From 9307940876a6c226969e9169d55c0408cd7ab032 Mon Sep 17 00:00:00 2001
From: Luke Leighton
Date: Wed, 21 Oct 1998 01:35:01 +0000
Subject: [PATCH] fixing smbd encrypted rpcs (data lens, alloc hints, sequence nums argh). put unicode strings after SAMLOGON query regardless of whether it's an NT mailslot or a non-NT mailslot, after having observed this behaviour out of NT machines. (This used to be commit c101113ec20ed0ba633e78e4ee45596cdccaf1b5)
---
 source3/include/proto.h | 3 ++-
 source3/lib/crc32.c | 2 +-
 source3/nmbd/nmbd_processlogon.c | 6 ++++++
 source3/rpc_client/cli_pipe.c | 3 ++-
 source3/rpc_parse/parse_rpc.c | 16 +++++++++-------
 source3/rpc_server/srv_util.c | 12 ++++++------
 6 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index b177e8d7893..206c1b309a4 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -267,6 +267,7 @@ int smb_buflen(char *buf);
 char *smb_buf(char *buf);
 int smb_offset(char *p,char *buf);
 char *skip_string(char *buf,int n);
+size_t str_charnum(char *s);
 BOOL trim_string(char *s,char *front,char *back);
 void dos_clean_name(char *s);
 void unix_clean_name(char *s);
@@ -1594,7 +1595,7 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
 				char *domain, char *user, char *wks,
 				uint32 neg_flags);
 void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth);
-BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 *seq_num);
+BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 seq_num);
 void make_rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 ver, uint32 crc32, uint32 seq_num);
 void smb_io_rpc_auth_ntlmssp_chk(char *desc, RPC_AUTH_NTLMSSP_CHK *chk, prs_struct *ps, int depth);
diff --git a/source3/lib/crc32.c b/source3/lib/crc32.c
index 8e687d30e69..9da5b4bfe14 100644
--- a/source3/lib/crc32.c
+++ b/source3/lib/crc32.c
@@ -65,7 +65,7 @@ uint32 crc32_calc_buffer( uint32 count, char *buffer)
 		crc = (crc>>8) ^ CRCTable[(buffer[i] ^ crc) & 0xff];
 	}
 	crc^=0xffffffff;
-	DEBUG(10,("crc_32_calc_buffer: %x\n", crc));
+	DEBUG(10,("crc32_calc_buffer: %x\n", crc));
 	dump_data(100, buffer, count);
 	return crc;
 }
diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c
index 89b7e0e647c..5495697c8f4 100644
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -55,6 +55,8 @@ void process_logon_packet(struct packet_struct *p,char *buf,int len,
   char *unicomp; /* Unicode computer name. */
   struct smb_passwd *smb_pass; /* To check if machine account exists */
+  memset(outbuf, 0, sizeof(outbuf));
+
   if (!lp_domain_logons())
   {
     DEBUG(3,("process_logon_packet: Logon packet received from IP %s and domain \
@@ -137,7 +139,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
       fstrcpy(q, reply_name);
       q = skip_string(q, 1); /* PDC name */
+#if 0
       if (strcmp(mailslot, NT_LOGON_MAILSLOT)==0)
       {
+#endif
         q = align2(q, buf);
         PutUniCode(q, my_name); /* PDC name */
@@ -151,7 +155,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
         q += 2;
         SSVAL(q, 0, lm20token);
         q += 2;
+#if 0
       }
+#endif
       DEBUG(3,("process_logon_packet: GETDC request from %s at IP %s, \
 reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1a72f930c5c..12e2cc243c5 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -196,10 +196,11 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
 	if (auth_verify)
 	{
 		crc32 = crc32_calc_buffer(data_len, reply_data);
-		if (!rpc_auth_ntlmssp_chk(&chk, crc32 , &cli->ntlmssp_seq_num))
+		if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num))
 		{
 			return False;
 		}
+		cli->ntlmssp_seq_num++;
 	}
 	return True;
 }
diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c
index 44f95c7e0c4..6b5da0ef56c 100644
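Review bot: The `#if 0` pair in the two nmbd_processlogon.c hunks at lines 137 and 151 leaves `if (strcmp(mailslot, NT_LOGON_MAILSLOT)==0)` and its closing brace as dead code, and the reason (NT sends the unicode strings for both mailslot types) lives only in the commit message. Either delete the disabled lines or replace the first `#if 0` with a comment that carries the observation, e.g. `/* NT appends the unicode names regardless of mailslot type, so do not gate on NT_LOGON_MAILSLOT */`, and drop the orphaned braces. Non-NT requesters now get the longer reply; the writes through `q` are not visibly bounded against `sizeof(outbuf)` in these hunks, so confirm in the enclosing function that outbuf is sized for the unicode variant. process_logon_packet's body starts before and continues after these hunks.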
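Review bot: In the cli_pipe.c hunk, `cli->ntlmssp_seq_num++` runs only when the verify succeeds, so after `return False` the client's counter no longer tracks the server's and every later reply on this pipe will fail the check as well; a False from rpc_auth_pipe therefore has to be terminal for the pipe, which is the right outcome for a failed signature but is nowhere stated. Make the contract explicit on the early return: `/* a failed verify desynchronises the sequence counter; the pipe must be closed, not retried */`. The CRC is taken over reply_data here, so it must already be the unsealed data; the unseal step is outside the hunk, so confirm the order mirrors the server side, which now computes the CRC before sealing. rpc_auth_pipe's body starts outside the hunk.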
--- a/source3/rpc_parse/parse_rpc.c
+++ b/source3/rpc_parse/parse_rpc.c
@@ -559,6 +559,9 @@ void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg,
 /*******************************************************************
 reads or writes an RPC_AUTH_NTLMSSP_NEG structure.
+
+*** lkclXXXX HACK ALERT! ***
+
 ********************************************************************/
 void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth)
 {
@@ -582,11 +585,11 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru
 	old_offset = ps->offset;
-	ps->offset = neg->hdr_myname .buffer + 0x1c;
+	ps->offset = neg->hdr_myname .buffer + 0x50; /* lkclXXXX HACK! */
 	prs_uint8s(True , "myname", ps, depth, (uint8*)neg->myname , MIN(neg->hdr_myname .str_str_len, sizeof(neg->myname )));
 	old_offset += neg->hdr_myname .str_str_len;
-	ps->offset = neg->hdr_domain .buffer + 0x1c;
+	ps->offset = neg->hdr_domain .buffer + 0x50; /* lkclXXXX HACK! */
 	prs_uint8s(True , "domain", ps, depth, (uint8*)neg->domain , MIN(neg->hdr_domain .str_str_len, sizeof(neg->domain )));
 	old_offset += neg->hdr_domain .str_str_len;
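Review bot: `ps->offset = neg->hdr_myname .buffer + 0x50;` seeks the parser to a position derived from a header field plus a bare constant, and the only explanation is `lkclXXXX HACK!`; the `*** lkclXXXX HACK ALERT! ***` line added to the function's doc comment in the previous hunk says no more. If hdr_myname.buffer is read from the peer's negotiate message, as its name suggests, the computed offset should be checked against the parse buffer's length before prs_uint8s reads at it (prs_uint8s' own bounds behaviour is not visible here), and the comment should say what 0x50 stands for — presumably the size of the fixed header that precedes the string data — so it can later be derived rather than hard-coded: `/* string data follows the fixed negotiate header; 0x50 is that header's size — TODO derive from the struct */`. The same applies to the hdr_domain line below it. smb_io_rpc_auth_ntlmssp_neg's body continues outside the hunk.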
@@ -803,24 +806,23 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st
 /*******************************************************************
 checks an RPC_AUTH_NTLMSSP_CHK structure.
 ********************************************************************/
-BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 *seq_num)
+BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 seq_num)
 {
-	if (chk == NULL || seq_num == NULL)
+	if (chk == NULL)
 	{
 		return False;
 	}
 	if (chk->crc32 != crc32 ||
 	    chk->ver != NTLMSSP_SIGN_VERSION ||
-	    chk->seq_num != (*seq_num))
+	    chk->seq_num != seq_num)
 	{
 		DEBUG(5,("verify failed - crc %x ver %x seq %d\n",
-			crc32, NTLMSSP_SIGN_VERSION, (*seq_num)-1));
+			crc32, NTLMSSP_SIGN_VERSION, seq_num));
 		DEBUG(5,("verify expect - crc %x ver %x seq %d\n",
 			chk->crc32, chk->ver, chk->seq_num));
 		return False;
 	}
-	(*seq_num)++;
 	return True;
 }
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 1c57efc3f4a..fde654bcc4f 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -215,7 +215,7 @@ BOOL create_rpc_reply(pipes_struct *p,
 	if (p->ntlmssp_auth)
 	{
-		p->hdr_resp.alloc_hint -= auth_len - 16;
+		p->hdr_resp.alloc_hint -= auth_len + 8;
 	}
 	if (p->ntlmssp_auth)
@@ -252,8 +252,8 @@ BOOL create_rpc_reply(pipes_struct *p,
 	if (auth_seal)
 	{
-		NTLMSSPcalc(p->ntlmssp_hash, (uchar*)data, data_len);
 		crc32 = crc32_calc_buffer(data_len, data);
+		NTLMSSPcalc(p->ntlmssp_hash, (uchar*)data, data_len);
 	}
 	if (auth_seal || auth_verify)
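Review bot: The doc comment over rpc_auth_ntlmssp_chk still reads `checks an RPC_AUTH_NTLMSSP_CHK structure.` although the contract changed: seq_num is now the caller's expected value and the function no longer advances anything (the `(*seq_num)++` is gone), so each caller has to keep the counter in step itself. Add that to the comment: `seq_num is the value the caller expects; advancing the counter after a successful check is the caller's responsibility`. Minor: both DEBUG lines print a uint32 with `%d` where `%u` matches the type, and the `verify failed` line shows the locally expected values while `verify expect` shows the received ones, so the two labels read swapped.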
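Review bot: In the srv_util.c hunk at line 215, `p->hdr_resp.alloc_hint -= auth_len + 8;` and the `(16 + 8)` passed to create_rpc_reply from api_rpcTNP (last hunk of this file) are the same trailer sizes written as bare numbers in two places, which is how the previous `- 16` / `(16 + 16)` pair drifted apart. What the 8 and 16 bytes are cannot be told from these hunks, but whatever they are they should be named once and used in both spots, e.g. `p->hdr_resp.alloc_hint -= auth_len + AUTH_TRAILER_LEN;` with a single definition and a comment saying which wire header it measures (AUTH_TRAILER_LEN is a constructed name). create_rpc_reply's body starts and ends outside the hunk.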
@@ -265,7 +265,8 @@ BOOL create_rpc_reply(pipes_struct *p,
 	if (auth_verify)
 	{
 		char *auth_data;
-		make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num);
+		p->ntlmssp_seq_num++;
+		make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num++);
 		smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), &p->rverf, 0);
 		auth_data = mem_data(&p->rverf.data, 4);
 		NTLMSSPcalc(p->ntlmssp_hash, (uchar*)auth_data, 12);
@@ -624,11 +625,10 @@ static BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *pd)
 		smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), pd, 0);
 		if (!rpc_auth_ntlmssp_chk(&(p->ntlmssp_chk), crc32,
-		                          &(p->ntlmssp_seq_num)))
+		                          p->ntlmssp_seq_num))
 		{
 			return False;
 		}
-		p->ntlmssp_seq_num = 0;
 	}
 	pd->offset = old_offset;
@@ -777,7 +777,7 @@ BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds
 	}
 	/* create the rpc header */
-	if (!create_rpc_reply(p, 0, p->rdata.offset + (p->ntlmssp_auth ? (16 + 16) : 0)))
+	if (!create_rpc_reply(p, 0, p->rdata.offset + (p->ntlmssp_auth ? (16 + 8) : 0)))
 	{
 		return False;
 	}
-- 
2.34.1
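Review bot: `p->ntlmssp_seq_num++;` immediately followed by `make_rpc_auth_ntlmssp_chk(..., p->ntlmssp_seq_num++)` advances the counter twice per reply and signs with the intermediate value, which reads like a copy-paste slip rather than a design. If the intent is one counter shared by both directions — the request is checked against `p->ntlmssp_seq_num` in api_pipe_auth_process (next hunk), which no longer resets it to 0 and does not advance it, so the reply takes n+1 and the next request is expected at n+2 — then say so and make both steps visible instead of hiding one in the argument list: `p->ntlmssp_seq_num++; /* request used n; reply signs with n+1 */`, `make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num);`, `p->ntlmssp_seq_num++; /* next request is expected at n+2 */`. If that is not the intent, the second increment is a bug that would desynchronise every client after the first signed reply. create_rpc_reply's and api_pipe_auth_process's bodies start and end outside these hunks.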