2fdc938f49e9c1ba3aad25ba5cd9d8b68d4d498f
[amitay/samba.git] / source3 / libsmb / ntlmssp.c
1 /*
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, server side
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett 2001-2003
8    Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "../libcli/auth/ntlmssp.h"
26 #include "../libcli/auth/ntlmssp_private.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "../libcli/auth/ntlmssp_ndr.h"
30 #include "../lib/crypto/md5.h"
31 #include "../lib/crypto/arcfour.h"
32 #include "../lib/crypto/hmacmd5.h"
33
34 static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
35                                        DATA_BLOB reply, DATA_BLOB *next_request);
36 static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
37                                          const DATA_BLOB in, DATA_BLOB *out);
38 static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
39                                          const DATA_BLOB reply, DATA_BLOB *next_request);
40 static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
41                                     const DATA_BLOB request, DATA_BLOB *reply);
42
43 /**
44  * Callbacks for NTLMSSP - for both client and server operating modes
45  *
46  */
47
48 static const struct ntlmssp_callbacks {
49         enum ntlmssp_role role;
50         enum ntlmssp_message_type ntlmssp_command;
51         NTSTATUS (*fn)(struct ntlmssp_state *ntlmssp_state,
52                        DATA_BLOB in, DATA_BLOB *out);
53 } ntlmssp_callbacks[] = {
54         {NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
55         {NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
56         {NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
57         {NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
58         {NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
59         {NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
60 };
61
62
63 /**
64  * Default challenge generation code.
65  *
66  */
67
68 static NTSTATUS get_challenge(const struct ntlmssp_state *ntlmssp_state,
69                               uint8_t chal[8])
70 {
71         generate_random_buffer(chal, 8);
72         return NT_STATUS_OK;
73 }
74
75 /**
76  * Default 'we can set the challenge to anything we like' implementation
77  *
78  */
79
80 static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
81 {
82         return True;
83 }
84
85 /**
86  * Default 'we can set the challenge to anything we like' implementation
87  *
88  * Does not actually do anything, as the value is always in the structure anyway.
89  *
90  */
91
92 static NTSTATUS set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
93 {
94         SMB_ASSERT(challenge->length == 8);
95         return NT_STATUS_OK;
96 }
97
98 /**
99  * Set a username on an NTLMSSP context - ensures it is talloc()ed
100  *
101  */
102
103 NTSTATUS ntlmssp_set_username(struct ntlmssp_state *ntlmssp_state, const char *user)
104 {
105         ntlmssp_state->user = talloc_strdup(ntlmssp_state, user ? user : "" );
106         if (!ntlmssp_state->user) {
107                 return NT_STATUS_NO_MEMORY;
108         }
109         return NT_STATUS_OK;
110 }
111
112 /**
113  * Store NT and LM hashes on an NTLMSSP context - ensures they are talloc()ed
114  *
115  */
116 NTSTATUS ntlmssp_set_hashes(struct ntlmssp_state *ntlmssp_state,
117                             const uint8_t lm_hash[16],
118                             const uint8_t nt_hash[16])
119 {
120         ntlmssp_state->lm_hash = (uint8_t *)
121                 TALLOC_MEMDUP(ntlmssp_state, lm_hash, 16);
122         ntlmssp_state->nt_hash = (uint8_t *)
123                 TALLOC_MEMDUP(ntlmssp_state, nt_hash, 16);
124         if (!ntlmssp_state->lm_hash || !ntlmssp_state->nt_hash) {
125                 TALLOC_FREE(ntlmssp_state->lm_hash);
126                 TALLOC_FREE(ntlmssp_state->nt_hash);
127                 return NT_STATUS_NO_MEMORY;
128         }
129         return NT_STATUS_OK;
130 }
131
132 /**
133  * Converts a password to the hashes on an NTLMSSP context.
134  *
135  */
136 NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *password)
137 {
138         if (!password) {
139                 ntlmssp_state->lm_hash = NULL;
140                 ntlmssp_state->nt_hash = NULL;
141         } else {
142                 uint8_t lm_hash[16];
143                 uint8_t nt_hash[16];
144
145                 E_deshash(password, lm_hash);
146                 E_md4hash(password, nt_hash);
147                 return ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
148         }
149         return NT_STATUS_OK;
150 }
151
152 /**
153  * Set a domain on an NTLMSSP context - ensures it is talloc()ed
154  *
155  */
156 NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain)
157 {
158         ntlmssp_state->domain = talloc_strdup(ntlmssp_state,
159                                               domain ? domain : "" );
160         if (!ntlmssp_state->domain) {
161                 return NT_STATUS_NO_MEMORY;
162         }
163         return NT_STATUS_OK;
164 }
165
166 /**
167  * Request features for the NTLMSSP negotiation
168  *
169  * @param ntlmssp_state NTLMSSP state
170  * @param feature_list List of space seperated features requested from NTLMSSP.
171  */
172 void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list)
173 {
174         /*
175          * We need to set this to allow a later SetPassword
176          * via the SAMR pipe to succeed. Strange.... We could
177          * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
178          */
179         if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
180                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
181         }
182         if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
183                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
184         }
185         if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
186                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
187         }
188         if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
189                 ntlmssp_state->use_ccache = true;
190         }
191 }
192
193 /**
194  * Request a feature for the NTLMSSP negotiation
195  *
196  * @param ntlmssp_state NTLMSSP state
197  * @param feature Bit flag specifying the requested feature
198  */
199 void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
200 {
201         /* As per JRA's comment above */
202         if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
203                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
204         }
205         if (feature & NTLMSSP_FEATURE_SIGN) {
206                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
207         }
208         if (feature & NTLMSSP_FEATURE_SEAL) {
209                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
210         }
211         if (feature & NTLMSSP_FEATURE_CCACHE) {
212                 ntlmssp_state->use_ccache = true;
213         }
214 }
215
216 /**
217  * Next state function for the NTLMSSP state machine
218  *
219  * @param ntlmssp_state NTLMSSP State
220  * @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
221  * @param out The reply, as an allocated DATA_BLOB, caller to free.
222  * @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
223  */
224
225 NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
226                         const DATA_BLOB input, DATA_BLOB *out)
227 {
228         uint32_t ntlmssp_command;
229         int i;
230
231         if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
232                 /* Called update after negotiations finished. */
233                 DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
234                 return NT_STATUS_INVALID_PARAMETER;
235         }
236
237         *out = data_blob_null;
238
239         if (!input.length) {
240                 switch (ntlmssp_state->role) {
241                 case NTLMSSP_CLIENT:
242                         ntlmssp_command = NTLMSSP_INITIAL;
243                         break;
244                 case NTLMSSP_SERVER:
245                         /* 'datagram' mode - no neg packet */
246                         ntlmssp_command = NTLMSSP_NEGOTIATE;
247                         break;
248                 }
249         } else {
250                 if (!msrpc_parse(ntlmssp_state, &input, "Cd",
251                                  "NTLMSSP",
252                                  &ntlmssp_command)) {
253                         DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
254                         dump_data(2, input.data, input.length);
255                         return NT_STATUS_INVALID_PARAMETER;
256                 }
257         }
258
259         if (ntlmssp_command != ntlmssp_state->expected_state) {
260                 DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
261                 return NT_STATUS_INVALID_PARAMETER;
262         }
263
264         for (i=0; ntlmssp_callbacks[i].fn; i++) {
265                 if (ntlmssp_callbacks[i].role == ntlmssp_state->role
266                     && ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
267                         return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out);
268                 }
269         }
270
271         DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
272                   ntlmssp_state->role, ntlmssp_command));
273
274         return NT_STATUS_INVALID_PARAMETER;
275 }
276
277 /**
278  * Next state function for the Negotiate packet
279  *
280  * @param ntlmssp_state NTLMSSP State
281  * @param request The request, as a DATA_BLOB
282  * @param request The reply, as an allocated DATA_BLOB, caller to free.
283  * @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
284  */
285
286 static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
287                                          const DATA_BLOB request, DATA_BLOB *reply)
288 {
289         DATA_BLOB struct_blob;
290         uint32_t neg_flags = 0;
291         uint32_t ntlmssp_command, chal_flags;
292         uint8_t cryptkey[8];
293         const char *target_name;
294         NTSTATUS status;
295
296         /* parse the NTLMSSP packet */
297 #if 0
298         file_save("ntlmssp_negotiate.dat", request.data, request.length);
299 #endif
300
301         if (request.length) {
302                 if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
303                                                           "NTLMSSP",
304                                                           &ntlmssp_command,
305                                                           &neg_flags)) {
306                         DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
307                                 (unsigned int)request.length));
308                         dump_data(2, request.data, request.length);
309                         return NT_STATUS_INVALID_PARAMETER;
310                 }
311                 debug_ntlmssp_flags(neg_flags);
312
313                 if (DEBUGLEVEL >= 10) {
314                         struct NEGOTIATE_MESSAGE *negotiate = talloc(
315                                 talloc_tos(), struct NEGOTIATE_MESSAGE);
316                         if (negotiate != NULL) {
317                                 status = ntlmssp_pull_NEGOTIATE_MESSAGE(
318                                         &request, negotiate, negotiate);
319                                 if (NT_STATUS_IS_OK(status)) {
320                                         NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
321                                                         negotiate);
322                                 }
323                                 TALLOC_FREE(negotiate);
324                         }
325                 }
326         }
327
328         ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key);
329
330         /* Ask our caller what challenge they would like in the packet */
331         status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
332         if (!NT_STATUS_IS_OK(status)) {
333                 DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n",
334                           nt_errstr(status)));
335                 return status;
336         }
337
338         /* Check if we may set the challenge */
339         if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
340                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
341         }
342
343         /* The flags we send back are not just the negotiated flags,
344          * they are also 'what is in this packet'.  Therfore, we
345          * operate on 'chal_flags' from here on
346          */
347
348         chal_flags = ntlmssp_state->neg_flags;
349
350         /* get the right name to fill in as 'target' */
351         target_name = ntlmssp_target_name(ntlmssp_state,
352                                           neg_flags, &chal_flags);
353         if (target_name == NULL)
354                 return NT_STATUS_INVALID_PARAMETER;
355
356         ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
357         ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
358                                                         cryptkey, 8);
359
360         /* This creates the 'blob' of names that appears at the end of the packet */
361         if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
362         {
363                 msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa",
364                           MsvAvNbDomainName, target_name,
365                           MsvAvNbComputerName, ntlmssp_state->server.netbios_name,
366                           MsvAvDnsDomainName, ntlmssp_state->server.dns_domain,
367                           MsvAvDnsComputerName, ntlmssp_state->server.dns_name,
368                           MsvAvEOL, "");
369         } else {
370                 struct_blob = data_blob_null;
371         }
372
373         {
374                 /* Marshal the packet in the right format, be it unicode or ASCII */
375                 const char *gen_string;
376                 DATA_BLOB version_blob = data_blob_null;
377
378                 if (chal_flags & NTLMSSP_NEGOTIATE_VERSION) {
379                         enum ndr_err_code err;
380                         struct VERSION vers;
381
382                         /* "What Windows returns" as a version number. */
383                         ZERO_STRUCT(vers);
384                         vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
385                         vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
386                         vers.ProductBuild = 0;
387                         vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
388
389                         err = ndr_push_struct_blob(&version_blob,
390                                                 ntlmssp_state,
391                                                 &vers,
392                                                 (ndr_push_flags_fn_t)ndr_push_VERSION);
393
394                         if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
395                                 return NT_STATUS_NO_MEMORY;
396                         }
397                 }
398
399                 if (ntlmssp_state->unicode) {
400                         gen_string = "CdUdbddBb";
401                 } else {
402                         gen_string = "CdAdbddBb";
403                 }
404
405                 msrpc_gen(ntlmssp_state, reply, gen_string,
406                         "NTLMSSP",
407                         NTLMSSP_CHALLENGE,
408                         target_name,
409                         chal_flags,
410                         cryptkey, 8,
411                         0, 0,
412                         struct_blob.data, struct_blob.length,
413                         version_blob.data, version_blob.length);
414
415                 data_blob_free(&version_blob);
416
417                 if (DEBUGLEVEL >= 10) {
418                         struct CHALLENGE_MESSAGE *challenge = talloc(
419                                 talloc_tos(), struct CHALLENGE_MESSAGE);
420                         if (challenge != NULL) {
421                                 challenge->NegotiateFlags = chal_flags;
422                                 status = ntlmssp_pull_CHALLENGE_MESSAGE(
423                                         reply, challenge, challenge);
424                                 if (NT_STATUS_IS_OK(status)) {
425                                         NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
426                                                         challenge);
427                                 }
428                                 TALLOC_FREE(challenge);
429                         }
430                 }
431         }
432
433         data_blob_free(&struct_blob);
434
435         ntlmssp_state->expected_state = NTLMSSP_AUTH;
436
437         return NT_STATUS_MORE_PROCESSING_REQUIRED;
438 }
439
440 /**
441  * Next state function for the Authenticate packet
442  *
443  * @param ntlmssp_state NTLMSSP State
444  * @param request The request, as a DATA_BLOB
445  * @param request The reply, as an allocated DATA_BLOB, caller to free.
446  * @return Errors or NT_STATUS_OK.
447  */
448
449 static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
450                                     const DATA_BLOB request, DATA_BLOB *reply)
451 {
452         DATA_BLOB encrypted_session_key = data_blob_null;
453         DATA_BLOB user_session_key = data_blob_null;
454         DATA_BLOB lm_session_key = data_blob_null;
455         DATA_BLOB session_key = data_blob_null;
456         uint32_t ntlmssp_command, auth_flags;
457         NTSTATUS nt_status = NT_STATUS_OK;
458
459         /* used by NTLM2 */
460         bool doing_ntlm2 = False;
461
462         uint8_t session_nonce[16];
463         uint8_t session_nonce_hash[16];
464
465         const char *parse_string;
466
467         /* parse the NTLMSSP packet */
468         *reply = data_blob_null;
469
470 #if 0
471         file_save("ntlmssp_auth.dat", request.data, request.length);
472 #endif
473
474         if (ntlmssp_state->unicode) {
475                 parse_string = "CdBBUUUBd";
476         } else {
477                 parse_string = "CdBBAAABd";
478         }
479
480         data_blob_free(&ntlmssp_state->lm_resp);
481         data_blob_free(&ntlmssp_state->nt_resp);
482
483         ntlmssp_state->user = NULL;
484         ntlmssp_state->domain = NULL;
485
486         /* now the NTLMSSP encoded auth hashes */
487         if (!msrpc_parse(ntlmssp_state, &request, parse_string,
488                          "NTLMSSP",
489                          &ntlmssp_command,
490                          &ntlmssp_state->lm_resp,
491                          &ntlmssp_state->nt_resp,
492                          &ntlmssp_state->domain,
493                          &ntlmssp_state->user,
494                          &ntlmssp_state->client.netbios_name,
495                          &encrypted_session_key,
496                          &auth_flags)) {
497                 auth_flags = 0;
498
499                 /* Try again with a shorter string (Win9X truncates this packet) */
500                 if (ntlmssp_state->unicode) {
501                         parse_string = "CdBBUUU";
502                 } else {
503                         parse_string = "CdBBAAA";
504                 }
505
506                 /* now the NTLMSSP encoded auth hashes */
507                 if (!msrpc_parse(ntlmssp_state, &request, parse_string,
508                                  "NTLMSSP",
509                                  &ntlmssp_command,
510                                  &ntlmssp_state->lm_resp,
511                                  &ntlmssp_state->nt_resp,
512                                  &ntlmssp_state->domain,
513                                  &ntlmssp_state->user,
514                                  &ntlmssp_state->client.netbios_name)) {
515                         DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
516                         dump_data(2, request.data, request.length);
517
518                         return NT_STATUS_INVALID_PARAMETER;
519                 }
520         }
521
522         if (auth_flags)
523                 ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
524
525         if (DEBUGLEVEL >= 10) {
526                 struct AUTHENTICATE_MESSAGE *authenticate = talloc(
527                         talloc_tos(), struct AUTHENTICATE_MESSAGE);
528                 if (authenticate != NULL) {
529                         NTSTATUS status;
530                         authenticate->NegotiateFlags = auth_flags;
531                         status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
532                                 &request, authenticate, authenticate);
533                         if (NT_STATUS_IS_OK(status)) {
534                                 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
535                                                 authenticate);
536                         }
537                         TALLOC_FREE(authenticate);
538                 }
539         }
540
541         DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
542                  ntlmssp_state->user, ntlmssp_state->domain,
543                  ntlmssp_state->client.netbios_name,
544                  (unsigned long)ntlmssp_state->lm_resp.length,
545                  (unsigned long)ntlmssp_state->nt_resp.length));
546
547 #if 0
548         file_save("nthash1.dat",  &ntlmssp_state->nt_resp.data,  &ntlmssp_state->nt_resp.length);
549         file_save("lmhash1.dat",  &ntlmssp_state->lm_resp.data,  &ntlmssp_state->lm_resp.length);
550 #endif
551
552         /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
553            client challenge
554
555            However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
556         */
557         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
558                 if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
559                         struct MD5Context md5_session_nonce_ctx;
560                         SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
561
562                         doing_ntlm2 = True;
563
564                         memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8);
565                         memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8);
566
567                         MD5Init(&md5_session_nonce_ctx);
568                         MD5Update(&md5_session_nonce_ctx, session_nonce, 16);
569                         MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
570
571                         ntlmssp_state->chal = data_blob_talloc(
572                                 ntlmssp_state, session_nonce_hash, 8);
573
574                         /* LM response is no longer useful */
575                         data_blob_free(&ntlmssp_state->lm_resp);
576
577                         /* We changed the effective challenge - set it */
578                         if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
579                                 data_blob_free(&encrypted_session_key);
580                                 return nt_status;
581                         }
582
583                         /* LM Key is incompatible. */
584                         ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
585                 }
586         }
587
588         /*
589          * Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
590          * is required (by "ntlm auth = no" and "lm auth = no" being set in the
591          * smb.conf file) and no NTLMv2 response was sent then the password check
592          * will fail here. JRA.
593          */
594
595         /* Finally, actually ask if the password is OK */
596
597         if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state,
598                                                                        &user_session_key, &lm_session_key))) {
599                 data_blob_free(&encrypted_session_key);
600                 return nt_status;
601         }
602
603         dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
604         dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
605
606         /* Handle the different session key derivation for NTLM2 */
607         if (doing_ntlm2) {
608                 if (user_session_key.data && user_session_key.length == 16) {
609                         session_key = data_blob_talloc(ntlmssp_state,
610                                                        NULL, 16);
611                         hmac_md5(user_session_key.data, session_nonce,
612                                  sizeof(session_nonce), session_key.data);
613                         DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
614                         dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
615
616                 } else {
617                         DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
618                         session_key = data_blob_null;
619                 }
620         } else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
621                 /* Ensure we can never get here on NTLMv2 */
622                 && (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) {
623
624                 if (lm_session_key.data && lm_session_key.length >= 8) {
625                         if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
626                                 session_key = data_blob_talloc(ntlmssp_state,
627                                                                NULL, 16);
628                                 if (session_key.data == NULL) {
629                                         return NT_STATUS_NO_MEMORY;
630                                 }
631                                 SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
632                                                           session_key.data);
633                                 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
634                         } else {
635                                 static const uint8_t zeros[24] = {0, };
636                                 session_key = data_blob_talloc(
637                                         ntlmssp_state, NULL, 16);
638                                 if (session_key.data == NULL) {
639                                         return NT_STATUS_NO_MEMORY;
640                                 }
641                                 SMBsesskeygen_lm_sess_key(zeros, zeros,
642                                                           session_key.data);
643                                 DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
644                         }
645                         dump_data_pw("LM session key:\n", session_key.data,
646                                      session_key.length);
647                 } else {
648                         /* LM Key not selected */
649                         ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
650
651                         DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
652                         session_key = data_blob_null;
653                 }
654         } else if (user_session_key.data) {
655                 session_key = user_session_key;
656                 DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
657                 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
658
659                 /* LM Key not selected */
660                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
661
662         } else if (lm_session_key.data) {
663                 /* Very weird to have LM key, but no user session key, but anyway.. */
664                 session_key = lm_session_key;
665                 DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
666                 dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
667
668                 /* LM Key not selected */
669                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
670
671         } else {
672                 DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
673                 session_key = data_blob_null;
674
675                 /* LM Key not selected */
676                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
677         }
678
679         /* With KEY_EXCH, the client supplies the proposed session key,
680            but encrypts it with the long-term key */
681         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
682                 if (!encrypted_session_key.data || encrypted_session_key.length != 16) {
683                         data_blob_free(&encrypted_session_key);
684                         DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
685                                   (unsigned int)encrypted_session_key.length));
686                         return NT_STATUS_INVALID_PARAMETER;
687                 } else if (!session_key.data || session_key.length != 16) {
688                         DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
689                                   (unsigned int)session_key.length));
690                         ntlmssp_state->session_key = session_key;
691                 } else {
692                         dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
693                         arcfour_crypt_blob(encrypted_session_key.data,
694                                            encrypted_session_key.length,
695                                            &session_key);
696                         ntlmssp_state->session_key = data_blob_talloc(
697                                 ntlmssp_state, encrypted_session_key.data,
698                                 encrypted_session_key.length);
699                         dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data,
700                                      encrypted_session_key.length);
701                 }
702         } else {
703                 ntlmssp_state->session_key = session_key;
704         }
705
706         if (!NT_STATUS_IS_OK(nt_status)) {
707                 ntlmssp_state->session_key = data_blob_null;
708         } else if (ntlmssp_state->session_key.length) {
709                 nt_status = ntlmssp_sign_init(ntlmssp_state);
710         }
711
712         data_blob_free(&encrypted_session_key);
713
714         /* Only one authentication allowed per server state. */
715         ntlmssp_state->expected_state = NTLMSSP_DONE;
716
717         return nt_status;
718 }
719
720 /**
721  * Create an NTLMSSP state machine
722  *
723  * @param ntlmssp_state NTLMSSP State, allocated by this function
724  */
725
726 NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
727                               bool is_standalone,
728                               const char *netbios_name,
729                               const char *netbios_domain,
730                               const char *dns_name,
731                               const char *dns_domain,
732                               struct ntlmssp_state **_ntlmssp_state)
733 {
734         struct ntlmssp_state *ntlmssp_state;
735
736         if (!netbios_name) {
737                 netbios_name = "";
738         }
739
740         if (!netbios_domain) {
741                 netbios_domain = "";
742         }
743
744         if (!dns_domain) {
745                 dns_domain = "";
746         }
747
748         if (!dns_name) {
749                 dns_name = "";
750         }
751
752         ntlmssp_state = talloc_zero(mem_ctx, struct ntlmssp_state);
753         if (!ntlmssp_state) {
754                 return NT_STATUS_NO_MEMORY;
755         }
756
757         ntlmssp_state->role = NTLMSSP_SERVER;
758
759         ntlmssp_state->get_challenge = get_challenge;
760         ntlmssp_state->set_challenge = set_challenge;
761         ntlmssp_state->may_set_challenge = may_set_challenge;
762
763         ntlmssp_state->server.is_standalone = is_standalone;
764
765         ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
766
767         ntlmssp_state->allow_lm_key = lp_lanman_auth();
768
769         ntlmssp_state->neg_flags =
770                 NTLMSSP_NEGOTIATE_128 |
771                 NTLMSSP_NEGOTIATE_56 |
772                 NTLMSSP_NEGOTIATE_VERSION |
773                 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
774                 NTLMSSP_NEGOTIATE_NTLM |
775                 NTLMSSP_NEGOTIATE_NTLM2 |
776                 NTLMSSP_NEGOTIATE_KEY_EXCH |
777                 NTLMSSP_NEGOTIATE_SIGN |
778                 NTLMSSP_NEGOTIATE_SEAL;
779
780         ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
781         if (!ntlmssp_state->server.netbios_name) {
782                 talloc_free(ntlmssp_state);
783                 return NT_STATUS_NO_MEMORY;
784         }
785         ntlmssp_state->server.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
786         if (!ntlmssp_state->server.netbios_domain) {
787                 talloc_free(ntlmssp_state);
788                 return NT_STATUS_NO_MEMORY;
789         }
790         ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state, dns_name);
791         if (!ntlmssp_state->server.dns_name) {
792                 talloc_free(ntlmssp_state);
793                 return NT_STATUS_NO_MEMORY;
794         }
795         ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain);
796         if (!ntlmssp_state->server.dns_domain) {
797                 talloc_free(ntlmssp_state);
798                 return NT_STATUS_NO_MEMORY;
799         }
800
801         *_ntlmssp_state = ntlmssp_state;
802         return NT_STATUS_OK;
803 }
804
805 /*********************************************************************
806  Client side NTLMSSP
807 *********************************************************************/
808
809 /**
810  * Next state function for the Initial packet
811  *
812  * @param ntlmssp_state NTLMSSP State
813  * @param request The request, as a DATA_BLOB.  reply.data must be NULL
814  * @param request The reply, as an allocated DATA_BLOB, caller to free.
815  * @return Errors or NT_STATUS_OK.
816  */
817
818 static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
819                                   DATA_BLOB reply, DATA_BLOB *next_request)
820 {
821         if (ntlmssp_state->unicode) {
822                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
823         } else {
824                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
825         }
826
827         if (ntlmssp_state->use_ntlmv2) {
828                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
829         }
830
831         /* generate the ntlmssp negotiate packet */
832         msrpc_gen(ntlmssp_state, next_request, "CddAA",
833                   "NTLMSSP",
834                   NTLMSSP_NEGOTIATE,
835                   ntlmssp_state->neg_flags,
836                   ntlmssp_state->client.netbios_domain,
837                   ntlmssp_state->client.netbios_name);
838
839         if (DEBUGLEVEL >= 10) {
840                 struct NEGOTIATE_MESSAGE *negotiate = talloc(
841                         talloc_tos(), struct NEGOTIATE_MESSAGE);
842                 if (negotiate != NULL) {
843                         NTSTATUS status;
844                         status = ntlmssp_pull_NEGOTIATE_MESSAGE(
845                                 next_request, negotiate, negotiate);
846                         if (NT_STATUS_IS_OK(status)) {
847                                 NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
848                                                 negotiate);
849                         }
850                         TALLOC_FREE(negotiate);
851                 }
852         }
853
854         ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
855
856         return NT_STATUS_MORE_PROCESSING_REQUIRED;
857 }
858
859 /**
860  * Next state function for the Challenge Packet.  Generate an auth packet.
861  *
862  * @param ntlmssp_state NTLMSSP State
863  * @param request The request, as a DATA_BLOB.  reply.data must be NULL
864  * @param request The reply, as an allocated DATA_BLOB, caller to free.
865  * @return Errors or NT_STATUS_OK.
866  */
867
868 static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
869                                          const DATA_BLOB reply, DATA_BLOB *next_request)
870 {
871         uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
872         DATA_BLOB server_domain_blob;
873         DATA_BLOB challenge_blob;
874         DATA_BLOB struct_blob = data_blob_null;
875         char *server_domain;
876         const char *chal_parse_string;
877         const char *auth_gen_string;
878         DATA_BLOB lm_response = data_blob_null;
879         DATA_BLOB nt_response = data_blob_null;
880         DATA_BLOB session_key = data_blob_null;
881         DATA_BLOB encrypted_session_key = data_blob_null;
882         NTSTATUS nt_status = NT_STATUS_OK;
883
884         if (ntlmssp_state->use_ccache) {
885                 struct wbcCredentialCacheParams params;
886                 struct wbcCredentialCacheInfo *info = NULL;
887                 struct wbcAuthErrorInfo *error = NULL;
888                 struct wbcNamedBlob auth_blob;
889                 struct wbcBlob *wbc_next = NULL;
890                 struct wbcBlob *wbc_session_key = NULL;
891                 wbcErr wbc_status;
892                 int i;
893
894                 params.account_name = ntlmssp_state->user;
895                 params.domain_name = ntlmssp_state->domain;
896                 params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
897
898                 auth_blob.name = "challenge_blob";
899                 auth_blob.flags = 0;
900                 auth_blob.blob.data = reply.data;
901                 auth_blob.blob.length = reply.length;
902                 params.num_blobs = 1;
903                 params.blobs = &auth_blob;
904
905                 wbc_status = wbcCredentialCache(&params, &info, &error);
906                 if (error != NULL) {
907                         wbcFreeMemory(error);
908                 }
909                 if (!WBC_ERROR_IS_OK(wbc_status)) {
910                         goto noccache;
911                 }
912
913                 for (i=0; i<info->num_blobs; i++) {
914                         if (strequal(info->blobs[i].name, "auth_blob")) {
915                                 wbc_next = &info->blobs[i].blob;
916                         }
917                         if (strequal(info->blobs[i].name, "session_key")) {
918                                 wbc_session_key = &info->blobs[i].blob;
919                         }
920                 }
921                 if ((wbc_next == NULL) || (wbc_session_key == NULL)) {
922                         wbcFreeMemory(info);
923                         goto noccache;
924                 }
925
926                 *next_request = data_blob(wbc_next->data, wbc_next->length);
927                 ntlmssp_state->session_key = data_blob(
928                         wbc_session_key->data, wbc_session_key->length);
929
930                 wbcFreeMemory(info);
931                 goto done;
932         }
933
934 noccache:
935
936         if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
937                          "NTLMSSP",
938                          &ntlmssp_command,
939                          &server_domain_blob,
940                          &chal_flags)) {
941                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
942                 dump_data(2, reply.data, reply.length);
943
944                 return NT_STATUS_INVALID_PARAMETER;
945         }
946
947         if (DEBUGLEVEL >= 10) {
948                 struct CHALLENGE_MESSAGE *challenge = talloc(
949                         talloc_tos(), struct CHALLENGE_MESSAGE);
950                 if (challenge != NULL) {
951                         NTSTATUS status;
952                         challenge->NegotiateFlags = chal_flags;
953                         status = ntlmssp_pull_CHALLENGE_MESSAGE(
954                                 &reply, challenge, challenge);
955                         if (NT_STATUS_IS_OK(status)) {
956                                 NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
957                                                 challenge);
958                         }
959                         TALLOC_FREE(challenge);
960                 }
961         }
962
963         data_blob_free(&server_domain_blob);
964
965         DEBUG(3, ("Got challenge flags:\n"));
966         debug_ntlmssp_flags(chal_flags);
967
968         ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
969
970         if (ntlmssp_state->unicode) {
971                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
972                         chal_parse_string = "CdUdbddB";
973                 } else {
974                         chal_parse_string = "CdUdbdd";
975                 }
976                 auth_gen_string = "CdBBUUUBd";
977         } else {
978                 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
979                         chal_parse_string = "CdAdbddB";
980                 } else {
981                         chal_parse_string = "CdAdbdd";
982                 }
983
984                 auth_gen_string = "CdBBAAABd";
985         }
986
987         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
988         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
989
990         if (!msrpc_parse(ntlmssp_state, &reply, chal_parse_string,
991                          "NTLMSSP",
992                          &ntlmssp_command,
993                          &server_domain,
994                          &chal_flags,
995                          &challenge_blob, 8,
996                          &unkn1, &unkn2,
997                          &struct_blob)) {
998                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
999                 dump_data(2, reply.data, reply.length);
1000                 return NT_STATUS_INVALID_PARAMETER;
1001         }
1002
1003         if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
1004                 ntlmssp_state->server.is_standalone = true;
1005         } else {
1006                 ntlmssp_state->server.is_standalone = false;
1007         }
1008         /* TODO: parse struct_blob and fill in the rest */
1009         ntlmssp_state->server.netbios_name = "";
1010         ntlmssp_state->server.netbios_domain = server_domain;
1011         ntlmssp_state->server.dns_name = "";
1012         ntlmssp_state->server.dns_domain = "";
1013
1014         if (challenge_blob.length != 8) {
1015                 data_blob_free(&struct_blob);
1016                 return NT_STATUS_INVALID_PARAMETER;
1017         }
1018
1019         if (!ntlmssp_state->nt_hash || !ntlmssp_state->lm_hash) {
1020                 static const uint8_t zeros[16] = {0, };
1021                 /* do nothing - blobs are zero length */
1022
1023                 /* session key is all zeros */
1024                 session_key = data_blob_talloc(ntlmssp_state, zeros, 16);
1025
1026                 /* not doing NLTM2 without a password */
1027                 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1028         } else if (ntlmssp_state->use_ntlmv2) {
1029                 if (!struct_blob.length) {
1030                         /* be lazy, match win2k - we can't do NTLMv2 without it */
1031                         DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
1032                         return NT_STATUS_INVALID_PARAMETER;
1033                 }
1034
1035                 /* TODO: if the remote server is standalone, then we should replace 'domain'
1036                    with the server name as supplied above */
1037
1038                 if (!SMBNTLMv2encrypt_hash(ntlmssp_state,
1039                                            ntlmssp_state->user,
1040                                            ntlmssp_state->domain,
1041                                            ntlmssp_state->nt_hash, &challenge_blob,
1042                                            &struct_blob,
1043                                            &lm_response, &nt_response, NULL,
1044                                            &session_key)) {
1045                         data_blob_free(&challenge_blob);
1046                         data_blob_free(&struct_blob);
1047                         return NT_STATUS_NO_MEMORY;
1048                 }
1049         } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
1050                 struct MD5Context md5_session_nonce_ctx;
1051                 uint8_t session_nonce[16];
1052                 uint8_t session_nonce_hash[16];
1053                 uint8_t user_session_key[16];
1054
1055                 lm_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1056                 generate_random_buffer(lm_response.data, 8);
1057                 memset(lm_response.data+8, 0, 16);
1058
1059                 memcpy(session_nonce, challenge_blob.data, 8);
1060                 memcpy(&session_nonce[8], lm_response.data, 8);
1061
1062                 MD5Init(&md5_session_nonce_ctx);
1063                 MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
1064                 MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
1065                 MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
1066
1067                 DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
1068                 DEBUG(5, ("challenge is: \n"));
1069                 dump_data(5, session_nonce_hash, 8);
1070
1071                 nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1072                 SMBNTencrypt_hash(ntlmssp_state->nt_hash,
1073                                   session_nonce_hash,
1074                                   nt_response.data);
1075
1076                 session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
1077
1078                 SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, user_session_key);
1079                 hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
1080                 dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
1081         } else {
1082                 /* lanman auth is insecure, it may be disabled */
1083                 if (lp_client_lanman_auth()) {
1084                         lm_response = data_blob_talloc(ntlmssp_state,
1085                                                        NULL, 24);
1086                         SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data,
1087                                    lm_response.data);
1088                 }
1089
1090                 nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1091                 SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data,
1092                              nt_response.data);
1093
1094                 session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
1095                 if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
1096                     && lp_client_lanman_auth()) {
1097                         SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data,
1098                                         session_key.data);
1099                         dump_data_pw("LM session key\n", session_key.data, session_key.length);
1100                 } else {
1101                         SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, session_key.data);
1102                         dump_data_pw("NT session key:\n", session_key.data, session_key.length);
1103                 }
1104         }
1105         data_blob_free(&struct_blob);
1106
1107         /* Key exchange encryptes a new client-generated session key with
1108            the password-derived key */
1109         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
1110                 /* Make up a new session key */
1111                 uint8_t client_session_key[16];
1112                 generate_random_buffer(client_session_key, sizeof(client_session_key));
1113
1114                 /* Encrypt the new session key with the old one */
1115                 encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
1116                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
1117                 arcfour_crypt_blob(encrypted_session_key.data, encrypted_session_key.length, &session_key);
1118                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
1119
1120                 /* Mark the new session key as the 'real' session key */
1121                 data_blob_free(&session_key);
1122                 session_key = data_blob_talloc(ntlmssp_state,
1123                                                client_session_key,
1124                                                sizeof(client_session_key));
1125         }
1126
1127         /* this generates the actual auth packet */
1128         if (!msrpc_gen(ntlmssp_state, next_request, auth_gen_string,
1129                        "NTLMSSP",
1130                        NTLMSSP_AUTH,
1131                        lm_response.data, lm_response.length,
1132                        nt_response.data, nt_response.length,
1133                        ntlmssp_state->domain,
1134                        ntlmssp_state->user,
1135                        ntlmssp_state->client.netbios_name,
1136                        encrypted_session_key.data, encrypted_session_key.length,
1137                        ntlmssp_state->neg_flags)) {
1138
1139                 return NT_STATUS_NO_MEMORY;
1140         }
1141
1142         if (DEBUGLEVEL >= 10) {
1143                 struct AUTHENTICATE_MESSAGE *authenticate = talloc(
1144                         talloc_tos(), struct AUTHENTICATE_MESSAGE);
1145                 if (authenticate != NULL) {
1146                         NTSTATUS status;
1147                         authenticate->NegotiateFlags =
1148                                 ntlmssp_state->neg_flags;
1149                         status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
1150                                 next_request, authenticate, authenticate);
1151                         if (NT_STATUS_IS_OK(status)) {
1152                                 NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
1153                                                 authenticate);
1154                         }
1155                         TALLOC_FREE(authenticate);
1156                 }
1157         }
1158
1159         data_blob_free(&encrypted_session_key);
1160
1161         data_blob_free(&ntlmssp_state->chal);
1162
1163         ntlmssp_state->session_key = session_key;
1164
1165         ntlmssp_state->chal = challenge_blob;
1166         ntlmssp_state->lm_resp = lm_response;
1167         ntlmssp_state->nt_resp = nt_response;
1168
1169 done:
1170
1171         ntlmssp_state->expected_state = NTLMSSP_DONE;
1172
1173         if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
1174                 DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
1175         }
1176
1177         return nt_status;
1178 }
1179
1180 NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
1181                               const char *netbios_name,
1182                               const char *netbios_domain,
1183                               bool use_ntlmv2,
1184                               struct ntlmssp_state **_ntlmssp_state)
1185 {
1186         struct ntlmssp_state *ntlmssp_state;
1187
1188         if (!netbios_name) {
1189                 netbios_name = "";
1190         }
1191
1192         if (!netbios_domain) {
1193                 netbios_domain = "";
1194         }
1195
1196         ntlmssp_state = talloc_zero(mem_ctx, struct ntlmssp_state);
1197         if (!ntlmssp_state) {
1198                 return NT_STATUS_NO_MEMORY;
1199         }
1200
1201         ntlmssp_state->role = NTLMSSP_CLIENT;
1202
1203         ntlmssp_state->unicode = True;
1204
1205         ntlmssp_state->use_ntlmv2 = use_ntlmv2;
1206
1207         ntlmssp_state->expected_state = NTLMSSP_INITIAL;
1208
1209         ntlmssp_state->neg_flags =
1210                 NTLMSSP_NEGOTIATE_128 |
1211                 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
1212                 NTLMSSP_NEGOTIATE_NTLM |
1213                 NTLMSSP_NEGOTIATE_NTLM2 |
1214                 NTLMSSP_NEGOTIATE_KEY_EXCH |
1215                 NTLMSSP_REQUEST_TARGET;
1216
1217         ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
1218         if (!ntlmssp_state->client.netbios_name) {
1219                 talloc_free(ntlmssp_state);
1220                 return NT_STATUS_NO_MEMORY;
1221         }
1222         ntlmssp_state->client.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
1223         if (!ntlmssp_state->client.netbios_domain) {
1224                 talloc_free(ntlmssp_state);
1225                 return NT_STATUS_NO_MEMORY;
1226         }
1227
1228         *_ntlmssp_state = ntlmssp_state;
1229         return NT_STATUS_OK;
1230 }