
fixing smbd encrypted rpcs (data lens, alloc hints, sequence nums argh).

put unicode strings after the SAMLOGON query regardless of whether it is
an NT mailslot or a non-NT mailslot, after having observed this behaviour
from NT machines.
This commit is contained in:
Luke Leighton
-
parent a1c4d8351b
commit c101113ec2
6 changed files with 26 additions and 16 deletions


@@ -267,6 +267,7 @@ int smb_buflen(char *buf);
char *smb_buf(char *buf); char *smb_buf(char *buf);
int smb_offset(char *p,char *buf); int smb_offset(char *p,char *buf);
char *skip_string(char *buf,int n); char *skip_string(char *buf,int n);
size_t str_charnum(char *s);
BOOL trim_string(char *s,char *front,char *back); BOOL trim_string(char *s,char *front,char *back);
void dos_clean_name(char *s); void dos_clean_name(char *s);
void unix_clean_name(char *s); void unix_clean_name(char *s);
@@ -1594,7 +1595,7 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
char *domain, char *user, char *wks, char *domain, char *user, char *wks,
uint32 neg_flags); uint32 neg_flags);
void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth); void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth);
BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 *seq_num); BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 seq_num);
void make_rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, void make_rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk,
uint32 ver, uint32 crc32, uint32 seq_num); uint32 ver, uint32 crc32, uint32 seq_num);
void smb_io_rpc_auth_ntlmssp_chk(char *desc, RPC_AUTH_NTLMSSP_CHK *chk, prs_struct *ps, int depth); void smb_io_rpc_auth_ntlmssp_chk(char *desc, RPC_AUTH_NTLMSSP_CHK *chk, prs_struct *ps, int depth);


@@ -65,7 +65,7 @@ uint32 crc32_calc_buffer( uint32 count, char *buffer)
crc = (crc>>8) ^ CRCTable[(buffer[i] ^ crc) & 0xff]; crc = (crc>>8) ^ CRCTable[(buffer[i] ^ crc) & 0xff];
} }
crc^=0xffffffff; crc^=0xffffffff;
DEBUG(10,("crc_32_calc_buffer: %x\n", crc)); DEBUG(10,("crc32_calc_buffer: %x\n", crc));
dump_data(100, buffer, count); dump_data(100, buffer, count);
return crc; return crc;
} }


@@ -55,6 +55,8 @@ void process_logon_packet(struct packet_struct *p,char *buf,int len,
char *unicomp; /* Unicode computer name. */ char *unicomp; /* Unicode computer name. */
struct smb_passwd *smb_pass; /* To check if machine account exists */ struct smb_passwd *smb_pass; /* To check if machine account exists */
memset(outbuf, 0, sizeof(outbuf));
if (!lp_domain_logons()) if (!lp_domain_logons())
{ {
DEBUG(3,("process_logon_packet: Logon packet received from IP %s and domain \ DEBUG(3,("process_logon_packet: Logon packet received from IP %s and domain \
@@ -137,7 +139,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
fstrcpy(q, reply_name); fstrcpy(q, reply_name);
q = skip_string(q, 1); /* PDC name */ q = skip_string(q, 1); /* PDC name */
#if 0
if (strcmp(mailslot, NT_LOGON_MAILSLOT)==0) { if (strcmp(mailslot, NT_LOGON_MAILSLOT)==0) {
#endif
q = align2(q, buf); q = align2(q, buf);
PutUniCode(q, my_name); /* PDC name */ PutUniCode(q, my_name); /* PDC name */
@@ -151,7 +155,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
q += 2; q += 2;
SSVAL(q, 0, lm20token); SSVAL(q, 0, lm20token);
q += 2; q += 2;
#if 0
} }
#endif
DEBUG(3,("process_logon_packet: GETDC request from %s at IP %s, \ DEBUG(3,("process_logon_packet: GETDC request from %s at IP %s, \
reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
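Review bot: The `#if 0` / `#endif` pairs around `if (strcmp(mailslot, NT_LOGON_MAILSLOT)==0) {` and its closing `}` leave a disabled condition standing in for the decision the commit actually makes, so the next reader has to work out from the preprocessor that the Unicode PDC name and the fields that follow it are now emitted for every mailslot. Deleting the disabled lines and giving the reason in a comment would carry the intent: `/* NT machines have been observed to return the Unicode PDC name and the NT/LM tokens for non-NT GETDC mailslots too, so emit them unconditionally. */`. Emitting those fields unconditionally makes the reply longer in the non-NT case, and the hunk shows neither the size of `outbuf` nor any check on `q` before the `PutUniCode` and `SSVAL` writes, so it is worth confirming the buffer still holds the longer reply. The `memset(outbuf, 0, sizeof(outbuf))` added near the top of the function is a good change regardless, since it keeps whatever was previously in that (presumably local) array out of the bytes of the reply that are not explicitly written. process_logon_packet begins before and ends after these hunks.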


@@ -196,10 +196,11 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
if (auth_verify) if (auth_verify)
{ {
crc32 = crc32_calc_buffer(data_len, reply_data); crc32 = crc32_calc_buffer(data_len, reply_data);
if (!rpc_auth_ntlmssp_chk(&chk, crc32 , &cli->ntlmssp_seq_num)) if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num))
{ {
return False; return False;
} }
cli->ntlmssp_seq_num++;
} }
return True; return True;
} }
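Review bot: With the increment moved out of rpc_auth_ntlmssp_chk, the line `cli->ntlmssp_seq_num++;` now silently defines the client's half of the sequence-number protocol, and nothing in the hunk says how the request-signing side is expected to keep in step with it. A comment on that line would make the contract explicit: `/* reply verified at seq N; counter advanced so the next signed message on this pipe uses N+1 — must stay in step with the sending side */`. On a failed check the function returns False with the counter untouched, which is only safe if the caller then abandons the pipe rather than continuing with a desynchronised counter; that assumption belongs in the same comment. rpc_auth_pipe begins before the hunk.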


@@ -559,6 +559,9 @@ void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg,
/******************************************************************* /*******************************************************************
reads or writes an RPC_AUTH_NTLMSSP_NEG structure. reads or writes an RPC_AUTH_NTLMSSP_NEG structure.
*** lkclXXXX HACK ALERT! ***
********************************************************************/ ********************************************************************/
void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth) void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth)
{ {
@@ -582,11 +585,11 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru
old_offset = ps->offset; old_offset = ps->offset;
ps->offset = neg->hdr_myname .buffer + 0x1c; ps->offset = neg->hdr_myname .buffer + 0x50; /* lkclXXXX HACK! */
prs_uint8s(True , "myname", ps, depth, (uint8*)neg->myname , MIN(neg->hdr_myname .str_str_len, sizeof(neg->myname ))); prs_uint8s(True , "myname", ps, depth, (uint8*)neg->myname , MIN(neg->hdr_myname .str_str_len, sizeof(neg->myname )));
old_offset += neg->hdr_myname .str_str_len; old_offset += neg->hdr_myname .str_str_len;
ps->offset = neg->hdr_domain .buffer + 0x1c; ps->offset = neg->hdr_domain .buffer + 0x50; /* lkclXXXX HACK! */
prs_uint8s(True , "domain", ps, depth, (uint8*)neg->domain , MIN(neg->hdr_domain .str_str_len, sizeof(neg->domain ))); prs_uint8s(True , "domain", ps, depth, (uint8*)neg->domain , MIN(neg->hdr_domain .str_str_len, sizeof(neg->domain )));
old_offset += neg->hdr_domain .str_str_len; old_offset += neg->hdr_domain .str_str_len;
@@ -803,24 +806,23 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st
/******************************************************************* /*******************************************************************
checks an RPC_AUTH_NTLMSSP_CHK structure. checks an RPC_AUTH_NTLMSSP_CHK structure.
********************************************************************/ ********************************************************************/
BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 *seq_num) BOOL rpc_auth_ntlmssp_chk(RPC_AUTH_NTLMSSP_CHK *chk, uint32 crc32, uint32 seq_num)
{ {
if (chk == NULL || seq_num == NULL) if (chk == NULL)
{ {
return False; return False;
} }
if (chk->crc32 != crc32 || if (chk->crc32 != crc32 ||
chk->ver != NTLMSSP_SIGN_VERSION || chk->ver != NTLMSSP_SIGN_VERSION ||
chk->seq_num != (*seq_num)) chk->seq_num != seq_num)
{ {
DEBUG(5,("verify failed - crc %x ver %x seq %d\n", DEBUG(5,("verify failed - crc %x ver %x seq %d\n",
crc32, NTLMSSP_SIGN_VERSION, (*seq_num)-1)); crc32, NTLMSSP_SIGN_VERSION, seq_num));
DEBUG(5,("verify expect - crc %x ver %x seq %d\n", DEBUG(5,("verify expect - crc %x ver %x seq %d\n",
chk->crc32, chk->ver, chk->seq_num)); chk->crc32, chk->ver, chk->seq_num));
return False; return False;
} }
(*seq_num)++;
return True; return True;
} }
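Review bot: `ps->offset = neg->hdr_myname .buffer + 0x50;` and the matching `hdr_domain` line set the parse position from an offset that, on the read path, presumably comes from the message itself, and the hunk shows no check that the result lies within the buffer before `prs_uint8s` reads up to `sizeof(neg->myname)` / `sizeof(neg->domain)` bytes from it; unless prs_uint8s bounds-checks `ps->offset` itself (not visible here), a malformed negotiate message would drive an out-of-range read, so a range check against the buffer length belongs before each `prs_uint8s`. The replacement of 0x1c by 0x50 is also a bare magic number labelled `HACK!`; both values presumably stand for the distance between the start of the parsed buffer and the start of the NTLMSSP blob, so a named constant with a comment saying what the 0x50 is made of would record why it changed. The `*** lkclXXXX HACK ALERT! ***` line in the function header says that something is wrong without saying what; replacing it with the actual caveat, e.g. `/* string offsets in hdr_myname/hdr_domain are relative to the NTLMSSP blob, not to ps, hence the fixed adjustment below */`, would help the next maintainer. smb_io_rpc_auth_ntlmssp_neg begins before and ends after its hunk.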


@@ -215,7 +215,7 @@ BOOL create_rpc_reply(pipes_struct *p,
if (p->ntlmssp_auth) if (p->ntlmssp_auth)
{ {
p->hdr_resp.alloc_hint -= auth_len - 16; p->hdr_resp.alloc_hint -= auth_len + 8;
} }
if (p->ntlmssp_auth) if (p->ntlmssp_auth)
@@ -252,8 +252,8 @@ BOOL create_rpc_reply(pipes_struct *p,
if (auth_seal) if (auth_seal)
{ {
NTLMSSPcalc(p->ntlmssp_hash, (uchar*)data, data_len);
crc32 = crc32_calc_buffer(data_len, data); crc32 = crc32_calc_buffer(data_len, data);
NTLMSSPcalc(p->ntlmssp_hash, (uchar*)data, data_len);
} }
if (auth_seal || auth_verify) if (auth_seal || auth_verify)
@@ -265,7 +265,8 @@ BOOL create_rpc_reply(pipes_struct *p,
if (auth_verify) if (auth_verify)
{ {
char *auth_data; char *auth_data;
make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num); p->ntlmssp_seq_num++;
make_rpc_auth_ntlmssp_chk(&p->ntlmssp_chk, NTLMSSP_SIGN_VERSION, crc32, p->ntlmssp_seq_num++);
smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), &p->rverf, 0); smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), &p->rverf, 0);
auth_data = mem_data(&p->rverf.data, 4); auth_data = mem_data(&p->rverf.data, 4);
NTLMSSPcalc(p->ntlmssp_hash, (uchar*)auth_data, 12); NTLMSSPcalc(p->ntlmssp_hash, (uchar*)auth_data, 12);
@@ -624,11 +625,10 @@ static BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *pd)
smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), pd, 0); smb_io_rpc_auth_ntlmssp_chk("auth_sign", &(p->ntlmssp_chk), pd, 0);
if (!rpc_auth_ntlmssp_chk(&(p->ntlmssp_chk), crc32, if (!rpc_auth_ntlmssp_chk(&(p->ntlmssp_chk), crc32,
&(p->ntlmssp_seq_num))) p->ntlmssp_seq_num))
{ {
return False; return False;
} }
p->ntlmssp_seq_num = 0;
} }
pd->offset = old_offset; pd->offset = old_offset;
@@ -777,7 +777,7 @@ BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds
} }
/* create the rpc header */ /* create the rpc header */
if (!create_rpc_reply(p, 0, p->rdata.offset + (p->ntlmssp_auth ? (16 + 16) : 0))) if (!create_rpc_reply(p, 0, p->rdata.offset + (p->ntlmssp_auth ? (16 + 8) : 0)))
{ {
return False; return False;
} }
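Review bot: In create_rpc_reply the counter is stepped twice per reply — `p->ntlmssp_seq_num++;` on its own line and again as the post-increment argument `p->ntlmssp_seq_num++` to make_rpc_auth_ntlmssp_chk — so the reply is signed with N+1 and the next request is verified against N+2 (api_pipe_auth_process now compares `p->ntlmssp_seq_num` by value and no longer resets it to 0); read cold, the double step looks like an accident, and the hunk gives no reason for it. A comment on the first of those lines would keep it from being "fixed" later: `/* shared counter: request verified at N, reply signed with N+1, next request expected at N+2 */` (the apparent rule; worth confirming against the client side's request signing). The alloc_hint adjustment `auth_len + 8` and the `(16 + 8)` in api_rpcTNP appear to encode the same auth-trailer layout as two unrelated literals; a named constant for the 8 (and the 16) would tie them together and make the next size change a one-line edit. The reordering so that crc32_calc_buffer runs before NTLMSSPcalc looks right, presumably because the peer verifies the checksum over the decrypted data. create_rpc_reply and api_pipe_auth_process both extend beyond their hunks.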