mirror of
https://github.com/samba-team/samba.git
synced 2025-01-13 13:18:06 +03:00
Merge branch 'master' of /home/tridge/samba/git/combined
This commit is contained in:
Andrew Tridgell
commit
7744283c36
114
lib/crypto/aes.c
Normal file
114
lib/crypto/aes.c
Normal file
@ -0,0 +1,114 @@
|
||||
/*
|
||||
* Copyright (c) 2003 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "replace.h"
|
||||
|
||||
#include "rijndael-alg-fst.h"
|
||||
#include "aes.h"
|
||||
|
||||
int
|
||||
AES_set_encrypt_key(const unsigned char *userkey, const int bits, AES_KEY *key)
|
||||
{
|
||||
key->rounds = rijndaelKeySetupEnc(key->key, userkey, bits);
|
||||
if (key->rounds == 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
AES_set_decrypt_key(const unsigned char *userkey, const int bits, AES_KEY *key)
|
||||
{
|
||||
key->rounds = rijndaelKeySetupDec(key->key, userkey, bits);
|
||||
if (key->rounds == 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
|
||||
{
|
||||
rijndaelEncrypt(key->key, key->rounds, in, out);
|
||||
}
|
||||
|
||||
void
|
||||
AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
|
||||
{
|
||||
rijndaelDecrypt(key->key, key->rounds, in, out);
|
||||
}
|
||||
|
||||
void
|
||||
AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
|
||||
unsigned long size, const AES_KEY *key,
|
||||
unsigned char *iv, int forward_encrypt)
|
||||
{
|
||||
unsigned char tmp[AES_BLOCK_SIZE];
|
||||
int i;
|
||||
|
||||
if (forward_encrypt) {
|
||||
while (size >= AES_BLOCK_SIZE) {
|
||||
for (i = 0; i < AES_BLOCK_SIZE; i++)
|
||||
tmp[i] = in[i] ^ iv[i];
|
||||
AES_encrypt(tmp, out, key);
|
||||
memcpy(iv, out, AES_BLOCK_SIZE);
|
||||
size -= AES_BLOCK_SIZE;
|
||||
in += AES_BLOCK_SIZE;
|
||||
out += AES_BLOCK_SIZE;
|
||||
}
|
||||
if (size) {
|
||||
for (i = 0; i < size; i++)
|
||||
tmp[i] = in[i] ^ iv[i];
|
||||
for (i = size; i < AES_BLOCK_SIZE; i++)
|
||||
tmp[i] = iv[i];
|
||||
AES_encrypt(tmp, out, key);
|
||||
memcpy(iv, out, AES_BLOCK_SIZE);
|
||||
}
|
||||
} else {
|
||||
while (size >= AES_BLOCK_SIZE) {
|
||||
memcpy(tmp, in, AES_BLOCK_SIZE);
|
||||
AES_decrypt(tmp, out, key);
|
||||
for (i = 0; i < AES_BLOCK_SIZE; i++)
|
||||
out[i] ^= iv[i];
|
||||
memcpy(iv, tmp, AES_BLOCK_SIZE);
|
||||
size -= AES_BLOCK_SIZE;
|
||||
in += AES_BLOCK_SIZE;
|
||||
out += AES_BLOCK_SIZE;
|
||||
}
|
||||
if (size) {
|
||||
memcpy(tmp, in, AES_BLOCK_SIZE);
|
||||
AES_decrypt(tmp, out, key);
|
||||
for (i = 0; i < size; i++)
|
||||
out[i] ^= iv[i];
|
||||
memcpy(iv, tmp, AES_BLOCK_SIZE);
|
||||
}
|
||||
}
|
||||
}
|
||||
79
lib/crypto/aes.h
Normal file
79
lib/crypto/aes.h
Normal file
@ -0,0 +1,79 @@
|
||||
/*
|
||||
* Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* $Id$ */
|
||||
|
||||
#ifndef LIB_CRYPTO_AES_H
|
||||
#define LIB_CRYPTO_AES_H 1
|
||||
|
||||
/* symbol renaming */
|
||||
#define AES_set_encrypt_key samba_AES_set_encrypt_key
|
||||
#define AES_set_decrypt_key samba_AES_decrypt_key
|
||||
#define AES_encrypt samba_AES_encrypt
|
||||
#define AES_decrypt samba_AES_decrypt
|
||||
#define AES_cbc_encrypt samba_AES_cbc_encrypt
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
|
||||
#define AES_BLOCK_SIZE 16
|
||||
#define AES_MAXNR 14
|
||||
|
||||
#define AES_ENCRYPT 1
|
||||
#define AES_DECRYPT 0
|
||||
|
||||
typedef struct aes_key {
|
||||
uint32_t key[(AES_MAXNR+1)*4];
|
||||
int rounds;
|
||||
} AES_KEY;
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
int AES_set_encrypt_key(const unsigned char *, const int, AES_KEY *);
|
||||
int AES_set_decrypt_key(const unsigned char *, const int, AES_KEY *);
|
||||
|
||||
void AES_encrypt(const unsigned char *, unsigned char *, const AES_KEY *);
|
||||
void AES_decrypt(const unsigned char *, unsigned char *, const AES_KEY *);
|
||||
|
||||
void AES_cbc_encrypt(const unsigned char *, unsigned char *,
|
||||
const unsigned long, const AES_KEY *,
|
||||
unsigned char *, int);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* LIB_CRYPTO_AES_H */
|
||||
@ -6,7 +6,8 @@
|
||||
|
||||
LIBCRYPTO_OBJ_FILES = $(addprefix $(libcryptosrcdir)/, \
|
||||
crc32.o md5.o hmacmd5.o md4.o \
|
||||
arcfour.o sha256.o hmacsha256.o)
|
||||
arcfour.o sha256.o hmacsha256.o \
|
||||
aes.o rijndael-alg-fst.o)
|
||||
|
||||
[SUBSYSTEM::TORTURE_LIBCRYPTO]
|
||||
PRIVATE_DEPENDENCIES = LIBCRYPTO
|
||||
|
||||
1223
lib/crypto/rijndael-alg-fst.c
Normal file
1223
lib/crypto/rijndael-alg-fst.c
Normal file
File diff suppressed because it is too large
Load Diff
46
lib/crypto/rijndael-alg-fst.h
Normal file
46
lib/crypto/rijndael-alg-fst.h
Normal file
@ -0,0 +1,46 @@
|
||||
/* $NetBSD: rijndael-alg-fst.h,v 1.2 2000/10/02 17:19:15 itojun Exp $ */
|
||||
/* $KAME: rijndael-alg-fst.h,v 1.5 2003/07/15 10:47:16 itojun Exp $ */
|
||||
/**
|
||||
* rijndael-alg-fst.h
|
||||
*
|
||||
* @version 3.0 (December 2000)
|
||||
*
|
||||
* Optimised ANSI C code for the Rijndael cipher (now AES)
|
||||
*
|
||||
* @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
|
||||
* @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
|
||||
* @author Paulo Barreto <paulo.barreto@terra.com.br>
|
||||
*
|
||||
* This code is hereby placed in the public domain.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
|
||||
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
|
||||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
||||
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
||||
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
|
||||
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#ifndef LIB_CRYPTO_RIJNDAEL_ALG_FST_H
|
||||
#define LIB_CRYPTO_RIJNDAEL_ALG_FST_H
|
||||
|
||||
/* symbol renaming */
|
||||
#define rijndaelKeySetupEnc _samba_rijndaelKeySetupEnc
|
||||
#define rijndaelKeySetupDec _samba_rijndaelKeySetupDec
|
||||
#define rijndaelEncrypt _samba_rijndaelEncrypt
|
||||
#define rijndaelDecrypt _samba_rijndaelDecrypt
|
||||
|
||||
#define RIJNDAEL_MAXKC (256/32)
|
||||
#define RIJNDAEL_MAXKB (256/8)
|
||||
#define RIJNDAEL_MAXNR 14
|
||||
|
||||
int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
|
||||
int rijndaelKeySetupDec(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
|
||||
void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t pt[16], uint8_t ct[16]);
|
||||
void rijndaelDecrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t ct[16], uint8_t pt[16]);
|
||||
|
||||
#endif /* LIB_CRYPTO_RIJNDAEL_ALG_FST_H */
|
||||
@ -1,4 +1,4 @@
|
||||
/*
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
dcerpc schannel operations
|
||||
@ -10,19 +10,17 @@
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include "libcli/auth/libcli_auth.h"
|
||||
#include "auth/gensec/schannel_proto.h"
|
||||
#include "auth/gensec/schannel_state.h"
|
||||
#include "libcli/auth/schannel_state.h"
|
||||
|
||||
enum schannel_position {
|
||||
@ -37,3 +35,4 @@ struct schannel_state {
|
||||
struct netlogon_creds_CredentialState *creds;
|
||||
};
|
||||
|
||||
#include "libcli/auth/schannel_proto.h"
|
||||
42
libcli/auth/schannel_proto.h
Normal file
42
libcli/auth/schannel_proto.h
Normal file
@ -0,0 +1,42 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
dcerpc schannel operations
|
||||
|
||||
Copyright (C) Andrew Tridgell 2004
|
||||
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef _LIBCLI_AUTH_SCHANNEL_PROTO_H__
|
||||
#define _LIBCLI_AUTH_SCHANNEL_PROTO_H__
|
||||
|
||||
NTSTATUS schannel_unseal_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
const DATA_BLOB *sig);
|
||||
NTSTATUS schannel_check_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
const DATA_BLOB *sig);
|
||||
NTSTATUS schannel_seal_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
DATA_BLOB *sig);
|
||||
NTSTATUS schannel_sign_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
DATA_BLOB *sig);
|
||||
#endif
|
||||
@ -1,30 +1,28 @@
|
||||
/*
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
schannel library code
|
||||
|
||||
Copyright (C) Andrew Tridgell 2004
|
||||
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
|
||||
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
#include "../lib/crypto/crypto.h"
|
||||
#include "auth/gensec/gensec.h"
|
||||
#include "auth/gensec/gensec_proto.h"
|
||||
#include "auth/gensec/schannel.h"
|
||||
|
||||
#define NETSEC_SIGN_SIGNATURE { 0x77, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00 }
|
||||
#define NETSEC_SEAL_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 }
|
||||
@ -49,11 +47,11 @@ static void netsec_deal_with_seq_num(struct schannel_state *state,
|
||||
|
||||
|
||||
/*******************************************************************
|
||||
Calculate the key with which to encode the data payload
|
||||
Calculate the key with which to encode the data payload
|
||||
********************************************************************/
|
||||
static void netsec_get_sealing_key(const uint8_t session_key[16],
|
||||
const uint8_t seq_num[8],
|
||||
uint8_t sealing_key[16])
|
||||
uint8_t sealing_key[16])
|
||||
{
|
||||
static const uint8_t zeros[4];
|
||||
uint8_t digest2[16];
|
||||
@ -63,26 +61,26 @@ static void netsec_get_sealing_key(const uint8_t session_key[16],
|
||||
for (i = 0; i < 16; i++) {
|
||||
sess_kf0[i] = session_key[i] ^ 0xf0;
|
||||
}
|
||||
|
||||
|
||||
hmac_md5(sess_kf0, zeros, 4, digest2);
|
||||
hmac_md5(digest2, seq_num, 8, sealing_key);
|
||||
}
|
||||
|
||||
|
||||
/*******************************************************************
|
||||
Create a digest over the entire packet (including the data), and
|
||||
Create a digest over the entire packet (including the data), and
|
||||
MD5 it with the session key.
|
||||
********************************************************************/
|
||||
static void schannel_digest(const uint8_t sess_key[16],
|
||||
const uint8_t netsec_sig[8],
|
||||
const uint8_t *confounder,
|
||||
const uint8_t *data, size_t data_len,
|
||||
uint8_t digest_final[16])
|
||||
uint8_t digest_final[16])
|
||||
{
|
||||
uint8_t packet_digest[16];
|
||||
static const uint8_t zeros[4];
|
||||
struct MD5Context ctx;
|
||||
|
||||
|
||||
MD5Init(&ctx);
|
||||
MD5Update(&ctx, zeros, 4);
|
||||
MD5Update(&ctx, netsec_sig, 8);
|
||||
@ -91,7 +89,7 @@ static void schannel_digest(const uint8_t sess_key[16],
|
||||
}
|
||||
MD5Update(&ctx, data, data_len);
|
||||
MD5Final(packet_digest, &ctx);
|
||||
|
||||
|
||||
hmac_md5(sess_key, packet_digest, sizeof(packet_digest), digest_final);
|
||||
}
|
||||
|
||||
@ -99,14 +97,11 @@ static void schannel_digest(const uint8_t sess_key[16],
|
||||
/*
|
||||
unseal a packet
|
||||
*/
|
||||
NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
NTSTATUS schannel_unseal_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
const DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
uint8_t digest_final[16];
|
||||
uint8_t confounder[8];
|
||||
uint8_t seq_num[8];
|
||||
@ -126,8 +121,8 @@ NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
|
||||
arcfour_crypt(confounder, sealing_key, 8);
|
||||
arcfour_crypt(data, sealing_key, length);
|
||||
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, confounder,
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, confounder,
|
||||
data, length, digest_final);
|
||||
|
||||
if (memcmp(digest_final, sig->data+16, 8) != 0) {
|
||||
@ -150,14 +145,11 @@ NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
|
||||
/*
|
||||
check the signature on a packet
|
||||
*/
|
||||
NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
NTSTATUS schannel_check_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
const DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
uint8_t digest_final[16];
|
||||
uint8_t seq_num[8];
|
||||
static const uint8_t netsec_sig[8] = NETSEC_SIGN_SIGNATURE;
|
||||
@ -173,8 +165,8 @@ NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
|
||||
dump_data_pw("seq_num:\n", seq_num, 8);
|
||||
dump_data_pw("sess_key:\n", state->creds->session_key, 16);
|
||||
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, NULL,
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, NULL,
|
||||
data, length, digest_final);
|
||||
|
||||
netsec_deal_with_seq_num(state, digest_final, seq_num);
|
||||
@ -198,14 +190,11 @@ NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
|
||||
/*
|
||||
seal a packet
|
||||
*/
|
||||
NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
NTSTATUS schannel_seal_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
uint8_t digest_final[16];
|
||||
uint8_t confounder[8];
|
||||
uint8_t seq_num[8];
|
||||
@ -217,8 +206,8 @@ NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
|
||||
RSIVAL(seq_num, 0, state->seq_num);
|
||||
SIVAL(seq_num, 4, state->initiator?0x80:0);
|
||||
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, confounder,
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, confounder,
|
||||
data, length, digest_final);
|
||||
|
||||
netsec_get_sealing_key(state->creds->session_key, seq_num, sealing_key);
|
||||
@ -246,14 +235,11 @@ NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
|
||||
/*
|
||||
sign a packet
|
||||
*/
|
||||
NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
NTSTATUS schannel_sign_packet(struct schannel_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
uint8_t digest_final[16];
|
||||
uint8_t seq_num[8];
|
||||
static const uint8_t netsec_sig[8] = NETSEC_SIGN_SIGNATURE;
|
||||
@ -261,8 +247,8 @@ NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
|
||||
RSIVAL(seq_num, 0, state->seq_num);
|
||||
SIVAL(seq_num, 4, state->initiator?0x80:0);
|
||||
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, NULL,
|
||||
schannel_digest(state->creds->session_key,
|
||||
netsec_sig, NULL,
|
||||
data, length, digest_final);
|
||||
|
||||
netsec_deal_with_seq_num(state, digest_final, seq_num);
|
||||
@ -29,6 +29,7 @@
|
||||
#include "auth/auth.h"
|
||||
#include "param/param.h"
|
||||
#include "auth/gensec/schannel_state.h"
|
||||
#include "../libcli/auth/schannel_state_proto.h"
|
||||
|
||||
static struct ldb_val *schannel_dom_sid_ldb_val(TALLOC_CTX *mem_ctx,
|
||||
struct dom_sid *sid)
|
||||
|
||||
@ -372,7 +372,8 @@ UTIL_OBJ = ../lib/util/rbtree.o ../lib/util/signal.o ../lib/util/time.o \
|
||||
CRYPTO_OBJ = ../lib/crypto/crc32.o ../lib/crypto/md5.o \
|
||||
../lib/crypto/hmacmd5.o ../lib/crypto/arcfour.o \
|
||||
../lib/crypto/md4.o \
|
||||
../lib/crypto/sha256.o ../lib/crypto/hmacsha256.o
|
||||
../lib/crypto/sha256.o ../lib/crypto/hmacsha256.o \
|
||||
../lib/crypto/aes.o ../lib/crypto/rijndael-alg-fst.o
|
||||
|
||||
LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
|
||||
lib/messages.o librpc/gen_ndr/ndr_messaging.o lib/messages_local.o \
|
||||
@ -495,6 +496,7 @@ CLDAP_OBJ = libads/cldap.o \
|
||||
TLDAP_OBJ = lib/tldap.o lib/tldap_util.o lib/util_tsock.o
|
||||
|
||||
SCHANNEL_OBJ = ../libcli/auth/credentials.o \
|
||||
../libcli/auth/schannel_sign.o \
|
||||
../libcli/auth/schannel_state_tdb.o \
|
||||
../librpc/gen_ndr/ndr_schannel.o \
|
||||
../librpc/ndr/ndr_schannel.o \
|
||||
|
||||
@ -46,9 +46,21 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
* We have to fake a struct dcinfo, so that
|
||||
* rpccli_netlogon_sam_network_logon_ex can decrypt the session keys.
|
||||
*/
|
||||
|
||||
p->dc = netlogon_creds_client_init_session_key(p, schannel_key);
|
||||
if (p->dc == NULL) {
|
||||
DEBUG(0, ("talloc failed\n"));
|
||||
TALLOC_FREE(p);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
status = rpccli_schannel_bind_data(p, lp_workgroup(),
|
||||
DCERPC_AUTH_LEVEL_PRIVACY,
|
||||
schannel_key, &auth);
|
||||
p->dc, &auth);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
|
||||
nt_errstr(status)));
|
||||
@ -64,18 +76,6 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
* We have to fake a struct dcinfo, so that
|
||||
* rpccli_netlogon_sam_network_logon_ex can decrypt the session keys.
|
||||
*/
|
||||
|
||||
p->dc = netlogon_creds_client_init_session_key(p, schannel_key);
|
||||
if (p->dc == NULL) {
|
||||
DEBUG(0, ("talloc failed\n"));
|
||||
TALLOC_FREE(p);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
status = rpccli_netlogon_sam_network_logon_ex(
|
||||
p, p,
|
||||
user_info->logon_parameters,/* flags such as 'allow
|
||||
|
||||
@ -55,7 +55,7 @@ struct cli_pipe_auth_data {
|
||||
DATA_BLOB user_session_key;
|
||||
|
||||
union {
|
||||
struct schannel_auth_struct *schannel_auth;
|
||||
struct schannel_state *schannel_auth;
|
||||
NTLMSSP_STATE *ntlmssp_state;
|
||||
struct kerberos_auth_struct *kerberos_auth;
|
||||
} a_u;
|
||||
|
||||
@ -150,7 +150,7 @@ struct pipe_auth_data {
|
||||
enum pipe_auth_type auth_type; /* switch for union below. */
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
union {
|
||||
struct schannel_auth_struct *schannel_auth;
|
||||
struct schannel_state *schannel_auth;
|
||||
AUTH_NTLMSSP_STATE *auth_ntlmssp_state;
|
||||
/* struct kerberos_auth_struct *kerberos_auth; TO BE ADDED... */
|
||||
} a_u;
|
||||
|
||||
@ -5298,7 +5298,7 @@ NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
|
||||
struct cli_pipe_auth_data **presult);
|
||||
NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
|
||||
enum dcerpc_AuthLevel auth_level,
|
||||
const uint8_t sess_key[16],
|
||||
struct netlogon_creds_CredentialState *creds,
|
||||
struct cli_pipe_auth_data **presult);
|
||||
NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
|
||||
enum dcerpc_AuthLevel auth_level,
|
||||
@ -5706,13 +5706,6 @@ bool prs_uint16s(bool charmode, const char *name, prs_struct *ps, int depth, uin
|
||||
bool prs_uint32s(bool charmode, const char *name, prs_struct *ps, int depth, uint32 *data32s, int len);
|
||||
bool prs_unistr(const char *name, prs_struct *ps, int depth, UNISTR *str);
|
||||
bool prs_string(const char *name, prs_struct *ps, int depth, char *str, int max_buf_size);
|
||||
void schannel_encode(struct schannel_auth_struct *a, enum dcerpc_AuthLevel auth_level,
|
||||
enum schannel_direction direction,
|
||||
struct NL_AUTH_SIGNATURE *verf,
|
||||
char *data, size_t data_len);
|
||||
bool schannel_decode(struct schannel_auth_struct *a, enum dcerpc_AuthLevel auth_level,
|
||||
enum schannel_direction direction,
|
||||
struct NL_AUTH_SIGNATURE *verf, char *data, size_t data_len);
|
||||
bool prs_init_data_blob(prs_struct *prs, DATA_BLOB *blob, TALLOC_CTX *mem_ctx);
|
||||
bool prs_data_blob(prs_struct *prs, DATA_BLOB *blob, TALLOC_CTX *mem_ctx);
|
||||
|
||||
|
||||
@ -916,6 +916,9 @@ static ssize_t streams_xattr_pread(vfs_handle_struct *handle,
|
||||
NTSTATUS status;
|
||||
size_t length, overlap;
|
||||
|
||||
DEBUG(10, ("streams_xattr_pread: offset=%d, size=%d\n",
|
||||
(int)offset, (int)n));
|
||||
|
||||
if (sio == NULL) {
|
||||
return SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset);
|
||||
}
|
||||
@ -932,10 +935,12 @@ static ssize_t streams_xattr_pread(vfs_handle_struct *handle,
|
||||
|
||||
length = ea.value.length-1;
|
||||
|
||||
DEBUG(10, ("streams_xattr_pread: get_ea_value returned %d bytes\n",
|
||||
(int)length));
|
||||
|
||||
/* Attempt to read past EOF. */
|
||||
if (length <= offset) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
overlap = (offset + n) > length ? (length - offset) : n;
|
||||
|
||||
@ -21,6 +21,8 @@
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "librpc/gen_ndr/cli_epmapper.h"
|
||||
#include "../librpc/gen_ndr/ndr_schannel.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
#include "../libcli/auth/schannel_proto.h"
|
||||
|
||||
#undef DBGC_CLASS
|
||||
#define DBGC_CLASS DBGC_RPC_CLI
|
||||
@ -673,11 +675,12 @@ static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli, RPC_HDR *p
|
||||
struct NL_AUTH_SIGNATURE schannel_chk;
|
||||
uint32 auth_len = prhdr->auth_len;
|
||||
uint32 save_offset = prs_offset(current_pdu);
|
||||
struct schannel_auth_struct *schannel_auth =
|
||||
struct schannel_state *schannel_auth =
|
||||
cli->auth->a_u.schannel_auth;
|
||||
uint32 data_len;
|
||||
enum ndr_err_code ndr_err;
|
||||
DATA_BLOB blob;
|
||||
NTSTATUS status;
|
||||
|
||||
if (cli->auth->auth_level == DCERPC_AUTH_LEVEL_NONE
|
||||
|| cli->auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
|
||||
@ -720,7 +723,7 @@ static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli, RPC_HDR *p
|
||||
return NT_STATUS_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
blob = data_blob_const(prs_data_p(current_pdu) + prs_offset(current_pdu), data_len);
|
||||
blob = data_blob_const(prs_data_p(current_pdu) + prs_offset(current_pdu), auth_len);
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE);
|
||||
@ -733,20 +736,33 @@ static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli, RPC_HDR *p
|
||||
NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &schannel_chk);
|
||||
}
|
||||
|
||||
if (!schannel_decode(schannel_auth,
|
||||
cli->auth->auth_level,
|
||||
SENDER_IS_ACCEPTOR,
|
||||
&schannel_chk,
|
||||
prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
|
||||
data_len)) {
|
||||
DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
|
||||
"Connection to %s.\n",
|
||||
rpccli_pipe_txt(debug_ctx(), cli)));
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
switch (cli->auth->auth_level) {
|
||||
case DCERPC_AUTH_LEVEL_PRIVACY:
|
||||
status = schannel_unseal_packet(schannel_auth,
|
||||
talloc_tos(),
|
||||
(uint8_t *)prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
|
||||
data_len,
|
||||
&blob);
|
||||
break;
|
||||
case DCERPC_AUTH_LEVEL_INTEGRITY:
|
||||
status = schannel_check_packet(schannel_auth,
|
||||
talloc_tos(),
|
||||
(uint8_t *)prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
|
||||
data_len,
|
||||
&blob);
|
||||
break;
|
||||
default:
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
break;
|
||||
}
|
||||
|
||||
/* The sequence number gets incremented on both send and receive. */
|
||||
schannel_auth->seq_num++;
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
|
||||
"Connection to %s (%s).\n",
|
||||
rpccli_pipe_txt(debug_ctx(), cli),
|
||||
nt_errstr(status)));
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the current pointer to the data offset.
|
||||
@ -1915,11 +1931,12 @@ static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
|
||||
{
|
||||
RPC_HDR_AUTH auth_info;
|
||||
struct NL_AUTH_SIGNATURE verf;
|
||||
struct schannel_auth_struct *sas = cli->auth->a_u.schannel_auth;
|
||||
struct schannel_state *sas = cli->auth->a_u.schannel_auth;
|
||||
char *data_p = prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
|
||||
size_t data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
|
||||
enum ndr_err_code ndr_err;
|
||||
DATA_BLOB blob;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!sas) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
@ -1937,29 +1954,35 @@ static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
|
||||
sas->seq_num));
|
||||
|
||||
switch (cli->auth->auth_level) {
|
||||
case DCERPC_AUTH_LEVEL_PRIVACY:
|
||||
case DCERPC_AUTH_LEVEL_INTEGRITY:
|
||||
DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
|
||||
sas->seq_num));
|
||||
|
||||
schannel_encode(sas,
|
||||
cli->auth->auth_level,
|
||||
SENDER_IS_INITIATOR,
|
||||
&verf,
|
||||
data_p,
|
||||
data_and_pad_len);
|
||||
|
||||
sas->seq_num++;
|
||||
break;
|
||||
|
||||
default:
|
||||
/* Can't happen. */
|
||||
smb_panic("bad auth level");
|
||||
/* Notreached. */
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
case DCERPC_AUTH_LEVEL_PRIVACY:
|
||||
status = schannel_seal_packet(sas,
|
||||
talloc_tos(),
|
||||
(uint8_t *)data_p,
|
||||
data_and_pad_len,
|
||||
&blob);
|
||||
break;
|
||||
case DCERPC_AUTH_LEVEL_INTEGRITY:
|
||||
status = schannel_sign_packet(sas,
|
||||
talloc_tos(),
|
||||
(uint8_t *)data_p,
|
||||
data_and_pad_len,
|
||||
&blob);
|
||||
break;
|
||||
default:
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
#if 0
|
||||
ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &verf,
|
||||
(ndr_push_flags_fn_t)ndr_push_NL_AUTH_SIGNATURE);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
@ -1969,7 +1992,7 @@ static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
|
||||
if (DEBUGLEVEL >= 10) {
|
||||
NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &verf);
|
||||
}
|
||||
|
||||
#endif
|
||||
/* Finally marshall the blob. */
|
||||
if (!prs_copy_data_in(outgoing_pdu, (const char *)blob.data, blob.length)) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
@ -3070,7 +3093,7 @@ NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
|
||||
|
||||
NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
|
||||
enum dcerpc_AuthLevel auth_level,
|
||||
const uint8_t sess_key[16],
|
||||
struct netlogon_creds_CredentialState *creds,
|
||||
struct cli_pipe_auth_data **presult)
|
||||
{
|
||||
struct cli_pipe_auth_data *result;
|
||||
@ -3089,15 +3112,15 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
|
||||
goto fail;
|
||||
}
|
||||
|
||||
result->a_u.schannel_auth = talloc(result,
|
||||
struct schannel_auth_struct);
|
||||
result->a_u.schannel_auth = talloc(result, struct schannel_state);
|
||||
if (result->a_u.schannel_auth == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
memcpy(result->a_u.schannel_auth->sess_key, sess_key,
|
||||
sizeof(result->a_u.schannel_auth->sess_key));
|
||||
result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
|
||||
result->a_u.schannel_auth->seq_num = 0;
|
||||
result->a_u.schannel_auth->initiator = true;
|
||||
result->a_u.schannel_auth->creds = creds;
|
||||
|
||||
*presult = result;
|
||||
return NT_STATUS_OK;
|
||||
@ -3904,7 +3927,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
|
||||
}
|
||||
|
||||
status = rpccli_schannel_bind_data(result, domain, auth_level,
|
||||
(*pdc)->session_key, &auth);
|
||||
*pdc, &auth);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
|
||||
nt_errstr(status)));
|
||||
@ -4122,7 +4145,7 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
|
||||
switch (cli->auth->auth_type) {
|
||||
case PIPE_AUTH_TYPE_SCHANNEL:
|
||||
*session_key = data_blob_talloc(mem_ctx,
|
||||
cli->auth->a_u.schannel_auth->sess_key, 16);
|
||||
cli->auth->a_u.schannel_auth->creds->session_key, 16);
|
||||
break;
|
||||
case PIPE_AUTH_TYPE_NTLMSSP:
|
||||
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
|
||||
|
||||
@ -1065,292 +1065,6 @@ bool prs_string(const char *name, prs_struct *ps, int depth, char *str, int max_
|
||||
return True;
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
Create a digest over the entire packet (including the data), and
|
||||
MD5 it with the session key.
|
||||
********************************************************************/
|
||||
|
||||
static void schannel_digest(struct schannel_auth_struct *a,
|
||||
enum dcerpc_AuthLevel auth_level,
|
||||
struct NL_AUTH_SIGNATURE *verf,
|
||||
char *data, size_t data_len,
|
||||
uchar digest_final[16])
|
||||
{
|
||||
uchar whole_packet_digest[16];
|
||||
uchar zeros[4];
|
||||
struct MD5Context ctx3;
|
||||
uint8_t sig[8];
|
||||
|
||||
ZERO_STRUCT(zeros);
|
||||
ZERO_STRUCT(sig);
|
||||
|
||||
SSVAL(sig,0,verf->SignatureAlgorithm);
|
||||
SSVAL(sig,2,verf->SealAlgorithm);
|
||||
SSVAL(sig,4,verf->Pad);
|
||||
SSVAL(sig,6,verf->Flags);
|
||||
|
||||
/* verfiy the signature on the packet by MD5 over various bits */
|
||||
MD5Init(&ctx3);
|
||||
/* use our sequence number, which ensures the packet is not
|
||||
out of order */
|
||||
MD5Update(&ctx3, zeros, sizeof(zeros));
|
||||
MD5Update(&ctx3, sig, 8);
|
||||
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
||||
MD5Update(&ctx3, verf->Confounder, sizeof(verf->Confounder));
|
||||
}
|
||||
MD5Update(&ctx3, (const unsigned char *)data, data_len);
|
||||
MD5Final(whole_packet_digest, &ctx3);
|
||||
dump_data_pw("whole_packet_digest:\n", whole_packet_digest, sizeof(whole_packet_digest));
|
||||
|
||||
/* MD5 this result and the session key, to prove that
|
||||
only a valid client could had produced this */
|
||||
hmac_md5(a->sess_key, whole_packet_digest, sizeof(whole_packet_digest), digest_final);
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
Calculate the key with which to encode the data payload
|
||||
********************************************************************/
|
||||
|
||||
static void schannel_get_sealing_key(struct schannel_auth_struct *a,
|
||||
struct NL_AUTH_SIGNATURE *verf,
|
||||
uchar sealing_key[16])
|
||||
{
|
||||
uchar zeros[4];
|
||||
uchar digest2[16];
|
||||
uchar sess_kf0[16];
|
||||
int i;
|
||||
|
||||
ZERO_STRUCT(zeros);
|
||||
|
||||
for (i = 0; i < sizeof(sess_kf0); i++) {
|
||||
sess_kf0[i] = a->sess_key[i] ^ 0xf0;
|
||||
}
|
||||
|
||||
dump_data_pw("sess_kf0:\n", sess_kf0, sizeof(sess_kf0));
|
||||
|
||||
/* MD5 of sess_kf0 and 4 zero bytes */
|
||||
hmac_md5(sess_kf0, zeros, 0x4, digest2);
|
||||
dump_data_pw("digest2:\n", digest2, sizeof(digest2));
|
||||
|
||||
/* MD5 of the above result, plus 8 bytes of sequence number */
|
||||
hmac_md5(digest2, verf->SequenceNumber, sizeof(verf->SequenceNumber), sealing_key);
|
||||
dump_data_pw("sealing_key:\n", sealing_key, 16);
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
Encode or Decode the sequence number (which is symmetric)
|
||||
********************************************************************/
|
||||
|
||||
static void schannel_deal_with_seq_num(struct schannel_auth_struct *a,
|
||||
struct NL_AUTH_SIGNATURE *verf)
|
||||
{
|
||||
uchar zeros[4];
|
||||
uchar sequence_key[16];
|
||||
uchar digest1[16];
|
||||
|
||||
ZERO_STRUCT(zeros);
|
||||
|
||||
hmac_md5(a->sess_key, zeros, sizeof(zeros), digest1);
|
||||
dump_data_pw("(sequence key) digest1:\n", digest1, sizeof(digest1));
|
||||
|
||||
hmac_md5(digest1, verf->Checksum, 8, sequence_key);
|
||||
|
||||
dump_data_pw("sequence_key:\n", sequence_key, sizeof(sequence_key));
|
||||
|
||||
dump_data_pw("seq_num (before):\n", verf->SequenceNumber, sizeof(verf->SequenceNumber));
|
||||
arcfour_crypt(verf->SequenceNumber, sequence_key, 8);
|
||||
dump_data_pw("seq_num (after):\n", verf->SequenceNumber, sizeof(verf->SequenceNumber));
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
Encode a blob of data using the schannel alogrithm, also produceing
|
||||
a checksum over the original data. We currently only support
|
||||
signing and sealing togeather - the signing-only code is close, but not
|
||||
quite compatible with what MS does.
|
||||
********************************************************************/
|
||||
|
||||
void schannel_encode(struct schannel_auth_struct *a, enum dcerpc_AuthLevel auth_level,
|
||||
enum schannel_direction direction,
|
||||
struct NL_AUTH_SIGNATURE *verf,
|
||||
char *data, size_t data_len)
|
||||
{
|
||||
uchar digest_final[16];
|
||||
uchar confounder[8];
|
||||
uchar seq_num[8];
|
||||
static const uchar nullbytes[8] = { 0, };
|
||||
|
||||
DEBUG(10,("SCHANNEL: schannel_encode seq_num=%d data_len=%lu\n", a->seq_num, (unsigned long)data_len));
|
||||
|
||||
/* fill the 'confounder' with random data */
|
||||
generate_random_buffer(confounder, sizeof(confounder));
|
||||
|
||||
dump_data_pw("a->sess_key:\n", a->sess_key, sizeof(a->sess_key));
|
||||
|
||||
RSIVAL(seq_num, 0, a->seq_num);
|
||||
|
||||
switch (direction) {
|
||||
case SENDER_IS_INITIATOR:
|
||||
SIVAL(seq_num, 4, 0x80);
|
||||
break;
|
||||
case SENDER_IS_ACCEPTOR:
|
||||
SIVAL(seq_num, 4, 0x0);
|
||||
break;
|
||||
}
|
||||
|
||||
dump_data_pw("verf->SequenceNumber:\n", verf->SequenceNumber, sizeof(verf->SequenceNumber));
|
||||
|
||||
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
||||
verf->SealAlgorithm = NL_SEAL_RC4;
|
||||
} else {
|
||||
verf->SealAlgorithm = NL_SEAL_NONE;
|
||||
}
|
||||
|
||||
verf->SignatureAlgorithm = NL_SIGN_HMAC_MD5;
|
||||
verf->Pad = 0xffff;
|
||||
verf->Flags = 0x0000;
|
||||
|
||||
memcpy(verf->SequenceNumber, seq_num, sizeof(verf->SequenceNumber));
|
||||
memcpy(verf->Checksum, nullbytes, sizeof(verf->Checksum));
|
||||
memcpy(verf->Confounder, confounder, sizeof(verf->Confounder));
|
||||
|
||||
/* produce a digest of the packet to prove it's legit (before we seal it) */
|
||||
schannel_digest(a, auth_level, verf, data, data_len, digest_final);
|
||||
memcpy(verf->Checksum, digest_final, sizeof(verf->Checksum));
|
||||
|
||||
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
||||
uchar sealing_key[16];
|
||||
|
||||
/* get the key to encode the data with */
|
||||
schannel_get_sealing_key(a, verf, sealing_key);
|
||||
|
||||
/* encode the verification data */
|
||||
dump_data_pw("verf->Confounder:\n", verf->Confounder, sizeof(verf->Confounder));
|
||||
arcfour_crypt(verf->Confounder, sealing_key, 8);
|
||||
|
||||
dump_data_pw("verf->Confounder_enc:\n", verf->Confounder, sizeof(verf->Confounder));
|
||||
|
||||
/* encode the packet payload */
|
||||
dump_data_pw("data:\n", (const unsigned char *)data, data_len);
|
||||
arcfour_crypt((unsigned char *)data, sealing_key, data_len);
|
||||
dump_data_pw("data_enc:\n", (const unsigned char *)data, data_len);
|
||||
}
|
||||
|
||||
/* encode the sequence number (key based on packet digest) */
|
||||
/* needs to be done after the sealing, as the original version
|
||||
is used in the sealing stuff... */
|
||||
schannel_deal_with_seq_num(a, verf);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
Decode a blob of data using the schannel alogrithm, also verifiying
|
||||
a checksum over the original data. We currently can verify signed messages,
|
||||
as well as decode sealed messages
|
||||
********************************************************************/
|
||||
|
||||
bool schannel_decode(struct schannel_auth_struct *a, enum dcerpc_AuthLevel auth_level,
|
||||
enum schannel_direction direction,
|
||||
struct NL_AUTH_SIGNATURE *verf, char *data, size_t data_len)
|
||||
{
|
||||
uchar digest_final[16];
|
||||
|
||||
static const uchar schannel_seal_sig[8] = SCHANNEL_SEAL_SIGNATURE;
|
||||
static const uchar schannel_sign_sig[8] = SCHANNEL_SIGN_SIGNATURE;
|
||||
const uchar *schannel_sig = NULL;
|
||||
|
||||
uchar seq_num[8];
|
||||
|
||||
DEBUG(10,("SCHANNEL: schannel_decode seq_num=%d data_len=%lu\n", a->seq_num, (unsigned long)data_len));
|
||||
|
||||
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
||||
schannel_sig = schannel_seal_sig;
|
||||
} else {
|
||||
schannel_sig = schannel_sign_sig;
|
||||
}
|
||||
|
||||
/* Create the expected sequence number for comparison */
|
||||
RSIVAL(seq_num, 0, a->seq_num);
|
||||
|
||||
switch (direction) {
|
||||
case SENDER_IS_INITIATOR:
|
||||
SIVAL(seq_num, 4, 0x80);
|
||||
break;
|
||||
case SENDER_IS_ACCEPTOR:
|
||||
SIVAL(seq_num, 4, 0x0);
|
||||
break;
|
||||
}
|
||||
|
||||
DEBUG(10,("SCHANNEL: schannel_decode seq_num=%d data_len=%lu\n", a->seq_num, (unsigned long)data_len));
|
||||
dump_data_pw("a->sess_key:\n", a->sess_key, sizeof(a->sess_key));
|
||||
|
||||
dump_data_pw("seq_num:\n", seq_num, sizeof(seq_num));
|
||||
|
||||
/* extract the sequence number (key based on supplied packet digest) */
|
||||
/* needs to be done before the sealing, as the original version
|
||||
is used in the sealing stuff... */
|
||||
schannel_deal_with_seq_num(a, verf);
|
||||
|
||||
if (memcmp(verf->SequenceNumber, seq_num, sizeof(seq_num))) {
|
||||
/* don't even bother with the below if the sequence number is out */
|
||||
/* The sequence number is MD5'ed with a key based on the whole-packet
|
||||
digest, as supplied by the client. We check that it's a valid
|
||||
checksum after the decode, below
|
||||
*/
|
||||
DEBUG(2, ("schannel_decode: FAILED: packet sequence number:\n"));
|
||||
dump_data(2, verf->SequenceNumber, sizeof(verf->SequenceNumber));
|
||||
DEBUG(2, ("should be:\n"));
|
||||
dump_data(2, seq_num, sizeof(seq_num));
|
||||
|
||||
return False;
|
||||
}
|
||||
|
||||
if (memcmp(&verf->SignatureAlgorithm, &schannel_sig[0], 2) ||
|
||||
memcmp(&verf->SealAlgorithm, &schannel_sig[2], 2) ||
|
||||
memcmp(&verf->Pad, &schannel_sig[4], 2) ||
|
||||
memcmp(&verf->Flags, &schannel_sig[6], 2)) {
|
||||
/* Validate that the other end sent the expected header */
|
||||
DEBUG(2, ("schannel_decode: FAILED: packet header:\n"));
|
||||
dump_data(2, (const uint8_t *)verf, sizeof(schannel_sig));
|
||||
DEBUG(2, ("should be:\n"));
|
||||
dump_data(2, schannel_sig, sizeof(schannel_sig));
|
||||
return False;
|
||||
}
|
||||
|
||||
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
||||
uchar sealing_key[16];
|
||||
|
||||
/* get the key to extract the data with */
|
||||
schannel_get_sealing_key(a, verf, sealing_key);
|
||||
|
||||
/* extract the verification data */
|
||||
dump_data_pw("verf->Confounder:\n", verf->Confounder,
|
||||
sizeof(verf->Confounder));
|
||||
arcfour_crypt(verf->Confounder, sealing_key, 8);
|
||||
|
||||
dump_data_pw("verf->Confounder_dec:\n", verf->Confounder,
|
||||
sizeof(verf->Confounder));
|
||||
|
||||
/* extract the packet payload */
|
||||
dump_data_pw("data :\n", (const unsigned char *)data, data_len);
|
||||
arcfour_crypt((unsigned char *)data, sealing_key, data_len);
|
||||
dump_data_pw("datadec:\n", (const unsigned char *)data, data_len);
|
||||
}
|
||||
|
||||
/* digest includes 'data' after unsealing */
|
||||
schannel_digest(a, auth_level, verf, data, data_len, digest_final);
|
||||
|
||||
dump_data_pw("Calculated digest:\n", digest_final,
|
||||
sizeof(digest_final));
|
||||
dump_data_pw("verf->Checksum:\n", verf->Checksum,
|
||||
sizeof(verf->Checksum));
|
||||
|
||||
/* compare - if the client got the same result as us, then
|
||||
it must know the session key */
|
||||
return (memcmp(digest_final, verf->Checksum,
|
||||
sizeof(verf->Checksum)) == 0);
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
creates a new prs_struct containing a DATA_BLOB
|
||||
********************************************************************/
|
||||
|
||||
@ -27,6 +27,7 @@
|
||||
#include "includes.h"
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "../libcli/auth/schannel_state.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
|
||||
extern userdom_struct current_user_info;
|
||||
|
||||
@ -1053,7 +1054,7 @@ static NTSTATUS _netr_LogonSamLogon_base(pipes_struct *p,
|
||||
|| (p->auth.a_u.schannel_auth == NULL)) {
|
||||
return NT_STATUS_INVALID_HANDLE;
|
||||
}
|
||||
memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16);
|
||||
memcpy(pipe_session_key, p->auth.a_u.schannel_auth->creds->session_key, 16);
|
||||
}
|
||||
|
||||
switch (r->in.validation_level) {
|
||||
|
||||
@ -30,6 +30,8 @@
|
||||
#include "includes.h"
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "../librpc/gen_ndr/ndr_schannel.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
#include "../libcli/auth/schannel_proto.h"
|
||||
|
||||
extern struct current_user current_user;
|
||||
|
||||
@ -285,6 +287,7 @@ static bool create_next_pdu_schannel(pipes_struct *p)
|
||||
uint32 data_space_available;
|
||||
uint32 data_len_left;
|
||||
uint32 data_pos;
|
||||
NTSTATUS status;
|
||||
|
||||
/*
|
||||
* If we're in the fault state, keep returning fault PDU's until
|
||||
@ -426,13 +429,36 @@ static bool create_next_pdu_schannel(pipes_struct *p)
|
||||
return False;
|
||||
}
|
||||
|
||||
schannel_encode(p->auth.a_u.schannel_auth,
|
||||
p->auth.auth_level, SENDER_IS_ACCEPTOR, &verf,
|
||||
prs_data_p(&p->out_data.frag) + data_pos,
|
||||
data_len + ss_padding_len);
|
||||
switch (p->auth.auth_level) {
|
||||
case DCERPC_AUTH_LEVEL_PRIVACY:
|
||||
status = schannel_seal_packet(p->auth.a_u.schannel_auth,
|
||||
talloc_tos(),
|
||||
(uint8_t *)prs_data_p(&p->out_data.frag) + data_pos,
|
||||
data_len + ss_padding_len,
|
||||
&blob);
|
||||
break;
|
||||
case DCERPC_AUTH_LEVEL_INTEGRITY:
|
||||
status = schannel_sign_packet(p->auth.a_u.schannel_auth,
|
||||
talloc_tos(),
|
||||
(uint8_t *)prs_data_p(&p->out_data.frag) + data_pos,
|
||||
data_len + ss_padding_len,
|
||||
&blob);
|
||||
break;
|
||||
default:
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
|
||||
nt_errstr(status)));
|
||||
prs_mem_free(&p->out_data.frag);
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Finally marshall the blob. */
|
||||
|
||||
#if 0
|
||||
ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &verf,
|
||||
(ndr_push_flags_fn_t)ndr_push_NL_AUTH_SIGNATURE);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
@ -443,13 +469,11 @@ static bool create_next_pdu_schannel(pipes_struct *p)
|
||||
if (DEBUGLEVEL >= 10) {
|
||||
NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &verf);
|
||||
}
|
||||
|
||||
#endif
|
||||
if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
|
||||
prs_mem_free(&p->out_data.frag);
|
||||
return false;
|
||||
}
|
||||
|
||||
p->auth.a_u.schannel_auth->seq_num++;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1376,7 +1400,7 @@ static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
|
||||
*/
|
||||
|
||||
become_root();
|
||||
status = schannel_fetch_session_key(p->mem_ctx,
|
||||
status = schannel_fetch_session_key(p,
|
||||
neg.oem_netbios_computer.a,
|
||||
&creds);
|
||||
unbecome_root();
|
||||
@ -1386,19 +1410,16 @@ static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
|
||||
return False;
|
||||
}
|
||||
|
||||
p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
|
||||
p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
|
||||
if (!p->auth.a_u.schannel_auth) {
|
||||
TALLOC_FREE(creds);
|
||||
return False;
|
||||
}
|
||||
|
||||
memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
|
||||
memcpy(p->auth.a_u.schannel_auth->sess_key, creds->session_key,
|
||||
sizeof(creds->session_key));
|
||||
|
||||
TALLOC_FREE(creds);
|
||||
|
||||
p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
|
||||
p->auth.a_u.schannel_auth->seq_num = 0;
|
||||
p->auth.a_u.schannel_auth->initiator = false;
|
||||
p->auth.a_u.schannel_auth->creds = creds;
|
||||
|
||||
/*
|
||||
* JRA. Should we also copy the schannel session key into the pipe session key p->session_key
|
||||
@ -2152,6 +2173,7 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
|
||||
struct NL_AUTH_SIGNATURE schannel_chk;
|
||||
enum ndr_err_code ndr_err;
|
||||
DATA_BLOB blob;
|
||||
NTSTATUS status;
|
||||
|
||||
auth_len = p->hdr.auth_len;
|
||||
|
||||
@ -2213,13 +2235,29 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
|
||||
NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &schannel_chk);
|
||||
}
|
||||
|
||||
if (!schannel_decode(p->auth.a_u.schannel_auth,
|
||||
p->auth.auth_level,
|
||||
SENDER_IS_INITIATOR,
|
||||
&schannel_chk,
|
||||
prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
|
||||
DEBUG(3,("failed to decode PDU\n"));
|
||||
return False;
|
||||
switch (auth_info.auth_level) {
|
||||
case DCERPC_AUTH_LEVEL_PRIVACY:
|
||||
status = schannel_unseal_packet(p->auth.a_u.schannel_auth,
|
||||
talloc_tos(),
|
||||
(uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN,
|
||||
data_len,
|
||||
&blob);
|
||||
break;
|
||||
case DCERPC_AUTH_LEVEL_INTEGRITY:
|
||||
status = schannel_check_packet(p->auth.a_u.schannel_auth,
|
||||
talloc_tos(),
|
||||
(uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN,
|
||||
data_len,
|
||||
&blob);
|
||||
break;
|
||||
default:
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -2232,9 +2270,6 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
|
||||
return False;
|
||||
}
|
||||
|
||||
/* The sequence number gets incremented on both send and receive. */
|
||||
p->auth.a_u.schannel_auth->seq_num++;
|
||||
|
||||
/*
|
||||
* Remember the padding length. We must remove it from the real data
|
||||
* stream once the sign/seal is done.
|
||||
|
||||
@ -72,7 +72,7 @@ OUTPUT_TYPE = MERGED_OBJ
|
||||
# End MODULE gensec_schannel
|
||||
################################################
|
||||
|
||||
gensec_schannel_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel.o schannel_sign.o)
|
||||
gensec_schannel_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel.o) ../libcli/auth/schannel_sign.o
|
||||
$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_proto.h,$(gensec_schannel_OBJ_FILES:.o=.c)))
|
||||
|
||||
################################################
|
||||
|
||||
@ -26,7 +26,8 @@
|
||||
#include "auth/credentials/credentials.h"
|
||||
#include "auth/gensec/gensec.h"
|
||||
#include "auth/gensec/gensec_proto.h"
|
||||
#include "auth/gensec/schannel.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
#include "auth/gensec/schannel_state.h"
|
||||
#include "librpc/rpc/dcerpc.h"
|
||||
#include "param/param.h"
|
||||
#include "auth/session_proto.h"
|
||||
@ -281,6 +282,49 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
|
||||
return false;
|
||||
}
|
||||
|
||||
static NTSTATUS schannel_seal_packet_wrap(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
return schannel_seal_packet(state, mem_ctx, data, length, sig);
|
||||
}
|
||||
|
||||
static NTSTATUS schannel_sign_packet_wrap(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
return schannel_sign_packet(state, mem_ctx, data, length, sig);
|
||||
}
|
||||
|
||||
static NTSTATUS schannel_check_packet_wrap(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
const DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
return schannel_check_packet(state, mem_ctx, data, length, sig);
|
||||
}
|
||||
|
||||
static NTSTATUS schannel_unseal_packet_wrap(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
uint8_t *data, size_t length,
|
||||
const uint8_t *whole_pdu, size_t pdu_length,
|
||||
const DATA_BLOB *sig)
|
||||
{
|
||||
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
|
||||
|
||||
return schannel_unseal_packet(state, mem_ctx, data, length, sig);
|
||||
}
|
||||
|
||||
static const struct gensec_security_ops gensec_schannel_security_ops = {
|
||||
.name = "schannel",
|
||||
@ -288,10 +332,10 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
|
||||
.client_start = schannel_client_start,
|
||||
.server_start = schannel_server_start,
|
||||
.update = schannel_update,
|
||||
.seal_packet = schannel_seal_packet,
|
||||
.sign_packet = schannel_sign_packet,
|
||||
.check_packet = schannel_check_packet,
|
||||
.unseal_packet = schannel_unseal_packet,
|
||||
.seal_packet = schannel_seal_packet_wrap,
|
||||
.sign_packet = schannel_sign_packet_wrap,
|
||||
.check_packet = schannel_check_packet_wrap,
|
||||
.unseal_packet = schannel_unseal_packet_wrap,
|
||||
.session_key = schannel_session_key,
|
||||
.session_info = schannel_session_info,
|
||||
.sig_size = schannel_sig_size,
|
||||
|
||||
@ -32,7 +32,8 @@
|
||||
#include "rpc_server/samr/proto.h"
|
||||
#include "../lib/util/util_ldb.h"
|
||||
#include "libcli/auth/libcli_auth.h"
|
||||
#include "auth/gensec/schannel.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
#include "auth/gensec/schannel_state.h"
|
||||
#include "libcli/security/security.h"
|
||||
#include "param/param.h"
|
||||
#include "lib/messaging/irpc.h"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user