1998-03-12 00:11:04 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
1998-03-12 00:11:04 +03:00
Samba memory buffer functions
1999-12-13 16:27:58 +03:00
Copyright ( C ) Andrew Tridgell 1992 - 1997
Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997
2003-10-02 01:18:32 +04:00
Copyright ( C ) Jeremy Allison 1999
Copyright ( C ) Andrew Bartlett 2003.
1998-03-12 00:11:04 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_PARSE
2002-01-02 10:48:07 +03:00
/**
* Dump a prs to a file : from the current location through to the end .
* */
2000-05-15 11:17:34 +04:00
void prs_dump ( char * name , int v , prs_struct * ps )
2002-01-02 10:48:07 +03:00
{
prs_dump_region ( name , v , ps , ps - > data_offset , ps - > buffer_size ) ;
}
/**
* Dump from the start of the prs to the current location .
* */
void prs_dump_before ( char * name , int v , prs_struct * ps )
{
prs_dump_region ( name , v , ps , 0 , ps - > data_offset ) ;
}
/**
* Dump everything from the start of the prs up to the current location .
* */
void prs_dump_region ( char * name , int v , prs_struct * ps ,
int from_off , int to_off )
2000-05-12 18:28:46 +04:00
{
2000-05-15 11:17:34 +04:00
int fd , i ;
2000-05-12 18:28:46 +04:00
pstring fname ;
2005-09-30 21:13:37 +04:00
ssize_t sz ;
2000-05-12 18:28:46 +04:00
if ( DEBUGLEVEL < 50 ) return ;
2000-05-15 11:17:34 +04:00
for ( i = 1 ; i < 100 ; i + + ) {
if ( v ! = - 1 ) {
2001-04-09 00:22:39 +04:00
slprintf ( fname , sizeof ( fname ) - 1 , " /tmp/%s_%d.%d.prs " , name , v , i ) ;
2000-05-15 11:17:34 +04:00
} else {
2001-04-09 00:22:39 +04:00
slprintf ( fname , sizeof ( fname ) - 1 , " /tmp/%s.%d.prs " , name , i ) ;
2000-05-15 11:17:34 +04:00
}
fd = open ( fname , O_WRONLY | O_CREAT | O_EXCL , 0644 ) ;
if ( fd ! = - 1 | | errno ! = EEXIST ) break ;
}
2000-05-12 18:28:46 +04:00
if ( fd ! = - 1 ) {
2005-09-30 21:13:37 +04:00
sz = write ( fd , ps - > data_p + from_off , to_off - from_off ) ;
i = close ( fd ) ;
if ( ( sz ! = to_off - from_off ) | | ( i ! = 0 ) ) {
DEBUG ( 0 , ( " Error writing/closing %s: %ld!=%ld %d \n " , fname , ( unsigned long ) sz , ( unsigned long ) to_off - from_off , i ) ) ;
} else {
DEBUG ( 0 , ( " created %s \n " , fname ) ) ;
}
2000-05-12 18:28:46 +04:00
}
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
2005-09-30 21:13:37 +04:00
Debug output for parsing info
1998-03-12 00:11:04 +03:00
2005-09-30 21:13:37 +04:00
XXXX side - effect of this function is to increase the debug depth XXXX .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1998-03-12 00:11:04 +03:00
2003-01-03 11:28:12 +03:00
void prs_debug ( prs_struct * ps , int depth , const char * desc , const char * fn_name )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
DEBUG ( 5 + depth , ( " %s%06x %s %s \n " , tab_depth ( depth ) , ps - > data_offset , fn_name , desc ) ) ;
1998-03-12 00:11:04 +03:00
}
2001-11-15 09:03:22 +03:00
/**
* Initialise an expandable parse structure .
*
* @ param size Initial buffer size . If > 0 , a new buffer will be
* created with malloc ( ) .
*
* @ return False if allocation fails , otherwise True .
* */
2005-09-30 21:13:37 +04:00
2001-03-10 02:48:58 +03:00
BOOL prs_init ( prs_struct * ps , uint32 size , TALLOC_CTX * ctx , BOOL io )
1999-12-06 03:44:32 +03:00
{
1999-12-13 16:27:58 +03:00
ZERO_STRUCTP ( ps ) ;
ps - > io = io ;
2001-03-10 02:48:58 +03:00
ps - > bigendian_data = RPC_LITTLE_ENDIAN ;
ps - > align = RPC_PARSE_ALIGN ;
1999-12-13 16:27:58 +03:00
ps - > is_dynamic = False ;
ps - > data_offset = 0 ;
ps - > buffer_size = 0 ;
ps - > data_p = NULL ;
2000-07-27 04:47:19 +04:00
ps - > mem_ctx = ctx ;
1999-12-13 16:27:58 +03:00
if ( size ! = 0 ) {
ps - > buffer_size = size ;
2004-12-07 21:25:53 +03:00
if ( ( ps - > data_p = ( char * ) SMB_MALLOC ( ( size_t ) size ) ) = = NULL ) {
1999-12-13 16:27:58 +03:00
DEBUG ( 0 , ( " prs_init: malloc fail for %u bytes. \n " , ( unsigned int ) size ) ) ;
return False ;
}
2002-01-18 03:19:45 +03:00
memset ( ps - > data_p , ' \0 ' , ( size_t ) size ) ;
1999-12-13 16:27:58 +03:00
ps - > is_dynamic = True ; /* We own this memory. */
2005-09-30 21:13:37 +04:00
} else if ( MARSHALLING ( ps ) ) {
/* If size is zero and we're marshalling we should allocate memory on demand. */
ps - > is_dynamic = True ;
1999-12-13 16:27:58 +03:00
}
return True ;
1999-12-06 03:44:32 +03:00
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Delete the memory in a parse structure - if we own it .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
void prs_mem_free ( prs_struct * ps )
1998-03-12 00:11:04 +03:00
{
2001-09-17 14:00:29 +04:00
if ( ps - > is_dynamic )
SAFE_FREE ( ps - > data_p ) ;
1999-12-13 16:27:58 +03:00
ps - > is_dynamic = False ;
ps - > buffer_size = 0 ;
ps - > data_offset = 0 ;
}
1998-03-12 00:11:04 +03:00
2002-01-18 03:36:16 +03:00
/*******************************************************************
Clear the memory in a parse structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void prs_mem_clear ( prs_struct * ps )
{
2003-02-15 01:55:46 +03:00
if ( ps - > buffer_size )
memset ( ps - > data_p , ' \0 ' , ( size_t ) ps - > buffer_size ) ;
2002-01-18 03:36:16 +03:00
}
2000-07-27 04:47:19 +04:00
/*******************************************************************
2001-02-27 05:09:50 +03:00
Allocate memory when unmarshalling . . . Always zero clears .
2000-07-27 04:47:19 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-12-07 21:25:53 +03:00
# if defined(PARANOID_MALLOC_CHECKER)
char * prs_alloc_mem_ ( prs_struct * ps , size_t size , unsigned int count )
# else
char * prs_alloc_mem ( prs_struct * ps , size_t size , unsigned int count )
# endif
2000-07-27 04:47:19 +04:00
{
2003-02-15 01:55:46 +03:00
char * ret = NULL ;
2001-02-27 05:09:50 +03:00
2003-02-15 01:55:46 +03:00
if ( size ) {
2004-12-07 21:25:53 +03:00
/* We can't call the type-safe version here. */
2005-05-03 11:33:49 +04:00
ret = _talloc_zero_array ( ps - > mem_ctx , size , count , " parse_prs " ) ;
2003-02-15 01:55:46 +03:00
}
2001-02-27 05:09:50 +03:00
return ret ;
2000-07-27 04:47:19 +04:00
}
/*******************************************************************
Return the current talloc context we ' re using .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
TALLOC_CTX * prs_get_mem_context ( prs_struct * ps )
{
return ps - > mem_ctx ;
}
1999-12-13 16:27:58 +03:00
/*******************************************************************
Hand some already allocated memory to a prs_struct .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1998-03-12 00:11:04 +03:00
1999-12-13 16:27:58 +03:00
void prs_give_memory ( prs_struct * ps , char * buf , uint32 size , BOOL is_dynamic )
{
ps - > is_dynamic = is_dynamic ;
ps - > data_p = buf ;
ps - > buffer_size = size ;
1998-03-12 00:11:04 +03:00
}
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Take some memory back from a prs_struct .
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
char * prs_take_memory ( prs_struct * ps , uint32 * psize )
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
{
1999-12-13 16:27:58 +03:00
char * ret = ps - > data_p ;
if ( psize )
* psize = ps - > buffer_size ;
ps - > is_dynamic = False ;
prs_mem_free ( ps ) ;
return ret ;
}
2000-05-17 23:17:16 +04:00
/*******************************************************************
Set a prs_struct to exactly a given size . Will grow or tuncate if neccessary .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_set_buffer_size ( prs_struct * ps , uint32 newsize )
{
if ( newsize > ps - > buffer_size )
return prs_force_grow ( ps , newsize - ps - > buffer_size ) ;
if ( newsize < ps - > buffer_size ) {
2004-12-07 21:25:53 +03:00
char * new_data_p = SMB_REALLOC ( ps - > data_p , newsize ) ;
2000-05-27 02:37:08 +04:00
/* if newsize is zero, Realloc acts like free() & returns NULL*/
if ( new_data_p = = NULL & & newsize ! = 0 ) {
2000-05-17 23:17:16 +04:00
DEBUG ( 0 , ( " prs_set_buffer_size: Realloc failure for size %u. \n " ,
( unsigned int ) newsize ) ) ;
2000-05-27 02:37:08 +04:00
DEBUG ( 0 , ( " prs_set_buffer_size: Reason %s \n " , strerror ( errno ) ) ) ;
2000-05-17 23:17:16 +04:00
return False ;
}
ps - > data_p = new_data_p ;
ps - > buffer_size = newsize ;
}
return True ;
}
1999-12-13 16:27:58 +03:00
/*******************************************************************
Attempt , if needed , to grow a data buffer .
Also depends on the data stream mode ( io ) .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_grow ( prs_struct * ps , uint32 extra_space )
{
uint32 new_size ;
char * new_data ;
2000-05-15 13:58:58 +04:00
ps - > grow_size = MAX ( ps - > grow_size , ps - > data_offset + extra_space ) ;
1999-12-13 16:27:58 +03:00
if ( ps - > data_offset + extra_space < = ps - > buffer_size )
return True ;
/*
* We cannot grow the buffer if we ' re not reading
* into the prs_struct , or if we don ' t own the memory .
*/
if ( UNMARSHALLING ( ps ) | | ! ps - > is_dynamic ) {
DEBUG ( 0 , ( " prs_grow: Buffer overflow - unable to expand buffer by %u bytes. \n " ,
( unsigned int ) extra_space ) ) ;
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
return False ;
}
2000-02-15 21:07:45 +03:00
1999-12-13 16:27:58 +03:00
/*
* Decide how much extra space we really need .
*/
extra_space - = ( ps - > buffer_size - ps - > data_offset ) ;
if ( ps - > buffer_size = = 0 ) {
/*
* Ensure we have at least a PDU ' s length , or extra_space , whichever
* is greater .
*/
2005-09-30 21:13:37 +04:00
new_size = MAX ( RPC_MAX_PDU_FRAG_LEN , extra_space ) ;
1999-12-13 16:27:58 +03:00
2004-12-07 21:25:53 +03:00
if ( ( new_data = SMB_MALLOC ( new_size ) ) = = NULL ) {
1999-12-13 16:27:58 +03:00
DEBUG ( 0 , ( " prs_grow: Malloc failure for size %u. \n " , ( unsigned int ) new_size ) ) ;
return False ;
}
2002-01-18 03:36:16 +03:00
memset ( new_data , ' \0 ' , ( size_t ) new_size ) ;
1999-12-13 16:27:58 +03:00
} else {
/*
* If the current buffer size is bigger than the space needed , just
* double it , else add extra_space .
*/
2000-02-15 21:07:45 +03:00
new_size = MAX ( ps - > buffer_size * 2 , ps - > buffer_size + extra_space ) ;
1999-12-13 16:27:58 +03:00
2004-12-07 21:25:53 +03:00
if ( ( new_data = SMB_REALLOC ( ps - > data_p , new_size ) ) = = NULL ) {
1999-12-13 16:27:58 +03:00
DEBUG ( 0 , ( " prs_grow: Realloc failure for size %u. \n " ,
( unsigned int ) new_size ) ) ;
return False ;
}
2000-05-17 07:12:56 +04:00
2002-01-18 03:36:16 +03:00
memset ( & new_data [ ps - > buffer_size ] , ' \0 ' , ( size_t ) ( new_size - ps - > buffer_size ) ) ;
1999-12-13 16:27:58 +03:00
}
ps - > buffer_size = new_size ;
ps - > data_p = new_data ;
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
return True ;
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Attempt to force a data buffer to grow by len bytes .
This is only used when appending more data onto a prs_struct
when reading an rpc reply , before unmarshalling it .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
BOOL prs_force_grow ( prs_struct * ps , uint32 extra_space )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
uint32 new_size = ps - > buffer_size + extra_space ;
char * new_data ;
if ( ! UNMARSHALLING ( ps ) | | ! ps - > is_dynamic ) {
DEBUG ( 0 , ( " prs_force_grow: Buffer overflow - unable to expand buffer by %u bytes. \n " ,
( unsigned int ) extra_space ) ) ;
return False ;
}
2004-12-07 21:25:53 +03:00
if ( ( new_data = SMB_REALLOC ( ps - > data_p , new_size ) ) = = NULL ) {
1999-12-13 16:27:58 +03:00
DEBUG ( 0 , ( " prs_force_grow: Realloc failure for size %u. \n " ,
( unsigned int ) new_size ) ) ;
return False ;
}
2002-01-18 03:36:16 +03:00
memset ( & new_data [ ps - > buffer_size ] , ' \0 ' , ( size_t ) ( new_size - ps - > buffer_size ) ) ;
2000-05-17 07:12:56 +04:00
1999-12-13 16:27:58 +03:00
ps - > buffer_size = new_size ;
ps - > data_p = new_data ;
return True ;
1998-03-12 00:11:04 +03:00
}
1998-10-07 19:22:49 +04:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Get the data pointer ( external interface ) .
2003-02-15 01:55:46 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
1999-12-13 16:27:58 +03:00
char * prs_data_p ( prs_struct * ps )
{
return ps - > data_p ;
1998-10-07 19:22:49 +04:00
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Get the current data size ( external interface ) .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
uint32 prs_data_size ( prs_struct * ps )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
return ps - > buffer_size ;
1998-03-12 00:11:04 +03:00
}
/*******************************************************************
1999-12-13 16:27:58 +03:00
Fetch the current offset ( external interface ) .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
uint32 prs_offset ( prs_struct * ps )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
return ps - > data_offset ;
1998-03-12 00:11:04 +03:00
}
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Set the current offset ( external interface ) .
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
BOOL prs_set_offset ( prs_struct * ps , uint32 offset )
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
{
1999-12-13 16:27:58 +03:00
if ( offset < = ps - > data_offset ) {
ps - > data_offset = offset ;
return True ;
}
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
1999-12-13 16:27:58 +03:00
if ( ! prs_grow ( ps , offset - ps - > data_offset ) )
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
return False ;
1999-12-13 16:27:58 +03:00
ps - > data_offset = offset ;
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
return True ;
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Append the data from one parse_struct into another .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
BOOL prs_append_prs_data ( prs_struct * dst , prs_struct * src )
1998-03-12 00:11:04 +03:00
{
2003-02-15 01:55:46 +03:00
if ( prs_offset ( src ) = = 0 )
return True ;
2000-05-17 23:17:16 +04:00
if ( ! prs_grow ( dst , prs_offset ( src ) ) )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
2003-02-15 01:55:46 +03:00
memcpy ( & dst - > data_p [ dst - > data_offset ] , src - > data_p , ( size_t ) prs_offset ( src ) ) ;
1999-12-13 16:27:58 +03:00
dst - > data_offset + = prs_offset ( src ) ;
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
1998-03-12 00:11:04 +03:00
return True ;
}
2000-02-07 19:25:15 +03:00
/*******************************************************************
Append some data from one parse_struct into another .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-02-15 21:07:45 +03:00
BOOL prs_append_some_prs_data ( prs_struct * dst , prs_struct * src , int32 start , uint32 len )
{
2000-06-06 00:55:57 +04:00
if ( len = = 0 )
return True ;
2000-05-17 23:17:16 +04:00
if ( ! prs_grow ( dst , len ) )
2000-02-07 19:25:15 +03:00
return False ;
2000-02-15 21:07:45 +03:00
2003-02-15 01:55:46 +03:00
memcpy ( & dst - > data_p [ dst - > data_offset ] , src - > data_p + start , ( size_t ) len ) ;
2000-02-07 19:25:15 +03:00
dst - > data_offset + = len ;
return True ;
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Append the data from a buffer into a parse_struct .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2005-09-30 21:13:37 +04:00
BOOL prs_copy_data_in ( prs_struct * dst , const char * src , uint32 len )
1998-03-12 00:11:04 +03:00
{
2003-02-15 01:55:46 +03:00
if ( len = = 0 )
return True ;
2000-05-17 23:17:16 +04:00
if ( ! prs_grow ( dst , len ) )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
1999-12-13 16:27:58 +03:00
memcpy ( & dst - > data_p [ dst - > data_offset ] , src , ( size_t ) len ) ;
dst - > data_offset + = len ;
1998-03-12 00:11:04 +03:00
return True ;
}
2003-02-15 01:55:46 +03:00
/*******************************************************************
Copy some data from a parse_struct into a buffer .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_copy_data_out ( char * dst , prs_struct * src , uint32 len )
{
if ( len = = 0 )
return True ;
if ( ! prs_mem_get ( src , len ) )
return False ;
memcpy ( dst , & src - > data_p [ src - > data_offset ] , ( size_t ) len ) ;
src - > data_offset + = len ;
return True ;
}
/*******************************************************************
Copy all the data from a parse_struct into a buffer .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_copy_all_data_out ( char * dst , prs_struct * src )
{
uint32 len = prs_offset ( src ) ;
if ( ! len )
return True ;
prs_set_offset ( src , 0 ) ;
return prs_copy_data_out ( dst , src , len ) ;
}
1999-07-21 04:32:09 +04:00
/*******************************************************************
2001-03-10 02:48:58 +03:00
Set the data as X - endian ( external interface ) .
1999-07-21 04:32:09 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2001-03-10 02:48:58 +03:00
void prs_set_endian_data ( prs_struct * ps , BOOL endian )
1999-07-21 04:32:09 +04:00
{
2001-03-10 02:48:58 +03:00
ps - > bigendian_data = endian ;
1999-12-13 16:27:58 +03:00
}
/*******************************************************************
Align a the data_len to a multiple of align bytes - filling with
zeros .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_align ( prs_struct * ps )
{
uint32 mod = ps - > data_offset & ( ps - > align - 1 ) ;
if ( ps - > align ! = 0 & & mod ! = 0 ) {
uint32 extra_space = ( ps - > align - mod ) ;
if ( ! prs_grow ( ps , extra_space ) )
return False ;
memset ( & ps - > data_p [ ps - > data_offset ] , ' \0 ' , ( size_t ) extra_space ) ;
ps - > data_offset + = extra_space ;
}
return True ;
}
2002-07-15 14:35:28 +04:00
/******************************************************************
Align on a 2 byte boundary
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_align_uint16 ( prs_struct * ps )
{
BOOL ret ;
uint8 old_align = ps - > align ;
ps - > align = 2 ;
ret = prs_align ( ps ) ;
ps - > align = old_align ;
return ret ;
}
/******************************************************************
Align on a 8 byte boundary
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_align_uint64 ( prs_struct * ps )
{
BOOL ret ;
uint8 old_align = ps - > align ;
ps - > align = 8 ;
ret = prs_align ( ps ) ;
ps - > align = old_align ;
return ret ;
}
2005-10-05 01:56:53 +04:00
/******************************************************************
Align on a specific byte boundary
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_align_custom ( prs_struct * ps , uint8 boundary )
{
BOOL ret ;
uint8 old_align = ps - > align ;
ps - > align = boundary ;
ret = prs_align ( ps ) ;
ps - > align = old_align ;
return ret ;
}
2000-10-13 18:02:01 +04:00
/*******************************************************************
Align only if required ( for the unistr2 string mainly )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_align_needed ( prs_struct * ps , uint32 needed )
{
if ( needed = = 0 )
return True ;
else
return prs_align ( ps ) ;
}
1999-12-13 16:27:58 +03:00
/*******************************************************************
Ensure we can read / write to a given offset .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
char * prs_mem_get ( prs_struct * ps , uint32 extra_size )
{
if ( UNMARSHALLING ( ps ) ) {
/*
* If reading , ensure that we can read the requested size item .
*/
if ( ps - > data_offset + extra_size > ps - > buffer_size ) {
2005-09-02 04:24:28 +04:00
DEBUG ( 0 , ( " prs_mem_get: reading data of size %u would overrun "
" buffer by %u bytes. \n " ,
( unsigned int ) extra_size ,
( unsigned int ) ( ps - > data_offset + extra_size - ps - > buffer_size ) ) ) ;
1999-12-13 16:27:58 +03:00
return NULL ;
}
} else {
/*
* Writing - grow the buffer if needed .
*/
if ( ! prs_grow ( ps , extra_size ) )
2000-12-11 09:34:12 +03:00
return NULL ;
1999-12-13 16:27:58 +03:00
}
return & ps - > data_p [ ps - > data_offset ] ;
}
2000-02-07 19:25:15 +03:00
/*******************************************************************
Change the struct type .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-03-06 14:13:40 +03:00
void prs_switch_type ( prs_struct * ps , BOOL io )
2000-02-07 19:25:15 +03:00
{
if ( ( ps - > io ^ io ) = = True )
ps - > io = io ;
}
/*******************************************************************
Force a prs_struct to be dynamic even when it ' s size is 0.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void prs_force_dynamic ( prs_struct * ps )
{
ps - > is_dynamic = True ;
}
2005-09-30 21:13:37 +04:00
/*******************************************************************
Associate a session key with a parse struct .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void prs_set_session_key ( prs_struct * ps , const char sess_key [ 16 ] )
{
ps - > sess_key = sess_key ;
}
1999-12-13 16:27:58 +03:00
/*******************************************************************
Stream a uint8 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
BOOL prs_uint8 ( const char * name , prs_struct * ps , int depth , uint8 * data8 )
1999-12-13 16:27:58 +03:00
{
2001-03-31 23:06:45 +04:00
char * q = prs_mem_get ( ps , 1 ) ;
1999-10-16 00:00:30 +04:00
if ( q = = NULL )
return False ;
1999-07-21 04:32:09 +04:00
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) )
* data8 = CVAL ( q , 0 ) ;
else
SCVAL ( q , 0 , * data8 ) ;
DEBUG ( 5 , ( " %s%04x %s: %02x \n " , tab_depth ( depth ) , ps - > data_offset , name , * data8 ) ) ;
ps - > data_offset + = 1 ;
1999-07-21 04:32:09 +04:00
return True ;
}
2005-03-24 02:26:33 +03:00
/*******************************************************************
Stream a uint16 * ( allocate memory if unmarshalling )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_pointer ( const char * name , prs_struct * ps , int depth ,
void * * data , size_t data_size ,
BOOL ( * prs_fn ) ( const char * , prs_struct * , int , void * ) )
{
uint32 data_p ;
2005-09-30 21:13:37 +04:00
/* output f000baaa to stream if the pointer is non-zero. */
2005-03-24 02:26:33 +03:00
2005-09-30 21:13:37 +04:00
data_p = * data ? 0xf000baaa : 0 ;
2005-03-24 02:26:33 +03:00
if ( ! prs_uint32 ( " ptr " , ps , depth , & data_p ) )
return False ;
/* we're done if there is no data */
if ( ! data_p )
return True ;
if ( UNMARSHALLING ( ps ) ) {
if ( ! ( * data = PRS_ALLOC_MEM_VOID ( ps , data_size ) ) )
return False ;
}
return prs_fn ( name , ps , depth , * data ) ;
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Stream a uint16 .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint16 ( const char * name , prs_struct * ps , int depth , uint16 * data16 )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
char * q = prs_mem_get ( ps , sizeof ( uint16 ) ) ;
1999-10-16 00:00:30 +04:00
if ( q = = NULL )
return False ;
1998-03-12 00:11:04 +03:00
2005-03-24 02:26:33 +03:00
if ( UNMARSHALLING ( ps ) ) {
2001-03-31 23:06:45 +04:00
if ( ps - > bigendian_data )
* data16 = RSVAL ( q , 0 ) ;
else
* data16 = SVAL ( q , 0 ) ;
2005-03-24 02:26:33 +03:00
} else {
2001-03-31 23:06:45 +04:00
if ( ps - > bigendian_data )
RSSVAL ( q , 0 , * data16 ) ;
else
SSVAL ( q , 0 , * data16 ) ;
}
DEBUG ( 5 , ( " %s%04x %s: %04x \n " , tab_depth ( depth ) , ps - > data_offset , name , * data16 ) ) ;
1999-12-13 16:27:58 +03:00
ps - > data_offset + = sizeof ( uint16 ) ;
1998-03-12 00:11:04 +03:00
return True ;
}
1999-12-13 16:27:58 +03:00
/*******************************************************************
Stream a uint32 .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint32 ( const char * name , prs_struct * ps , int depth , uint32 * data32 )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
char * q = prs_mem_get ( ps , sizeof ( uint32 ) ) ;
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data )
* data32 = RIVAL ( q , 0 ) ;
else
* data32 = IVAL ( q , 0 ) ;
} else {
if ( ps - > bigendian_data )
RSIVAL ( q , 0 , * data32 ) ;
else
SIVAL ( q , 0 , * data32 ) ;
}
DEBUG ( 5 , ( " %s%04x %s: %08x \n " , tab_depth ( depth ) , ps - > data_offset , name , * data32 ) ) ;
1999-12-13 16:27:58 +03:00
ps - > data_offset + = sizeof ( uint32 ) ;
1998-03-12 00:11:04 +03:00
return True ;
}
2005-12-03 09:46:46 +03:00
/*******************************************************************
Stream an int32 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL prs_int32 ( const char * name , prs_struct * ps , int depth , int32 * data32 )
{
char * q = prs_mem_get ( ps , sizeof ( int32 ) ) ;
if ( q = = NULL )
return False ;
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data )
* data32 = RIVALS ( q , 0 ) ;
else
* data32 = IVALS ( q , 0 ) ;
} else {
if ( ps - > bigendian_data )
RSIVALS ( q , 0 , * data32 ) ;
else
SIVALS ( q , 0 , * data32 ) ;
}
DEBUG ( 5 , ( " %s%04x %s: %08x \n " , tab_depth ( depth ) , ps - > data_offset , name , * data32 ) ) ;
ps - > data_offset + = sizeof ( int32 ) ;
return True ;
}
2001-09-04 11:13:01 +04:00
/*******************************************************************
Stream a NTSTATUS
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
BOOL prs_ntstatus ( const char * name , prs_struct * ps , int depth , NTSTATUS * status )
2001-09-04 11:13:01 +04:00
{
char * q = prs_mem_get ( ps , sizeof ( uint32 ) ) ;
if ( q = = NULL )
return False ;
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data )
* status = NT_STATUS ( RIVAL ( q , 0 ) ) ;
else
* status = NT_STATUS ( IVAL ( q , 0 ) ) ;
} else {
if ( ps - > bigendian_data )
RSIVAL ( q , 0 , NT_STATUS_V ( * status ) ) ;
else
SIVAL ( q , 0 , NT_STATUS_V ( * status ) ) ;
}
DEBUG ( 5 , ( " %s%04x %s: %s \n " , tab_depth ( depth ) , ps - > data_offset , name ,
2002-03-17 07:36:35 +03:00
nt_errstr ( * status ) ) ) ;
2001-09-04 11:13:01 +04:00
ps - > data_offset + = sizeof ( uint32 ) ;
return True ;
}
/*******************************************************************
Stream a WERROR
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
BOOL prs_werror ( const char * name , prs_struct * ps , int depth , WERROR * status )
2001-09-04 11:13:01 +04:00
{
char * q = prs_mem_get ( ps , sizeof ( uint32 ) ) ;
if ( q = = NULL )
return False ;
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data )
* status = W_ERROR ( RIVAL ( q , 0 ) ) ;
else
* status = W_ERROR ( IVAL ( q , 0 ) ) ;
} else {
if ( ps - > bigendian_data )
RSIVAL ( q , 0 , W_ERROR_V ( * status ) ) ;
else
SIVAL ( q , 0 , W_ERROR_V ( * status ) ) ;
}
DEBUG ( 5 , ( " %s%04x %s: %s \n " , tab_depth ( depth ) , ps - > data_offset , name ,
2002-03-17 09:04:15 +03:00
dos_errstr ( * status ) ) ) ;
2001-09-04 11:13:01 +04:00
ps - > data_offset + = sizeof ( uint32 ) ;
return True ;
}
1999-04-27 14:43:32 +04:00
/******************************************************************
1999-12-13 16:27:58 +03:00
Stream an array of uint8s . Length is number of uint8s .
1999-04-27 14:43:32 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint8s ( BOOL charmode , const char * name , prs_struct * ps , int depth , uint8 * data8s , int len )
1999-04-27 14:43:32 +04:00
{
2001-03-31 23:06:45 +04:00
int i ;
char * q = prs_mem_get ( ps , len ) ;
1999-12-13 16:27:58 +03:00
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1999-04-27 14:43:32 +04:00
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) ) {
for ( i = 0 ; i < len ; i + + )
data8s [ i ] = CVAL ( q , i ) ;
} else {
for ( i = 0 ; i < len ; i + + )
SCVAL ( q , i , data8s [ i ] ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
if ( charmode )
2001-03-31 23:06:45 +04:00
print_asc ( 5 , ( unsigned char * ) data8s , len ) ;
else {
2005-01-08 03:51:12 +03:00
for ( i = 0 ; i < len ; i + + )
2001-03-31 23:06:45 +04:00
DEBUG ( 5 , ( " %02x " , data8s [ i ] ) ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " \n " ) ) ;
2001-03-31 23:06:45 +04:00
ps - > data_offset + = len ;
1999-04-27 14:43:32 +04:00
return True ;
}
2000-02-07 19:25:15 +03:00
/******************************************************************
Stream an array of uint16s . Length is number of uint16s .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
BOOL prs_uint16s ( BOOL charmode , const char * name , prs_struct * ps , int depth , uint16 * data16s , int len )
2000-02-07 19:25:15 +03:00
{
2001-03-31 23:06:45 +04:00
int i ;
2000-02-07 19:25:15 +03:00
char * q = prs_mem_get ( ps , len * sizeof ( uint16 ) ) ;
if ( q = = NULL )
return False ;
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data ) {
for ( i = 0 ; i < len ; i + + )
data16s [ i ] = RSVAL ( q , 2 * i ) ;
} else {
for ( i = 0 ; i < len ; i + + )
data16s [ i ] = SVAL ( q , 2 * i ) ;
}
} else {
if ( ps - > bigendian_data ) {
for ( i = 0 ; i < len ; i + + )
RSSVAL ( q , 2 * i , data16s [ i ] ) ;
} else {
for ( i = 0 ; i < len ; i + + )
SSVAL ( q , 2 * i , data16s [ i ] ) ;
}
}
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
if ( charmode )
print_asc ( 5 , ( unsigned char * ) data16s , 2 * len ) ;
else {
for ( i = 0 ; i < len ; i + + )
DEBUG ( 5 , ( " %04x " , data16s [ i ] ) ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " \n " ) ) ;
2001-03-31 23:06:45 +04:00
ps - > data_offset + = ( len * sizeof ( uint16 ) ) ;
return True ;
}
/******************************************************************
Start using a function for streaming unicode chars . If unmarshalling ,
output must be little - endian , if marshalling , input must be little - endian .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
static void dbg_rw_punival ( BOOL charmode , const char * name , int depth , prs_struct * ps ,
2001-03-31 23:06:45 +04:00
char * in_buf , char * out_buf , int len )
{
int i ;
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data ) {
for ( i = 0 ; i < len ; i + + )
SSVAL ( out_buf , 2 * i , RSVAL ( in_buf , 2 * i ) ) ;
} else {
for ( i = 0 ; i < len ; i + + )
SSVAL ( out_buf , 2 * i , SVAL ( in_buf , 2 * i ) ) ;
}
} else {
if ( ps - > bigendian_data ) {
for ( i = 0 ; i < len ; i + + )
RSSVAL ( in_buf , 2 * i , SVAL ( out_buf , 2 * i ) ) ;
} else {
for ( i = 0 ; i < len ; i + + )
SSVAL ( in_buf , 2 * i , SVAL ( out_buf , 2 * i ) ) ;
}
}
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
if ( charmode )
print_asc ( 5 , ( unsigned char * ) out_buf , 2 * len ) ;
else {
for ( i = 0 ; i < len ; i + + )
DEBUG ( 5 , ( " %04x " , out_buf [ i ] ) ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " \n " ) ) ;
2001-03-31 23:06:45 +04:00
}
/******************************************************************
Stream a unistr . Always little endian .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
BOOL prs_uint16uni ( BOOL charmode , const char * name , prs_struct * ps , int depth , uint16 * data16s , int len )
2001-03-31 23:06:45 +04:00
{
char * q = prs_mem_get ( ps , len * sizeof ( uint16 ) ) ;
if ( q = = NULL )
return False ;
dbg_rw_punival ( charmode , name , depth , ps , q , ( char * ) data16s , len ) ;
2000-02-07 19:25:15 +03:00
ps - > data_offset + = ( len * sizeof ( uint16 ) ) ;
return True ;
}
1998-03-12 00:11:04 +03:00
/******************************************************************
1999-12-13 16:27:58 +03:00
Stream an array of uint32s . Length is number of uint32s .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint32s ( BOOL charmode , const char * name , prs_struct * ps , int depth , uint32 * data32s , int len )
1998-03-12 00:11:04 +03:00
{
2001-03-31 23:06:45 +04:00
int i ;
1999-12-13 16:27:58 +03:00
char * q = prs_mem_get ( ps , len * sizeof ( uint32 ) ) ;
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) ) {
if ( ps - > bigendian_data ) {
for ( i = 0 ; i < len ; i + + )
data32s [ i ] = RIVAL ( q , 4 * i ) ;
} else {
for ( i = 0 ; i < len ; i + + )
data32s [ i ] = IVAL ( q , 4 * i ) ;
}
} else {
if ( ps - > bigendian_data ) {
for ( i = 0 ; i < len ; i + + )
RSIVAL ( q , 4 * i , data32s [ i ] ) ;
} else {
for ( i = 0 ; i < len ; i + + )
SIVAL ( q , 4 * i , data32s [ i ] ) ;
}
}
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
if ( charmode )
print_asc ( 5 , ( unsigned char * ) data32s , 4 * len ) ;
else {
for ( i = 0 ; i < len ; i + + )
DEBUG ( 5 , ( " %08x " , data32s [ i ] ) ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " \n " ) ) ;
2001-03-31 23:06:45 +04:00
1999-12-13 16:27:58 +03:00
ps - > data_offset + = ( len * sizeof ( uint32 ) ) ;
1998-03-12 00:11:04 +03:00
return True ;
}
2000-12-15 12:31:56 +03:00
/******************************************************************
Stream an array of unicode string , length / buffer specified separately ,
2001-03-31 23:06:45 +04:00
in uint16 chars . The unicode string is already in little - endian format .
2000-12-15 12:31:56 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
BOOL prs_buffer5 ( BOOL charmode , const char * name , prs_struct * ps , int depth , BUFFER5 * str )
2000-12-15 12:31:56 +03:00
{
char * p ;
char * q = prs_mem_get ( ps , str - > buf_len * sizeof ( uint16 ) ) ;
if ( q = = NULL )
return False ;
if ( UNMARSHALLING ( ps ) ) {
2004-12-07 21:25:53 +03:00
str - > buffer = PRS_ALLOC_MEM ( ps , uint16 , str - > buf_len ) ;
2000-12-15 12:31:56 +03:00
if ( str - > buffer = = NULL )
return False ;
}
/* If the string is empty, we don't have anything to stream */
if ( str - > buf_len = = 0 )
return True ;
p = ( char * ) str - > buffer ;
2001-03-31 23:06:45 +04:00
dbg_rw_punival ( charmode , name , depth , ps , q , p , str - > buf_len ) ;
2000-12-15 12:31:56 +03:00
ps - > data_offset + = ( str - > buf_len * sizeof ( uint16 ) ) ;
return True ;
}
1998-03-12 00:11:04 +03:00
/******************************************************************
1999-12-13 16:27:58 +03:00
Stream a " not " unicode string , length / buffer specified separately ,
in byte chars . String is in little - endian format .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2005-03-24 02:26:33 +03:00
BOOL prs_regval_buffer ( BOOL charmode , const char * name , prs_struct * ps , int depth , REGVAL_BUFFER * buf )
1998-03-12 00:11:04 +03:00
{
2000-07-27 04:47:19 +04:00
char * p ;
2005-03-24 02:26:33 +03:00
char * q = prs_mem_get ( ps , buf - > buf_len ) ;
1999-12-13 16:27:58 +03:00
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
2000-07-27 04:47:19 +04:00
if ( UNMARSHALLING ( ps ) ) {
2005-03-24 02:26:33 +03:00
if ( buf - > buf_len > buf - > buf_max_len ) {
2005-01-08 03:51:12 +03:00
return False ;
}
2005-03-24 02:26:33 +03:00
if ( buf - > buf_max_len ) {
buf - > buffer = PRS_ALLOC_MEM ( ps , uint16 , buf - > buf_max_len ) ;
if ( buf - > buffer = = NULL )
2002-08-17 21:00:51 +04:00
return False ;
}
2000-07-27 04:47:19 +04:00
}
2005-03-24 02:26:33 +03:00
p = ( char * ) buf - > buffer ;
2000-07-27 04:47:19 +04:00
2005-03-24 02:26:33 +03:00
dbg_rw_punival ( charmode , name , depth , ps , q , p , buf - > buf_len / 2 ) ;
ps - > data_offset + = buf - > buf_len ;
1998-03-12 00:11:04 +03:00
return True ;
}
/******************************************************************
1999-12-13 16:27:58 +03:00
Stream a string , length / buffer specified separately ,
1998-03-12 00:11:04 +03:00
in uint8 chars .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_string2 ( BOOL charmode , const char * name , prs_struct * ps , int depth , STRING2 * str )
1998-03-12 00:11:04 +03:00
{
2003-03-18 02:04:03 +03:00
unsigned int i ;
2005-01-08 03:51:12 +03:00
char * q = prs_mem_get ( ps , str - > str_str_len ) ;
1999-12-13 16:27:58 +03:00
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
2000-07-27 04:47:19 +04:00
if ( UNMARSHALLING ( ps ) ) {
2005-01-08 03:51:12 +03:00
if ( str - > str_str_len > str - > str_max_len ) {
return False ;
}
2004-12-07 21:25:53 +03:00
str - > buffer = PRS_ALLOC_MEM ( ps , unsigned char , str - > str_max_len ) ;
2000-07-27 04:47:19 +04:00
if ( str - > buffer = = NULL )
return False ;
}
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) ) {
for ( i = 0 ; i < str - > str_str_len ; i + + )
str - > buffer [ i ] = CVAL ( q , i ) ;
} else {
for ( i = 0 ; i < str - > str_str_len ; i + + )
SCVAL ( q , i , str - > buffer [ i ] ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
if ( charmode )
2001-03-31 23:06:45 +04:00
print_asc ( 5 , ( unsigned char * ) str - > buffer , str - > str_str_len ) ;
else {
2005-01-08 03:51:12 +03:00
for ( i = 0 ; i < str - > str_str_len ; i + + )
2001-03-31 23:06:45 +04:00
DEBUG ( 5 , ( " %02x " , str - > buffer [ i ] ) ) ;
}
2005-01-08 03:51:12 +03:00
DEBUG ( 5 , ( " \n " ) ) ;
2001-03-31 23:06:45 +04:00
ps - > data_offset + = str - > str_str_len ;
1998-03-12 00:11:04 +03:00
return True ;
}
/******************************************************************
1999-12-13 16:27:58 +03:00
Stream a unicode string , length / buffer specified separately ,
2001-03-31 23:06:45 +04:00
in uint16 chars . The unicode string is already in little - endian format .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_unistr2 ( BOOL charmode , const char * name , prs_struct * ps , int depth , UNISTR2 * str )
1998-03-12 00:11:04 +03:00
{
2000-07-27 04:47:19 +04:00
char * p ;
1999-12-13 16:27:58 +03:00
char * q = prs_mem_get ( ps , str - > uni_str_len * sizeof ( uint16 ) ) ;
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1998-03-12 00:11:04 +03:00
2001-03-02 22:29:02 +03:00
/* If the string is empty, we don't have anything to stream */
if ( str - > uni_str_len = = 0 )
return True ;
2000-07-27 04:47:19 +04:00
if ( UNMARSHALLING ( ps ) ) {
2005-01-08 03:51:12 +03:00
if ( str - > uni_str_len > str - > uni_max_len ) {
return False ;
}
2004-12-07 21:25:53 +03:00
str - > buffer = PRS_ALLOC_MEM ( ps , uint16 , str - > uni_max_len ) ;
2000-07-27 04:47:19 +04:00
if ( str - > buffer = = NULL )
return False ;
}
p = ( char * ) str - > buffer ;
2001-03-31 23:06:45 +04:00
dbg_rw_punival ( charmode , name , depth , ps , q , p , str - > uni_str_len ) ;
2000-08-16 07:44:04 +04:00
1999-12-13 16:27:58 +03:00
ps - > data_offset + = ( str - > uni_str_len * sizeof ( uint16 ) ) ;
1998-11-10 22:05:00 +03:00
return True ;
}
/******************************************************************
1999-12-13 16:27:58 +03:00
Stream a unicode string , length / buffer specified separately ,
2001-03-31 23:06:45 +04:00
in uint16 chars . The unicode string is already in little - endian format .
1998-11-10 22:05:00 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_unistr3 ( BOOL charmode , const char * name , UNISTR3 * str , prs_struct * ps , int depth )
1998-11-10 22:05:00 +03:00
{
2000-07-27 04:47:19 +04:00
char * p ;
1999-12-13 16:27:58 +03:00
char * q = prs_mem_get ( ps , str - > uni_str_len * sizeof ( uint16 ) ) ;
if ( q = = NULL )
1999-10-16 00:00:30 +04:00
return False ;
1998-11-10 22:05:00 +03:00
2000-07-27 04:47:19 +04:00
if ( UNMARSHALLING ( ps ) ) {
2004-12-07 21:25:53 +03:00
str - > str . buffer = PRS_ALLOC_MEM ( ps , uint16 , str - > uni_str_len ) ;
2000-07-27 04:47:19 +04:00
if ( str - > str . buffer = = NULL )
return False ;
}
p = ( char * ) str - > str . buffer ;
2001-03-31 23:06:45 +04:00
dbg_rw_punival ( charmode , name , depth , ps , q , p , str - > uni_str_len ) ;
1999-12-13 16:27:58 +03:00
ps - > data_offset + = ( str - > uni_str_len * sizeof ( uint16 ) ) ;
1998-03-12 00:11:04 +03:00
return True ;
}
/*******************************************************************
1999-12-13 16:27:58 +03:00
Stream a unicode null - terminated string . As the string is already
in little - endian format then do it as a stream of bytes .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_unistr ( const char * name , prs_struct * ps , int depth , UNISTR * str )
2000-07-10 23:55:39 +04:00
{
2003-03-18 02:04:03 +03:00
unsigned int len = 0 ;
2000-07-10 23:55:39 +04:00
unsigned char * p = ( unsigned char * ) str - > buffer ;
uint8 * start ;
char * q ;
2000-08-10 18:00:40 +04:00
uint32 max_len ;
uint16 * ptr ;
2000-07-10 23:55:39 +04:00
if ( MARSHALLING ( ps ) ) {
2000-07-27 04:47:19 +04:00
for ( len = 0 ; str - > buffer [ len ] ! = 0 ; len + + )
2000-07-10 23:55:39 +04:00
;
q = prs_mem_get ( ps , ( len + 1 ) * 2 ) ;
if ( q = = NULL )
return False ;
start = ( uint8 * ) q ;
2005-01-08 03:51:12 +03:00
for ( len = 0 ; str - > buffer [ len ] ! = 0 ; len + + ) {
if ( ps - > bigendian_data ) {
2001-03-31 23:06:45 +04:00
/* swap bytes - p is little endian, q is big endian. */
q [ 0 ] = ( char ) p [ 1 ] ;
q [ 1 ] = ( char ) p [ 0 ] ;
2000-07-10 23:55:39 +04:00
p + = 2 ;
q + = 2 ;
}
else
{
2001-03-31 23:06:45 +04:00
q [ 0 ] = ( char ) p [ 0 ] ;
q [ 1 ] = ( char ) p [ 1 ] ;
p + = 2 ;
q + = 2 ;
2000-07-10 23:55:39 +04:00
}
}
/*
* even if the string is ' empty ' ( only an \ 0 char )
* at this point the leading \ 0 hasn ' t been parsed .
* so parse it now
*/
2001-03-31 23:06:45 +04:00
q [ 0 ] = 0 ;
q [ 1 ] = 0 ;
q + = 2 ;
2000-07-10 23:55:39 +04:00
len + + ;
2002-09-25 19:19:00 +04:00
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
print_asc ( 5 , ( unsigned char * ) start , 2 * len ) ;
DEBUG ( 5 , ( " \n " ) ) ;
2000-07-10 23:55:39 +04:00
}
else { /* unmarshalling */
2000-07-27 04:47:19 +04:00
uint32 alloc_len = 0 ;
2003-02-15 01:55:46 +03:00
q = ps - > data_p + prs_offset ( ps ) ;
2000-07-10 23:55:39 +04:00
2000-07-27 04:47:19 +04:00
/*
* Work out how much space we need and talloc it .
*/
2000-08-10 18:00:40 +04:00
max_len = ( ps - > buffer_size - ps - > data_offset ) / sizeof ( uint16 ) ;
2000-07-27 04:47:19 +04:00
2000-08-12 18:31:29 +04:00
/* the test of the value of *ptr helps to catch the circumstance
where we have an emtpty ( non - existent ) string in the buffer */
2004-06-20 12:37:01 +04:00
for ( ptr = ( uint16 * ) q ; * ptr + + & & ( alloc_len < = max_len ) ; alloc_len + + )
2000-08-12 18:31:29 +04:00
/* do nothing */
2000-08-10 18:00:40 +04:00
;
2000-07-27 04:47:19 +04:00
2004-06-20 12:37:01 +04:00
if ( alloc_len < max_len )
alloc_len + = 1 ;
2000-08-12 18:31:29 +04:00
/* should we allocate anything at all? */
2004-12-07 21:25:53 +03:00
str - > buffer = PRS_ALLOC_MEM ( ps , uint16 , alloc_len ) ;
2000-08-12 18:31:29 +04:00
if ( ( str - > buffer = = NULL ) & & ( alloc_len > 0 ) )
return False ;
p = ( unsigned char * ) str - > buffer ;
2000-07-27 04:47:19 +04:00
2000-08-12 18:31:29 +04:00
len = 0 ;
/* the (len < alloc_len) test is to prevent us from overwriting
memory that is not ours . . . if we get that far , we have a non - null
terminated string in the buffer and have messed up somewhere */
2005-01-08 03:51:12 +03:00
while ( ( len < alloc_len ) & & ( * ( uint16 * ) q ! = 0 ) ) {
2000-08-12 18:31:29 +04:00
if ( ps - > bigendian_data )
2000-07-10 23:55:39 +04:00
{
2001-03-31 23:06:45 +04:00
/* swap bytes - q is big endian, p is little endian. */
p [ 0 ] = ( unsigned char ) q [ 1 ] ;
p [ 1 ] = ( unsigned char ) q [ 0 ] ;
2000-08-12 18:31:29 +04:00
p + = 2 ;
q + = 2 ;
} else {
2000-08-16 07:44:04 +04:00
2001-03-31 23:06:45 +04:00
p [ 0 ] = ( unsigned char ) q [ 0 ] ;
p [ 1 ] = ( unsigned char ) q [ 1 ] ;
p + = 2 ;
q + = 2 ;
2000-08-12 18:31:29 +04:00
}
len + + ;
}
2005-01-08 03:51:12 +03:00
if ( len < alloc_len ) {
2000-08-12 18:31:29 +04:00
/* NULL terminate the UNISTR */
str - > buffer [ len + + ] = ' \0 ' ;
2000-08-10 18:00:40 +04:00
}
2002-09-25 19:19:00 +04:00
DEBUG ( 5 , ( " %s%04x %s: " , tab_depth ( depth ) , ps - > data_offset , name ) ) ;
print_asc ( 5 , ( unsigned char * ) str - > buffer , 2 * len ) ;
DEBUG ( 5 , ( " \n " ) ) ;
2000-07-10 23:55:39 +04:00
}
2000-08-12 18:31:29 +04:00
/* set the offset in the prs_struct; 'len' points to the
terminiating NULL in the UNISTR so we need to go one more
uint16 */
ps - > data_offset + = ( len ) * 2 ;
2000-07-10 23:55:39 +04:00
return True ;
}
1998-03-12 00:11:04 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
Stream a null - terminated string . len is strlen , and therefore does
1998-03-12 00:11:04 +03:00
not include the null - termination character .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-04-22 19:54:36 +04:00
BOOL prs_string ( const char * name , prs_struct * ps , int depth , char * str , int max_buf_size )
1998-03-12 00:11:04 +03:00
{
1999-12-13 16:27:58 +03:00
char * q ;
int i ;
2003-04-22 19:54:36 +04:00
int len ;
if ( UNMARSHALLING ( ps ) )
len = strlen ( & ps - > data_p [ ps - > data_offset ] ) ;
else
len = strlen ( str ) ;
1998-03-12 00:11:04 +03:00
1999-12-13 16:27:58 +03:00
len = MIN ( len , ( max_buf_size - 1 ) ) ;
1999-12-09 00:43:03 +03:00
1999-12-13 16:27:58 +03:00
q = prs_mem_get ( ps , len + 1 ) ;
if ( q = = NULL )
return False ;
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
1999-12-13 16:27:58 +03:00
for ( i = 0 ; i < len ; i + + ) {
2001-03-31 23:06:45 +04:00
if ( UNMARSHALLING ( ps ) )
str [ i ] = q [ i ] ;
else
q [ i ] = str [ i ] ;
1999-12-13 16:27:58 +03:00
}
1998-03-12 00:11:04 +03:00
1999-12-13 16:27:58 +03:00
/* The terminating null. */
str [ i ] = ' \0 ' ;
1998-03-12 00:11:04 +03:00
1999-12-13 16:27:58 +03:00
if ( MARSHALLING ( ps ) ) {
2001-03-31 23:06:45 +04:00
q [ i ] = ' \0 ' ;
1999-12-13 16:27:58 +03:00
}
1999-12-09 00:43:03 +03:00
1999-12-13 16:27:58 +03:00
ps - > data_offset + = len + 1 ;
1998-03-12 00:11:04 +03:00
2001-03-31 23:06:45 +04:00
dump_data ( 5 + depth , q , len ) ;
1998-03-12 00:11:04 +03:00
return True ;
}
2006-02-04 01:19:41 +03:00
BOOL prs_string_alloc ( const char * name , prs_struct * ps , int depth , const char * * str )
{
size_t len ;
char * tmp_str ;
if ( UNMARSHALLING ( ps ) ) {
len = strlen ( & ps - > data_p [ ps - > data_offset ] ) ;
} else {
len = strlen ( * str ) ;
}
tmp_str = PRS_ALLOC_MEM ( ps , char , len + 1 ) ;
if ( tmp_str = = NULL ) {
return False ;
}
if ( MARSHALLING ( ps ) ) {
strncpy ( tmp_str , * str , len ) ;
}
if ( ! prs_string ( name , ps , depth , tmp_str , len + 1 ) ) {
return False ;
}
* str = tmp_str ;
return True ;
}
1998-11-10 22:05:00 +03:00
/*******************************************************************
1999-12-13 16:27:58 +03:00
prs_uint16 wrapper . Call this and it sets up a pointer to where the
uint16 should be stored , or gets the size if reading .
1998-11-10 22:05:00 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint16_pre ( const char * name , prs_struct * ps , int depth , uint16 * data16 , uint32 * offset )
1998-11-10 22:05:00 +03:00
{
2000-07-18 23:25:32 +04:00
* offset = ps - > data_offset ;
1999-12-13 16:27:58 +03:00
if ( UNMARSHALLING ( ps ) ) {
1998-11-10 22:05:00 +03:00
/* reading. */
1999-12-13 16:27:58 +03:00
return prs_uint16 ( name , ps , depth , data16 ) ;
} else {
char * q = prs_mem_get ( ps , sizeof ( uint16 ) ) ;
if ( q = = NULL )
return False ;
ps - > data_offset + = sizeof ( uint16 ) ;
1998-11-11 22:22:08 +03:00
}
1998-11-10 22:05:00 +03:00
return True ;
}
/*******************************************************************
prs_uint16 wrapper . call this and it retrospectively stores the size .
does nothing on reading , as that is already handled by . . . . _pre ( )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint16_post ( const char * name , prs_struct * ps , int depth , uint16 * data16 ,
1998-11-10 22:05:00 +03:00
uint32 ptr_uint16 , uint32 start_offset )
{
1999-12-13 16:27:58 +03:00
if ( MARSHALLING ( ps ) ) {
/*
* Writing - temporarily move the offset pointer .
*/
uint16 data_size = ps - > data_offset - start_offset ;
uint32 old_offset = ps - > data_offset ;
ps - > data_offset = ptr_uint16 ;
if ( ! prs_uint16 ( name , ps , depth , & data_size ) ) {
ps - > data_offset = old_offset ;
return False ;
}
ps - > data_offset = old_offset ;
} else {
ps - > data_offset = start_offset + ( uint32 ) ( * data16 ) ;
1998-11-11 22:22:08 +03:00
}
return True ;
}
/*******************************************************************
1999-12-13 16:27:58 +03:00
prs_uint32 wrapper . Call this and it sets up a pointer to where the
uint32 should be stored , or gets the size if reading .
1998-11-11 22:22:08 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint32_pre ( const char * name , prs_struct * ps , int depth , uint32 * data32 , uint32 * offset )
1998-11-11 22:22:08 +03:00
{
2000-07-18 23:25:32 +04:00
* offset = ps - > data_offset ;
2000-08-01 00:41:51 +04:00
if ( UNMARSHALLING ( ps ) & & ( data32 ! = NULL ) ) {
1998-11-11 22:22:08 +03:00
/* reading. */
1999-12-13 16:27:58 +03:00
return prs_uint32 ( name , ps , depth , data32 ) ;
} else {
ps - > data_offset + = sizeof ( uint32 ) ;
1998-11-11 22:22:08 +03:00
}
return True ;
}
/*******************************************************************
prs_uint32 wrapper . call this and it retrospectively stores the size .
does nothing on reading , as that is already handled by . . . . _pre ( )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2003-01-03 11:28:12 +03:00
BOOL prs_uint32_post ( const char * name , prs_struct * ps , int depth , uint32 * data32 ,
1998-11-12 22:21:20 +03:00
uint32 ptr_uint32 , uint32 data_size )
1998-11-11 22:22:08 +03:00
{
1999-12-13 16:27:58 +03:00
if ( MARSHALLING ( ps ) ) {
/*
* Writing - temporarily move the offset pointer .
*/
uint32 old_offset = ps - > data_offset ;
ps - > data_offset = ptr_uint32 ;
if ( ! prs_uint32 ( name , ps , depth , & data_size ) ) {
ps - > data_offset = old_offset ;
return False ;
}
ps - > data_offset = old_offset ;
1998-11-11 22:22:08 +03:00
}
1998-11-10 22:05:00 +03:00
return True ;
}
2000-06-08 05:16:42 +04:00
/* useful function to store a structure in rpc wire format */
int tdb_prs_store ( TDB_CONTEXT * tdb , char * keystr , prs_struct * ps )
{
TDB_DATA kbuf , dbuf ;
kbuf . dptr = keystr ;
kbuf . dsize = strlen ( keystr ) + 1 ;
2003-02-15 01:55:46 +03:00
dbuf . dptr = ps - > data_p ;
2000-06-08 05:16:42 +04:00
dbuf . dsize = prs_offset ( ps ) ;
return tdb_store ( tdb , kbuf , dbuf , TDB_REPLACE ) ;
}
/* useful function to fetch a structure into rpc wire format */
2000-07-27 04:47:19 +04:00
int tdb_prs_fetch ( TDB_CONTEXT * tdb , char * keystr , prs_struct * ps , TALLOC_CTX * mem_ctx )
2000-06-08 05:16:42 +04:00
{
TDB_DATA kbuf , dbuf ;
kbuf . dptr = keystr ;
kbuf . dsize = strlen ( keystr ) + 1 ;
dbuf = tdb_fetch ( tdb , kbuf ) ;
2002-11-23 05:52:36 +03:00
if ( ! dbuf . dptr )
return - 1 ;
2000-06-08 05:16:42 +04:00
2001-03-10 02:48:58 +03:00
prs_init ( ps , 0 , mem_ctx , UNMARSHALL ) ;
2000-06-08 05:16:42 +04:00
prs_give_memory ( ps , dbuf . dptr , dbuf . dsize , True ) ;
return 0 ;
}
2001-09-14 08:36:19 +04:00
/*******************************************************************
hash a stream .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-08 03:51:12 +03:00
2005-09-30 21:13:37 +04:00
BOOL prs_hash1 ( prs_struct * ps , uint32 offset , int len )
2001-09-14 08:36:19 +04:00
{
char * q ;
2003-02-15 01:55:46 +03:00
q = ps - > data_p ;
2001-09-14 08:36:19 +04:00
q = & q [ offset ] ;
# ifdef DEBUG_PASSWORD
DEBUG ( 100 , ( " prs_hash1 \n " ) ) ;
2005-09-30 21:13:37 +04:00
dump_data ( 100 , ps - > sess_key , 16 ) ;
2003-05-26 10:59:38 +04:00
dump_data ( 100 , q , len ) ;
2001-09-14 08:36:19 +04:00
# endif
2005-10-18 07:24:00 +04:00
SamOEMhash ( ( uchar * ) q , ( const unsigned char * ) ps - > sess_key , len ) ;
2001-09-14 08:36:19 +04:00
# ifdef DEBUG_PASSWORD
2003-05-26 10:59:38 +04:00
dump_data ( 100 , q , len ) ;
2001-09-14 08:36:19 +04:00
# endif
return True ;
}
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/*******************************************************************
Create a digest over the entire packet ( including the data ) , and
MD5 it with the session key .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-08 03:51:12 +03:00
2005-09-30 21:13:37 +04:00
static void schannel_digest ( struct schannel_auth_struct * a ,
enum pipe_auth_level auth_level ,
RPC_AUTH_SCHANNEL_CHK * verf ,
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
char * data , size_t data_len ,
uchar digest_final [ 16 ] )
2003-04-09 13:31:29 +04:00
{
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
uchar whole_packet_digest [ 16 ] ;
static uchar zeros [ 4 ] ;
struct MD5Context ctx3 ;
/* verfiy the signature on the packet by MD5 over various bits */
MD5Init ( & ctx3 ) ;
/* use our sequence number, which ensures the packet is not
out of order */
MD5Update ( & ctx3 , zeros , sizeof ( zeros ) ) ;
MD5Update ( & ctx3 , verf - > sig , sizeof ( verf - > sig ) ) ;
2005-09-30 21:13:37 +04:00
if ( auth_level = = PIPE_AUTH_LEVEL_PRIVACY ) {
2003-10-02 01:18:32 +04:00
MD5Update ( & ctx3 , verf - > confounder , sizeof ( verf - > confounder ) ) ;
2003-04-09 13:31:29 +04:00
}
2003-08-15 08:42:05 +04:00
MD5Update ( & ctx3 , ( const unsigned char * ) data , data_len ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
MD5Final ( whole_packet_digest , & ctx3 ) ;
dump_data_pw ( " whole_packet_digest: \n " , whole_packet_digest , sizeof ( whole_packet_digest ) ) ;
/* MD5 this result and the session key, to prove that
only a valid client could had produced this */
hmac_md5 ( a - > sess_key , whole_packet_digest , sizeof ( whole_packet_digest ) , digest_final ) ;
2003-04-09 13:31:29 +04:00
}
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/*******************************************************************
Calculate the key with which to encode the data payload
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-08 03:51:12 +03:00
2005-09-30 21:13:37 +04:00
static void schannel_get_sealing_key ( struct schannel_auth_struct * a ,
RPC_AUTH_SCHANNEL_CHK * verf ,
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
uchar sealing_key [ 16 ] )
2003-04-09 13:31:29 +04:00
{
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
static uchar zeros [ 4 ] ;
uchar digest2 [ 16 ] ;
2003-04-09 13:31:29 +04:00
uchar sess_kf0 [ 16 ] ;
int i ;
2003-04-16 19:39:57 +04:00
for ( i = 0 ; i < sizeof ( sess_kf0 ) ; i + + ) {
2003-04-09 13:31:29 +04:00
sess_kf0 [ i ] = a - > sess_key [ i ] ^ 0xf0 ;
}
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " sess_kf0: \n " , sess_kf0 , sizeof ( sess_kf0 ) ) ;
2003-08-12 09:01:24 +04:00
/* MD5 of sess_kf0 and 4 zero bytes */
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
hmac_md5 ( sess_kf0 , zeros , 0x4 , digest2 ) ;
dump_data_pw ( " digest2: \n " , digest2 , sizeof ( digest2 ) ) ;
/* MD5 of the above result, plus 8 bytes of sequence number */
hmac_md5 ( digest2 , verf - > seq_num , sizeof ( verf - > seq_num ) , sealing_key ) ;
dump_data_pw ( " sealing_key: \n " , sealing_key , 16 ) ;
}
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/*******************************************************************
Encode or Decode the sequence number ( which is symmetric )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-08 03:51:12 +03:00
2005-09-30 21:13:37 +04:00
static void schannel_deal_with_seq_num ( struct schannel_auth_struct * a ,
RPC_AUTH_SCHANNEL_CHK * verf )
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
{
static uchar zeros [ 4 ] ;
uchar sequence_key [ 16 ] ;
uchar digest1 [ 16 ] ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
hmac_md5 ( a - > sess_key , zeros , sizeof ( zeros ) , digest1 ) ;
dump_data_pw ( " (sequence key) digest1: \n " , digest1 , sizeof ( digest1 ) ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
hmac_md5 ( digest1 , verf - > packet_digest , 8 , sequence_key ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " sequence_key: \n " , sequence_key , sizeof ( sequence_key ) ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " seq_num (before): \n " , verf - > seq_num , sizeof ( verf - > seq_num ) ) ;
2003-10-02 01:18:32 +04:00
SamOEMhash ( verf - > seq_num , sequence_key , 8 ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " seq_num (after): \n " , verf - > seq_num , sizeof ( verf - > seq_num ) ) ;
}
2003-04-09 13:31:29 +04:00
2003-10-02 01:18:32 +04:00
/*******************************************************************
2005-09-30 21:13:37 +04:00
creates an RPC_AUTH_SCHANNEL_CHK structure .
2003-10-02 01:18:32 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-08 03:51:12 +03:00
2005-09-30 21:13:37 +04:00
static BOOL init_rpc_auth_schannel_chk ( RPC_AUTH_SCHANNEL_CHK * chk ,
2003-10-02 01:18:32 +04:00
const uchar sig [ 8 ] ,
const uchar packet_digest [ 8 ] ,
const uchar seq_num [ 8 ] , const uchar confounder [ 8 ] )
{
if ( chk = = NULL )
return False ;
memcpy ( chk - > sig , sig , sizeof ( chk - > sig ) ) ;
memcpy ( chk - > packet_digest , packet_digest , sizeof ( chk - > packet_digest ) ) ;
memcpy ( chk - > seq_num , seq_num , sizeof ( chk - > seq_num ) ) ;
memcpy ( chk - > confounder , confounder , sizeof ( chk - > confounder ) ) ;
return True ;
}
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/*******************************************************************
2005-09-30 21:13:37 +04:00
Encode a blob of data using the schannel alogrithm , also produceing
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
a checksum over the original data . We currently only support
signing and sealing togeather - the signing - only code is close , but not
quite compatible with what MS does .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-08 03:51:12 +03:00
2005-09-30 21:13:37 +04:00
void schannel_encode ( struct schannel_auth_struct * a , enum pipe_auth_level auth_level ,
enum schannel_direction direction ,
RPC_AUTH_SCHANNEL_CHK * verf ,
2003-10-02 01:18:32 +04:00
char * data , size_t data_len )
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
{
uchar digest_final [ 16 ] ;
2003-10-02 01:18:32 +04:00
uchar confounder [ 8 ] ;
uchar seq_num [ 8 ] ;
static const uchar nullbytes [ 8 ] ;
2005-09-30 21:13:37 +04:00
static const uchar schannel_seal_sig [ 8 ] = SCHANNEL_SEAL_SIGNATURE ;
static const uchar schannel_sign_sig [ 8 ] = SCHANNEL_SIGN_SIGNATURE ;
const uchar * schannel_sig = NULL ;
2003-04-09 13:31:29 +04:00
2005-09-30 21:13:37 +04:00
DEBUG ( 10 , ( " SCHANNEL: schannel_encode seq_num=%d data_len=%lu \n " , a - > seq_num , ( unsigned long ) data_len ) ) ;
2003-10-02 01:18:32 +04:00
2005-09-30 21:13:37 +04:00
if ( auth_level = = PIPE_AUTH_LEVEL_PRIVACY ) {
schannel_sig = schannel_seal_sig ;
} else {
schannel_sig = schannel_sign_sig ;
2003-10-02 01:18:32 +04:00
}
/* fill the 'confounder' with random data */
2004-07-14 08:36:01 +04:00
generate_random_buffer ( confounder , sizeof ( confounder ) ) ;
2003-10-02 01:18:32 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " a->sess_key: \n " , a - > sess_key , sizeof ( a - > sess_key ) ) ;
2003-10-02 01:18:32 +04:00
RSIVAL ( seq_num , 0 , a - > seq_num ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
switch ( direction ) {
case SENDER_IS_INITIATOR :
2003-10-02 01:18:32 +04:00
SIVAL ( seq_num , 4 , 0x80 ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
break ;
case SENDER_IS_ACCEPTOR :
2003-10-02 01:18:32 +04:00
SIVAL ( seq_num , 4 , 0x0 ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
break ;
2003-04-09 13:31:29 +04:00
}
2003-10-02 01:18:32 +04:00
dump_data_pw ( " verf->seq_num: \n " , seq_num , sizeof ( verf - > seq_num ) ) ;
2003-04-09 13:31:29 +04:00
2005-09-30 21:13:37 +04:00
init_rpc_auth_schannel_chk ( verf , schannel_sig , nullbytes ,
2003-10-02 01:18:32 +04:00
seq_num , confounder ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* produce a digest of the packet to prove it's legit (before we seal it) */
2005-09-30 21:13:37 +04:00
schannel_digest ( a , auth_level , verf , data , data_len , digest_final ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
memcpy ( verf - > packet_digest , digest_final , sizeof ( verf - > packet_digest ) ) ;
2003-04-09 13:31:29 +04:00
2005-09-30 21:13:37 +04:00
if ( auth_level = = PIPE_AUTH_LEVEL_PRIVACY ) {
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
uchar sealing_key [ 16 ] ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* get the key to encode the data with */
2005-09-30 21:13:37 +04:00
schannel_get_sealing_key ( a , verf , sealing_key ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* encode the verification data */
2003-10-02 01:18:32 +04:00
dump_data_pw ( " verf->confounder: \n " , verf - > confounder , sizeof ( verf - > confounder ) ) ;
SamOEMhash ( verf - > confounder , sealing_key , 8 ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
2003-10-02 01:18:32 +04:00
dump_data_pw ( " verf->confounder_enc: \n " , verf - > confounder , sizeof ( verf - > confounder ) ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* encode the packet payload */
2003-08-15 08:42:05 +04:00
dump_data_pw ( " data: \n " , ( const unsigned char * ) data , data_len ) ;
2003-10-02 01:18:32 +04:00
SamOEMhash ( ( unsigned char * ) data , sealing_key , data_len ) ;
2003-08-15 08:42:05 +04:00
dump_data_pw ( " data_enc: \n " , ( const unsigned char * ) data , data_len ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
}
/* encode the sequence number (key based on packet digest) */
/* needs to be done after the sealing, as the original version
is used in the sealing stuff . . . */
2005-09-30 21:13:37 +04:00
schannel_deal_with_seq_num ( a , verf ) ;
2003-04-09 13:31:29 +04:00
return ;
}
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/*******************************************************************
2005-09-30 21:13:37 +04:00
Decode a blob of data using the schannel alogrithm , also verifiying
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
a checksum over the original data . We currently can verify signed messages ,
as well as decode sealed messages
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 21:13:37 +04:00
BOOL schannel_decode ( struct schannel_auth_struct * a , enum pipe_auth_level auth_level ,
enum schannel_direction direction ,
RPC_AUTH_SCHANNEL_CHK * verf , char * data , size_t data_len )
2003-04-09 13:31:29 +04:00
{
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
uchar digest_final [ 16 ] ;
2005-09-30 21:13:37 +04:00
static const uchar schannel_seal_sig [ 8 ] = SCHANNEL_SEAL_SIGNATURE ;
static const uchar schannel_sign_sig [ 8 ] = SCHANNEL_SIGN_SIGNATURE ;
const uchar * schannel_sig = NULL ;
2003-10-02 01:18:32 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
uchar seq_num [ 8 ] ;
2003-10-02 01:18:32 +04:00
2005-09-30 21:13:37 +04:00
DEBUG ( 10 , ( " SCHANNEL: schannel_decode seq_num=%d data_len=%lu \n " , a - > seq_num , ( unsigned long ) data_len ) ) ;
2003-10-02 01:18:32 +04:00
2005-09-30 21:13:37 +04:00
if ( auth_level = = PIPE_AUTH_LEVEL_PRIVACY ) {
schannel_sig = schannel_seal_sig ;
} else {
schannel_sig = schannel_sign_sig ;
2003-10-02 01:18:32 +04:00
}
/* Create the expected sequence number for comparison */
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
RSIVAL ( seq_num , 0 , a - > seq_num ) ;
switch ( direction ) {
case SENDER_IS_INITIATOR :
SIVAL ( seq_num , 4 , 0x80 ) ;
break ;
case SENDER_IS_ACCEPTOR :
SIVAL ( seq_num , 4 , 0x0 ) ;
break ;
2003-04-09 13:31:29 +04:00
}
2005-09-30 21:13:37 +04:00
DEBUG ( 10 , ( " SCHANNEL: schannel_decode seq_num=%d data_len=%lu \n " , a - > seq_num , ( unsigned long ) data_len ) ) ;
2003-04-09 13:31:29 +04:00
dump_data_pw ( " a->sess_key: \n " , a - > sess_key , sizeof ( a - > sess_key ) ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " seq_num: \n " , seq_num , sizeof ( seq_num ) ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* extract the sequence number (key based on supplied packet digest) */
/* needs to be done before the sealing, as the original version
is used in the sealing stuff . . . */
2005-09-30 21:13:37 +04:00
schannel_deal_with_seq_num ( a , verf ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
if ( memcmp ( verf - > seq_num , seq_num , sizeof ( seq_num ) ) ) {
/* don't even bother with the below if the sequence number is out */
/* The sequence number is MD5'ed with a key based on the whole-packet
digest , as supplied by the client . We check that it ' s a valid
checksum after the decode , below
*/
2005-09-30 21:13:37 +04:00
DEBUG ( 2 , ( " schannel_decode: FAILED: packet sequence number: \n " ) ) ;
2004-01-09 17:54:33 +03:00
dump_data ( 2 , ( const char * ) verf - > seq_num , sizeof ( verf - > seq_num ) ) ;
2003-10-02 01:18:32 +04:00
DEBUG ( 2 , ( " should be: \n " ) ) ;
2004-01-09 17:54:33 +03:00
dump_data ( 2 , ( const char * ) seq_num , sizeof ( seq_num ) ) ;
2003-10-02 01:18:32 +04:00
return False ;
}
2005-09-30 21:13:37 +04:00
if ( memcmp ( verf - > sig , schannel_sig , sizeof ( verf - > sig ) ) ) {
2003-10-02 01:18:32 +04:00
/* Validate that the other end sent the expected header */
2005-09-30 21:13:37 +04:00
DEBUG ( 2 , ( " schannel_decode: FAILED: packet header: \n " ) ) ;
2004-01-09 17:54:33 +03:00
dump_data ( 2 , ( const char * ) verf - > sig , sizeof ( verf - > sig ) ) ;
2003-10-02 01:18:32 +04:00
DEBUG ( 2 , ( " should be: \n " ) ) ;
2005-09-30 21:13:37 +04:00
dump_data ( 2 , ( const char * ) schannel_sig , sizeof ( schannel_sig ) ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
return False ;
}
2003-04-09 13:31:29 +04:00
2005-09-30 21:13:37 +04:00
if ( auth_level = = PIPE_AUTH_LEVEL_PRIVACY ) {
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
uchar sealing_key [ 16 ] ;
/* get the key to extract the data with */
2005-09-30 21:13:37 +04:00
schannel_get_sealing_key ( a , verf , sealing_key ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* extract the verification data */
2003-10-02 01:18:32 +04:00
dump_data_pw ( " verf->confounder: \n " , verf - > confounder ,
sizeof ( verf - > confounder ) ) ;
SamOEMhash ( verf - > confounder , sealing_key , 8 ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
2003-10-02 01:18:32 +04:00
dump_data_pw ( " verf->confounder_dec: \n " , verf - > confounder ,
sizeof ( verf - > confounder ) ) ;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* extract the packet payload */
2003-08-15 08:42:05 +04:00
dump_data_pw ( " data : \n " , ( const unsigned char * ) data , data_len ) ;
2003-10-02 01:18:32 +04:00
SamOEMhash ( ( unsigned char * ) data , sealing_key , data_len ) ;
2003-08-15 08:42:05 +04:00
dump_data_pw ( " datadec: \n " , ( const unsigned char * ) data , data_len ) ;
2003-04-09 13:31:29 +04:00
}
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* digest includes 'data' after unsealing */
2005-09-30 21:13:37 +04:00
schannel_digest ( a , auth_level , verf , data , data_len , digest_final ) ;
2003-04-09 13:31:29 +04:00
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
dump_data_pw ( " Calculated digest: \n " , digest_final ,
sizeof ( digest_final ) ) ;
dump_data_pw ( " verf->packet_digest: \n " , verf - > packet_digest ,
sizeof ( verf - > packet_digest ) ) ;
/* compare - if the client got the same result as us, then
it must know the session key */
return ( memcmp ( digest_final , verf - > packet_digest ,
sizeof ( verf - > packet_digest ) ) = = 0 ) ;
2003-04-09 13:31:29 +04:00
}
