diff options
Diffstat (limited to 'source3/rpc_client/cli_netlogon.c')
| -rw-r--r-- | source3/rpc_client/cli_netlogon.c | 109 |
1 files changed, 96 insertions, 13 deletions
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 58ba32eb2e..eaee3c26e7 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -152,6 +152,83 @@ password ?).\n", cli->desthost )); return result; } +/**************************************************************************** +LSA Authenticate 3 + +Send the client credential, receive back a server credential. +Ensure that the server credential returned matches the session key +encrypt of the server challenge originally received. JRA. +****************************************************************************/ + +NTSTATUS cli_net_auth3(struct cli_state *cli, + uint16 sec_chan, + uint32 *neg_flags, DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_AUTH_3 q; + NET_R_AUTH_3 r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + extern pstring global_myname; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), *neg_flags)); + + /* store the parameters */ + init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct, + sec_chan, global_myname, &cli->clnt_cred.challenge, + *neg_flags); + + /* turn parameters into data stream */ + + if (!net_io_q_auth_3("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_auth_3("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + *neg_flags = r.srv_flgs.neg_flags; + + if (NT_STATUS_IS_OK(result)) { + UTIME zerotime; + + /* + * Check the returned value using the initial + * server received challenge. + */ + + zerotime.time = 0; + if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, + zerotime) == 0) { + + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + result = NT_STATUS_ACCESS_DENIED; + goto done; + } + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + /* Return the secure channel type depending on the server role. */ uint16 get_sec_chan(void) @@ -174,7 +251,7 @@ uint16 get_sec_chan(void) NTSTATUS cli_nt_setup_creds(struct cli_state *cli, uint16 sec_chan, - const unsigned char mach_pwd[16]) + const unsigned char mach_pwd[16], uint32 *neg_flags, int level) { DOM_CHAL clnt_chal; DOM_CHAL srv_chal; @@ -200,24 +277,30 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, cli->sess_key); memset((char *)cli->sess_key+8, '\0', 8); - /******************* Authenticate 2 ********************/ + /******************* Authenticate 2/3 ********************/ - /* calculate auth-2 credentials */ + /* calculate auth-2/3 credentials */ zerotime.time = 0; - cred_create(cli->sess_key, &clnt_chal, zerotime, - &cli->clnt_cred.challenge); + cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge); /* - * Send client auth-2 challenge. - * Receive an auth-2 challenge response and check it. + * Send client auth-2/3 challenge. + * Receive an auth-2/3 challenge response and check it. */ - - result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal); + switch (level) { + case 2: + result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal); + break; + case 3: + result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal); + break; + default: + DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level)); + break; + } - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n", - nt_errstr(result))); - } + if (!NT_STATUS_IS_OK(result)) + DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result))); return result; } |