From 01de6030843f5f402dee8bf72f564a91ae8437ca Mon Sep 17 00:00:00 2001
From: Luke Leighton
Date: Mon, 19 Oct 1998 17:32:10 +0000
Subject: - dce/rpc code
- removed debug info in struni2 and unistr2 (security risk)
- rpc_pipe function was getting pointer to data then calling realloc *dur*
- password check function, the start of "credential checking", user, wks, domain, pass as the credentials (not just user,pass which is incorrect in a domain context)
- cli_write needs to return ssize_t not size_t, because total can be -1 if the write fails.
- fixed signed / unsigned warnings (how come i don't get those any more when i compile with gcc???)
- nt password change added in smbd. yes, jeremy, i verified that the SMBtrans2 version still works.
(This used to be commit fcfb40d2b0fc565ee4f66b3a3761c246366a2ef3)
---
 source3/rpc_client/cli_pipe.c | 43 +++++++++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 18 deletions(-)
(limited to 'source3/rpc_client')
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index f252c99d97..08b3575733 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -142,7 +142,7 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
 RPC_AUTH_NTLMSSP_CHK chk;
 uint32 crc32;
 int data_len = len - 0x18 - auth_len - 8;
- char *reply_data = (uchar*)mem_data(&rdata->data, 0x18);
+ char *reply_data = mem_data(&rdata->data, 0x18);
 BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
 BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
@@ -150,13 +150,8 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
-/* RPC_HDR_AUTH rhdr_auth;
- prs_struct auth_req;
- prs_init(&auth_req , 0x10, 4, 0, True);
- smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
- prs_mem_free(&auth_req);
+ if (reply_data == NULL) return False;
-*/
 if (auth_seal)
 {
 DEBUG(10,("rpc_auth_pipe: seal\n"));
@@ -165,14 +160,32 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
 dump_data(100, reply_data, data_len);
 }
+ if (auth_verify || auth_seal)
+ {
+ RPC_HDR_AUTH rhdr_auth;
+ prs_struct auth_req;
+ char *data = mem_data(&rdata->data, len - auth_len - 8);
+ prs_init(&auth_req , 0x08, 4, 0, True);
+ memcpy(auth_req.data->data, data, 8);
+ smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0);
+ prs_mem_free(&auth_req);
+
+ if (!rpc_hdr_auth_chk(&rhdr_auth))
+ {
+ return False;
+ }
+ }
+
 if (auth_verify)
 {
 prs_struct auth_verf;
 char *data = (uchar*)mem_data(&rdata->data, len - auth_len);
- prs_init(&auth_verf, 0x08, 4, 0, True);
+ if (data == NULL) return False;
+
 DEBUG(10,("rpc_auth_pipe: verify\n"));
 dump_data(100, data, auth_len);
- NTLMSSPcalc(cli->ntlmssp_hash, data + 4, auth_len - 4);
+ NTLMSSPcalc(cli->ntlmssp_hash, (uchar*)(data+4), auth_len - 4);
+ prs_init(&auth_verf, 0x08, 4, 0, True);
 memcpy(auth_verf.data->data, data, 16);
 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
 dump_data(100, data, auth_len);
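Review bot: The added `if (reply_data == NULL) return False;` guards the pointer but not the length that travels with it: `data_len` is `len - 0x18 - auth_len - 8` (declared in the previous hunk), and nothing visible in rpc_auth_pipe rejects an `auth_len` — presumably read from the received PDU — large enough to make it negative before it reaches `dump_data(100, reply_data, data_len)` and, in the next hunk, `crc32_calc_buffer(data_len, reply_data)`. Because `data_len` is an `int`, a negative value is passed through as-is, and what those callees do with it cannot be seen here. Widening the new guard to `if (reply_data == NULL || data_len < 0) return False;` closes that at the same spot. rpc_auth_pipe starts before this hunk.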
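Review bot: In the new `if (auth_verify || auth_seal)` block, `char *data = mem_data(&rdata->data, len - auth_len - 8);` is handed straight to `memcpy(auth_req.data->data, data, 8)` with no NULL test, while the same hunk adds `if (data == NULL) return False;` for the other `mem_data` result a few lines further down. If `mem_data` can return NULL for an out-of-range offset, as that later check assumes, this memcpy reads through NULL. Add `if (data == NULL) return False;` directly after the declaration, before the `prs_init`. The offset `len - auth_len - 8` also relies on `auth_len + 8 <= len`, which is not checked anywhere visible; `rpc_hdr_auth_chk` is outside this hunk, so whether it validates the header length cannot be confirmed here.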
@@ -182,14 +195,8 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
 if (auth_verify)
 {
 crc32 = crc32_calc_buffer(data_len, reply_data);
- if (chk.crc32 != crc32 ||
- chk.ver != NTLMSSP_SIGN_VERSION ||
- chk.seq_num != cli->ntlmssp_seq_num++)
+ if (!rpc_auth_ntlmssp_chk(&chk, crc32 , &cli->ntlmssp_seq_num))
 {
- DEBUG(5,("rpc_auth_pipe: verify failed - crc %x ver %x seq %d\n",
- crc32, NTLMSSP_SIGN_VERSION, cli->ntlmssp_seq_num));
- DEBUG(5,("rpc_auth_pipe: verify expect - crc %x ver %x seq %d\n",
- chk.crc32, chk.ver, chk.seq_num));
 return False;
 }
 }
@@ -585,7 +592,7 @@ BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
 BOOL ret;
 BOOL auth_verify;
 BOOL auth_seal;
- uint32 crc32 = 0;
+ uint32 crc32;
 auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
 auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
@@ -915,8 +922,8 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
- bzero(lm_hash, sizeof(lm_hash));
 NTLMSSPhash(cli->ntlmssp_hash, p24);
+ bzero(lm_hash, sizeof(lm_hash));
 /* this is a hack due to limitations in rpc_api_pipe */
 prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False);
-- 
cgit
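Review bot: The replacement `if (!rpc_auth_ntlmssp_chk(&chk, crc32 , &cli->ntlmssp_seq_num))` passes the sequence counter by pointer, so when it advances is now decided inside the helper; the removed comparison incremented `cli->ntlmssp_seq_num` only after the crc and version terms had already matched (short-circuit `||`), and whether the helper keeps that ordering is not visible in this hunk. A comment at the call site would pin the contract, e.g. `/* rpc_auth_ntlmssp_chk owns the seq_num update - confirm it advances only on a successful check, otherwise one bad PDU desynchronises every later one */`. The two removed DEBUG calls were the only place the received and expected crc/ver/seq values were logged; unless the helper logs them, a failed verification now leaves no trace of why. rpc_auth_pipe starts before this hunk.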
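Review bot: Dropping the initializer in `uint32 crc32;` is safe only if every read of `crc32` in rpc_api_pipe_req is dominated by a write, and the function body lies outside this hunk, so that cannot be confirmed here; the value is presumably only produced on the `auth_verify` path, and reading it elsewhere would be undefined behaviour. If the intent is to let the compiler flag an unset path, a one-line comment saying so would stop the next reader from putting the `= 0` back; otherwise keeping `uint32 crc32 = 0;` costs nothing.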
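Review bot: Moving `bzero(lm_hash, sizeof(lm_hash));` below `NTLMSSPhash(cli->ntlmssp_hash, p24);` has no visible effect, since that call takes only `cli->ntlmssp_hash` and `p24`; if NTLMSSPhash does depend on `lm_hash` still being live, a comment to that effect would save the next reader the question. The buffer `lm_owf`, which `pwd_get_lm_nt_owf` appears to fill with the password's one-way function, is not cleared in the visible lines at all. A plain `bzero` of a local that is not read again is also a dead store the optimizer may drop, so wiping both buffers with `explicit_bzero` (or `memset_s` where available) would make the clearing stick. rpc_pipe_bind continues outside this hunk.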