fixing smbd encrypted rpcs (data lens, alloc hints, sequence nums argh).

author Luke Leighton <lkcl@samba.org>

Wed, 21 Oct 1998 01:35:01 +0000 (01:35 +0000)

committer Luke Leighton <lkcl@samba.org>

Wed, 21 Oct 1998 01:35:01 +0000 (01:35 +0000)
author Luke Leighton <lkcl@samba.org>
Wed, 21 Oct 1998 01:35:01 +0000 (01:35 +0000)
committer Luke Leighton <lkcl@samba.org>
Wed, 21 Oct 1998 01:35:01 +0000 (01:35 +0000)
diff --git a/source3/include/proto.h b/source3/include/proto.h

index b177e8d7893acb5efc939b436c3f333380ac2f48..206c1b309a42a7204283ed90976cbbdedd7b7a23 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -267,6 +267,7 @@ int smb_buflen(char *buf);
  char *smb_buf(char *buf);
  int smb_offset(char *p,char *buf);
  char *skip_string(char *buf,int n);
+size_t str_charnum(char *s);
  BOOL trim_string(char *s,char *front,char *back);
  void dos_clean_name(char *s);
  void unix_clean_name(char *s);
@@ -1594,7 +1595,7 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
                                 char *domain, char *user, char *wks,
                                 uint32 neg_flags);
  void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth);
-BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 *seq_num);
+BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 seq_num);
  void make_rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk,
                                 uint32 ver, uint32 crc32, uint32 seq_num);
  void smb_io_rpc_auth_ntlmssp_chk(char *desc, RPC_AUTH_NTLMSSP_CHK *chk, prs_struct *ps, int depth);
diff --git a/source3/lib/crc32.c b/source3/lib/crc32.c

index 8e687d30e696129b6fe5e0741710fca64fd5a2d2..9da5b4bfe14bf54011144a66b9bbd7f56dbc8c6b 100644 (file)
--- a/source3/lib/crc32.c
+++ b/source3/lib/crc32.c
@@ -65,7 +65,7 @@ uint32 crc32_calc_buffer( uint32 count, char *buffer)
                  crc = (crc>>8) ^ CRCTable[(buffer[i] ^ crc) & 0xff];
         }
          crc^=0xffffffff;
-       DEBUG(10,("crc_32_calc_buffer: %x\n", crc));
+       DEBUG(10,("crc32_calc_buffer: %x\n", crc));
         dump_data(100, buffer, count);
          return crc;
  }
diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c

index 89b7e0e647c9af1a110bcb7509134101d85bc819..5495697c8f4570e0fde6edee3ae756f8bd347752 100644 (file)
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -55,6 +55,8 @@ void process_logon_packet(struct packet_struct *p,char *buf,int len,
    char *unicomp; /* Unicode computer name. */
    struct smb_passwd *smb_pass; /* To check if machine account exists */
  
+  memset(outbuf, 0, sizeof(outbuf));
+
    if (!lp_domain_logons())
    {
      DEBUG(3,("process_logon_packet: Logon packet received from IP %s and domain \
@@ -137,7 +139,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
        fstrcpy(q, reply_name);
        q = skip_string(q, 1); /* PDC name */
  
+#if 0
        if (strcmp(mailslot, NT_LOGON_MAILSLOT)==0) {
+#endif
          q = align2(q, buf);
  
          PutUniCode(q, my_name); /* PDC name */
@@ -151,7 +155,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
          q += 2;
          SSVAL(q, 0, lm20token);
          q += 2;
+#if 0
        }
+#endif
  
        DEBUG(3,("process_logon_packet: GETDC request from %s at IP %s, \
  reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c

index 1a72f930c5c5243688e1f0a641a869c338c30dbe..12e2cc243c5917c771b06bf3ddf97834b467a3e7 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -196,10 +196,11 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
         if (auth_verify)
         {
                 crc32 = crc32_calc_buffer(data_len, reply_data);
-               if (!rpc_auth_ntlmssp_chk(&chk, crc32 , &cli->ntlmssp_seq_num))
+               if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num))
                 {
                         return False;
                 }
+               cli->ntlmssp_seq_num++;
         }
         return True;
  }
diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c

index 44f95c7e0c4a7651fce4d960dcc8c31f01e0fa88..6b5da0ef56cf0f86d7cb552c872eba1f643c8453 100644 (file)
--- a/source3/rpc_parse/parse_rpc.c
+++ b/source3/rpc_parse/parse_rpc.c
@@ -559,6 +559,9 @@ void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg,
  
  /*******************************************************************
  reads or writes an RPC_AUTH_NTLMSSP_NEG structure.
+
+*** lkclXXXX HACK ALERT! ***
+
  ********************************************************************/
  void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth)
  {
@@ -582,11 +585,11 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru
  
                 old_offset = ps->offset;
  
-               ps->offset = neg->hdr_myname  .buffer + 0x1c;
+               ps->offset = neg->hdr_myname  .buffer + 0x50; /* lkclXXXX HACK! */
                 prs_uint8s(True , "myname", ps, depth, (uint8*)neg->myname  , MIN(neg->hdr_myname  .str_str_len, sizeof(neg->myname  ))); 
                 old_offset += neg->hdr_myname  .str_str_len;
  
-               ps->offset = neg->hdr_domain  .buffer + 0x1c;
+               ps->offset = neg->hdr_domain  .buffer + 0x50; /* lkclXXXX HACK! */
                 prs_uint8s(True , "domain", ps, depth, (uint8*)neg->domain  , MIN(neg->hdr_domain  .str_str_len, sizeof(neg->domain  ))); 
                 old_offset += neg->hdr_domain  .str_str_len;
  
@@ -803,24 +806,23 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st
  /*******************************************************************
  checks an RPC_AUTH_NTLMSSP_CHK structure.
  ********************************************************************/
-BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 *seq_num)
+BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 seq_num)
  {
-       if (chk == NULL || seq_num == NULL)
+       if (chk == NULL)
         {
                 return False;
         }
  
         if (chk->crc32 != crc32 ||
             chk->ver   != NTLMSSP_SIGN_VERSION ||
-           chk->seq_num != (*seq_num))
+           chk->seq_num != seq_num)
         {
                 DEBUG(5,("verify failed - crc %x ver %x seq %d\n",
-                       crc32, NTLMSSP_SIGN_VERSION, (*seq_num)-1));
+                       crc32, NTLMSSP_SIGN_VERSION, seq_num));
                 DEBUG(5,("verify expect - crc %x ver %x seq %d\n",
                         chk->crc32, chk->ver, chk->seq_num));
                 return False;
         }
-       (*seq_num)++;
         return True;
  }
  
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c

index 1c57efc3f4abe1fcca3db2ef3d21b7c1e037257e..fde654bcc4fbc6fc96a597af9c72eb08b7234a66 100644 (file)
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -215,7 +215,7 @@ BOOL create_rpc_reply(pipes_struct *p,
  
         if (p->ntlmssp_auth)
         {
-               p->hdr_resp.alloc_hint -= auth_len - 16;
+               p->hdr_resp.alloc_hint -= auth_len + 8;
         }
  
         if (p->ntlmssp_auth)
@@ -252,8 +252,8 @@ BOOL create_rpc_reply(pipes_struct *p,
  
                 if (auth_seal)
                 {
-                       NTLMSSPcalc(p->ntlmssp_hash, (uchar*)data, data_len);
                         crc32 = crc32_calc_buffer(data_len, data);
+                       NTLMSSPcalc(p->ntlmssp_hash, (uchar*)data, data_len);
                 }
  
                 if (auth_seal || auth_verify)
@@ -265,7 +265,8 @@ BOOL create_rpc_reply(pipes_struct *p,
                 if (auth_verify)
                 {
                         char *auth_data;
-                       make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num);
+                       p->ntlmssp_seq_num++;
+                       make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num++);
                         smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), &p->rverf, 0);
                         auth_data = mem_data(&p->rverf.data, 4);
                         NTLMSSPcalc(p->ntlmssp_hash, (uchar*)auth_data, 12);
@@ -624,11 +625,10 @@ static BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *pd)
                 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), pd, 0);
  
                 if (!rpc_auth_ntlmssp_chk(&(p->ntlmssp_chk), crc32,
-                                         &(p->ntlmssp_seq_num)))
+                                         p->ntlmssp_seq_num))
                 {
                         return False;
                 }
-               p->ntlmssp_seq_num = 0;
         }
  
         pd->offset = old_offset;
@@ -777,7 +777,7 @@ BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds
         }
  
         /* create the rpc header */
-       if (!create_rpc_reply(p, 0, p->rdata.offset + (p->ntlmssp_auth ? (16 + 16) : 0)))
+       if (!create_rpc_reply(p, 0, p->rdata.offset + (p->ntlmssp_auth ? (16 + 8) : 0)))
         {
                 return False;
         }
author	Luke Leighton <lkcl@samba.org>
	Wed, 21 Oct 1998 01:35:01 +0000 (01:35 +0000)
committer	Luke Leighton <lkcl@samba.org>
	Wed, 21 Oct 1998 01:35:01 +0000 (01:35 +0000)
source3/include/proto.h		patch \| blob \| history
source3/lib/crc32.c		patch \| blob \| history
source3/nmbd/nmbd_processlogon.c		patch \| blob \| history
source3/rpc_client/cli_pipe.c		patch \| blob \| history
source3/rpc_parse/parse_rpc.c		patch \| blob \| history
source3/rpc_server/srv_util.c		patch \| blob \| history