fe29cff021e8b45eff8e3ea8b3373827f4c89f55
[samba.git] / source / utils / ntlm_auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind status program.
5
6    Copyright (C) Tim Potter      2000-2003
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8    Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000 
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "dynconfig.h"
27 #include "system/filesys.h"
28 #include "system/passwd.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "auth/auth.h"
31 #include "librpc/gen_ndr/ndr_security.h"
32
33 #define SQUID_BUFFER_SIZE 2010
34
35 enum stdio_helper_mode {
36         SQUID_2_4_BASIC,
37         SQUID_2_5_BASIC,
38         SQUID_2_5_NTLMSSP,
39         NTLMSSP_CLIENT_1,
40         GSS_SPNEGO_CLIENT,
41         GSS_SPNEGO_SERVER,
42         NTLM_SERVER_1,
43         NUM_HELPER_MODES
44 };
45
46 #define NTLM_AUTH_FLAG_USER_SESSION_KEY     0x0004
47 #define NTLM_AUTH_FLAG_LMKEY                0x0008
48
49
50 typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, 
51                                       char *buf, int length, void **private,
52                                       unsigned int mux_id, void **private2);
53
54 static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, 
55                                         char *buf, int length, void **private,
56                                         unsigned int mux_id, void **private2);
57
58 static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode, 
59                                    char *buf, int length, void **private,
60                                    unsigned int mux_id, void **private2);
61
62 static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, 
63                                           char *buf, int length, void **private,
64                                           unsigned int mux_id, void **private2);
65
66 static void manage_squid_request(enum stdio_helper_mode helper_mode, 
67                                  stdio_helper_function fn, void **private2);
68
69 static const struct {
70         enum stdio_helper_mode mode;
71         const char *name;
72         stdio_helper_function fn;
73 } stdio_helper_protocols[] = {
74         { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
75         { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
76         { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_gensec_request},
77         { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_request},
78         { GSS_SPNEGO_SERVER, "gss-spnego", manage_gensec_request},
79         { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_request},
80         { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
81         { NUM_HELPER_MODES, NULL, NULL}
82 };
83
84 extern int winbindd_fd;
85
86 static const char *opt_username;
87 static const char *opt_domain;
88 static const char *opt_workstation;
89 static const char *opt_password;
90 static int opt_multiplex;
91
92
93 static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
94
95 static void mux_printf(unsigned int mux_id, const char *format, ...)
96 {
97         va_list ap;
98
99         if (opt_multiplex) {
100                 x_fprintf(x_stdout, "%d ", mux_id);
101         }
102
103         va_start(ap, format);
104         x_vfprintf(x_stdout, format, ap);
105         va_end(ap);
106 }
107
108
109
110 /* Copy of parse_domain_user from winbindd_util.c.  Parse a string of the
111    form DOMAIN/user into a domain and a user */
112
113 static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain, 
114                                         fstring user)
115 {
116
117         char *p = strchr(domuser,*lp_winbind_separator());
118
119         if (!p) {
120                 return False;
121         }
122         
123         fstrcpy(user, p+1);
124         fstrcpy(domain, domuser);
125         domain[PTR_DIFF(p, domuser)] = 0;
126
127         return True;
128 }
129
130 /* Authenticate a user with a plaintext password */
131
132 static BOOL check_plaintext_auth(const char *user, const char *pass, 
133                                  BOOL stdout_diagnostics)
134 {
135         return (strcmp(pass, opt_password) == 0);
136 }
137
138 /* authenticate a user with an encrypted username/password */
139
140 static NTSTATUS local_pw_check_specified(const char *username, 
141                                          const char *domain, 
142                                          const char *workstation,
143                                          const DATA_BLOB *challenge, 
144                                          const DATA_BLOB *lm_response, 
145                                          const DATA_BLOB *nt_response, 
146                                          uint32_t flags, 
147                                          DATA_BLOB *lm_session_key, 
148                                          DATA_BLOB *user_session_key, 
149                                          char **error_string, 
150                                          char **unix_name) 
151 {
152         NTSTATUS nt_status;
153         struct samr_Password lm_pw, nt_pw;
154         struct samr_Password *lm_pwd, *nt_pwd;
155         TALLOC_CTX *mem_ctx = talloc_init("local_pw_check_specified");
156         if (!mem_ctx) {
157                 nt_status = NT_STATUS_NO_MEMORY;
158         } else {
159                 
160                 E_md4hash(opt_password, nt_pw.hash);
161                 if (E_deshash(opt_password, lm_pw.hash)) {
162                         lm_pwd = &lm_pw;
163                 } else {
164                         lm_pwd = NULL;
165                 }
166                 nt_pwd = &nt_pw;
167                 
168                 
169                 nt_status = ntlm_password_check(mem_ctx, 
170                                                 challenge,
171                                                 lm_response,
172                                                 nt_response,
173                                                 username,
174                                                 username,
175                                                 domain,
176                                                 lm_pwd, nt_pwd, user_session_key, lm_session_key);
177                 
178                 if (NT_STATUS_IS_OK(nt_status)) {
179                         if (unix_name) {
180                                 asprintf(unix_name, 
181                                          "%s%c%s", domain,
182                                          *lp_winbind_separator(), 
183                                          username);
184                         }
185                 } else {
186                         DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", 
187                                   domain, username, workstation, 
188                                   nt_errstr(nt_status)));
189                 }
190                 talloc_free(mem_ctx);
191         }
192         if (error_string) {
193                 *error_string = strdup(nt_errstr(nt_status));
194         }
195         return nt_status;
196         
197         
198 }
199
200 static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, 
201                                        char *buf, int length, void **private,
202                                        unsigned int mux_id, void **private2) 
203 {
204         char *user, *pass;      
205         user=buf;
206         
207         pass=memchr(buf,' ',length);
208         if (!pass) {
209                 DEBUG(2, ("Password not found. Denying access\n"));
210                 mux_printf(mux_id, "ERR\n");
211                 return;
212         }
213         *pass='\0';
214         pass++;
215         
216         if (stdio_helper_mode == SQUID_2_5_BASIC) {
217                 rfc1738_unescape(user);
218                 rfc1738_unescape(pass);
219         }
220         
221         if (check_plaintext_auth(user, pass, False)) {
222                 mux_printf(mux_id, "OK\n");
223         } else {
224                 mux_printf(mux_id, "ERR\n");
225         }
226 }
227
228 /* This is a bit hairy, but the basic idea is to do a password callback
229    to the calling application.  The callback comes from within gensec */
230
231 static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, 
232                                          char *buf, int length, void **private,
233                                          unsigned int mux_id, void **password)  
234 {
235         DATA_BLOB in;
236         if (strlen(buf) < 2) {
237                 DEBUG(1, ("query [%s] invalid", buf));
238                 mux_printf(mux_id, "BH\n");
239                 return;
240         }
241
242         if (strlen(buf) > 3) {
243                 in = base64_decode_data_blob(NULL, buf + 3);
244         } else {
245                 in = data_blob(NULL, 0);
246         }
247
248         if (strncmp(buf, "PW ", 3) == 0) {
249
250                 *password = talloc_strndup(*private /* hopefully the right gensec context, useful to use for talloc */,
251                                            (const char *)in.data, in.length);
252                 
253                 if (*password == NULL) {
254                         DEBUG(1, ("Out of memory\n"));
255                         mux_printf(mux_id, "BH\n");
256                         data_blob_free(&in);
257                         return;
258                 }
259
260                 mux_printf(mux_id, "OK\n");
261                 data_blob_free(&in);
262                 return;
263         }
264         DEBUG(1, ("Asked for (and expected) a password\n"));
265         mux_printf(mux_id, "BH\n");
266         data_blob_free(&in);
267 }
268
269 /** 
270  * Callback for password credentails.  This is not async, and when
271  * GENSEC and the credentails code is made async, it will look rather
272  * different.
273  */
274
275 static const char *get_password(struct cli_credentials *credentials) 
276 {
277         char *password = NULL;
278         
279         /* Ask for a password */
280         mux_printf((unsigned int)credentials->priv_data, "PW\n");
281         credentials->priv_data = NULL;
282
283         manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
284         return password;
285 }
286
287 static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, 
288                                   char *buf, int length, void **private,
289                                   unsigned int mux_id, void **private2) 
290 {
291         DATA_BLOB in;
292         DATA_BLOB out = data_blob(NULL, 0);
293         char *out_base64 = NULL;
294         const char *reply_arg = NULL;
295         struct gensec_ntlm_state {
296                 struct gensec_security *gensec_state;
297                 const char *set_password;
298         };
299         struct gensec_ntlm_state *state;
300
301         NTSTATUS nt_status;
302         BOOL first = False;
303         const char *reply_code;
304         struct cli_credentials *creds;
305
306         TALLOC_CTX *mem_ctx;
307
308         if (*private) {
309                 state = *private;
310         } else {
311                 state = talloc_zero(NULL, struct gensec_ntlm_state);
312                 if (!state) {
313                         mux_printf(mux_id, "BH No Memory\n");
314                         exit(1);
315                 }
316                 *private = state;
317                 if (opt_password) {
318                         state->set_password = opt_password;
319                 }
320         }
321         
322         if (strlen(buf) < 2) {
323                 DEBUG(1, ("query [%s] invalid", buf));
324                 mux_printf(mux_id, "BH\n");
325                 return;
326         }
327
328         if (strlen(buf) > 3) {
329                 in = base64_decode_data_blob(NULL, buf + 3);
330         } else {
331                 in = data_blob(NULL, 0);
332         }
333
334         if (strncmp(buf, "YR", 2) == 0) {
335                 if (state->gensec_state) {
336                         talloc_free(state->gensec_state);
337                         state->gensec_state = NULL;
338                 }
339         } else if ( (strncmp(buf, "OK", 2) == 0)) {
340                 /* do nothing */
341                 data_blob_free(&in);
342                 return;
343         } else if ( (strncmp(buf, "TT ", 3) != 0) &&
344                     (strncmp(buf, "KK ", 3) != 0) &&
345                     (strncmp(buf, "AF ", 3) != 0) &&
346                     (strncmp(buf, "NA ", 3) != 0) && 
347                     (strncmp(buf, "UG", 2) != 0) && 
348                     (strncmp(buf, "PW ", 3) != 0)) {
349                 DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
350                 mux_printf(mux_id, "BH\n");
351                 data_blob_free(&in);
352                 return;
353         }
354
355         /* setup gensec */
356         if (!(state->gensec_state)) {
357                 switch (stdio_helper_mode) {
358                 case GSS_SPNEGO_CLIENT:
359                 case NTLMSSP_CLIENT_1:
360                         /* setup the client side */
361
362                         nt_status = gensec_client_start(NULL, &state->gensec_state, NULL);
363                         if (!NT_STATUS_IS_OK(nt_status)) {
364                                 exit(1);
365                         }
366
367                         break;
368                 case GSS_SPNEGO_SERVER:
369                 case SQUID_2_5_NTLMSSP:
370                         if (!NT_STATUS_IS_OK(gensec_server_start(NULL, &state->gensec_state, NULL))) {
371                                 exit(1);
372                         }
373                         break;
374                 default:
375                         abort();
376                 }
377
378                 creds = cli_credentials_init(state->gensec_state);
379                 cli_credentials_set_conf(creds);
380                 if (opt_username) {
381                         cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
382                 }
383                 if (opt_domain) {
384                         cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
385                 }
386                 if (state->set_password) {
387                         cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
388                 } else {
389                         cli_credentials_set_password_callback(creds, get_password);
390                         creds->priv_data = (void*)mux_id;
391                 }
392                 if (opt_workstation) {
393                         cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
394                 }
395                 gensec_set_credentials(state->gensec_state, creds);
396
397                 switch (stdio_helper_mode) {
398                 case GSS_SPNEGO_CLIENT:
399                 case GSS_SPNEGO_SERVER:
400                         nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO);
401                         if (!in.length) {
402                                 first = True;
403                         }
404                         break;
405                 case NTLMSSP_CLIENT_1:
406                         if (!in.length) {
407                                 first = True;
408                         }
409                 case SQUID_2_5_NTLMSSP:
410                         nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP);
411                         break;
412                 default:
413                         abort();
414                 }
415
416                 if (!NT_STATUS_IS_OK(nt_status)) {
417                         DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status)));
418                         mux_printf(mux_id, "BH\n");
419                         return;
420                 }
421
422         }
423
424         /* update */
425         mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
426         
427         if (strncmp(buf, "PW ", 3) == 0) {
428                 state->set_password = talloc_strndup(state,
429                                                      (const char *)in.data, 
430                                                      in.length);
431                 
432                 cli_credentials_set_password(gensec_get_credentials(state->gensec_state),
433                                              state->set_password,
434                                              CRED_SPECIFIED);
435                 mux_printf(mux_id, "OK\n");
436                 data_blob_free(&in);
437                 talloc_free(mem_ctx);
438                 return;
439         }
440
441         if (strncmp(buf, "UG", 2) == 0) {
442                 int i;
443                 char *grouplist = NULL;
444                 struct auth_session_info *session_info;
445
446                 if (!NT_STATUS_IS_OK(gensec_session_info(state->gensec_state, &session_info))) { 
447                         DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status)));
448                         mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status));
449                         data_blob_free(&in);
450                         talloc_free(mem_ctx);
451                         return;
452                 }
453                 
454                 /* get the string onto the context */
455                 grouplist = talloc_strdup(mem_ctx, "");
456                 
457                 for (i=0; i<session_info->security_token->num_sids; i++) {
458                         struct security_token *token = session_info->security_token; 
459                         const char *sidstr = dom_sid_string(session_info, 
460                                                             token->sids[i]);
461                         grouplist = talloc_asprintf_append(grouplist, "%s,", sidstr);
462                 }
463
464                 mux_printf(mux_id, "GL %s\n", grouplist);
465                 talloc_free(session_info);
466                 data_blob_free(&in);
467                 talloc_free(mem_ctx);
468                 return;
469         }
470
471         nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
472         
473         /* don't leak 'bad password'/'no such user' info to the network client */
474         nt_status = auth_nt_status_squash(nt_status);
475
476         if (out.length) {
477                 out_base64 = base64_encode_data_blob(mem_ctx, out);
478         } else {
479                 out_base64 = NULL;
480         }
481
482         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
483                 reply_arg = "*";
484                 if (first) {
485                         reply_code = "YR";
486                 } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { 
487                         reply_code = "KK";
488                 } else if (state->gensec_state->gensec_role == GENSEC_SERVER) { 
489                         reply_code = "TT";
490                 } else {
491                         abort();
492                 }
493
494
495         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
496                 reply_code = "BH";
497                 reply_arg = nt_errstr(nt_status);
498                 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
499         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
500                 reply_code = "BH";
501                 reply_arg = nt_errstr(nt_status);
502                 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
503         } else if (!NT_STATUS_IS_OK(nt_status)) {
504                 reply_code = "NA";
505                 reply_arg = nt_errstr(nt_status);
506                 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
507         } else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) {
508                 struct auth_session_info *session_info;
509
510                 nt_status = gensec_session_info(state->gensec_state, &session_info);
511                 if (!NT_STATUS_IS_OK(nt_status)) {
512                         reply_code = "BH";
513                         reply_arg = nt_errstr(nt_status);
514                         DEBUG(1, ("GENSEC failed to retreive the session info: %s\n", nt_errstr(nt_status)));
515                 } else {
516
517                         reply_code = "AF";
518                         reply_arg = talloc_asprintf(state->gensec_state, 
519                                                     "%s%s%s", session_info->server_info->domain_name, 
520                                                     lp_winbind_separator(), session_info->server_info->account_name);
521                         talloc_free(session_info);
522                 }
523         } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
524                 reply_code = "AF";
525                 reply_arg = out_base64;
526         } else {
527                 abort();
528         }
529
530         switch (stdio_helper_mode) {
531         case GSS_SPNEGO_SERVER:
532                 mux_printf(mux_id, "%s %s %s\n", reply_code, 
533                           out_base64 ? out_base64 : "*", 
534                           reply_arg ? reply_arg : "*");
535                 break;
536         default:
537                 if (out_base64) {
538                         mux_printf(mux_id, "%s %s\n", reply_code, out_base64);
539                 } else if (reply_arg) {
540                         mux_printf(mux_id, "%s %s\n", reply_code, reply_arg);
541                 } else {
542                         mux_printf(mux_id, "%s\n", reply_code);
543                 }
544         }
545
546         talloc_free(mem_ctx);
547         return;
548 }
549
550 static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, 
551                                          char *buf, int length, void **private,
552                                          unsigned int mux_id, void **private2) 
553 {
554         char *request, *parameter;      
555         static DATA_BLOB challenge;
556         static DATA_BLOB lm_response;
557         static DATA_BLOB nt_response;
558         static char *full_username;
559         static char *username;
560         static char *domain;
561         static char *plaintext_password;
562         static BOOL ntlm_server_1_user_session_key;
563         static BOOL ntlm_server_1_lm_session_key;
564         
565         if (strequal(buf, ".")) {
566                 if (!full_username && !username) {      
567                         mux_printf(mux_id, "Error: No username supplied!\n");
568                 } else if (plaintext_password) {
569                         /* handle this request as plaintext */
570                         if (!full_username) {
571                                 if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(), username) == -1) {
572                                         mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n");
573                                         return;
574                                 }
575                         }
576                         if (check_plaintext_auth(full_username, plaintext_password, False)) {
577                                 mux_printf(mux_id, "Authenticated: Yes\n");
578                         } else {
579                                 mux_printf(mux_id, "Authenticated: No\n");
580                         }
581                 } else if (!lm_response.data && !nt_response.data) {
582                         mux_printf(mux_id, "Error: No password supplied!\n");
583                 } else if (!challenge.data) {   
584                         mux_printf(mux_id, "Error: No lanman-challenge supplied!\n");
585                 } else {
586                         char *error_string = NULL;
587                         DATA_BLOB lm_key;
588                         DATA_BLOB user_session_key;
589                         uint32_t flags = 0;
590
591                         if (full_username && !username) {
592                                 fstring fstr_user;
593                                 fstring fstr_domain;
594                                 
595                                 if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) {
596                                         /* username might be 'tainted', don't print into our new-line deleimianted stream */
597                                         mux_printf(mux_id, "Error: Could not parse into domain and username\n");
598                                 }
599                                 SAFE_FREE(username);
600                                 SAFE_FREE(domain);
601                                 username = smb_xstrdup(fstr_user);
602                                 domain = smb_xstrdup(fstr_domain);
603                         }
604
605                         if (!domain) {
606                                 domain = smb_xstrdup(lp_workgroup());
607                         }
608
609                         if (ntlm_server_1_lm_session_key) 
610                                 flags |= NTLM_AUTH_FLAG_LMKEY;
611                         
612                         if (ntlm_server_1_user_session_key) 
613                                 flags |= NTLM_AUTH_FLAG_USER_SESSION_KEY;
614
615                         if (!NT_STATUS_IS_OK(
616                                     local_pw_check_specified(username, 
617                                                               domain, 
618                                                               lp_netbios_name(),
619                                                               &challenge, 
620                                                               &lm_response, 
621                                                               &nt_response, 
622                                                               flags, 
623                                                               &lm_key, 
624                                                               &user_session_key,
625                                                               &error_string,
626                                                               NULL))) {
627
628                                 mux_printf(mux_id, "Authenticated: No\n");
629                                 mux_printf(mux_id, "Authentication-Error: %s\n.\n", error_string);
630                                 SAFE_FREE(error_string);
631                         } else {
632                                 static char zeros[16];
633                                 char *hex_lm_key;
634                                 char *hex_user_session_key;
635
636                                 mux_printf(mux_id, "Authenticated: Yes\n");
637
638                                 if (ntlm_server_1_lm_session_key 
639                                     && lm_key.length 
640                                     && (memcmp(zeros, lm_key.data, 
641                                                                 lm_key.length) != 0)) {
642                                         hex_encode(lm_key.data,
643                                                    lm_key.length,
644                                                    &hex_lm_key);
645                                         mux_printf(mux_id, "LANMAN-Session-Key: %s\n", hex_lm_key);
646                                         SAFE_FREE(hex_lm_key);
647                                 }
648
649                                 if (ntlm_server_1_user_session_key 
650                                     && user_session_key.length 
651                                     && (memcmp(zeros, user_session_key.data, 
652                                                user_session_key.length) != 0)) {
653                                         hex_encode(user_session_key.data, 
654                                                    user_session_key.length, 
655                                                    &hex_user_session_key);
656                                         mux_printf(mux_id, "User-Session-Key: %s\n", hex_user_session_key);
657                                         SAFE_FREE(hex_user_session_key);
658                                 }
659                         }
660                 }
661                 /* clear out the state */
662                 challenge = data_blob(NULL, 0);
663                 nt_response = data_blob(NULL, 0);
664                 lm_response = data_blob(NULL, 0);
665                 SAFE_FREE(full_username);
666                 SAFE_FREE(username);
667                 SAFE_FREE(domain);
668                 SAFE_FREE(plaintext_password);
669                 ntlm_server_1_user_session_key = False;
670                 ntlm_server_1_lm_session_key = False;
671                 mux_printf(mux_id, ".\n");
672
673                 return;
674         }
675
676         request = buf;
677
678         /* Indicates a base64 encoded structure */
679         parameter = strstr(request, ":: ");
680         if (!parameter) {
681                 parameter = strstr(request, ": ");
682                 
683                 if (!parameter) {
684                         DEBUG(0, ("Parameter not found!\n"));
685                         mux_printf(mux_id, "Error: Parameter not found!\n.\n");
686                         return;
687                 }
688                 
689                 parameter[0] ='\0';
690                 parameter++;
691                 parameter[0] ='\0';
692                 parameter++;
693
694         } else {
695                 parameter[0] ='\0';
696                 parameter++;
697                 parameter[0] ='\0';
698                 parameter++;
699                 parameter[0] ='\0';
700                 parameter++;
701
702                 base64_decode_inplace(parameter);
703         }
704
705         if (strequal(request, "LANMAN-Challenge")) {
706                 challenge = strhex_to_data_blob(parameter);
707                 if (challenge.length != 8) {
708                         mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", 
709                                   parameter,
710                                   (int)challenge.length);
711                         challenge = data_blob(NULL, 0);
712                 }
713         } else if (strequal(request, "NT-Response")) {
714                 nt_response = strhex_to_data_blob(parameter);
715                 if (nt_response.length < 24) {
716                         mux_printf(mux_id, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", 
717                                   parameter,
718                                   (int)nt_response.length);
719                         nt_response = data_blob(NULL, 0);
720                 }
721         } else if (strequal(request, "LANMAN-Response")) {
722                 lm_response = strhex_to_data_blob(parameter);
723                 if (lm_response.length != 24) {
724                         mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", 
725                                   parameter,
726                                   (int)lm_response.length);
727                         lm_response = data_blob(NULL, 0);
728                 }
729         } else if (strequal(request, "Password")) {
730                 plaintext_password = smb_xstrdup(parameter);
731         } else if (strequal(request, "NT-Domain")) {
732                 domain = smb_xstrdup(parameter);
733         } else if (strequal(request, "Username")) {
734                 username = smb_xstrdup(parameter);
735         } else if (strequal(request, "Full-Username")) {
736                 full_username = smb_xstrdup(parameter);
737         } else if (strequal(request, "Request-User-Session-Key")) {
738                 ntlm_server_1_user_session_key = strequal(parameter, "Yes");
739         } else if (strequal(request, "Request-LanMan-Session-Key")) {
740                 ntlm_server_1_lm_session_key = strequal(parameter, "Yes");
741         } else {
742                 mux_printf(mux_id, "Error: Unknown request %s\n.\n", request);
743         }
744 }
745
746 static void manage_squid_request(enum stdio_helper_mode helper_mode, 
747                                  stdio_helper_function fn, void **private2) 
748 {
749         char buf[SQUID_BUFFER_SIZE+1];
750         unsigned int mux_id;
751         int length;
752         char *c;
753         static BOOL err;
754         struct mux_private {
755                 unsigned int max_mux;
756                 void **private_pointers;
757         };
758         
759         static struct mux_private *mux_private;
760         static void *normal_private;
761         void **private;
762
763         /* this is not a typo - x_fgets doesn't work too well under squid */
764         if (fgets(buf, sizeof(buf)-1, stdin) == NULL) {
765                 if (ferror(stdin)) {
766                         DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", ferror(stdin),
767                                   strerror(ferror(stdin))));
768                         
769                         exit(1);    /* BIIG buffer */
770                 }
771                 exit(0);
772         }
773     
774         c=memchr(buf,'\n',sizeof(buf)-1);
775         if (c) {
776                 *c = '\0';
777                 length = c-buf;
778         } else {
779                 err = 1;
780                 return;
781         }
782         if (err) {
783                 DEBUG(0, ("Oversized message\n"));
784                 x_fprintf(x_stdout, "ERR\n");
785                 err = 0;
786                 return;
787         }
788
789         DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
790
791         if (buf[0] == '\0') {
792                 DEBUG(0, ("Invalid Request (empty)\n"));
793                 x_fprintf(x_stdout, "ERR\n");
794                 return;
795         }
796
797         if (opt_multiplex) {
798                 if (sscanf(buf, "%u ", &mux_id) != 1) {
799                         DEBUG(0, ("Invalid Request - no multiplex id\n"));
800                         x_fprintf(x_stdout, "ERR\n");
801                         return;
802                 }
803                 if (!mux_private) {
804                         mux_private = talloc(NULL, struct mux_private);
805                         mux_private->max_mux = 0;
806                         mux_private->private_pointers = NULL;
807                 }
808                 
809                 c=strchr(buf,' ');
810                 if (!c) {
811                         DEBUG(0, ("Invalid Request - no data after multiplex id\n"));
812                         x_fprintf(x_stdout, "ERR\n");
813                         return;
814                 }
815                 c++;
816                 if (mux_id >= mux_private->max_mux) {
817                         unsigned int prev_max = mux_private->max_mux;
818                         mux_private->max_mux = mux_id + 1;
819                         mux_private->private_pointers
820                                 = talloc_realloc(mux_private, 
821                                                    mux_private->private_pointers, 
822                                                    void *, mux_private->max_mux);
823                         memset(&mux_private->private_pointers[prev_max], '\0',  
824                                (sizeof(*mux_private->private_pointers) * (mux_private->max_mux - prev_max))); 
825                 };
826
827                 private = &mux_private->private_pointers[mux_id];
828         } else {
829                 c = buf;
830                 private = &normal_private;
831         }
832         
833         fn(helper_mode, c, length, private, mux_id, private2);
834 }
835
836 static void squid_stream(enum stdio_helper_mode stdio_mode, 
837                          stdio_helper_function fn) {
838         /* initialize FDescs */
839         x_setbuf(x_stdout, NULL);
840         x_setbuf(x_stderr, NULL);
841         while(1) {
842                 manage_squid_request(stdio_mode, fn, NULL);
843         }
844 }
845
846
847 /* Main program */
848
849 enum {
850         OPT_USERNAME = 1000,
851         OPT_DOMAIN,
852         OPT_WORKSTATION,
853         OPT_CHALLENGE,
854         OPT_RESPONSE,
855         OPT_LM,
856         OPT_NT,
857         OPT_PASSWORD,
858         OPT_LM_KEY,
859         OPT_USER_SESSION_KEY,
860         OPT_DIAGNOSTICS,
861         OPT_REQUIRE_MEMBERSHIP,
862         OPT_MULTIPLEX,
863 };
864
865  int main(int argc, const char **argv)
866 {
867         static const char *helper_protocol;
868         int opt;
869
870         poptContext pc;
871
872         /* NOTE: DO NOT change this interface without considering the implications!
873            This is an external interface, which other programs will use to interact 
874            with this helper.
875         */
876
877         /* We do not use single-letter command abbreviations, because they harm future 
878            interface stability. */
879
880         struct poptOption long_options[] = {
881                 POPT_AUTOHELP
882                 { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
883                 { "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
884                 { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
885                 { "username", 0, POPT_ARG_STRING, &opt_username, OPT_PASSWORD, "Username"},             
886                 { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},            
887                 { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"},
888                 POPT_COMMON_SAMBA
889                 POPT_COMMON_VERSION
890                 POPT_TABLEEND
891         };
892
893         /* Samba client initialisation */
894
895         setup_logging(NULL, DEBUG_STDERR);
896
897         /* Parse options */
898
899         pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
900
901         /* Parse command line options */
902
903         if (argc == 1) {
904                 poptPrintHelp(pc, stderr, 0);
905                 return 1;
906         }
907
908         pc = poptGetContext(NULL, argc, (const char **)argv, long_options, 
909                             POPT_CONTEXT_KEEP_FIRST);
910
911         while((opt = poptGetNextOpt(pc)) != -1) {
912                 if (opt < -1) {
913                         break;
914                 }
915         }
916         if (opt < -1) {
917                 fprintf(stderr, "%s: %s\n",
918                         poptBadOption(pc, POPT_BADOPTION_NOALIAS),
919                         poptStrerror(opt));
920                 return 1;
921         }
922
923         ntlm_auth_init_subsystems;
924
925
926         if (opt_domain == NULL) {
927                 opt_domain = lp_workgroup();
928         }
929
930         if (helper_protocol) {
931                 int i;
932                 for (i=0; i<NUM_HELPER_MODES; i++) {
933                         if (strcmp(helper_protocol, stdio_helper_protocols[i].name) == 0) {
934                                 squid_stream(stdio_helper_protocols[i].mode, stdio_helper_protocols[i].fn);
935                                 exit(0);
936                         }
937                 }
938                 x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
939
940                 for (i=0; i<NUM_HELPER_MODES; i++) {
941                         x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
942                 }
943
944                 exit(1);
945         }
946
947         if (!opt_username) {
948                 x_fprintf(x_stderr, "username must be specified!\n\n");
949                 poptPrintHelp(pc, stderr, 0);
950                 exit(1);
951         }
952
953         if (opt_workstation == NULL) {
954                 opt_workstation = lp_netbios_name();
955         }
956
957         if (!opt_password) {
958                 opt_password = getpass("password: ");
959         }
960
961         {
962                 char *user;
963
964                 asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(), opt_username);
965                 if (!check_plaintext_auth(user, opt_password, True)) {
966                         return 1;
967                 }
968         }
969
970         /* Exit code */
971
972         poptFreeContext(pc);
973         return 0;
974 }