r23779: Change from v2 or later to v3 or later.

[samba.git] / source3 / utils / ntlm_auth.c
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c

index 1bed7794da1f1a9b4a4efdf7ea5952eb75a78f61..93fc6c9e93d77bb75b13050579b83d03c6aaf034 100644 (file)
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -10,7 +10,7 @@
  
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
     (at your option) any later version.
     
     This program is distributed in the hope that it will be useful,
@@ -272,7 +272,7 @@ static BOOL check_plaintext_auth(const char *user, const char *pass,
         fstrcpy(request.data.auth.user, user);
         fstrcpy(request.data.auth.pass, pass);
         if (require_membership_of_sid)
-               fstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
+               pstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
  
         result = winbindd_request_response(WINBINDD_PAM_AUTH, &request, &response);
  
@@ -479,7 +479,7 @@ static NTSTATUS contact_winbind_change_pswd_auth_crap(const char *username,
  
  static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 
  {
-       static const char zeros[16];
+       static const char zeros[16] = { 0, };
         NTSTATUS nt_status;
         char *error_string;
         uint8 lm_key[8]; 
@@ -623,9 +623,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(NTLMSSP_STATE **ntlmssp_state)
  }
  
  /*******************************************************************
- Used by firefox to drive NTLM auth to IIS servers. Currently
- requires krb5 enabled in winbindd as only then are the credentials
- cached in memory. This needs fixing in winbindd. JRA.
+ Used by firefox to drive NTLM auth to IIS servers.
  *******************************************************************/
  
  static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB initial_msg, DATA_BLOB challenge_msg,
@@ -706,7 +704,7 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
                 }
                 request = base64_decode_data_blob(buf + 3);
         } else {
-               request = data_blob(NULL, 0);
+               request = data_blob_null;
         }
  
         if ((strncmp(buf, "PW ", 3) == 0)) {
@@ -763,7 +761,7 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
         }
  
         DEBUG(10, ("got NTLMSSP packet:\n"));
-       dump_data(10, (const char *)request.data, request.length);
+       dump_data(10, request.data, request.length);
  
         nt_status = ntlmssp_update(ntlmssp_state, request, &reply);
         
@@ -813,6 +811,11 @@ static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mo
         NTSTATUS nt_status;
         BOOL first = False;
         
+       if (!opt_username || !*opt_username) {
+               x_fprintf(x_stderr, "username must be specified!\n\n");
+               exit(1);
+       }
+
         if (strlen(buf) < 2) {
                 DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
                 x_fprintf(x_stdout, "BH\n");
@@ -829,7 +832,7 @@ static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mo
                 }
                 request = base64_decode_data_blob(buf + 3);
         } else {
-               request = data_blob(NULL, 0);
+               request = data_blob_null;
         }
  
         if (strncmp(buf, "PW ", 3) == 0) {
@@ -851,7 +854,7 @@ static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mo
  
         if (!ntlmssp_state && use_cached_creds) {
                 /* check whether credentials are usable. */
-               DATA_BLOB empty_blob = data_blob(NULL, 0);
+               DATA_BLOB empty_blob = data_blob_null;
  
                 nt_status = do_ccache_ntlm_auth(empty_blob, empty_blob, NULL);
                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -907,11 +910,11 @@ static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mo
                 }
                 ntlmssp_want_feature_list(ntlmssp_state, want_feature_list);
                 first = True;
-               initial_message = data_blob(NULL, 0);
+               initial_message = data_blob_null;
         }
  
         DEBUG(10, ("got NTLMSSP packet:\n"));
-       dump_data(10, (const char *)request.data, request.length);
+       dump_data(10, request.data, request.length);
  
         if (use_cached_creds && !opt_password && !first) {
                 nt_status = do_ccache_ntlm_auth(initial_message, request, &reply);
@@ -1132,12 +1135,12 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
                         }
  
                         DEBUG(10, ("got NTLMSSP packet:\n"));
-                       dump_data(10, (const char *)request.negTokenInit.mechToken.data,
+                       dump_data(10, request.negTokenInit.mechToken.data,
                                   request.negTokenInit.mechToken.length);
  
                         response.type = SPNEGO_NEG_TOKEN_TARG;
                         response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP);
-                       response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
+                       response.negTokenTarg.mechListMIC = data_blob_null;
  
                         status = ntlmssp_update(ntlmssp_state,
                                                        request.negTokenInit.mechToken,
@@ -1160,13 +1163,13 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
  
                         response.type = SPNEGO_NEG_TOKEN_TARG;
                         response.negTokenTarg.supportedMech = SMB_STRDUP(OID_KERBEROS5_OLD);
-                       response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
-                       response.negTokenTarg.responseToken = data_blob(NULL, 0);
+                       response.negTokenTarg.mechListMIC = data_blob_null;
+                       response.negTokenTarg.responseToken = data_blob_null;
  
                         status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
                                                    &request.negTokenInit.mechToken,
                                                    &principal, NULL, &ap_rep,
-                                                  &session_key);
+                                                  &session_key, True);
  
                         talloc_destroy(mem_ctx);
  
@@ -1219,7 +1222,7 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
  
                 response.type = SPNEGO_NEG_TOKEN_TARG;
                 response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP);
-               response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
+               response.negTokenTarg.mechListMIC = data_blob_null;
  
                 if (NT_STATUS_IS_OK(status)) {
                         user = SMB_STRDUP(ntlmssp_state->user);
@@ -1273,7 +1276,7 @@ static NTLMSSP_STATE *client_ntlmssp_state = NULL;
  static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
  {
         NTSTATUS status;
-       DATA_BLOB null_blob = data_blob(NULL, 0);
+       DATA_BLOB null_blob = data_blob_null;
         DATA_BLOB to_server;
         char *to_server_base64;
         const char *my_mechs[] = {OID_NTLMSSP, NULL};
@@ -1334,7 +1337,7 @@ static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
  static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego)
  {
         NTSTATUS status;
-       DATA_BLOB null_blob = data_blob(NULL, 0);
+       DATA_BLOB null_blob = data_blob_null;
         DATA_BLOB request;
         DATA_BLOB to_server;
         char *to_server_base64;
@@ -1344,7 +1347,6 @@ static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego)
         if (client_ntlmssp_state == NULL) {
                 DEBUG(1, ("Got NTLMSSP tArg without a client state\n"));
                 x_fprintf(x_stdout, "BH\n");
-               ntlmssp_end(&client_ntlmssp_state);
                 return;
         }
  
@@ -1396,7 +1398,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
  {
         char *principal;
         DATA_BLOB tkt, to_server;
-       DATA_BLOB session_key_krb5 = data_blob(NULL, 0);
+       DATA_BLOB session_key_krb5 = data_blob_null;
         SPNEGO_DATA reply;
         char *reply_base64;
         int retval;
@@ -1422,7 +1424,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
                spnego.negTokenInit.mechListMIC.length);
         principal[spnego.negTokenInit.mechListMIC.length] = '\0';
  
-       retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL);
+       retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
  
         if (retval) {
  
@@ -1444,7 +1446,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
                         return False;
                 }
  
-               retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL);
+               retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
  
                 if (retval) {
                         DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
@@ -1460,7 +1462,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
         reply.negTokenInit.mechTypes = my_mechs;
         reply.negTokenInit.reqFlags = 0;
         reply.negTokenInit.mechToken = tkt;
-       reply.negTokenInit.mechListMIC = data_blob(NULL, 0);
+       reply.negTokenInit.mechListMIC = data_blob_null;
  
         len = write_spnego_data(&to_server, &reply);
         data_blob_free(&tkt);
@@ -1509,6 +1511,11 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
         SPNEGO_DATA spnego;
         ssize_t len;
  
+       if (!opt_username || !*opt_username) {
+               x_fprintf(x_stderr, "username must be specified!\n\n");
+               exit(1);
+       }
+
         if (strlen(buf) <= 3) {
                 DEBUG(1, ("SPNEGO query [%s] too short\n", buf));
                 x_fprintf(x_stdout, "BH\n");
@@ -1744,9 +1751,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                         }
                 }
                 /* clear out the state */
-               challenge = data_blob(NULL, 0);
-               nt_response = data_blob(NULL, 0);
-               lm_response = data_blob(NULL, 0);
+               challenge = data_blob_null;
+               nt_response = data_blob_null;
+               lm_response = data_blob_null;
                 SAFE_FREE(full_username);
                 SAFE_FREE(username);
                 SAFE_FREE(domain);
@@ -1793,7 +1800,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                         x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", 
                                   parameter,
                                   (int)challenge.length);
-                       challenge = data_blob(NULL, 0);
+                       challenge = data_blob_null;
                 }
         } else if (strequal(request, "NT-Response")) {
                 nt_response = strhex_to_data_blob(NULL, parameter);
@@ -1801,7 +1808,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                         x_fprintf(x_stdout, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", 
                                   parameter,
                                   (int)nt_response.length);
-                       nt_response = data_blob(NULL, 0);
+                       nt_response = data_blob_null;
                 }
         } else if (strequal(request, "LANMAN-Response")) {
                 lm_response = strhex_to_data_blob(NULL, parameter);
@@ -1809,7 +1816,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                         x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", 
                                   parameter,
                                   (int)lm_response.length);
-                       lm_response = data_blob(NULL, 0);
+                       lm_response = data_blob_null;
                 }
         } else if (strequal(request, "Password")) {
                 plaintext_password = smb_xstrdup(parameter);
@@ -1943,10 +1950,10 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_
                         SAFE_FREE(error_string);
                 }
                 /* clear out the state */
-               new_nt_pswd = data_blob(NULL, 0);
-               old_nt_hash_enc = data_blob(NULL, 0);
-               new_lm_pswd = data_blob(NULL, 0);
-               old_nt_hash_enc = data_blob(NULL, 0);
+               new_nt_pswd = data_blob_null;
+               old_nt_hash_enc = data_blob_null;
+               new_lm_pswd = data_blob_null;
+               old_nt_hash_enc = data_blob_null;
                 SAFE_FREE(full_username);
                 SAFE_FREE(username);
                 SAFE_FREE(domain);
@@ -1992,7 +1999,7 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_
                                   "(got %d bytes, expected 516)\n.\n", 
                                   parameter,
                                   (int)new_nt_pswd.length);
-                       new_nt_pswd = data_blob(NULL, 0);
+                       new_nt_pswd = data_blob_null;
                 }
         } else if (strequal(request, "old-nt-hash-blob")) {
                 old_nt_hash_enc = strhex_to_data_blob(NULL, parameter);
@@ -2001,7 +2008,7 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_
                                   "(got %d bytes, expected 16)\n.\n", 
                                   parameter,
                                   (int)old_nt_hash_enc.length);
-                       old_nt_hash_enc = data_blob(NULL, 0);
+                       old_nt_hash_enc = data_blob_null;
                 }
         } else if (strequal(request, "new-lm-password-blob")) {
                 new_lm_pswd = strhex_to_data_blob(NULL, parameter);
@@ -2010,7 +2017,7 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_
                                   "(got %d bytes, expected 516)\n.\n", 
                                   parameter,
                                   (int)new_lm_pswd.length);
-                       new_lm_pswd = data_blob(NULL, 0);
+                       new_lm_pswd = data_blob_null;
                 }
         }
         else if (strequal(request, "old-lm-hash-blob")) {
@@ -2021,7 +2028,7 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode helper_
                                   "(got %d bytes, expected 16)\n.\n", 
                                   parameter,
                                   (int)old_lm_hash_enc.length);
-                       old_lm_hash_enc = data_blob(NULL, 0);
+                       old_lm_hash_enc = data_blob_null;
                 }
         } else if (strequal(request, "nt-domain")) {
                 domain = smb_xstrdup(parameter);
@@ -2277,6 +2284,34 @@ enum {
                 }
         }
  
+       if (opt_username) {
+               char *domain = SMB_STRDUP(opt_username);
+               char *p = strchr_m(domain, *lp_winbind_separator());
+               if (p) {
+                       opt_username = p+1;
+                       *p = '\0';
+                       if (opt_domain && !strequal(opt_domain, domain)) {
+                               x_fprintf(x_stderr, "Domain specified in username (%s) "
+                                       "doesn't match specified domain (%s)!\n\n",
+                                       domain, opt_domain);
+                               poptPrintHelp(pc, stderr, 0);
+                               exit(1);
+                       }
+                       opt_domain = domain;
+               } else {
+                       SAFE_FREE(domain);
+               }
+       }
+
+       /* Note: if opt_domain is "" then send no domain */
+       if (opt_domain == NULL) {
+               opt_domain = get_winbind_domain();
+       }
+
+       if (opt_workstation == NULL) {
+               opt_workstation = "";
+       }
+
         if (helper_protocol) {
                 int i;
                 for (i=0; i<NUM_HELPER_MODES; i++) {
@@ -2294,20 +2329,12 @@ enum {
                 exit(1);
         }
  
-       if (!opt_username) {
+       if (!opt_username || !*opt_username) {
                 x_fprintf(x_stderr, "username must be specified!\n\n");
                 poptPrintHelp(pc, stderr, 0);
                 exit(1);
         }
  
-       if (opt_domain == NULL) {
-               opt_domain = get_winbind_domain();
-       }
-
-       if (opt_workstation == NULL) {
-               opt_workstation = "";
-       }
-
         if (opt_challenge.length) {
                 if (!check_auth_crap()) {
                         exit(1);