r2294: this fixes the NTLM2 sign+seal combination. I have now tested:

 NTLM sign
 NTLM sign+seal
 NTLM2 sign
 NTLM2 sign+seal

and all of the above both with and without key exchange

the NTLM2 seal case is ugly and involves an extra data copy, which
some API changes in gensec or the ndr layer might avoid in future.
(This used to be commit fce7a4218b3136d880dd1a123e8525e3091bbed8)

3 files changed, 27 insertions, 31 deletions

diff --git a/source4/libcli/auth/ntlmssp_sign.c b/source4/libcli/auth/ntlmssp_sign.c
index 2ab54124e3..2b9659ae52 100644
--- a/source4/libcli/auth/ntlmssp_sign.c
+++ b/source4/libcli/auth/ntlmssp_sign.c
@@ -66,7 +66,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
 					      const uint8_t *data, size_t length, 
 					      const uint8_t *whole_pdu, size_t pdu_length, 
 					      enum ntlmssp_direction direction,
-					      DATA_BLOB *sig, BOOL encrypt_sig) 
+					      DATA_BLOB *sig, BOOL encrypt_sig)
 {
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 
@@ -120,9 +120,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
 		}
 		ntlmssp_state->ntlm_seq_num++;
 
-		if (encrypt_sig) {
-			arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4);
-		}
+		arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4);
 	}
 	dump_data_pw("calculated ntlmssp signature\n", sig->data, sig->length);
 	return NT_STATUS_OK;
@@ -245,13 +243,14 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
 		/* The order of these two operations matters - we must first seal the packet,
 		   then seal the sequence number - this is becouse the send_seal_hash is not
 		   constant, but is is rather updated with each iteration */
-		
-		arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, data, length);
-
 		nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx, 
 							  data, length, 
 							  whole_pdu, pdu_length, 
-							  NTLMSSP_SEND, sig, True);
+							  NTLMSSP_SEND, sig, False);
+		arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, data, length);
+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
+			arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, sig->data+4, 8);
+		}
 	} else {
 		uint32_t crc;
 		crc = crc32_calc_buffer((const char *)data, length);
@@ -259,12 +258,13 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		/* The order of these two operations matters - we must first seal the packet,
-		   then seal the sequence number - this is becouse the ntlmssp_hash is not
-		   constant, but is is rather updated with each iteration */
-		
-		arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, data, length);
+		/* The order of these two operations matters - we must
+		   first seal the packet, then seal the sequence
+		   number - this is becouse the ntlmssp_hash is not
+		   constant, but is is rather updated with each
+		   iteration */
 
+		arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, data, length);
 		arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4);
 		/* increment counter on send */
 		ntlmssp_state->ntlm_seq_num++;
@@ -297,26 +297,16 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
 
 	dump_data_pw("ntlmssp sealed data\n", data, length);
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
-
-		/* We have to pass the data past the arcfour pad in
-		 * the correct order, so we must encrypt the signature
-		 * after we decrypt the main body.  however, the
-		 * signature is calculated over the encrypted data */
+		arcfour_crypt_sbox(ntlmssp_state->recv_seal_hash, data, length);
 
 		nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx, 
 							  data, length, 
 							  whole_pdu, pdu_length, 
-							  NTLMSSP_RECEIVE, &local_sig, False);
+							  NTLMSSP_RECEIVE, &local_sig, True);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return nt_status;
 		}
 
-		arcfour_crypt_sbox(ntlmssp_state->recv_seal_hash, data, length);
-
-		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
-			arcfour_crypt_sbox(ntlmssp_state->send_seal_hash,  local_sig.data + 4, 8);
-		}
-
 		if (local_sig.length != sig->length ||
 		    memcmp(local_sig.data, 
 			   sig->data, sig->length) != 0) {
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index c2f691aa09..629edd16d4 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -214,11 +214,14 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = gensec_unseal_packet(p->security_state.generic_state, 
 					      mem_ctx, 
-					      pkt->u.response.stub_and_verifier.data, 
+					      blob->data + DCERPC_REQUEST_LENGTH,
 					      pkt->u.response.stub_and_verifier.length, 
 					      blob->data,
 					      blob->length - auth.credentials.length,
 					      &auth.credentials);
+		memcpy(pkt->u.response.stub_and_verifier.data,
+		       blob->data + DCERPC_REQUEST_LENGTH,
+		       pkt->u.response.stub_and_verifier.length);
 		break;
 		
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -327,8 +330,8 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = gensec_seal_packet(p->security_state.generic_state, 
 					    mem_ctx, 
-					    ndr->data + DCERPC_REQUEST_LENGTH, 
-					    ndr->offset - DCERPC_REQUEST_LENGTH,
+					    blob->data + DCERPC_REQUEST_LENGTH, 
+					    pkt->u.request.stub_and_verifier.length+p->security_state.auth_info->auth_pad_length,
 					    blob->data,
 					    blob->length - 
 					    p->security_state.auth_info->credentials.length,
@@ -339,8 +342,8 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
 		status = gensec_sign_packet(p->security_state.generic_state, 
 					    mem_ctx, 
-					    ndr->data + DCERPC_REQUEST_LENGTH, 
-					    ndr->offset - DCERPC_REQUEST_LENGTH,
+					    blob->data + DCERPC_REQUEST_LENGTH, 
+					    pkt->u.request.stub_and_verifier.length,
 					    blob->data,
 					    blob->length - 
 					    p->security_state.auth_info->credentials.length,
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 20ed496d32..e2a798c1ae 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -240,11 +240,14 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
 					      call->mem_ctx,
-					      pkt->u.request.stub_and_verifier.data, 
+					      full_packet->data + DCERPC_REQUEST_LENGTH,
 					      pkt->u.request.stub_and_verifier.length, 
 					      full_packet->data,
 					      full_packet->length-auth.credentials.length,
 					      &auth.credentials);
+		memcpy(pkt->u.request.stub_and_verifier.data, 
+		       full_packet->data + DCERPC_REQUEST_LENGTH,
+		       pkt->u.request.stub_and_verifier.length);
 		break;
 
 	case DCERPC_AUTH_LEVEL_INTEGRITY: