From 7e56b5a173df10acfad9c99d59211a0432b2a28e Mon Sep 17 00:00:00 2001
From: Luke Leighton <lkcl@samba.org>
Date: Sat, 25 Oct 1997 17:38:37 +0000
Subject: added correct client-side credential generation / checking to the LSA
 SAM Logon query.  i think i even got the client-side checking of the response
 credentials right! (This used to be commit
 f14c111835e18e361468cc6a1666a02654afe743)

---
 source3/client/ntclient.c | 122 ++++++++++++++++++++++++++++++----------------
 1 file changed, 80 insertions(+), 42 deletions(-)

(limited to 'source3/client/ntclient.c')

diff --git a/source3/client/ntclient.c b/source3/client/ntclient.c
index 706cf0fa63..f92fab9032 100644
--- a/source3/client/ntclient.c
+++ b/source3/client/ntclient.c
@@ -185,13 +185,11 @@ static BOOL do_lsa_req_chal(uint16 fnum,
 }
 
 /****************************************************************************
-do a LSA SAM Logon
+do a LSA Authenticate 2
 ****************************************************************************/
-static BOOL do_lsa_sam_logon(uint16 fnum,
-		char *logon_srv, char *comp_name,
-        DOM_CRED *clnt_cred, DOM_CRED *rtn_cred,
-		uint16 logon_level, uint16 switch_value, DOM_ID_INFO_1 *id1,
-		DOM_CRED *srv_cred)
+static BOOL do_lsa_auth2(uint16 fnum,
+		char *logon_srv, char *acct_name, uint16 sec_chan, char *comp_name,
+        DOM_CHAL *clnt_chal, uint32 neg_flags, DOM_CHAL *srv_chal)
 {
 	char *rparam = NULL;
 	char *rdata = NULL;
@@ -199,29 +197,27 @@ static BOOL do_lsa_sam_logon(uint16 fnum,
 	int rdrcnt,rprcnt;
 	pstring data; /* only 1024 bytes */
 	uint16 setup[2]; /* only need 2 uint16 setup parameters */
-	LSA_Q_SAM_LOGON q_s;
+	LSA_Q_AUTH_2 q_a;
 	int call_id = 0x1;
-    BOOL valid_cred = False;
+    BOOL valid_chal = False;
 
-	if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) return False;
+	if (srv_chal == NULL || clnt_chal == NULL) return False;
 
-	/* create and send a MSRPC command with api LSA_SAMLOGON */
+	/* create and send a MSRPC command with api LSA_AUTH2 */
 
-	DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %lx %lx %lx rtn: %lx %lx %lx ll: %d\n",
-	          logon_srv, comp_name,
-	          clnt_cred->challenge.data[0], clnt_cred->challenge.data[1], clnt_cred->timestamp.time,
-	          rtn_cred ->challenge.data[0], rtn_cred ->challenge.data[1], rtn_cred ->timestamp.time,
-	          logon_level));
+	DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %lx %lx neg: %lx\n",
+	          logon_srv, acct_name, sec_chan, comp_name,
+	          clnt_chal->data[0], clnt_chal->data[1], neg_flags));
 
 	/* store the parameters */
-	make_sam_info(&(q_s.sam_id), logon_srv, comp_name,
-	             clnt_cred, rtn_cred, logon_level, switch_value, id1);
+	make_q_auth_2(&q_a, logon_srv, acct_name, sec_chan, comp_name,
+	             clnt_chal, neg_flags);
 
 	/* turn parameters into data stream */
-	p = lsa_io_q_sam_logon(False, &q_s, data + 0x18, data, 4, 0);
+	p = lsa_io_q_auth_2(False, &q_a, data + 0x18, data, 4, 0);
 
 	/* create the request RPC_HDR _after_ the main data: length is now known */
-	create_rpc_request(call_id, LSA_SAMLOGON, data, PTR_DIFF(p, data));
+	create_rpc_request(call_id, LSA_AUTH2, data, PTR_DIFF(p, data));
 
 	/* create setup parameters. */
 	SIVAL(setup, 0, 0x0026); /* 0x26 indicates "transact named pipe" */
@@ -234,7 +230,6 @@ static BOOL do_lsa_sam_logon(uint16 fnum,
 				NULL, data, setup,
 				&rparam,&rdata))
 	{
-#if 0
 		LSA_R_AUTH_2 r_a;
 		RPC_HDR hdr;
 		int hdr_len;
@@ -290,22 +285,22 @@ static BOOL do_lsa_sam_logon(uint16 fnum,
 			memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data));
 			valid_chal = True;
 		}
-#endif
 	}
 
 	if (rparam) free(rparam);
 	if (rdata) free(rdata);
 
-	return valid_cred;
+	return valid_chal;
 }
 
-
 /****************************************************************************
-do a LSA Authenticate 2
+do a LSA SAM Logon
 ****************************************************************************/
-static BOOL do_lsa_auth2(uint16 fnum,
-		char *logon_srv, char *acct_name, uint16 sec_chan, char *comp_name,
-        DOM_CHAL *clnt_chal, uint32 neg_flags, DOM_CHAL *srv_chal)
+static BOOL do_lsa_sam_logon(uint16 fnum, uint32 sess_key[2], DOM_CHAL *clnt_chal,
+		char *logon_srv, char *comp_name,
+        DOM_CRED *clnt_cred, DOM_CRED *rtn_cred,
+		uint16 logon_level, uint16 switch_value, DOM_ID_INFO_1 *id1,
+		DOM_CRED *srv_cred)
 {
 	char *rparam = NULL;
 	char *rdata = NULL;
@@ -313,27 +308,29 @@ static BOOL do_lsa_auth2(uint16 fnum,
 	int rdrcnt,rprcnt;
 	pstring data; /* only 1024 bytes */
 	uint16 setup[2]; /* only need 2 uint16 setup parameters */
-	LSA_Q_AUTH_2 q_a;
+	LSA_Q_SAM_LOGON q_s;
 	int call_id = 0x1;
-    BOOL valid_chal = False;
+    BOOL valid_cred = False;
 
-	if (srv_chal == NULL || clnt_chal == NULL) return False;
+	if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) return False;
 
-	/* create and send a MSRPC command with api LSA_AUTH2 */
+	/* create and send a MSRPC command with api LSA_SAMLOGON */
 
-	DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %lx %lx neg: %lx\n",
-	          logon_srv, acct_name, sec_chan, comp_name,
-	          clnt_chal->data[0], clnt_chal->data[1], neg_flags));
+	DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %lx %lx %lx rtn: %lx %lx %lx ll: %d\n",
+	          logon_srv, comp_name,
+	          clnt_cred->challenge.data[0], clnt_cred->challenge.data[1], clnt_cred->timestamp.time,
+	          rtn_cred ->challenge.data[0], rtn_cred ->challenge.data[1], rtn_cred ->timestamp.time,
+	          logon_level));
 
 	/* store the parameters */
-	make_q_auth_2(&q_a, logon_srv, acct_name, sec_chan, comp_name,
-	             clnt_chal, neg_flags);
+	make_sam_info(&(q_s.sam_id), logon_srv, comp_name,
+	             clnt_cred, rtn_cred, logon_level, switch_value, id1);
 
 	/* turn parameters into data stream */
-	p = lsa_io_q_auth_2(False, &q_a, data + 0x18, data, 4, 0);
+	p = lsa_io_q_sam_logon(False, &q_s, data + 0x18, data, 4, 0);
 
 	/* create the request RPC_HDR _after_ the main data: length is now known */
-	create_rpc_request(call_id, LSA_AUTH2, data, PTR_DIFF(p, data));
+	create_rpc_request(call_id, LSA_SAMLOGON, data, PTR_DIFF(p, data));
 
 	/* create setup parameters. */
 	SIVAL(setup, 0, 0x0026); /* 0x26 indicates "transact named pipe" */
@@ -346,11 +343,32 @@ static BOOL do_lsa_auth2(uint16 fnum,
 				NULL, data, setup,
 				&rparam,&rdata))
 	{
+		DOM_CRED clnt_cred1;
+
+		DEBUG(5, ("cli_call_api: return OK\n"));
+
+		clnt_cred1.timestamp.time = clnt_cred->timestamp.time + 1;
+
+		/* calculate sam logon credentials at time+1, just like server does */
+		cred_create(sess_key, clnt_chal, clnt_cred1.timestamp,
+	                                     &(clnt_cred1.challenge));
+
+#if 0
 		LSA_R_AUTH_2 r_a;
 		RPC_HDR hdr;
 		int hdr_len;
 		int pkt_len;
 
+		/* check sam logon credentials at time+1, just like server does */
+		if (cred_assert(r_s....creds, sess_key, clnt_chal, clnt_cred->timestamp + 1))
+		{
+			DEBUG(5, ("do_lsa_sam_logon: server credential check OK\n"));
+		}
+		else
+		{
+			DEBUG(5, ("do_lsa_sam_logon: server credential check failed\n"));
+		}
+
 		DEBUG(5, ("cli_call_api: return OK\n"));
 
 		p = rdata;
@@ -401,12 +419,13 @@ static BOOL do_lsa_auth2(uint16 fnum,
 			memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data));
 			valid_chal = True;
 		}
+#endif
 	}
 
 	if (rparam) free(rparam);
 	if (rdata) free(rdata);
 
-	return valid_chal;
+	return valid_cred;
 }
 
 /****************************************************************************
@@ -448,13 +467,16 @@ BOOL do_nt_login(char *desthost, char *myhostname,
 		return False;
 	}
 	
-	/* open the \PIPE\NETLOGON file */
+	/******************* open the \PIPE\NETLOGON file *****************/
+
 	if ((fnum = open_rpc_pipe(inbuf, outbuf, PIPE_NETLOGON, Client, cnum)) == 0xffff)
 	{
 		free(inbuf); free(outbuf);
 		return False;
 	}
 
+	/******************* Request Challenge ********************/
+
 	fstrcpy(mach_acct, myhostname);
 	strlower(mach_pwd);
 
@@ -472,6 +494,7 @@ BOOL do_nt_login(char *desthost, char *myhostname,
 		return False;
 	}
 
+	/************ Long-term Session key (default) **********/
 
 #if 0
 	/* DAMN!  can't get the machine password - need become_root() to do it! */
@@ -499,6 +522,9 @@ BOOL do_nt_login(char *desthost, char *myhostname,
 	/* calculate the session key */
 	cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);
 
+
+	/******************* Authenticate 2 ********************/
+
 	/* calculate auth-2 credentials */
 	cred_create(sess_key, &clnt_chal, zerotime, &auth2_clnt_chal);
 
@@ -511,13 +537,26 @@ BOOL do_nt_login(char *desthost, char *myhostname,
 		return False;
 	}
 
+
+	/*********************** SAM Info ***********************/
+
+	/* this is used in both the SAM Logon and the SAM Logoff */
 	make_id_info1(&id1, workgroup, 0,
 	              getuid(), 0,
 	              username, myhostname,
 	              NULL, NULL);
 
+	/*********************** SAM Logon **********************/
+
+	sam_log_clnt_cred.timestamp.time = time(NULL);
+
+	/* calculate sam logon credentials, using the auth2 client challenge */
+	cred_create(sess_key, &auth2_clnt_chal, sam_log_clnt_cred.timestamp,
+	                                  &(sam_log_clnt_cred.challenge));
+
 	/* send client sam-logon challenge; receive a sam-logon challenge */
-	if (!do_lsa_sam_logon(fnum, desthost, mach_acct, 
+	if (!do_lsa_sam_logon(fnum, sess_key, &auth2_clnt_chal, 
+	                  desthost, mach_acct, 
 	                  &sam_log_clnt_cred, &sam_log_rtn_cred,
 	                  1, 1, &id1,
 	                  &sam_log_srv_cred))
@@ -528,7 +567,6 @@ BOOL do_nt_login(char *desthost, char *myhostname,
 	}
 
 #if 0
-	cli_lsa_sam_logon();
 	cli_lsa_sam_logoff();
 #endif
 
-- 
cgit