, the calling process should retry asking for the negotiate. */
882
883	DEBUG(10, ("Requesting password\n"));
884	x_fprintf(x_stdout, "PW\n");
885	return;
886	}
887
888	if (strncmp(buf, "YR", 2) == 0) {
889	if (ntlmssp_state)
890	ntlmssp_end(&ntlmssp_state);
891	} else if (strncmp(buf, "TT", 2) == 0) {
892
893	} else if (strncmp(buf, "GF", 2) == 0) {
894	DEBUG(10, ("Requested negotiated NTLMSSP flags\n"));
895	x_fprintf(x_stdout, "GF 0x%08lx\n", have_session_key?neg_flags:0l);
896	data_blob_free(&request);
897	return;
898	} else if (strncmp(buf, "GK", 2) == 0 ) {
899	DEBUG(10, ("Requested session key\n"));
900
901	if(have_session_key) {
902	char *key64 = base64_encode_data_blob(session_key);
903	x_fprintf(x_stdout, "GK %s\n", key64?key64:"<NULL>");
904	SAFE_FREE(key64);
905	}
906	else {
907	x_fprintf(x_stdout, "BH No session key available\n");
908	}
909
910	data_blob_free(&request);
911	return;
912	} else {
913	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
914	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
915	return;
916	}
917
918	if (!ntlmssp_state) {
919	if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) {
920	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
921	return;
922	}
923	ntlmssp_want_feature_list(ntlmssp_state, want_feature_list);
924	first = True;
925	initial_message = data_blob(NULL, 0);
926	}
927
928	DEBUG(10, ("got NTLMSSP packet:\n"));
929	dump_data(10, (const char *)request.data, request.length);
930
931	if (use_cached_creds && !opt_password && !first) {
932	nt_status = do_ccache_ntlm_auth(initial_message, request, &reply);
933	} else {
934	nt_status = ntlmssp_update(ntlmssp_state, request, &reply);
935	}
936
937	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
938	char *reply_base64 = base64_encode_data_blob(reply);
939	if (first) {
940	x_fprintf(x_stdout, "YR %s\n", reply_base64);
941	} else {
942	x_fprintf(x_stdout, "KK %s\n", reply_base64);
943	}
944	SAFE_FREE(reply_base64);
945	if (first) {
946	initial_message = reply;
947	} else {
948	data_blob_free(&reply);
949	}
950	DEBUG(10, ("NTLMSSP challenge\n"));
951	} else if (NT_STATUS_IS_OK(nt_status)) {
952	char *reply_base64 = base64_encode_data_blob(reply);
953	x_fprintf(x_stdout, "AF %s\n", reply_base64);
954	SAFE_FREE(reply_base64);
955
956	if(have_session_key)
957	data_blob_free(&session_key);
958
959	session_key = data_blob(ntlmssp_state->session_key.data,
960	ntlmssp_state->session_key.length);
961	neg_flags = ntlmssp_state->neg_flags;
962	have_session_key = True;
963
964	DEBUG(10, ("NTLMSSP OK!\n"));
965	if (ntlmssp_state)
966	ntlmssp_end(&ntlmssp_state);
967	} else {
968	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
969	DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
970	if (ntlmssp_state)
971	ntlmssp_end(&ntlmssp_state);
972	}
973
974	data_blob_free(&request);
975	}
976
977	static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
978	char *buf, int length)
979	{
980	char user, pass;
981	user=buf;
982
983	pass=(char *)memchr(buf,' ',length);
984	if (!pass) {
985	DEBUG(2, ("Password not found. Denying access\n"));
986	x_fprintf(x_stdout, "ERR\n");
987	return;
988	}
989	*pass='\0';
990	pass++;
991
992	if (stdio_helper_mode == SQUID_2_5_BASIC) {
993	rfc1738_unescape(user);
994	rfc1738_unescape(pass);
995	}
996
997	if (check_plaintext_auth(user, pass, False)) {
998	x_fprintf(x_stdout, "OK\n");
999	} else {
1000	x_fprintf(x_stdout, "ERR\n");
1001	}
1002	}
1003
1004	static void offer_gss_spnego_mechs(void) {
1005
1006	DATA_BLOB token;
1007	SPNEGO_DATA spnego;
1008	ssize_t len;
1009	char *reply_base64;
1010
1011	pstring principal;
1012	pstring myname_lower;
1013
1014	ZERO_STRUCT(spnego);
1015
1016	pstrcpy(myname_lower, global_myname());
1017	strlower_m(myname_lower);
1018
1019	pstr_sprintf(principal, "%s$@%s", myname_lower, lp_realm());
1020
1021	/* Server negTokenInit (mech offerings) */
1022	spnego.type = SPNEGO_NEG_TOKEN_INIT;
1023	spnego.negTokenInit.mechTypes = SMB_XMALLOC_ARRAY(const char *, 2);
1024	#ifdef HAVE_KRB5
1025	spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_KERBEROS5_OLD);
1026	spnego.negTokenInit.mechTypes[1] = smb_xstrdup(OID_NTLMSSP);
1027	spnego.negTokenInit.mechTypes[2] = NULL;
1028	#else
1029	spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_NTLMSSP);
1030	spnego.negTokenInit.mechTypes[1] = NULL;
1031	#endif
1032
1033
1034	spnego.negTokenInit.mechListMIC = data_blob(principal,
1035	strlen(principal));
1036
1037	len = write_spnego_data(&token, &spnego);
1038	free_spnego_data(&spnego);
1039
1040	if (len == -1) {
1041	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1042	x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1043	return;
1044	}
1045
1046	reply_base64 = base64_encode_data_blob(token);
1047	x_fprintf(x_stdout, "TT %s *\n", reply_base64);
1048
1049	SAFE_FREE(reply_base64);
1050	data_blob_free(&token);
1051	DEBUG(10, ("sent SPNEGO negTokenInit\n"));
1052	return;
1053	}
1054
1055	static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
1056	char *buf, int length)
1057	{
1058	static NTLMSSP_STATE *ntlmssp_state = NULL;
1059	SPNEGO_DATA request, response;
1060	DATA_BLOB token;
1061	NTSTATUS status;
1062	ssize_t len;
1063
1064	char *user = NULL;
1065	char *domain = NULL;
1066
1067	const char *reply_code;
1068	char *reply_base64;
1069	pstring reply_argument;
1070
1071	if (strlen(buf) < 2) {
1072	DEBUG(1, ("SPENGO query [%s] invalid", buf));
1073	x_fprintf(x_stdout, "BH SPENGO query invalid\n");
1074	return;
1075	}
1076
1077	if (strncmp(buf, "YR", 2) == 0) {
1078	if (ntlmssp_state)
1079	ntlmssp_end(&ntlmssp_state);
1080	} else if (strncmp(buf, "KK", 2) == 0) {
1081
1082	} else {
1083	DEBUG(1, ("SPENGO query [%s] invalid", buf));
1084	x_fprintf(x_stdout, "BH SPENGO query invalid\n");
1085	return;
1086	}
1087
1088	if ( (strlen(buf) == 2)) {
1089
1090	/* no client data, get the negTokenInit offering
1091	mechanisms */
1092
1093	offer_gss_spnego_mechs();
1094	return;
1095	}
1096
1097	/* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */
1098
1099	if (strlen(buf) <= 3) {
1100	DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf));
1101	x_fprintf(x_stdout, "BH GSS-SPNEGO query invalid\n");
1102	return;
1103	}
1104
1105	token = base64_decode_data_blob(buf + 3);
1106	len = read_spnego_data(token, &request);
1107	data_blob_free(&token);
1108
1109	if (len == -1) {
1110	DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf));
1111	x_fprintf(x_stdout, "BH GSS-SPNEGO query invalid\n");
1112	return;
1113	}
1114
1115	if (request.type == SPNEGO_NEG_TOKEN_INIT) {
1116
1117	/* Second request from Client. This is where the
1118	client offers its mechanism to use. */
1119
1120	if ( (request.negTokenInit.mechTypes == NULL) \|\|
1121	(request.negTokenInit.mechTypes[0] == NULL) ) {
1122	DEBUG(1, ("Client did not offer any mechanism"));
1123	x_fprintf(x_stdout, "BH Client did not offer any mechanism\n");
1124	return;
1125	}
1126
1127	status = NT_STATUS_UNSUCCESSFUL;
1128	if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) {
1129
1130	if ( request.negTokenInit.mechToken.data == NULL ) {
1131	DEBUG(1, ("Client did not provide NTLMSSP data\n"));
1132	x_fprintf(x_stdout, "BH Client did not provide NTLMSSP data\n");
1133	return;
1134	}
1135
1136	if ( ntlmssp_state != NULL ) {
1137	DEBUG(1, ("Client wants a new NTLMSSP challenge, but "
1138	"already got one\n"));
1139	x_fprintf(x_stdout, "BH Client wants a new NTLMSSP challenge, but already got one\n");
1140	ntlmssp_end(&ntlmssp_state);
1141	return;
1142	}
1143
1144	if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
1145	x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
1146	return;
1147	}
1148
1149	DEBUG(10, ("got NTLMSSP packet:\n"));
1150	dump_data(10, (const char *)request.negTokenInit.mechToken.data,
1151	request.negTokenInit.mechToken.length);
1152
1153	response.type = SPNEGO_NEG_TOKEN_TARG;
1154	response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP);
1155	response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
1156
1157	status = ntlmssp_update(ntlmssp_state,
1158	request.negTokenInit.mechToken,
1159	&response.negTokenTarg.responseToken);
1160	}
1161
1162	#ifdef HAVE_KRB5
1163	if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) {
1164
1165	TALLOC_CTX *mem_ctx = talloc_init("manage_gss_spnego_request");
1166	char *principal;
1167	DATA_BLOB ap_rep;
1168	DATA_BLOB session_key;
1169
1170	if ( request.negTokenInit.mechToken.data == NULL ) {
1171	DEBUG(1, ("Client did not provide Kerberos data\n"));
1172	x_fprintf(x_stdout, "BH Client did not provide Kerberos data\n");
1173	return;
1174	}
1175
1176	response.type = SPNEGO_NEG_TOKEN_TARG;
1177	response.negTokenTarg.supportedMech = SMB_STRDUP(OID_KERBEROS5_OLD);
1178	response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
1179	response.negTokenTarg.responseToken = data_blob(NULL, 0);
1180
1181	status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
1182	&request.negTokenInit.mechToken,
1183	&principal, NULL, &ap_rep,
1184	&session_key);
1185
1186	talloc_destroy(mem_ctx);
1187
1188	/* Now in "principal" we have the name we are
1189	authenticated as. */
1190
1191	if (NT_STATUS_IS_OK(status)) {
1192
1193	domain = strchr_m(principal, '@');
1194
1195	if (domain == NULL) {
1196	DEBUG(1, ("Did not get a valid principal "
1197	"from ads_verify_ticket\n"));
1198	x_fprintf(x_stdout, "BH Did not get a valid principal from ads_verify_ticket\n");
1199	return;
1200	}
1201
1202	*domain++ = '\0';
1203	domain = SMB_STRDUP(domain);
1204	user = SMB_STRDUP(principal);
1205
1206	data_blob_free(&ap_rep);
1207
1208	SAFE_FREE(principal);
1209	}
1210	}
1211	#endif
1212
1213	} else {
1214
1215	if ( (request.negTokenTarg.supportedMech == NULL) \|\|
1216	( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) {
1217	/* Kerberos should never send a negTokenTarg, OID_NTLMSSP
1218	is the only one we support that sends this stuff */
1219	DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n",
1220	request.negTokenTarg.supportedMech));
1221	x_fprintf(x_stdout, "BH Got a negTokenTarg for something non-NTLMSSP\n");
1222	return;
1223	}
1224
1225	if (request.negTokenTarg.responseToken.data == NULL) {
1226	DEBUG(1, ("Got a negTokenTarg without a responseToken!\n"));
1227	x_fprintf(x_stdout, "BH Got a negTokenTarg without a responseToken!\n");
1228	return;
1229	}
1230
1231	status = ntlmssp_update(ntlmssp_state,
1232	request.negTokenTarg.responseToken,
1233	&response.negTokenTarg.responseToken);
1234
1235	response.type = SPNEGO_NEG_TOKEN_TARG;
1236	response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP);
1237	response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
1238
1239	if (NT_STATUS_IS_OK(status)) {
1240	user = SMB_STRDUP(ntlmssp_state->user);
1241	domain = SMB_STRDUP(ntlmssp_state->domain);
1242	ntlmssp_end(&ntlmssp_state);
1243	}
1244	}
1245
1246	free_spnego_data(&request);
1247
1248	if (NT_STATUS_IS_OK(status)) {
1249	response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
1250	reply_code = "AF";
1251	pstr_sprintf(reply_argument, "%s\\%s", domain, user);
1252	} else if (NT_STATUS_EQUAL(status,
1253	NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1254	response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1255	reply_code = "TT";
1256	pstr_sprintf(reply_argument, "*");
1257	} else {
1258	response.negTokenTarg.negResult = SPNEGO_REJECT;
1259	reply_code = "NA";
1260	pstrcpy(reply_argument, nt_errstr(status));
1261	}
1262
1263	SAFE_FREE(user);
1264	SAFE_FREE(domain);
1265
1266	len = write_spnego_data(&token, &response);
1267	free_spnego_data(&response);
1268
1269	if (len == -1) {
1270	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1271	x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1272	return;
1273	}
1274
1275	reply_base64 = base64_encode_data_blob(token);
1276
1277	x_fprintf(x_stdout, "%s %s %s\n",
1278	reply_code, reply_base64, reply_argument);
1279
1280	SAFE_FREE(reply_base64);
1281	data_blob_free(&token);
1282
1283	return;
1284	}
1285
1286	static NTLMSSP_STATE *client_ntlmssp_state = NULL;
1287
1288	static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
1289	{
1290	NTSTATUS status;
1291	DATA_BLOB null_blob = data_blob(NULL, 0);
1292	DATA_BLOB to_server;
1293	char *to_server_base64;
1294	const char *my_mechs[] = {OID_NTLMSSP, NULL};
1295
1296	DEBUG(10, ("Got spnego negTokenInit with NTLMSSP\n"));
1297
1298	if (client_ntlmssp_state != NULL) {
1299	DEBUG(1, ("Request for initial SPNEGO request where "
1300	"we already have a state\n"));
1301	return False;
1302	}
1303
1304	if (!client_ntlmssp_state) {
1305	if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) {
1306	x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
1307	return False;
1308	}
1309	}
1310
1311
1312	if (opt_password == NULL) {
1313
1314	/* Request a password from the calling process. After
1315	sending it, the calling process should retry with
1316	the negTokenInit. */
1317
1318	DEBUG(10, ("Requesting password\n"));
1319	x_fprintf(x_stdout, "PW\n");
1320	return True;
1321	}
1322
1323	spnego.type = SPNEGO_NEG_TOKEN_INIT;
1324	spnego.negTokenInit.mechTypes = my_mechs;
1325	spnego.negTokenInit.reqFlags = 0;
1326	spnego.negTokenInit.mechListMIC = null_blob;
1327
1328	status = ntlmssp_update(client_ntlmssp_state, null_blob,
1329	&spnego.negTokenInit.mechToken);
1330
1331	if ( !(NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) \|\|
1332	NT_STATUS_IS_OK(status)) ) {
1333	DEBUG(1, ("Expected OK or MORE_PROCESSING_REQUIRED, got: %s\n",
1334	nt_errstr(status)));
1335	ntlmssp_end(&client_ntlmssp_state);
1336	return False;
1337	}
1338
1339	write_spnego_data(&to_server, &spnego);
1340	data_blob_free(&spnego.negTokenInit.mechToken);
1341
1342	to_server_base64 = base64_encode_data_blob(to_server);
1343	data_blob_free(&to_server);
1344	x_fprintf(x_stdout, "KK %s\n", to_server_base64);
1345	SAFE_FREE(to_server_base64);
1346	return True;
1347	}
1348
1349	static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego)
1350	{
1351	NTSTATUS status;
1352	DATA_BLOB null_blob = data_blob(NULL, 0);
1353	DATA_BLOB request;
1354	DATA_BLOB to_server;
1355	char *to_server_base64;
1356
1357	DEBUG(10, ("Got spnego negTokenTarg with NTLMSSP\n"));
1358
1359	if (client_ntlmssp_state == NULL) {
1360	DEBUG(1, ("Got NTLMSSP tArg without a client state\n"));
1361	x_fprintf(x_stdout, "BH Got NTLMSSP tArg without a client state\n");
1362	return;
1363	}
1364
1365	if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
1366	x_fprintf(x_stdout, "NA\n");
1367	ntlmssp_end(&client_ntlmssp_state);
1368	return;
1369	}
1370
1371	if (spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) {
1372	x_fprintf(x_stdout, "AF\n");
1373	ntlmssp_end(&client_ntlmssp_state);
1374	return;
1375	}
1376
1377	status = ntlmssp_update(client_ntlmssp_state,
1378	spnego.negTokenTarg.responseToken,
1379	&request);
1380
1381	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1382	DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED from "
1383	"ntlmssp_client_update, got: %s\n",
1384	nt_errstr(status)));
1385	x_fprintf(x_stdout, "BH Expected MORE_PROCESSING_REQUIRED from ntlmssp_client_update\n");
1386	data_blob_free(&request);
1387	ntlmssp_end(&client_ntlmssp_state);
1388	return;
1389	}
1390
1391	spnego.type = SPNEGO_NEG_TOKEN_TARG;
1392	spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1393	spnego.negTokenTarg.supportedMech = (char *)OID_NTLMSSP;
1394	spnego.negTokenTarg.responseToken = request;
1395	spnego.negTokenTarg.mechListMIC = null_blob;
1396
1397	write_spnego_data(&to_server, &spnego);
1398	data_blob_free(&request);
1399
1400	to_server_base64 = base64_encode_data_blob(to_server);
1401	data_blob_free(&to_server);
1402	x_fprintf(x_stdout, "KK %s\n", to_server_base64);
1403	SAFE_FREE(to_server_base64);
1404	return;
1405	}
1406
1407	#ifdef HAVE_KRB5
1408
1409	static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
1410	{
1411	char *principal;
1412	DATA_BLOB tkt, to_server;
1413	DATA_BLOB session_key_krb5 = data_blob(NULL, 0);
1414	SPNEGO_DATA reply;
1415	char *reply_base64;
1416	int retval;
1417
1418	const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL};
1419	ssize_t len;
1420
1421	if ( (spnego.negTokenInit.mechListMIC.data == NULL) \|\|
1422	(spnego.negTokenInit.mechListMIC.length == 0) ) {
1423	DEBUG(1, ("Did not get a principal for krb5\n"));
1424	return False;
1425	}
1426
1427	principal = (char *)SMB_MALLOC(
1428	spnego.negTokenInit.mechListMIC.length+1);
1429
1430	if (principal == NULL) {
1431	DEBUG(1, ("Could not malloc principal\n"));
1432	return False;
1433	}
1434
1435	memcpy(principal, spnego.negTokenInit.mechListMIC.data,
1436	spnego.negTokenInit.mechListMIC.length);
1437	principal[spnego.negTokenInit.mechListMIC.length] = '\0';
1438
1439	retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
1440
1441	if (retval) {
1442
1443	pstring user;
1444
1445	/* Let's try to first get the TGT, for that we need a
1446	password. */
1447
1448	if (opt_password == NULL) {
1449	DEBUG(10, ("Requesting password\n"));
1450	x_fprintf(x_stdout, "PW\n");
1451	return True;
1452	}
1453
1454	pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
1455
1456	if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) {
1457	DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
1458	return False;
1459	}
1460
1461	retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
1462
1463	if (retval) {
1464	DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
1465	return False;
1466	}
1467	}
1468
1469	data_blob_free(&session_key_krb5);
1470
1471	ZERO_STRUCT(reply);
1472
1473	reply.type = SPNEGO_NEG_TOKEN_INIT;
1474	reply.negTokenInit.mechTypes = my_mechs;
1475	reply.negTokenInit.reqFlags = 0;
1476	reply.negTokenInit.mechToken = tkt;
1477	reply.negTokenInit.mechListMIC = data_blob(NULL, 0);
1478
1479	len = write_spnego_data(&to_server, &reply);
1480	data_blob_free(&tkt);
1481
1482	if (len == -1) {
1483	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1484	return False;
1485	}
1486
1487	reply_base64 = base64_encode_data_blob(to_server);
1488	x_fprintf(x_stdout, "KK %s *\n", reply_base64);
1489
1490	SAFE_FREE(reply_base64);
1491	data_blob_free(&to_server);
1492	DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n"));
1493	return True;
1494	}
1495
1496	static void manage_client_krb5_targ(SPNEGO_DATA spnego)
1497	{
1498	switch (spnego.negTokenTarg.negResult) {
1499	case SPNEGO_ACCEPT_INCOMPLETE:
1500	DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n"));
1501	x_fprintf(x_stdout, "BH Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n");
1502	break;
1503	case SPNEGO_ACCEPT_COMPLETED:
1504	DEBUG(10, ("Accept completed\n"));
1505	x_fprintf(x_stdout, "AF\n");
1506	break;
1507	case SPNEGO_REJECT:
1508	DEBUG(10, ("Rejected\n"));
1509	x_fprintf(x_stdout, "NA\n");
1510	break;
1511	default:
1512	DEBUG(1, ("Got an invalid negTokenTarg\n"));
1513	x_fprintf(x_stdout, "AF\n");
1514	}
1515	}
1516
1517	#endif
1518
1519	static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper_mode,
1520	char *buf, int length)
1521	{
1522	DATA_BLOB request;
1523	SPNEGO_DATA spnego;
1524	ssize_t len;
1525
1526	if (!opt_username \|\| !*opt_username) {
1527	x_fprintf(x_stderr, "username must be specified!\n\n");
1528	exit(1);
1529	}
1530
1531	if (strlen(buf) <= 3) {
1532	DEBUG(1, ("SPNEGO query [%s] too short\n", buf));
1533	x_fprintf(x_stdout, "BH SPNEGO query too short\n");
1534	return;
1535	}
1536
1537	request = base64_decode_data_blob(buf+3);
1538
1539	if (strncmp(buf, "PW ", 3) == 0) {
1540
1541	/* We asked for a password and obviously got it :-) */
1542
1543	opt_password = SMB_STRNDUP((const char *)request.data, request.length);
1544
1545	if (opt_password == NULL) {
1546	DEBUG(1, ("Out of memory\n"));
1547	x_fprintf(x_stdout, "BH Out of memory\n");
1548	data_blob_free(&request);
1549	return;
1550	}
1551
1552	x_fprintf(x_stdout, "OK\n");
1553	data_blob_free(&request);
1554	return;
1555	}
1556
1557	if ( (strncmp(buf, "TT ", 3) != 0) &&
1558	(strncmp(buf, "AF ", 3) != 0) &&
1559	(strncmp(buf, "NA ", 3) != 0) ) {
1560	DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
1561	x_fprintf(x_stdout, "BH SPNEGO request invalid\n");
1562	data_blob_free(&request);
1563	return;
1564	}
1565
1566	/* So we got a server challenge to generate a SPNEGO
1567	client-to-server request... */
1568
1569	len = read_spnego_data(request, &spnego);
1570	data_blob_free(&request);
1571
1572	if (len == -1) {
1573	DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf));
1574	x_fprintf(x_stdout, "BH Could not read SPNEGO data\n");
1575	return;
1576	}
1577
1578	if (spnego.type == SPNEGO_NEG_TOKEN_INIT) {
1579
1580	/* The server offers a list of mechanisms */
1581
1582	const char mechType = (const char )spnego.negTokenInit.mechTypes;
1583
1584	while (*mechType != NULL) {
1585
1586	#ifdef HAVE_KRB5
1587	if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) \|\|
1588	(strcmp(*mechType, OID_KERBEROS5) == 0) ) {
1589	if (manage_client_krb5_init(spnego))
1590	goto out;
1591	}
1592	#endif
1593
1594	if (strcmp(*mechType, OID_NTLMSSP) == 0) {
1595	if (manage_client_ntlmssp_init(spnego))
1596	goto out;
1597	}
1598
1599	mechType++;
1600	}
1601
1602	DEBUG(1, ("Server offered no compatible mechanism\n"));
1603	x_fprintf(x_stdout, "BH Server offered no compatible mechanism\n");
1604	return;
1605	}
1606
1607	if (spnego.type == SPNEGO_NEG_TOKEN_TARG) {
1608
1609	if (spnego.negTokenTarg.supportedMech == NULL) {
1610	/* On accept/reject Windows does not send the
1611	mechanism anymore. Handle that here and
1612	shut down the mechanisms. */
1613
1614	switch (spnego.negTokenTarg.negResult) {
1615	case SPNEGO_ACCEPT_COMPLETED:
1616	x_fprintf(x_stdout, "AF\n");
1617	break;
1618	case SPNEGO_REJECT:
1619	x_fprintf(x_stdout, "NA\n");
1620	break;
1621	default:
1622	DEBUG(1, ("Got a negTokenTarg with no mech and an "
1623	"unknown negResult: %d\n",
1624	spnego.negTokenTarg.negResult));
1625	x_fprintf(x_stdout, "BH Got a negTokenTarg with no mech and an unknown negResult\n");
1626	}
1627
1628	ntlmssp_end(&client_ntlmssp_state);
1629	goto out;
1630	}
1631
1632	if (strcmp(spnego.negTokenTarg.supportedMech,
1633	OID_NTLMSSP) == 0) {
1634	manage_client_ntlmssp_targ(spnego);
1635	goto out;
1636	}
1637
1638	#if HAVE_KRB5
1639	if (strcmp(spnego.negTokenTarg.supportedMech,
1640	OID_KERBEROS5_OLD) == 0) {
1641	manage_client_krb5_targ(spnego);
1642	goto out;
1643	}
1644	#endif
1645
1646	}
1647
1648	DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf));
1649	x_fprintf(x_stdout, "BH Got an SPNEGO token I could not handle\n");
1650	return;
1651
1652	out:
1653	free_spnego_data(&spnego);
1654	return;
1655	}
1656
1657	static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode,
1658	char *buf, int length)
1659	{
1660	char request, parameter;
1661	static DATA_BLOB challenge;
1662	static DATA_BLOB lm_response;
1663	static DATA_BLOB nt_response;
1664	static char *full_username;
1665	static char *username;
1666	static char *domain;
1667	static char *plaintext_password;
1668	static BOOL ntlm_server_1_user_session_key;
1669	static BOOL ntlm_server_1_lm_session_key;
1670
1671	if (strequal(buf, ".")) {
1672	if (!full_username && !username) {
1673	x_fprintf(x_stdout, "Error: No username supplied!\n");
1674	} else if (plaintext_password) {
1675	/* handle this request as plaintext */
1676	if (!full_username) {
1677	if (asprintf(&full_username, "%s%c%s", domain, winbind_separator(), username) == -1) {
1678	x_fprintf(x_stdout, "Error: Out of memory in asprintf!\n.\n");
1679	return;
1680	}
1681	}
1682	if (check_plaintext_auth(full_username, plaintext_password, False)) {
1683	x_fprintf(x_stdout, "Authenticated: Yes\n");
1684	} else {
1685	x_fprintf(x_stdout, "Authenticated: No\n");
1686	}
1687	} else if (!lm_response.data && !nt_response.data) {
1688	x_fprintf(x_stdout, "Error: No password supplied!\n");
1689	} else if (!challenge.data) {
1690	x_fprintf(x_stdout, "Error: No lanman-challenge supplied!\n");
1691	} else {
1692	char *error_string = NULL;
1693	uchar lm_key[8];
1694	uchar user_session_key[16];
1695	uint32 flags = 0;
1696
1697	if (full_username && !username) {
1698	fstring fstr_user;
1699	fstring fstr_domain;
1700
1701	if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) {
1702	/* username might be 'tainted', don't print into our new-line deleimianted stream */
1703	x_fprintf(x_stdout, "Error: Could not parse into domain and username\n");
1704	}
1705	SAFE_FREE(username);
1706	SAFE_FREE(domain);
1707	username = smb_xstrdup(fstr_user);
1708	domain = smb_xstrdup(fstr_domain);
1709	}
1710
1711	if (!domain) {
1712	domain = smb_xstrdup(get_winbind_domain());
1713	}
1714
1715	if (ntlm_server_1_lm_session_key)
1716	flags \|= WBFLAG_PAM_LMKEY;
1717
1718	if (ntlm_server_1_user_session_key)
1719	flags \|= WBFLAG_PAM_USER_SESSION_KEY;
1720
1721	if (!NT_STATUS_IS_OK(
1722	contact_winbind_auth_crap(username,
1723	domain,
1724	global_myname(),
1725	&challenge,
1726	&lm_response,
1727	&nt_response,
1728	flags,
1729	lm_key,
1730	user_session_key,
1731	&error_string,
1732	NULL))) {
1733
1734	x_fprintf(x_stdout, "Authenticated: No\n");
1735	x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string);
1736	SAFE_FREE(error_string);
1737	} else {
1738	static char zeros[16];
1739	char *hex_lm_key;
1740	char *hex_user_session_key;
1741
1742	x_fprintf(x_stdout, "Authenticated: Yes\n");
1743
1744	if (ntlm_server_1_lm_session_key
1745	&& (memcmp(zeros, lm_key,
1746	sizeof(lm_key)) != 0)) {
1747	hex_lm_key = hex_encode(NULL,
1748	(const unsigned char *)lm_key,
1749	sizeof(lm_key));
1750	x_fprintf(x_stdout, "LANMAN-Session-Key: %s\n", hex_lm_key);
1751	TALLOC_FREE(hex_lm_key);
1752	}
1753
1754	if (ntlm_server_1_user_session_key
1755	&& (memcmp(zeros, user_session_key,
1756	sizeof(user_session_key)) != 0)) {
1757	hex_user_session_key = hex_encode(NULL,
1758	(const unsigned char *)user_session_key,
1759	sizeof(user_session_key));
1760	x_fprintf(x_stdout, "User-Session-Key: %s\n", hex_user_session_key);
1761	TALLOC_FREE(hex_user_session_key);
1762	}
1763	}
1764	}
1765	/* clear out the state */
1766	challenge = data_blob(NULL, 0);
1767	nt_response = data_blob(NULL, 0);
1768	lm_response = data_blob(NULL, 0);
1769	SAFE_FREE(full_username);
1770	SAFE_FREE(username);
1771	SAFE_FREE(domain);
1772	SAFE_FREE(plaintext_password);
1773	ntlm_server_1_user_session_key = False;
1774	ntlm_server_1_lm_session_key = False;
1775	x_fprintf(x_stdout, ".\n");
1776
1777	return;
1778	}
1779
1780	request = buf;
1781
1782	/* Indicates a base64 encoded structure */
1783	parameter = strstr_m(request, ":: ");
1784	if (!parameter) {
1785	parameter = strstr_m(request, ": ");
1786
1787	if (!parameter) {
1788	DEBUG(0, ("Parameter not found!\n"));
1789	x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
1790	return;
1791	}
1792
1793	parameter[0] ='\0';
1794	parameter++;
1795	parameter[0] ='\0';
1796	parameter++;
1797
1798	} else {
1799	parameter[0] ='\0';
1800	parameter++;
1801	parameter[0] ='\0';
1802	parameter++;
1803	parameter[0] ='\0';
1804	parameter++;
1805
1806	base64_decode_inplace(parameter);
1807	}
1808
1809	if (strequal(request, "LANMAN-Challenge")) {
1810	challenge = strhex_to_data_blob(NULL, parameter);
1811	if (challenge.length != 8) {
1812	x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n",
1813	parameter,
1814	(int)challenge.length);
1815	challenge = data_blob(NULL, 0);
1816	}
1817	} else if (strequal(request, "NT-Response")) {
1818	nt_response = strhex_to_data_blob(NULL, parameter);
1819	if (nt_response.length < 24) {
1820	x_fprintf(x_stdout, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n",
1821	parameter,
1822	(int)nt_response.length);
1823	nt_response = data_blob(NULL, 0);
1824	}
1825	} else if (strequal(request, "LANMAN-Response")) {
1826	lm_response = strhex_to_data_blob(NULL, parameter);
1827	if (lm_response.length != 24) {
1828	x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n",
1829	parameter,
1830	(int)lm_response.length);
1831	lm_response = data_blob(NULL, 0);
1832	}
1833	} else if (strequal(request, "Password")) {
1834	plaintext_password = smb_xstrdup(parameter);
1835	} else if (strequal(request, "NT-Domain")) {
1836	domain = smb_xstrdup(parameter);
1837	} else if (strequal(request, "Username")) {
1838	username = smb_xstrdup(parameter);
1839	} else if (strequal(request, "Full-Username")) {
1840	full_username = smb_xstrdup(parameter);
1841	} else if (strequal(request, "Request-User-Session-Key")) {
1842	ntlm_server_1_user_session_key = strequal(parameter, "Yes");
1843	} else if (strequal(request, "Request-LanMan-Session-Key")) {
1844	ntlm_server_1_lm_session_key = strequal(parameter, "Yes");
1845	} else {
1846	x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
1847	}
1848	}
1849
1850	static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_mode, char *buf, int length)
1851	{
1852	char request, parameter;
1853	static DATA_BLOB new_nt_pswd;
1854	static DATA_BLOB old_nt_hash_enc;
1855	static DATA_BLOB new_lm_pswd;
1856	static DATA_BLOB old_lm_hash_enc;
1857	static char *full_username = NULL;
1858	static char *username = NULL;
1859	static char *domain = NULL;
1860	static char *newpswd = NULL;
1861	static char *oldpswd = NULL;
1862
1863	if (strequal(buf, ".")) {
1864	if(newpswd && oldpswd) {
1865	uchar old_nt_hash[16];
1866	uchar old_lm_hash[16];
1867	uchar new_nt_hash[16];
1868	uchar new_lm_hash[16];
1869
1870	new_nt_pswd = data_blob(NULL, 516);
1871	old_nt_hash_enc = data_blob(NULL, 16);
1872
1873	/* Calculate the MD4 hash (NT compatible) of the
1874	* password */
1875	E_md4hash(oldpswd, old_nt_hash);
1876	E_md4hash(newpswd, new_nt_hash);
1877
1878	/* E_deshash returns false for 'long'
1879	passwords (> 14 DOS chars).
1880
1881	Therefore, don't send a buffer
1882	encrypted with the truncated hash
1883	(it could allow an even easier
1884	attack on the password)
1885
1886	Likewise, obey the admin's restriction
1887	*/
1888
1889	if (lp_client_lanman_auth() &&
1890	E_deshash(newpswd, new_lm_hash) &&
1891	E_deshash(oldpswd, old_lm_hash)) {
1892	new_lm_pswd = data_blob(NULL, 516);
1893	old_lm_hash_enc = data_blob(NULL, 16);
1894	encode_pw_buffer(new_lm_pswd.data, newpswd,
1895	STR_UNICODE);
1896
1897	SamOEMhash(new_lm_pswd.data, old_nt_hash, 516);
1898	E_old_pw_hash(new_nt_hash, old_lm_hash,
1899	old_lm_hash_enc.data);
1900	} else {
1901	new_lm_pswd.data = NULL;
1902	new_lm_pswd.length = 0;
1903	old_lm_hash_enc.data = NULL;
1904	old_lm_hash_enc.length = 0;
1905	}
1906
1907	encode_pw_buffer(new_nt_pswd.data, newpswd,
1908	STR_UNICODE);
1909
1910	SamOEMhash(new_nt_pswd.data, old_nt_hash, 516);
1911	E_old_pw_hash(new_nt_hash, old_nt_hash,
1912	old_nt_hash_enc.data);
1913	}
1914
1915	if (!full_username && !username) {
1916	x_fprintf(x_stdout, "Error: No username supplied!\n");
1917	} else if ((!new_nt_pswd.data \|\| !old_nt_hash_enc.data) &&
1918	(!new_lm_pswd.data \|\| old_lm_hash_enc.data) ) {
1919	x_fprintf(x_stdout, "Error: No NT or LM password "
1920	"blobs supplied!\n");
1921	} else {
1922	char *error_string = NULL;
1923
1924	if (full_username && !username) {
1925	fstring fstr_user;
1926	fstring fstr_domain;
1927
1928	if (!parse_ntlm_auth_domain_user(full_username,
1929	fstr_user,
1930	fstr_domain)) {
1931	/* username might be 'tainted', don't
1932	* print into our new-line
1933	* deleimianted stream */
1934	x_fprintf(x_stdout, "Error: Could not "
1935	"parse into domain and "
1936	"username\n");
1937	SAFE_FREE(username);
1938	username = smb_xstrdup(full_username);
1939	} else {
1940	SAFE_FREE(username);
1941	SAFE_FREE(domain);
1942	username = smb_xstrdup(fstr_user);
1943	domain = smb_xstrdup(fstr_domain);
1944	}
1945
1946	}
1947
1948	if(!NT_STATUS_IS_OK(contact_winbind_change_pswd_auth_crap(
1949	username, domain,
1950	new_nt_pswd,
1951	old_nt_hash_enc,
1952	new_lm_pswd,
1953	old_lm_hash_enc,
1954	&error_string))) {
1955	x_fprintf(x_stdout, "Password-Change: No\n");
1956	x_fprintf(x_stdout, "Password-Change-Error: "
1957	"%s\n.\n", error_string);
1958	} else {
1959	x_fprintf(x_stdout, "Password-Change: Yes\n");
1960	}
1961
1962	SAFE_FREE(error_string);
1963	}
1964	/* clear out the state */
1965	new_nt_pswd = data_blob(NULL, 0);
1966	old_nt_hash_enc = data_blob(NULL, 0);
1967	new_lm_pswd = data_blob(NULL, 0);
1968	old_nt_hash_enc = data_blob(NULL, 0);
1969	SAFE_FREE(full_username);
1970	SAFE_FREE(username);
1971	SAFE_FREE(domain);
1972	SAFE_FREE(newpswd);
1973	SAFE_FREE(oldpswd);
1974	x_fprintf(x_stdout, ".\n");
1975
1976	return;
1977	}
1978
1979	request = buf;
1980
1981	/* Indicates a base64 encoded structure */
1982	parameter = strstr_m(request, ":: ");
1983	if (!parameter) {
1984	parameter = strstr_m(request, ": ");
1985
1986	if (!parameter) {
1987	DEBUG(0, ("Parameter not found!\n"));
1988	x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
1989	return;
1990	}
1991
1992	parameter[0] ='\0';
1993	parameter++;
1994	parameter[0] ='\0';
1995	parameter++;
1996	} else {
1997	parameter[0] ='\0';
1998	parameter++;
1999	parameter[0] ='\0';
2000	parameter++;
2001	parameter[0] ='\0';
2002	parameter++;
2003
2004	base64_decode_inplace(parameter);
2005	}
2006
2007	if (strequal(request, "new-nt-password-blob")) {
2008	new_nt_pswd = strhex_to_data_blob(NULL, parameter);
2009	if (new_nt_pswd.length != 516) {
2010	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2011	"(got %d bytes, expected 516)\n.\n",
2012	parameter,
2013	(int)new_nt_pswd.length);
2014	new_nt_pswd = data_blob(NULL, 0);
2015	}
2016	} else if (strequal(request, "old-nt-hash-blob")) {
2017	old_nt_hash_enc = strhex_to_data_blob(NULL, parameter);
2018	if (old_nt_hash_enc.length != 16) {
2019	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2020	"(got %d bytes, expected 16)\n.\n",
2021	parameter,
2022	(int)old_nt_hash_enc.length);
2023	old_nt_hash_enc = data_blob(NULL, 0);
2024	}
2025	} else if (strequal(request, "new-lm-password-blob")) {
2026	new_lm_pswd = strhex_to_data_blob(NULL, parameter);
2027	if (new_lm_pswd.length != 516) {
2028	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2029	"(got %d bytes, expected 516)\n.\n",
2030	parameter,
2031	(int)new_lm_pswd.length);
2032	new_lm_pswd = data_blob(NULL, 0);
2033	}
2034	}
2035	else if (strequal(request, "old-lm-hash-blob")) {
2036	old_lm_hash_enc = strhex_to_data_blob(NULL, parameter);
2037	if (old_lm_hash_enc.length != 16)
2038	{
2039	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2040	"(got %d bytes, expected 16)\n.\n",
2041	parameter,
2042	(int)old_lm_hash_enc.length);
2043	old_lm_hash_enc = data_blob(NULL, 0);
2044	}
2045	} else if (strequal(request, "nt-domain")) {
2046	domain = smb_xstrdup(parameter);
2047	} else if(strequal(request, "username")) {
2048	username = smb_xstrdup(parameter);
2049	} else if(strequal(request, "full-username")) {
2050	username = smb_xstrdup(parameter);
2051	} else if(strequal(request, "new-password")) {
2052	newpswd = smb_xstrdup(parameter);
2053	} else if (strequal(request, "old-password")) {
2054	oldpswd = smb_xstrdup(parameter);
2055	} else {
2056	x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
2057	}
2058	}
2059
2060	static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn)
2061	{
2062	char buf[SQUID_BUFFER_SIZE+1];
2063	int length;
2064	char *c;
2065	static BOOL err;
2066
2067	/* this is not a typo - x_fgets doesn't work too well under squid */
2068	if (fgets(buf, sizeof(buf)-1, stdin) == NULL) {
2069	if (ferror(stdin)) {
2070	DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", ferror(stdin),
2071	strerror(ferror(stdin))));
2072
2073	exit(1); /* BIIG buffer */
2074	}
2075	exit(0);
2076	}
2077
2078	c=(char *)memchr(buf,'\n',sizeof(buf)-1);
2079	if (c) {
2080	*c = '\0';
2081	length = c-buf;
2082	} else {
2083	err = 1;
2084	return;
2085	}
2086	if (err) {
2087	DEBUG(2, ("Oversized message\n"));
2088	x_fprintf(x_stderr, "ERR\n");
2089	err = 0;
2090	return;
2091	}
2092
2093	DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
2094
2095	if (buf[0] == '\0') {
2096	DEBUG(2, ("Invalid Request\n"));
2097	x_fprintf(x_stderr, "ERR\n");
2098	return;
2099	}
2100
2101	fn(helper_mode, buf, length);
2102	}
2103
2104
2105	static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) {
2106	/* initialize FDescs */
2107	x_setbuf(x_stdout, NULL);
2108	x_setbuf(x_stderr, NULL);
2109	while(1) {
2110	manage_squid_request(stdio_mode, fn);
2111	}
2112	}
2113
2114
2115	/* Authenticate a user with a challenge/response */
2116
2117	static BOOL check_auth_crap(void)
2118	{
2119	NTSTATUS nt_status;
2120	uint32 flags = 0;
2121	char lm_key[8];
2122	char user_session_key[16];
2123	char *hex_lm_key;
2124	char *hex_user_session_key;
2125	char *error_string;
2126	static uint8 zeros[16];
2127
2128	x_setbuf(x_stdout, NULL);
2129
2130	if (request_lm_key)
2131	flags \|= WBFLAG_PAM_LMKEY;
2132
2133	if (request_user_session_key)
2134	flags \|= WBFLAG_PAM_USER_SESSION_KEY;
2135
2136	flags \|= WBFLAG_PAM_NT_STATUS_SQUASH;
2137
2138	nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
2139	opt_workstation,
2140	&opt_challenge,
2141	&opt_lm_response,
2142	&opt_nt_response,
2143	flags,
2144	(unsigned char *)lm_key,
2145	(unsigned char *)user_session_key,
2146	&error_string, NULL);
2147
2148	if (!NT_STATUS_IS_OK(nt_status)) {
2149	x_fprintf(x_stdout, "%s (0x%x)\n",
2150	error_string,
2151	NT_STATUS_V(nt_status));
2152	SAFE_FREE(error_string);
2153	return False;
2154	}
2155
2156	if (request_lm_key
2157	&& (memcmp(zeros, lm_key,
2158	sizeof(lm_key)) != 0)) {
2159	hex_lm_key = hex_encode(NULL, (const unsigned char *)lm_key,
2160	sizeof(lm_key));
2161	x_fprintf(x_stdout, "LM_KEY: %s\n", hex_lm_key);
2162	TALLOC_FREE(hex_lm_key);
2163	}
2164	if (request_user_session_key
2165	&& (memcmp(zeros, user_session_key,
2166	sizeof(user_session_key)) != 0)) {
2167	hex_user_session_key = hex_encode(NULL, (const unsigned char *)user_session_key,
2168	sizeof(user_session_key));
2169	x_fprintf(x_stdout, "NT_KEY: %s\n", hex_user_session_key);
2170	TALLOC_FREE(hex_user_session_key);
2171	}
2172
2173	return True;
2174	}
2175
2176	/* Main program */
2177
2178	enum {
2179	OPT_USERNAME = 1000,
2180	OPT_DOMAIN,
2181	OPT_WORKSTATION,
2182	OPT_CHALLENGE,
2183	OPT_RESPONSE,
2184	OPT_LM,
2185	OPT_NT,
2186	OPT_PASSWORD,
2187	OPT_LM_KEY,
2188	OPT_USER_SESSION_KEY,
2189	OPT_DIAGNOSTICS,
2190	OPT_REQUIRE_MEMBERSHIP,
2191	OPT_USE_CACHED_CREDS
2192	};
2193
2194	int main(int argc, const char **argv)
2195	{
2196	int opt;
2197	static const char *helper_protocol;
2198	static int diagnostics;
2199
2200	static const char *hex_challenge;
2201	static const char *hex_lm_response;
2202	static const char *hex_nt_response;
2203
2204	poptContext pc;
2205
2206	/* NOTE: DO NOT change this interface without considering the implications!
2207	This is an external interface, which other programs will use to interact
2208	with this helper.
2209	*/
2210
2211	/* We do not use single-letter command abbreviations, because they harm future
2212	interface stability. */
2213
2214	struct poptOption long_options[] = {
2215	POPT_AUTOHELP
2216	{ "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
2217	{ "username", 0, POPT_ARG_STRING, &opt_username, OPT_USERNAME, "username"},
2218	{ "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
2219	{ "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
2220	{ "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
2221	{ "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
2222	{ "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
2223	{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
2224	{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
2225	{ "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
2226	{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
2227	{ "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
2228	{ "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
2229	POPT_COMMON_SAMBA
2230	POPT_TABLEEND
2231	};
2232
2233	/* Samba client initialisation */
2234	load_case_tables();
2235
2236	dbf = x_stderr;
2237
2238	/* Samba client initialisation */
2239
2240	if (!lp_load(dyn_CONFIGFILE, True, False, False, True)) {
2241	d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
2242	dyn_CONFIGFILE, strerror(errno));
2243	exit(1);
2244	}
2245
2246	/* Parse options */
2247
2248	pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
2249
2250	/* Parse command line options */
2251
2252	if (argc == 1) {
2253	poptPrintHelp(pc, stderr, 0);
2254	return 1;
2255	}
2256
2257	pc = poptGetContext(NULL, argc, (const char **)argv, long_options,
2258	POPT_CONTEXT_KEEP_FIRST);
2259
2260	while((opt = poptGetNextOpt(pc)) != -1) {
2261	switch (opt) {
2262	case OPT_CHALLENGE:
2263	opt_challenge = strhex_to_data_blob(NULL, hex_challenge);
2264	if (opt_challenge.length != 8) {
2265	x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
2266	hex_challenge,
2267	(int)opt_challenge.length);
2268	exit(1);
2269	}
2270	break;
2271	case OPT_LM:
2272	opt_lm_response = strhex_to_data_blob(NULL, hex_lm_response);
2273	if (opt_lm_response.length != 24) {
2274	x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
2275	hex_lm_response,
2276	(int)opt_lm_response.length);
2277	exit(1);
2278	}
2279	break;
2280
2281	case OPT_NT:
2282	opt_nt_response = strhex_to_data_blob(NULL, hex_nt_response);
2283	if (opt_nt_response.length < 24) {
2284	x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
2285	hex_nt_response,
2286	(int)opt_nt_response.length);
2287	exit(1);
2288	}
2289	break;
2290
2291	case OPT_REQUIRE_MEMBERSHIP:
2292	if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
2293	require_membership_of_sid = require_membership_of;
2294	}
2295	break;
2296	}
2297	}
2298
2299	if (opt_username) {
2300	char *domain = SMB_STRDUP(opt_username);
2301	char p = strchr_m(domain, lp_winbind_separator());
2302	if (p) {
2303	opt_username = p+1;
2304	*p = '\0';
2305	if (opt_domain && !strequal(opt_domain, domain)) {
2306	x_fprintf(x_stderr, "Domain specified in username (%s) "
2307	"doesn't match specified domain (%s)!\n\n",
2308	domain, opt_domain);
2309	poptPrintHelp(pc, stderr, 0);
2310	exit(1);
2311	}
2312	opt_domain = domain;
2313	} else {
2314	SAFE_FREE(domain);
2315	}
2316	}
2317
2318	/* Note: if opt_domain is "" then send no domain */
2319	if (opt_domain == NULL) {
2320	opt_domain = get_winbind_domain();
2321	}
2322
2323	if (opt_workstation == NULL) {
2324	opt_workstation = "";
2325	}
2326
2327	if (helper_protocol) {
2328	int i;
2329	for (i=0; i<NUM_HELPER_MODES; i++) {
2330	if (strcmp(helper_protocol, stdio_helper_protocols[i].name) == 0) {
2331	squid_stream(stdio_helper_protocols[i].mode, stdio_helper_protocols[i].fn);
2332	exit(0);
2333	}
2334	}
2335	x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
2336
2337	for (i=0; i<NUM_HELPER_MODES; i++) {
2338	x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
2339	}
2340
2341	exit(1);
2342	}
2343
2344	if (!opt_username \|\| !*opt_username) {
2345	x_fprintf(x_stderr, "username must be specified!\n\n");
2346	poptPrintHelp(pc, stderr, 0);
2347	exit(1);
2348	}
2349
2350	if (opt_challenge.length) {
2351	if (!check_auth_crap()) {
2352	exit(1);
2353	}
2354	exit(0);
2355	}
2356
2357	if (!opt_password) {
2358	opt_password = getpass("password: ");
2359	}
2360
2361	if (diagnostics) {
2362	if (!diagnose_ntlm_auth()) {
2363	return 1;
2364	}
2365	} else {
2366	fstring user;
2367
2368	fstr_sprintf(user, "%s%c%s", opt_domain, winbind_separator(), opt_username);
2369	if (!check_plaintext_auth(user, opt_password, True)) {
2370	return 1;
2371	}
2372	}
2373
2374	/* Exit code */
2375
2376	poptFreeContext(pc);
2377	return 0;
2378	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: