From 349677de3f06bb0892862de0e11172adeffda18a Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Sat, 25 Oct 1997 15:49:27 +0000 Subject: got the SAM logon request generated, and received a SAM logon response back. YEAH! need to add: - client-side credential calculation - client-side parsing of the SAM logon response. --- source/client/ntclient.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++- source/include/smb.h | 6 +- source/pipenetlog.c | 8 ++- source/smbparse.c | 43 ++++++++------ 4 files changed, 182 insertions(+), 24 deletions(-) (limited to 'source') diff --git a/source/client/ntclient.c b/source/client/ntclient.c index 9fa64bd2efd..706cf0fa633 100644 --- a/source/client/ntclient.c +++ b/source/client/ntclient.c @@ -26,6 +26,8 @@ #include "includes.h" extern int DEBUGLEVEL; +extern pstring username; +extern pstring workgroup; #define CLIENT_TIMEOUT (30*1000) @@ -182,6 +184,122 @@ static BOOL do_lsa_req_chal(uint16 fnum, return valid_chal; } +/**************************************************************************** +do a LSA SAM Logon +****************************************************************************/ +static BOOL do_lsa_sam_logon(uint16 fnum, + char *logon_srv, char *comp_name, + DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, + uint16 logon_level, uint16 switch_value, DOM_ID_INFO_1 *id1, + DOM_CRED *srv_cred) +{ + char *rparam = NULL; + char *rdata = NULL; + char *p; + int rdrcnt,rprcnt; + pstring data; /* only 1024 bytes */ + uint16 setup[2]; /* only need 2 uint16 setup parameters */ + LSA_Q_SAM_LOGON q_s; + int call_id = 0x1; + BOOL valid_cred = False; + + if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) return False; + + /* create and send a MSRPC command with api LSA_SAMLOGON */ + + DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %lx %lx %lx rtn: %lx %lx %lx ll: %d\n", + logon_srv, comp_name, + clnt_cred->challenge.data[0], clnt_cred->challenge.data[1], clnt_cred->timestamp.time, + rtn_cred ->challenge.data[0], rtn_cred ->challenge.data[1], rtn_cred ->timestamp.time, + logon_level)); + + /* store the parameters */ + make_sam_info(&(q_s.sam_id), logon_srv, comp_name, + clnt_cred, rtn_cred, logon_level, switch_value, id1); + + /* turn parameters into data stream */ + p = lsa_io_q_sam_logon(False, &q_s, data + 0x18, data, 4, 0); + + /* create the request RPC_HDR _after_ the main data: length is now known */ + create_rpc_request(call_id, LSA_SAMLOGON, data, PTR_DIFF(p, data)); + + /* create setup parameters. */ + SIVAL(setup, 0, 0x0026); /* 0x26 indicates "transact named pipe" */ + SIVAL(setup, 2, fnum); /* file handle, from the SMBcreateX pipe, earlier */ + + /* send the data on \PIPE\ */ + if (cli_call_api("\\PIPE\\", 0, PTR_DIFF(p, data), 2, 1024, + BUFFER_SIZE, + &rprcnt,&rdrcnt, + NULL, data, setup, + &rparam,&rdata)) + { +#if 0 + LSA_R_AUTH_2 r_a; + RPC_HDR hdr; + int hdr_len; + int pkt_len; + + DEBUG(5, ("cli_call_api: return OK\n")); + + p = rdata; + + if (p) p = smb_io_rpc_hdr (True, &hdr, p, rdata, 4, 0); + if (p) p = align_offset(p, rdata, 4); /* oh, what a surprise */ + + hdr_len = PTR_DIFF(p, rdata); + + if (p && hdr_len != hdr.frag_len - hdr.alloc_hint) + { + /* header length not same as calculated header length */ + DEBUG(2,("do_lsa_auth2: hdr_len %x != frag_len-alloc_hint\n", + hdr_len, hdr.frag_len - hdr.alloc_hint)); + p = NULL; + } + + if (p) p = lsa_io_r_auth_2(True, &r_a, p, rdata, 4, 0); + + pkt_len = PTR_DIFF(p, rdata); + + if (p && pkt_len != hdr.frag_len) + { + /* packet data size not same as reported fragment length */ + DEBUG(2,("do_lsa_auth2: pkt_len %x != frag_len \n", + pkt_len, hdr.frag_len)); + p = NULL; + } + + if (p && r_a.status != 0) + { + /* report error code */ + DEBUG(0,("LSA_AUTH2: nt_status error %lx\n", r_a.status)); + p = NULL; + } + + if (p && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) + { + /* report different neg_flags */ + DEBUG(0,("LSA_AUTH2: error neg_flags (q,r) differ - (%lx,%lx)\n", + q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); + p = NULL; + } + + if (p) + { + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data)); + valid_chal = True; + } +#endif + } + + if (rparam) free(rparam); + if (rdata) free(rdata); + + return valid_cred; +} + + /**************************************************************************** do a LSA Authenticate 2 ****************************************************************************/ @@ -303,6 +421,12 @@ BOOL do_nt_login(char *desthost, char *myhostname, DOM_CHAL auth2_clnt_chal; DOM_CHAL auth2_srv_chal; + DOM_CRED sam_log_clnt_cred; + DOM_CRED sam_log_rtn_cred; + DOM_CRED sam_log_srv_cred; + + DOM_ID_INFO_1 id1; + UTIME zerotime; uint32 sess_key[2]; @@ -358,15 +482,20 @@ BOOL do_nt_login(char *desthost, char *myhostname, free(inbuf); free(outbuf); return False; } -#endif + + DEBUG(5,("got nt owf from smbpasswd entry: %s\n", mach_pwd)); +#else { char lm_owf_mach_pwd[16]; nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd); DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd)); - dump_data(6, nt_owf_mach_pwd, 16); } +#endif + + dump_data(6, nt_owf_mach_pwd, 16); + /* calculate the session key */ cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key); @@ -382,6 +511,22 @@ BOOL do_nt_login(char *desthost, char *myhostname, return False; } + make_id_info1(&id1, workgroup, 0, + getuid(), 0, + username, myhostname, + NULL, NULL); + + /* send client sam-logon challenge; receive a sam-logon challenge */ + if (!do_lsa_sam_logon(fnum, desthost, mach_acct, + &sam_log_clnt_cred, &sam_log_rtn_cred, + 1, 1, &id1, + &sam_log_srv_cred)) + { + cli_smb_close(inbuf, outbuf, Client, cnum, fnum); + free(inbuf); free(outbuf); + return False; + } + #if 0 cli_lsa_sam_logon(); cli_lsa_sam_logoff(); diff --git a/source/include/smb.h b/source/include/smb.h index b6b9d177a1b..b19fbfb4ca4 100644 --- a/source/include/smb.h +++ b/source/include/smb.h @@ -502,12 +502,12 @@ typedef struct id_info_1 uint32 param_ctrl; /* param control */ DOM_LOGON_ID logon_id; /* logon ID */ UNIHDR hdr_user_name; /* user name unicode header */ - UNIHDR hdr_workgroup_name; /* workgroup name unicode header */ + UNIHDR hdr_wksta_name; /* workgroup name unicode header */ ARC4_OWF arc4_lm_owf; /* arc4 LM OWF Password */ ARC4_OWF arc4_nt_owf; /* arc4 NT OWF Password */ UNISTR2 uni_domain_name; /* domain name unicode string */ UNISTR2 uni_user_name; /* user name unicode string */ - UNISTR2 uni_workgroup_name; /* workgroup name unicode string */ + UNISTR2 uni_wksta_name; /* workgroup name unicode string */ } DOM_ID_INFO_1; @@ -522,7 +522,7 @@ typedef struct sam_info union { - DOM_ID_INFO_1 id1; /* auth-level 1 */ + DOM_ID_INFO_1 *id1; /* auth-level 1 */ } auth; diff --git a/source/pipenetlog.c b/source/pipenetlog.c index 30300dec3eb..ea2d326c45c 100644 --- a/source/pipenetlog.c +++ b/source/pipenetlog.c @@ -436,10 +436,16 @@ static void api_lsa_sam_logon( user_struct *vuser, char **rdata, int *rdata_len ) { LSA_Q_SAM_LOGON q_l; + DOM_ID_INFO_1 id1; + LSA_USER_INFO usr_info; DOM_CRED srv_creds; + /* the DOM_ID_INFO_1 structure is a bit big. plus we might want to + dynamically allocate it inside lsa_io_q_sam_logon, at some point */ + q_l.sam_id.auth.id1 = &id1; + lsa_io_q_sam_logon(True, &q_l, data + 0x18, data, 4, 0); /* checks and updates credentials. creates reply credentials */ @@ -465,7 +471,7 @@ static void api_lsa_sam_logon( user_struct *vuser, extern pstring myname; uint32 r_uid; uint32 r_gid; - UNISTR2 *uni_samlogon_user = &(q_l.sam_id.auth.id1.uni_user_name); + UNISTR2 *uni_samlogon_user = &(q_l.sam_id.auth.id1->uni_user_name); dummy_time.low = 0xffffffff; dummy_time.high = 0x7fffffff; diff --git a/source/smbparse.c b/source/smbparse.c index 292cfa1adad..785ae74b179 100644 --- a/source/smbparse.c +++ b/source/smbparse.c @@ -597,7 +597,14 @@ void make_arc4_owf(ARC4_OWF *hash, char data[16]) DEBUG(5,("make_arc4_owf: %d\n", __LINE__)); - memcpy(hash->data, data, sizeof(hash->data)); + if (data != NULL) + { + memcpy(hash->data, data, sizeof(hash->data)); + } + else + { + bzero(hash->data, sizeof(hash->data)); + } } /******************************************************************* @@ -622,12 +629,12 @@ makes a DOM_ID_INFO_1 structure. ********************************************************************/ void make_id_info1(DOM_ID_INFO_1 *id, char *domain_name, uint32 param_ctrl, uint32 log_id_low, uint32 log_id_high, - char *user_name, char *workgroup_name, + char *user_name, char *wksta_name, char arc4_lm_owf[16], char arc4_nt_owf[16]) { - int len_domain_name = strlen(domain_name ); - int len_user_name = strlen(user_name ); - int len_workgroup_name = strlen(workgroup_name); + int len_domain_name = strlen(domain_name); + int len_user_name = strlen(user_name ); + int len_wksta_name = strlen(wksta_name ); if (id == NULL) return; @@ -635,20 +642,20 @@ void make_id_info1(DOM_ID_INFO_1 *id, char *domain_name, id->ptr_id_info1 = 1; - make_uni_hdr(&(id->hdr_domain_name ), len_domain_name , len_domain_name , 4); + make_uni_hdr(&(id->hdr_domain_name), len_domain_name, len_domain_name, 4); id->param_ctrl = param_ctrl; make_logon_id(&(id->logon_id), log_id_low, log_id_high); - make_uni_hdr(&(id->hdr_user_name ), len_user_name , len_user_name , 4); - make_uni_hdr(&(id->hdr_workgroup_name), len_workgroup_name, len_workgroup_name, 4); + make_uni_hdr(&(id->hdr_user_name ), len_user_name , len_user_name , 4); + make_uni_hdr(&(id->hdr_wksta_name ), len_wksta_name , len_wksta_name , 4); make_arc4_owf(&(id->arc4_lm_owf), arc4_lm_owf); make_arc4_owf(&(id->arc4_nt_owf), arc4_nt_owf); - make_unistr2(&(id->uni_domain_name ), domain_name , len_domain_name ); - make_unistr2(&(id->uni_user_name ), user_name , len_user_name ); - make_unistr2(&(id->uni_workgroup_name), workgroup_name, len_workgroup_name); + make_unistr2(&(id->uni_domain_name), domain_name, len_domain_name); + make_unistr2(&(id->uni_user_name ), user_name , len_user_name ); + make_unistr2(&(id->uni_wksta_name ), wksta_name , len_wksta_name ); } /******************************************************************* @@ -667,20 +674,20 @@ char* smb_io_id_info1(BOOL io, DOM_ID_INFO_1 *id, char *q, char *base, int align if (id->ptr_id_info1 != 0) { - q = smb_io_unihdr(io, &(id->hdr_domain_name ), q, base, align, depth); + q = smb_io_unihdr(io, &(id->hdr_domain_name), q, base, align, depth); DBG_RW_IVAL("param_ctrl", depth, base, io, q, id->param_ctrl); q += 4; q = smb_io_logon_id(io, &(id->logon_id), q, base, align, depth); - q = smb_io_unihdr(io, &(id->hdr_user_name ), q, base, align, depth); - q = smb_io_unihdr(io, &(id->hdr_workgroup_name), q, base, align, depth); + q = smb_io_unihdr(io, &(id->hdr_user_name ), q, base, align, depth); + q = smb_io_unihdr(io, &(id->hdr_wksta_name ), q, base, align, depth); q = smb_io_arc4_owf(io, &(id->arc4_lm_owf), q, base, align, depth); q = smb_io_arc4_owf(io, &(id->arc4_nt_owf), q, base, align, depth); - q = smb_io_unistr2(io, &(id->uni_domain_name ), q, base, align, depth); - q = smb_io_unistr2(io, &(id->uni_user_name ), q, base, align, depth); - q = smb_io_unistr2(io, &(id->uni_workgroup_name), q, base, align, depth); + q = smb_io_unistr2(io, &(id->uni_domain_name), q, base, align, depth); + q = smb_io_unistr2(io, &(id->uni_user_name ), q, base, align, depth); + q = smb_io_unistr2(io, &(id->uni_wksta_name ), q, base, align, depth); } return q; @@ -691,7 +698,7 @@ makes a DOM_SAM_INFO structure. ********************************************************************/ void make_sam_info(DOM_SAM_INFO *sam, char *logon_srv, char *comp_name, DOM_CRED *clnt_cred, - DOM_CRED *rtn_cred, uint16 switch_value, uint16 logon_level, + DOM_CRED *rtn_cred, uint16 logon_level, uint16 switch_value, DOM_ID_INFO_1 *id1) { if (sam == NULL) return; -- cgit v1.2.1