sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Code

This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This used to be commit b741abd496)

Browse Source
This commit is contained in:
cvs2svn Import User 2003-01-28 03:37:15 +00:00
commit 2326525950
4 changed files with 1062 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
source3/auth/auth_ntlmssp.c Normal file
View File

@ -0,0 +1,139 @@
/*
Unix SMB/Netbios implementation.
Version 3.0
handle NLTMSSP, server side
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett 2001-2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
static const uint8 *auth_ntlmssp_get_challenge(struct ntlmssp_state *ntlmssp_state)
{
AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
return auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context);
}
static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state)
{
AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
uint32 auth_flags = AUTH_FLAG_NONE;
auth_usersupplied_info *user_info = NULL;
DATA_BLOB plaintext_password = data_blob(NULL, 0);
NTSTATUS nt_status;
if (auth_ntlmssp_state->ntlmssp_state->lm_resp.length) {
auth_flags |= AUTH_FLAG_LM_RESP;
}
if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length == 24) {
auth_flags |= AUTH_FLAG_NTLM_RESP;
} else if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length > 24) {
auth_flags |= AUTH_FLAG_NTLMv2_RESP;
};
/* the client has given us its machine name (which we otherwise would not get on port 445).
we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation);
/* setup the string used by %U */
/* sub_set_smb_name checks for weird internally */
sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
reload_services(True);
nt_status = make_user_info_map(&user_info,
auth_ntlmssp_state->ntlmssp_state->user,
auth_ntlmssp_state->ntlmssp_state->domain,
auth_ntlmssp_state->ntlmssp_state->workstation,
auth_ntlmssp_state->ntlmssp_state->lm_resp,
auth_ntlmssp_state->ntlmssp_state->nt_resp,
plaintext_password,
auth_flags, True);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, user_info, &auth_ntlmssp_state->server_info);
free_user_info(&user_info);
return nt_status;
}
NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
{
NTSTATUS nt_status;
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_init("AUTH NTLMSSP context");
*auth_ntlmssp_state = talloc_zero(mem_ctx, sizeof(**auth_ntlmssp_state));
if (!*auth_ntlmssp_state) {
DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
talloc_destroy(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(*auth_ntlmssp_state);
(*auth_ntlmssp_state)->mem_ctx = mem_ctx;
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_start(&(*auth_ntlmssp_state)->ntlmssp_state))) {
return nt_status;
}
if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) {
return nt_status;
}
(*auth_ntlmssp_state)->ntlmssp_state->auth_context = (*auth_ntlmssp_state);
(*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
(*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
(*auth_ntlmssp_state)->ntlmssp_state->server_role = lp_server_role();
return NT_STATUS_OK;
}
NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
{
TALLOC_CTX *mem_ctx = (*auth_ntlmssp_state)->mem_ctx;
if ((*auth_ntlmssp_state)->ntlmssp_state) {
ntlmssp_server_end(&(*auth_ntlmssp_state)->ntlmssp_state);
}
if ((*auth_ntlmssp_state)->auth_context) {
((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
}
if ((*auth_ntlmssp_state)->server_info) {
free_server_info(&(*auth_ntlmssp_state)->server_info);
}
talloc_destroy(mem_ctx);
*auth_ntlmssp_state = NULL;
return NT_STATUS_OK;
}
NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
DATA_BLOB request, DATA_BLOB *reply)
{
return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
}

92
source3/lib/module.c Normal file
View File

@ -0,0 +1,92 @@
/*
Unix SMB/CIFS implementation.
module loading system
Copyright (C) Jelmer Vernooij 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_DLOPEN
NTSTATUS smb_load_module(const char *module_name)
{
void *handle;
init_module_function *init;
NTSTATUS nt_status;
const char *error;
/* Always try to use LAZY symbol resolving; if the plugin has
* backwards compatibility, there might be symbols in the
* plugin referencing to old (removed) functions
*/
handle = sys_dlopen(module_name, RTLD_LAZY);
if(!handle) {
DEBUG(0, ("Error loading module '%s': %s\n", module_name, sys_dlerror()));
return NT_STATUS_UNSUCCESSFUL;
}
init = sys_dlsym(handle, "init_module");
/* we must check sys_dlerror() to determine if it worked, because
sys_dlsym() can validly return NULL */
error = sys_dlerror();
if (error) {
DEBUG(0, ("Error trying to resolve symbol 'init_module' in %s: %s\n", module_name, error));
return NT_STATUS_UNSUCCESSFUL;
}
nt_status = init();
DEBUG(2, ("Module '%s' loaded\n", module_name));
return nt_status;
}
/* Load all modules in list and return number of
* modules that has been successfully loaded */
int smb_load_modules(const char **modules)
{
int i;
int success = 0;
for(i = 0; modules[i]; i++){
if(NT_STATUS_IS_OK(smb_load_module(modules[i]))) {
success++;
}
}
DEBUG(2, ("%d modules successfully loaded\n", success));
return success;
}
#else /* HAVE_DLOPEN */
NTSTATUS smb_load_module(const char *module_name)
{
DEBUG(0,("This samba executable has not been build with plugin support"));
return NT_STATUS_NOT_SUPPORTED;
}
int smb_load_modules(const char **modules)
{
DEBUG(0,("This samba executable has not been build with plugin support"));
return -1;
}
#endif /* HAVE_DLOPEN */

281
source3/libsmb/ntlmssp.c Normal file
View File

@ -0,0 +1,281 @@
/*
Unix SMB/Netbios implementation.
Version 3.0
handle NLTMSSP, server side
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett 2001-2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/**
* Default challange generation code.
*
*/
static const uint8 *get_challenge(struct ntlmssp_state *ntlmssp_state)
{
static uchar chal[8];
generate_random_buffer(chal, sizeof(chal), False);
return chal;
}
NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
{
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_init("NTLMSSP context");
*ntlmssp_state = talloc_zero(mem_ctx, sizeof(**ntlmssp_state));
if (!*ntlmssp_state) {
DEBUG(0,("ntlmssp_start: talloc failed!\n"));
talloc_destroy(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(*ntlmssp_state);
(*ntlmssp_state)->mem_ctx = mem_ctx;
(*ntlmssp_state)->get_challenge = get_challenge;
(*ntlmssp_state)->get_global_myname = global_myname;
(*ntlmssp_state)->get_domain = lp_workgroup;
(*ntlmssp_state)->server_role = ROLE_DOMAIN_MEMBER; /* a good default */
return NT_STATUS_OK;
}
NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state)
{
TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
data_blob_free(&(*ntlmssp_state)->chal);
data_blob_free(&(*ntlmssp_state)->lm_resp);
data_blob_free(&(*ntlmssp_state)->nt_resp);
SAFE_FREE((*ntlmssp_state)->user);
SAFE_FREE((*ntlmssp_state)->domain);
SAFE_FREE((*ntlmssp_state)->workstation);
talloc_destroy(mem_ctx);
*ntlmssp_state = NULL;
return NT_STATUS_OK;
}
NTSTATUS ntlmssp_server_update(NTLMSSP_STATE *ntlmssp_state,
DATA_BLOB request, DATA_BLOB *reply)
{
uint32 ntlmssp_command;
*reply = data_blob(NULL, 0);
if (!msrpc_parse(&request, "Cd",
"NTLMSSP",
&ntlmssp_command)) {
return NT_STATUS_LOGON_FAILURE;
}
if (ntlmssp_command == NTLMSSP_NEGOTIATE) {
return ntlmssp_negotiate(ntlmssp_state, request, reply);
} else if (ntlmssp_command == NTLMSSP_AUTH) {
return ntlmssp_auth(ntlmssp_state, request, reply);
} else {
return NT_STATUS_LOGON_FAILURE;
}
}
static const char *ntlmssp_target_name(NTLMSSP_STATE *ntlmssp_state,
uint32 neg_flags, uint32 *chal_flags)
{
if (neg_flags & NTLMSSP_REQUEST_TARGET) {
*chal_flags |= NTLMSSP_CHAL_TARGET_INFO;
*chal_flags |= NTLMSSP_REQUEST_TARGET;
if (ntlmssp_state->server_role == ROLE_STANDALONE) {
*chal_flags |= NTLMSSP_TARGET_TYPE_SERVER;
return ntlmssp_state->get_global_myname();
} else {
*chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
return ntlmssp_state->get_domain();
};
} else {
return "";
}
}
NTSTATUS ntlmssp_negotiate(NTLMSSP_STATE *ntlmssp_state,
DATA_BLOB request, DATA_BLOB *reply)
{
DATA_BLOB struct_blob;
fstring dnsname, dnsdomname;
uint32 ntlmssp_command, neg_flags, chal_flags;
char *cliname=NULL, *domname=NULL;
const uint8 *cryptkey;
const char *target_name;
/* parse the NTLMSSP packet */
#if 0
file_save("ntlmssp_negotiate.dat", request.data, request.length);
#endif
if (!msrpc_parse(&request, "CddAA",
"NTLMSSP",
&ntlmssp_command,
&neg_flags,
&cliname,
&domname)) {
return NT_STATUS_LOGON_FAILURE;
}
SAFE_FREE(cliname);
SAFE_FREE(domname);
debug_ntlmssp_flags(neg_flags);
cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
data_blob_free(&ntlmssp_state->chal);
ntlmssp_state->chal = data_blob(cryptkey, 8);
/* Give them the challenge. For now, ignore neg_flags and just
return the flags we want. Obviously this is not correct */
chal_flags =
NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_NTLM;
if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
chal_flags |= NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->unicode = True;
} else {
chal_flags |= NTLMSSP_NEGOTIATE_OEM;
}
target_name = ntlmssp_target_name(ntlmssp_state,
neg_flags, &chal_flags);
/* This should be a 'netbios domain -> DNS domain' mapping */
dnsdomname[0] = '\0';
get_mydomname(dnsdomname);
strlower(dnsdomname);
dnsname[0] = '\0';
get_myfullname(dnsname);
strlower(dnsname);
if (chal_flags & NTLMSSP_CHAL_TARGET_INFO)
{
const char *target_name_dns = "";
if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN) {
target_name_dns = dnsdomname;
} else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER) {
target_name_dns = dnsname;
}
/* the numbers here are the string type flags */
msrpc_gen(&struct_blob, "aaaaa",
ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN, target_name,
ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN_DNS, target_name_dns,
ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER_DNS, dnsdomname,
ntlmssp_state->unicode, 0, "");
} else {
struct_blob = data_blob(NULL, 0);
}
{
const char *gen_string;
if (ntlmssp_state->unicode) {
gen_string = "CdUdbddB";
} else {
gen_string = "CdAdbddB";
}
msrpc_gen(reply, gen_string,
"NTLMSSP",
NTLMSSP_CHALLENGE,
target_name,
chal_flags,
cryptkey, 8,
0, 0,
struct_blob.data, struct_blob.length);
}
data_blob_free(&struct_blob);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
NTSTATUS ntlmssp_auth(NTLMSSP_STATE *ntlmssp_state,
DATA_BLOB request, DATA_BLOB *reply)
{
DATA_BLOB sess_key;
uint32 ntlmssp_command, neg_flags;
NTSTATUS nt_status;
const char *parse_string;
/* parse the NTLMSSP packet */
#if 0
file_save("ntlmssp_auth.dat", request.data, request.length);
#endif
if (ntlmssp_state->unicode) {
parse_string = "CdBBUUUBd";
} else {
parse_string = "CdBBAAABd";
}
data_blob_free(&ntlmssp_state->lm_resp);
data_blob_free(&ntlmssp_state->nt_resp);
SAFE_FREE(ntlmssp_state->user);
SAFE_FREE(ntlmssp_state->domain);
SAFE_FREE(ntlmssp_state->workstation);
/* now the NTLMSSP encoded auth hashes */
if (!msrpc_parse(&request, parse_string,
"NTLMSSP",
&ntlmssp_command,
&ntlmssp_state->lm_resp,
&ntlmssp_state->nt_resp,
&ntlmssp_state->domain,
&ntlmssp_state->user,
&ntlmssp_state->workstation,
&sess_key,
&neg_flags)) {
return NT_STATUS_LOGON_FAILURE;
}
data_blob_free(&sess_key);
DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d\n",
ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, ntlmssp_state->lm_resp.length, ntlmssp_state->nt_resp.length));
#if 0
file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
#endif
nt_status = ntlmssp_state->check_password(ntlmssp_state);
*reply = data_blob(NULL, 0);
return nt_status;
}

550
source3/utils/ntlm_auth.c Normal file
View File

@ -0,0 +1,550 @@
/*
Unix SMB/CIFS implementation.
Winbind status program.
Copyright (C) Tim Potter 2000-2002
Copyright (C) Andrew Bartlett 2003
Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
#define SQUID_BUFFER_SIZE 2010
enum squid_mode {
SQUID_2_4_BASIC,
SQUID_2_5_BASIC,
SQUID_2_5_NTLMSSP
};
extern int winbindd_fd;
static const char *helper_protocol;
static const char *username;
static const char *domain;
static const char *workstation;
static const char *hex_challenge;
static const char *hex_lm_response;
static const char *hex_nt_response;
static unsigned char *challenge;
static size_t challenge_len;
static unsigned char *lm_response;
static size_t lm_response_len;
static unsigned char *nt_response;
static size_t nt_response_len;
static char *password;
static char winbind_separator(void)
{
struct winbindd_response response;
static BOOL got_sep;
static char sep;
if (got_sep)
return sep;
ZERO_STRUCT(response);
/* Send off request */
if (winbindd_request(WINBINDD_INFO, NULL, &response) !=
NSS_STATUS_SUCCESS) {
d_printf("could not obtain winbind separator!\n");
return '\\';
}
sep = response.data.info.winbind_separator;
got_sep = True;
if (!sep) {
d_printf("winbind separator was NULL!\n");
return '\\';
}
return sep;
}
static const char *get_winbind_domain(void)
{
struct winbindd_response response;
static fstring winbind_domain;
if (*winbind_domain) {
return winbind_domain;
}
ZERO_STRUCT(response);
/* Send off request */
if (winbindd_request(WINBINDD_DOMAIN_NAME, NULL, &response) !=
NSS_STATUS_SUCCESS) {
d_printf("could not obtain winbind domain name!\n");
return NULL;
}
fstrcpy(winbind_domain, response.data.domain_name);
return winbind_domain;
}
static const char *get_winbind_netbios_name(void)
{
struct winbindd_response response;
static fstring winbind_netbios_name;
if (*winbind_netbios_name) {
return winbind_netbios_name;
}
ZERO_STRUCT(response);
/* Send off request */
if (winbindd_request(WINBINDD_NETBIOS_NAME, NULL, &response) !=
NSS_STATUS_SUCCESS) {
d_printf("could not obtain winbind netbios name!\n");
return NULL;
}
fstrcpy(winbind_netbios_name, response.data.netbios_name);
return winbind_netbios_name;
}
/* Authenticate a user with a plaintext password */
static BOOL check_plaintext_auth(const char *user, const char *pass, BOOL stdout_diagnostics)
{
struct winbindd_request request;
struct winbindd_response response;
NSS_STATUS result;
/* Send off request */
ZERO_STRUCT(request);
ZERO_STRUCT(response);
fstrcpy(request.data.auth.user, user);
fstrcpy(request.data.auth.pass, pass);
result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
/* Display response */
if (stdout_diagnostics) {
if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
d_printf("Reading winbind reply failed! (0x01)\n");
}
d_printf("%s (0x%x)\n",
response.data.auth.nt_status_string,
response.data.auth.nt_status);
} else {
if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
DEBUG(1, ("Reading winbind reply failed! (0x01)\n"));
}
DEBUG(3, ("%s (0x%x)\n",
response.data.auth.nt_status_string,
response.data.auth.nt_status));
}
return (result == NSS_STATUS_SUCCESS);
}
static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state)
{
struct winbindd_request request;
struct winbindd_response response;
NSS_STATUS result;
/* Send off request */
ZERO_STRUCT(request);
ZERO_STRUCT(response);
fstrcpy(request.data.auth_crap.user, ntlmssp_state->user);
fstrcpy(request.data.auth_crap.domain, ntlmssp_state->domain);
fstrcpy(request.data.auth_crap.workstation, ntlmssp_state->workstation);
memcpy(request.data.auth_crap.chal, ntlmssp_state->chal.data,
MIN(ntlmssp_state->chal.length, 8));
memcpy(request.data.auth_crap.lm_resp, ntlmssp_state->lm_resp.data,
MIN(ntlmssp_state->lm_resp.length, sizeof(request.data.auth_crap.lm_resp)));
memcpy(request.data.auth_crap.nt_resp, ntlmssp_state->lm_resp.data,
MIN(ntlmssp_state->nt_resp.length, sizeof(request.data.auth_crap.nt_resp)));
request.data.auth_crap.lm_resp_len = ntlmssp_state->lm_resp.length;
request.data.auth_crap.nt_resp_len = ntlmssp_state->nt_resp.length;
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
/* Display response */
if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS(response.data.auth.nt_status);
}
static void manage_squid_ntlmssp_request(enum squid_mode squid_mode,
char *buf, int length)
{
static NTLMSSP_STATE *ntlmssp_state;
DATA_BLOB request, reply;
NTSTATUS nt_status;
if (!ntlmssp_state) {
ntlmssp_server_start(&ntlmssp_state);
ntlmssp_state->check_password = winbind_pw_check;
ntlmssp_state->get_domain = get_winbind_domain;
ntlmssp_state->get_global_myname = get_winbind_netbios_name;
}
if (strlen(buf) < 3) {
x_fprintf(x_stdout, "BH\n");
return;
}
request = base64_decode_data_blob(buf + 3);
DEBUG(0, ("got NTLMSSP packet:\n"));
dump_data(0, request.data, request.length);
nt_status = ntlmssp_server_update(ntlmssp_state, request, &reply);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
char *reply_base64 = base64_encode_data_blob(reply);
x_fprintf(x_stdout, "TT %s\n", reply_base64);
SAFE_FREE(reply_base64);
data_blob_free(&reply);
} else if (!NT_STATUS_IS_OK(nt_status)) {
x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
} else {
x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user);
}
data_blob_free(&request);
}
static void manage_squid_basic_request(enum squid_mode squid_mode,
char *buf, int length)
{
char *user, *pass;
user=buf;
pass=memchr(buf,' ',length);
if (!pass) {
DEBUG(2, ("Password not found. Denying access\n"));
x_fprintf(x_stderr, "ERR\n");
return;
}
*pass='\0';
pass++;
if (squid_mode == SQUID_2_5_BASIC) {
rfc1738_unescape(user);
rfc1738_unescape(pass);
}
if (check_plaintext_auth(user, pass, False)) {
x_fprintf(x_stdout, "OK\n");
} else {
x_fprintf(x_stdout, "ERR\n");
}
}
static void manage_squid_request(enum squid_mode squid_mode)
{
char buf[SQUID_BUFFER_SIZE+1];
int length;
char *c;
static BOOL err;
if (x_fgets(buf, sizeof(buf)-1, x_stdin) == NULL) {
DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", errno,
strerror(errno)));
exit(1); /* BIIG buffer */
}
c=memchr(buf,'\n',sizeof(buf)-1);
if (c) {
*c = '\0';
length = c-buf;
} else {
err = 1;
return;
}
if (err) {
DEBUG(2, ("Oversized message\n"));
x_fprintf(x_stderr, "ERR\n");
err = 0;
return;
}
DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
if (buf[0] == '\0') {
DEBUG(2, ("Invalid Request\n"));
x_fprintf(x_stderr, "ERR\n");
return;
}
if (squid_mode == SQUID_2_5_BASIC || squid_mode == SQUID_2_4_BASIC) {
manage_squid_basic_request(squid_mode, buf, length);
} else if (squid_mode == SQUID_2_5_NTLMSSP) {
manage_squid_ntlmssp_request(squid_mode, buf, length);
}
}
static void squid_stream(enum squid_mode squid_mode) {
/* initialize FDescs */
x_setbuf(x_stdout, NULL);
x_setbuf(x_stderr, NULL);
while(1) {
manage_squid_request(squid_mode);
}
}
/* Authenticate a user with a challenge/response */
static BOOL check_auth_crap(void)
{
struct winbindd_request request;
struct winbindd_response response;
NSS_STATUS result;
/* Send off request */
ZERO_STRUCT(request);
ZERO_STRUCT(response);
fstrcpy(request.data.auth_crap.user, username);
fstrcpy(request.data.auth_crap.domain, domain);
fstrcpy(request.data.auth_crap.workstation, workstation);
memcpy(request.data.auth_crap.chal, challenge, MIN(challenge_len, 8));
memcpy(request.data.auth_crap.lm_resp, lm_response, MIN(lm_response_len, sizeof(request.data.auth_crap.lm_resp)));
memcpy(request.data.auth_crap.nt_resp, nt_response, MIN(nt_response_len, sizeof(request.data.auth_crap.nt_resp)));
request.data.auth_crap.lm_resp_len = lm_response_len;
request.data.auth_crap.nt_resp_len = nt_response_len;
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
/* Display response */
if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
d_printf("Reading winbind reply failed! (0x01)\n");
}
d_printf("%s (0x%x)\n",
response.data.auth.nt_status_string,
response.data.auth.nt_status);
return result == NSS_STATUS_SUCCESS;
}
/* Main program */
enum {
OPT_USERNAME = 1000,
OPT_DOMAIN,
OPT_WORKSTATION,
OPT_CHALLENGE,
OPT_RESPONSE,
OPT_LM,
OPT_NT,
OPT_PASSWORD
};
/*************************************************************
Routine to set hex password characters into an allocated array.
**************************************************************/
static void hex_encode(const unsigned char *buff_in, size_t len, char **out_hex_buffer)
{
int i;
char *hex_buffer;
*out_hex_buffer = smb_xmalloc((len*2)+1);
hex_buffer = *out_hex_buffer;
for (i = 0; i < len; i++)
slprintf(&hex_buffer[i*2], 3, "%02X", buff_in[i]);
}
/*************************************************************
Routine to get the 32 hex characters and turn them
into a 16 byte array.
**************************************************************/
static BOOL hex_decode(const char *hex_buf_in, unsigned char **out_buffer, size_t *size)
{
int i;
size_t hex_buf_in_len = strlen(hex_buf_in);
unsigned char partial_byte_hex;
unsigned char partial_byte;
const char *hexchars = "0123456789ABCDEF";
char *p;
BOOL high = True;
if (!hex_buf_in)
return (False);
*size = (hex_buf_in_len + 1) / 2;
*out_buffer = smb_xmalloc(*size);
for (i = 0; i < hex_buf_in_len; i++) {
partial_byte_hex = toupper(hex_buf_in[i]);
p = strchr(hexchars, partial_byte_hex);
if (!p)
return (False);
partial_byte = PTR_DIFF(p, hexchars);
if (high) {
(*out_buffer)[i / 2] = (partial_byte << 4);
} else {
(*out_buffer)[i / 2] |= partial_byte;
}
high = !high;
}
return (True);
}
int main(int argc, const char **argv)
{
int opt;
poptContext pc;
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
{ "username", 0, POPT_ARG_STRING, &username, OPT_USERNAME, "username"},
{ "domain", 0, POPT_ARG_STRING, &domain, OPT_DOMAIN, "domain name"},
{ "workstation", 0, POPT_ARG_STRING, &domain, OPT_WORKSTATION, "workstation"},
{ "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
{ "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
{ "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
{ "password", 0, POPT_ARG_STRING, &password, OPT_PASSWORD, "User's plaintext password"},
{ NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debug },
{ NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile },
{ 0, 0, 0, 0 }
};
/* Samba client initialisation */
dbf = x_stderr;
/* Parse options */
pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
/* Parse command line options */
if (argc == 1) {
poptPrintHelp(pc, stderr, 0);
return 1;
}
pc = poptGetContext(NULL, argc, (const char **)argv, long_options,
POPT_CONTEXT_KEEP_FIRST);
while((opt = poptGetNextOpt(pc)) != -1) {
switch (opt) {
case OPT_CHALLENGE:
if (!hex_decode(hex_challenge, &challenge, &challenge_len)) {
fprintf(stderr, "hex decode of %s failed!\n", hex_challenge);
exit(1);
}
break;
case OPT_LM:
if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) {
fprintf(stderr, "hex decode of %s failed!\n", lm_response);
exit(1);
}
break;
case OPT_NT:
if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) {
fprintf(stderr, "hex decode of %s failed!\n", lm_response);
exit(1);
}
break;
}
}
if (helper_protocol) {
if (strcmp(helper_protocol, "squid-2.5-ntlmssp")== 0) {
squid_stream(SQUID_2_5_NTLMSSP);
} else if (strcmp(helper_protocol, "squid-2.5-basic")== 0) {
squid_stream(SQUID_2_5_BASIC);
} else if (strcmp(helper_protocol, "squid-2.4-basic")== 0) {
squid_stream(SQUID_2_4_BASIC);
} else {
fprintf(stderr, "unknown helper protocol [%s]\n", helper_protocol);
exit(1);
}
}
if (domain == NULL) {
domain = get_winbind_domain();
}
if (workstation == NULL) {
workstation = "";
}
if (challenge) {
if (!check_auth_crap()) {
exit(1);
}
} else if (password) {
fstring user;
snprintf(user, sizeof(user)-1, "%s%c%s", domain, winbind_separator(), username);
if (!check_plaintext_auth(user, password, True)) {
exit(1);
}
}
/* Exit code */
poptFreeContext(pc);
return 0;
}