r6738: My version of the patch by metze that I just reverted (-r 6734).

This also includes other changes to reduce memory use by GENSEC when
not being used for sign/seal operations.  This should lower tridge's K
'per connection' benchmark further.

Andrew Bartlett
(This used to be commit 4a5829401b20c10091185bbd93236477523459b2)

3 files changed, 83 insertions, 56 deletions

diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index 270beb151f..9d6b827fbc 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -178,7 +178,7 @@ struct gensec_ntlmssp_state
 			/* internal variables used by NTLM2 */
 			uint8_t session_nonce[16];
 		} ntlm2;
-	};
+	} crypt;
 
 	struct auth_context *auth_context;
 	struct auth_serversupplied_info *server_info;
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index c54d30abdc..db169684d6 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -350,11 +350,11 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms
 			
 			gensec_ntlmssp_state->doing_ntlm2 = True;
 
-			memcpy(gensec_ntlmssp_state->ntlm2.session_nonce, gensec_ntlmssp_state->internal_chal.data, 8);
-			memcpy(&gensec_ntlmssp_state->ntlm2.session_nonce[8], gensec_ntlmssp_state->lm_resp.data, 8);
+			memcpy(gensec_ntlmssp_state->crypt.ntlm2.session_nonce, gensec_ntlmssp_state->internal_chal.data, 8);
+			memcpy(&gensec_ntlmssp_state->crypt.ntlm2.session_nonce[8], gensec_ntlmssp_state->lm_resp.data, 8);
 			
 			MD5Init(&md5_session_nonce_ctx);
-			MD5Update(&md5_session_nonce_ctx, gensec_ntlmssp_state->ntlm2.session_nonce, 16);
+			MD5Update(&md5_session_nonce_ctx, gensec_ntlmssp_state->crypt.ntlm2.session_nonce, 16);
 			MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
 			
 			gensec_ntlmssp_state->chal = data_blob_talloc(gensec_ntlmssp_state, 
@@ -366,7 +366,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms
 			/* We changed the effective challenge - set it */
 			if (!NT_STATUS_IS_OK(nt_status = 
 					     gensec_ntlmssp_state->set_challenge(gensec_ntlmssp_state, 
-									  &gensec_ntlmssp_state->chal))) {
+										 &gensec_ntlmssp_state->chal))) {
 				/* zero this out */
 				data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
 				return nt_status;
@@ -387,10 +387,11 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms
  * @return Errors or NT_STATUS_OK. 
  */
 
-static NTSTATUS ntlmssp_server_postauth(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
+static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, 
 					DATA_BLOB *user_session_key, 
 					DATA_BLOB *lm_session_key) 
 {
+	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
 	NTSTATUS nt_status;
 	DATA_BLOB session_key = data_blob(NULL, 0);
 
@@ -404,8 +405,8 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_ntlmssp_state *gensec_ntlm
 	if (gensec_ntlmssp_state->doing_ntlm2) {
 		if (user_session_key && user_session_key->data && user_session_key->length == 16) {
 			session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
-			hmac_md5(user_session_key->data, gensec_ntlmssp_state->ntlm2.session_nonce, 
-				 sizeof(gensec_ntlmssp_state->ntlm2.session_nonce), session_key.data);
+			hmac_md5(user_session_key->data, gensec_ntlmssp_state->crypt.ntlm2.session_nonce, 
+				 sizeof(gensec_ntlmssp_state->crypt.ntlm2.session_nonce), session_key.data);
 			DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
 			dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
 			
@@ -500,7 +501,12 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_ntlmssp_state *gensec_ntlm
  	/* The server might need us to use a partial-strength session key */
  	ntlmssp_weaken_keys(gensec_ntlmssp_state);
 
-	nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
+	if ((gensec_security->want_features & GENSEC_FEATURE_SIGN)
+	    || (gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
+		nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
+	} else {
+		nt_status = NT_STATUS_OK;
+	}
 
 	data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
 	
@@ -531,7 +537,7 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_ntlmssp_state *gensec_ntlm
 NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security, 
 			     TALLOC_CTX *out_mem_ctx, 
 			     const DATA_BLOB in, DATA_BLOB *out) 
-{
+{	
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
 	DATA_BLOB user_session_key = data_blob(NULL, 0);
 	DATA_BLOB lm_session_key = data_blob(NULL, 0);
@@ -559,7 +565,7 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
 	}
 	
 	if (gensec_ntlmssp_state->server_use_session_keys) {
-		return ntlmssp_server_postauth(gensec_ntlmssp_state, &user_session_key, &lm_session_key);
+		return ntlmssp_server_postauth(gensec_security, &user_session_key, &lm_session_key);
 	} else {
 		gensec_ntlmssp_state->session_key = data_blob(NULL, 0);
 		return NT_STATUS_OK;
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 2a8073ded6..d8a5a0f909 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -78,16 +78,16 @@ static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gense
 			
 		switch (direction) {
 		case NTLMSSP_SEND:
-			SIVAL(seq_num, 0, gensec_ntlmssp_state->ntlm2.send_seq_num);
-			gensec_ntlmssp_state->ntlm2.send_seq_num++;
-			hmac_md5_init_limK_to_64(gensec_ntlmssp_state->ntlm2.send_sign_key.data, 
-						 gensec_ntlmssp_state->ntlm2.send_sign_key.length, &ctx);
+			SIVAL(seq_num, 0, gensec_ntlmssp_state->crypt.ntlm2.send_seq_num);
+			gensec_ntlmssp_state->crypt.ntlm2.send_seq_num++;
+			hmac_md5_init_limK_to_64(gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.data, 
+						 gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.length, &ctx);
 			break;
 		case NTLMSSP_RECEIVE:
-			SIVAL(seq_num, 0, gensec_ntlmssp_state->ntlm2.recv_seq_num);
-			gensec_ntlmssp_state->ntlm2.recv_seq_num++;
-			hmac_md5_init_limK_to_64(gensec_ntlmssp_state->ntlm2.recv_sign_key.data, 
-						 gensec_ntlmssp_state->ntlm2.recv_sign_key.length, &ctx);
+			SIVAL(seq_num, 0, gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num);
+			gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num++;
+			hmac_md5_init_limK_to_64(gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 
+						 gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.length, &ctx);
 			break;
 		}
 		hmac_md5_update(seq_num, sizeof(seq_num), &ctx);
@@ -97,10 +97,10 @@ static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gense
 		if (encrypt_sig && gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
 			switch (direction) {
 			case NTLMSSP_SEND:
-				arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state, digest, 8);
+				arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, digest, 8);
 				break;
 			case NTLMSSP_RECEIVE:
-				arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm2.recv_seal_arcfour_state, digest, 8);
+				arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, digest, 8);
 				break;
 			}
 		}
@@ -112,12 +112,12 @@ static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gense
 	} else {
 		uint32_t crc;
 		crc = crc32_calc_buffer(data, length);
-		if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->ntlm.seq_num)) {
+		if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->crypt.ntlm.seq_num)) {
 			return NT_STATUS_NO_MEMORY;
 		}
-		gensec_ntlmssp_state->ntlm.seq_num++;
+		gensec_ntlmssp_state->crypt.ntlm.seq_num++;
 
-		arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm.arcfour_state, sig->data+4, sig->length-4);
+		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, sig->data+4, sig->length-4);
 	}
 	dump_data_pw("calculated ntlmssp signature\n", sig->data, sig->length);
 	return NT_STATUS_OK;
@@ -136,6 +136,11 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 	
+	if (!(gensec_security->want_features & GENSEC_FEATURE_SIGN)) {
+		DEBUG(3, ("GENSEC Signing not requested - cannot seal packet!\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
 		DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
 		return NT_STATUS_INVALID_PARAMETER;
@@ -168,6 +173,11 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
+	if (!(gensec_security->want_features & (GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SIGN))) {
+		DEBUG(3, ("GENSEC Signing/Sealing not requested - cannot check packet!\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (sig->length < 8) {
 		DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", 
 			  (unsigned long)sig->length));
@@ -234,11 +244,17 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
+	if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
+		DEBUG(3, ("GENSEC Sealing not requested - cannot seal packet!\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
 		DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+
 	DEBUG(10,("ntlmssp_seal_data: seal\n"));
 	dump_data_pw("ntlmssp clear data\n", data, length);
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
@@ -249,14 +265,14 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
 							  data, length, 
 							  whole_pdu, pdu_length, 
 							  NTLMSSP_SEND, sig, False);
-		arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state, data, length);
+		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, data, length);
 		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
-			arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state, sig->data+4, 8);
+			arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, sig->data+4, 8);
 		}
 	} else {
 		uint32_t crc;
 		crc = crc32_calc_buffer(data, length);
-		if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->ntlm.seq_num)) {
+		if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->crypt.ntlm.seq_num)) {
 			return NT_STATUS_NO_MEMORY;
 		}
 
@@ -266,10 +282,10 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
 		   constant, but is is rather updated with each
 		   iteration */
 
-		arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm.arcfour_state, data, length);
-		arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm.arcfour_state, sig->data+4, sig->length-4);
+		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length);
+		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, sig->data+4, sig->length-4);
 		/* increment counter on send */
-		gensec_ntlmssp_state->ntlm.seq_num++;
+		gensec_ntlmssp_state->crypt.ntlm.seq_num++;
 		nt_status = NT_STATUS_OK;
 	}
 	dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
@@ -301,9 +317,14 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
+	if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
+		DEBUG(3, ("GENSEC Sealing not requested - cannot unseal packet!\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	dump_data_pw("ntlmssp sealed data\n", data, length);
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
-		arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm2.recv_seal_arcfour_state, data, length);
+		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, data, length);
 
 		nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 
 							  data, length, 
@@ -329,7 +350,7 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 		dump_data_pw("ntlmssp clear data\n", data, length);
 		return NT_STATUS_OK;
 	} else {
-		arcfour_crypt_sbox(gensec_ntlmssp_state->ntlm.arcfour_state, data, length);
+		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length);
 		dump_data_pw("ntlmssp clear data\n", data, length);
 		return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
 	}
@@ -379,10 +400,10 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 		
-		gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state);
-		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state);
-		gensec_ntlmssp_state->ntlm2.recv_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state);
-		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state);
+		gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state);
+		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state);
+		gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state);
+		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state);
 
 		/**
 		   Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions.
@@ -404,11 +425,11 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 
 		/* SEND */
 		calc_ntlmv2_key(gensec_ntlmssp_state, 
-				&gensec_ntlmssp_state->ntlm2.send_sign_key, 
+				&gensec_ntlmssp_state->crypt.ntlm2.send_sign_key, 
 				gensec_ntlmssp_state->session_key, send_sign_const);
 		dump_data_pw("NTLMSSP send sign key:\n",
-			     gensec_ntlmssp_state->ntlm2.send_sign_key.data, 
-			     gensec_ntlmssp_state->ntlm2.send_sign_key.length);
+			     gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.data, 
+			     gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.length);
 		
 		calc_ntlmv2_key(gensec_ntlmssp_state, 
 				&send_seal_key, 
@@ -417,20 +438,20 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 			     send_seal_key.data, 
 			     send_seal_key.length);
 
-		arcfour_init(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state, 
+		arcfour_init(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, 
 			     &send_seal_key);
 
 		dump_data_pw("NTLMSSP send sesl hash:\n", 
-			     gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state->sbox, 
-			     sizeof(gensec_ntlmssp_state->ntlm2.send_seal_arcfour_state->sbox));
+			     gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox, 
+			     sizeof(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox));
 
 		/* RECV */
 		calc_ntlmv2_key(gensec_ntlmssp_state, 
-				&gensec_ntlmssp_state->ntlm2.recv_sign_key, 
+				&gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key, 
 				gensec_ntlmssp_state->session_key, recv_sign_const);
 		dump_data_pw("NTLMSSP recv sign key:\n",
-			     gensec_ntlmssp_state->ntlm2.recv_sign_key.data, 
-			     gensec_ntlmssp_state->ntlm2.recv_sign_key.length);
+			     gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 
+			     gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.length);
 
 		calc_ntlmv2_key(gensec_ntlmssp_state, 
 				&recv_seal_key, 
@@ -438,28 +459,28 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 		dump_data_pw("NTLMSSP recv seal key:\n",
 			     recv_seal_key.data, 
 			     recv_seal_key.length);
-		arcfour_init(gensec_ntlmssp_state->ntlm2.recv_seal_arcfour_state, 
+		arcfour_init(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, 
 			     &recv_seal_key);
 
 		dump_data_pw("NTLMSSP receive seal hash:\n", 
-			     gensec_ntlmssp_state->ntlm2.recv_seal_arcfour_state->sbox, 
-			     sizeof(gensec_ntlmssp_state->ntlm2.recv_seal_arcfour_state->sbox));
+			     gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox, 
+			     sizeof(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox));
 
-		gensec_ntlmssp_state->ntlm2.send_seq_num = 0;
-		gensec_ntlmssp_state->ntlm2.recv_seq_num = 0;
+		gensec_ntlmssp_state->crypt.ntlm2.send_seq_num = 0;
+		gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num = 0;
 
 	} else {
 		DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
 
-		gensec_ntlmssp_state->ntlm.arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state);
-		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->ntlm.arcfour_state);
+		gensec_ntlmssp_state->crypt.ntlm.arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state);
+		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm.arcfour_state);
 
-		arcfour_init(gensec_ntlmssp_state->ntlm.arcfour_state, 
+		arcfour_init(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, 
 			     &gensec_ntlmssp_state->session_key);
-		dump_data_pw("NTLMSSP hash:\n", gensec_ntlmssp_state->ntlm.arcfour_state->sbox,
-			     sizeof(gensec_ntlmssp_state->ntlm.arcfour_state->sbox));
+		dump_data_pw("NTLMSSP hash:\n", gensec_ntlmssp_state->crypt.ntlm.arcfour_state->sbox,
+			     sizeof(gensec_ntlmssp_state->crypt.ntlm.arcfour_state->sbox));
 
-		gensec_ntlmssp_state->ntlm.seq_num = 0;
+		gensec_ntlmssp_state->crypt.ntlm.seq_num = 0;
 	}
 
 	return NT_STATUS_OK;