diff options
-rw-r--r-- | source4/libcli/auth/session.c | 133 | ||||
-rw-r--r-- | source4/libcli/config.m4 | 5 | ||||
-rw-r--r-- | source4/libcli/util/dom_sid.c | 90 | ||||
-rw-r--r-- | source4/libcli/util/smbdes.c | 2 | ||||
-rw-r--r-- | source4/librpc/idl/lsa.idl | 25 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 22 | ||||
-rw-r--r-- | source4/torture/rpc/lsa.c | 150 |
7 files changed, 352 insertions, 75 deletions
diff --git a/source4/libcli/auth/session.c b/source4/libcli/auth/session.c new file mode 100644 index 0000000000..946b0fe62f --- /dev/null +++ b/source4/libcli/auth/session.c @@ -0,0 +1,133 @@ +/* + Unix SMB/CIFS implementation. + + code to encrypt/decrypt data using the user session key + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + encrypt or decrypt a blob of data using the user session key + as used in lsa_SetSecret + + before calling, the out blob must be initialised to be the same size + as the in blob +*/ +void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const uint8 session_key[16], + BOOL forward) +{ + int i, k; + + for (i=0,k=0; + i<in->length; + i += 8, k += 7) { + uint8 bin[8], bout[8], key[7]; + + memset(bin, 0, 8); + memcpy(bin, &in->data[i], MIN(8, in->length-i)); + + if (k + 7 > 16) { + k = (16 - k); + } + memcpy(key, &session_key[k], 7); + + smbhash(bout, bin, key, forward?1:0); + + memcpy(&out->data[i], bout, MIN(8, in->length-i)); + } +} + + +/* + a convenient wrapper around sess_crypt_blob() for strings, using the LSA convention + + note that we round the length to a multiple of 8. This seems to be needed for + compatibility with windows + + caller should free using data_blob_free() +*/ +DATA_BLOB sess_encrypt_string(const char *str, const uint8 session_key[16]) +{ + DATA_BLOB ret, src; + int slen = strlen(str); + int dlen = (slen+7) & ~7; + + src = data_blob(NULL, 8+dlen); + if (!src.data) { + return data_blob(NULL, 0); + } + + ret = data_blob(NULL, 8+dlen); + if (!ret.data) { + data_blob_free(&src); + return data_blob(NULL, 0); + } + + SIVAL(src.data, 0, slen); + SIVAL(src.data, 4, 1); + memset(src.data+8, 0, dlen); + memcpy(src.data+8, str, slen); + + sess_crypt_blob(&ret, &src, session_key, True); + + data_blob_free(&src); + + return ret; +} + +/* + a convenient wrapper around sess_crypt_blob() for strings, using the LSA convention + + caller should free the returned string +*/ +char *sess_decrypt_string(DATA_BLOB *blob, const uint8 session_key[16]) +{ + DATA_BLOB out; + int slen; + char *ret; + + if (blob->length < 8) { + return NULL; + } + + out = data_blob(NULL, blob->length); + if (!out.data) { + return NULL; + } + + sess_crypt_blob(&out, blob, session_key, False); + + slen = IVAL(out.data, 0); + if (slen > blob->length - 8) { + DEBUG(0,("Invalid crypt length %d\n", slen)); + return NULL; + } + + if (IVAL(out.data, 4) != 1) { + DEBUG(0,("Unexpected revision number %d in session crypted string\n", + IVAL(out.data, 4))); + return NULL; + } + + ret = strndup(out.data+8, slen); + + data_blob_free(&out); + + return ret; +} diff --git a/source4/libcli/config.m4 b/source4/libcli/config.m4 index 7176f83ebc..ac8e7cbabb 100644 --- a/source4/libcli/config.m4 +++ b/source4/libcli/config.m4 @@ -18,13 +18,14 @@ SMB_SUBSYSTEM(LIBCLI_UTILS,[], libcli/util/smberr.o \ libcli/util/doserr.o libcli/util/errormap.o \ libcli/util/pwd_cache.o libcli/util/clierror.o libcli/util/cliutil.o \ - libcli/util/nterr.o libcli/util/smbdes.o libcli/util/smbencrypt.o], + libcli/util/nterr.o libcli/util/smbdes.o libcli/util/smbencrypt.o \ + libcli/util/dom_sid.o], libcli/util/libcli_utils_public_proto.h) SMB_SUBSYSTEM(LIBCLI_AUTH,[], [libcli/auth/ntlmssp.o libcli/auth/ntlmssp_parse.o \ libcli/auth/ntlmssp_sign.o libcli/auth/schannel.o \ - libcli/auth/credentials.o], + libcli/auth/credentials.o libcli/auth/session.o], libcli/auth/libcli_auth_public_proto.h) SMB_SUBSYSTEM(LIBCLI_NMB,[], diff --git a/source4/libcli/util/dom_sid.c b/source4/libcli/util/dom_sid.c new file mode 100644 index 0000000000..652f17a6b6 --- /dev/null +++ b/source4/libcli/util/dom_sid.c @@ -0,0 +1,90 @@ +/* + Unix SMB/CIFS implementation. + + routines to manipulate a "struct dom_sid" + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) +{ + struct dom_sid *ret; + unsigned int rev, ia, num_sub_auths, i; + char *p; + + if (strncasecmp(sidstr, "S-", 2)) { + return NULL; + } + + sidstr += 2; + + rev = strtol(sidstr, &p, 10); + if (*p != '-') { + return NULL; + } + sidstr = p+1; + + ia = strtol(sidstr, &p, 10); + if (*p != '-') { + return NULL; + } + sidstr = p+1; + + num_sub_auths = 0; + for (i=0;sidstr[i];i++) { + if (sidstr[i] == '-') num_sub_auths++; + } + + ret = talloc_p(mem_ctx, struct dom_sid); + if (!ret) { + return NULL; + } + + ret->sub_auths = talloc_array_p(mem_ctx, uint32, num_sub_auths); + if (!ret->sub_auths) { + return NULL; + } + + ret->sid_rev_num = rev; + ret->id_auth[0] = 0; + ret->id_auth[0] = 0; + ret->id_auth[1] = 0; + ret->id_auth[2] = ia >> 24; + ret->id_auth[3] = ia >> 16; + ret->id_auth[4] = ia >> 8; + ret->id_auth[5] = ia; + ret->num_auths = num_sub_auths; + + for (i=0;i<num_sub_auths;i++) { + ret->sub_auths[i] = strtol(sidstr, &p, 10); + if (p == sidstr) { + return NULL; + } + if (*p != '-' && i < num_sub_auths-1) { + return NULL; + } + sidstr = p+1; + } + + return ret; +} + diff --git a/source4/libcli/util/smbdes.c b/source4/libcli/util/smbdes.c index e5c4c6f3f1..d282b0135a 100644 --- a/source4/libcli/util/smbdes.c +++ b/source4/libcli/util/smbdes.c @@ -276,7 +276,7 @@ static void str_to_key(const unsigned char *str,unsigned char *key) } -static void smbhash(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw) +void smbhash(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw) { int i; char outb[64]; diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl index d8c6389bb3..2e3049ac78 100644 --- a/source4/librpc/idl/lsa.idl +++ b/source4/librpc/idl/lsa.idl @@ -411,9 +411,30 @@ ); /* Function: 0x1d */ - NTSTATUS SETSECRET (); + typedef [flag(NDR_PAHEX)] struct { + uint32 length; + uint32 size; + [size_is(size),length_is(length)] uint8 *data; + } lsa_DATA_BUF; + + NTSTATUS lsa_SetSecret( + [in,ref] policy_handle *handle, + [in] lsa_DATA_BUF *new_val, + [in] lsa_DATA_BUF *old_val + ); + + typedef struct { + lsa_DATA_BUF *buf; + } lsa_DATA_BUF_PTR; + /* Function: 0x1e */ - NTSTATUS QUERYSECRET (); + NTSTATUS lsa_QuerySecret ( + [in,ref] policy_handle *handle, + [in,out] lsa_DATA_BUF_PTR *new_val, + [in,out] NTTIME *new_mtime, + [in,out] lsa_DATA_BUF_PTR *old_val, + [in,out] NTTIME *old_mtime + ); /* Function: 0x1f */ NTSTATUS LOOKUPPRIVVALUE (); diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index ba61f28c95..b52631670b 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -666,3 +666,25 @@ NTSTATUS dcerpc_secondary_smb(struct dcerpc_pipe *p, struct dcerpc_pipe **p2, return NT_STATUS_OK; } + + +/* + fetch the user session key for the underlying transport. Currently + only works for the ncacn_np transport +*/ +NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p, + uint8 session_key[16]) +{ + struct cli_tree *tree; + + tree = dcerpc_smb_tree(p); + if (!tree) { + return NT_STATUS_INVALID_PARAMETER; + } + + memcpy(session_key, + tree->session->transport->negotiate.user_session_key, + 16); + + return NT_STATUS_OK; +} diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 5aab8b366a..0b5f825ac2 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -252,73 +252,16 @@ static BOOL test_Delete(struct dcerpc_pipe *p, } -static BOOL find_domain_sid(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, - struct policy_handle *handle, - struct dom_sid2 **sid) -{ - struct lsa_QueryInfoPolicy r; - NTSTATUS status; - - r.in.handle = handle; - r.in.level = LSA_POLICY_INFO_DOMAIN; - - status = dcerpc_lsa_QueryInfoPolicy(p, mem_ctx, &r); - - if (!NT_STATUS_IS_OK(status)) { - printf("LSA_POLICY_INFO_DOMAIN failed - %s\n", nt_errstr(status)); - return False; - } - - *sid = r.out.info->domain.sid; - - return True; -} - -static struct dom_sid *sid_add_auth(TALLOC_CTX *mem_ctx, - const struct dom_sid *sid, - uint32 sub_auth) -{ - struct dom_sid *ret; - - ret = talloc_p(mem_ctx, struct dom_sid); - if (!ret) { - return NULL; - } - - *ret = *sid; - - ret->sub_auths = talloc_array_p(mem_ctx, uint32, ret->num_auths+1); - if (!ret->sub_auths) { - return NULL; - } - - memcpy(ret->sub_auths, sid->sub_auths, - ret->num_auths * sizeof(sid->sub_auths[0])); - ret->sub_auths[ret->num_auths] = sub_auth; - ret->num_auths++; - - return ret; -} - static BOOL test_CreateAccount(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle) { NTSTATUS status; struct lsa_CreateAccount r; - struct dom_sid2 *domsid, *newsid; + struct dom_sid2 *newsid; struct policy_handle acct_handle; - if (!find_domain_sid(p, mem_ctx, handle, &domsid)) { - return False; - } - - newsid = sid_add_auth(mem_ctx, domsid, 0x1234abcd); - if (!newsid) { - printf("Failed to create newsid\n"); - return False; - } + newsid = dom_sid_parse_talloc(mem_ctx, "S-1-5-12349876-4321-2854"); printf("Testing CreateAccount\n"); @@ -353,11 +296,7 @@ static BOOL test_CreateTrustedDomain(struct dcerpc_pipe *p, printf("Testing CreateTrustedDomain\n"); - if (!find_domain_sid(p, mem_ctx, handle, &domsid)) { - return False; - } - - domsid->sub_auths[domsid->num_auths-1] ^= 0xF0F0F0F0; + domsid = dom_sid_parse_talloc(mem_ctx, "S-1-5-697-97398-3797956"); trustinfo.sid = domsid; init_lsa_Name(&trustinfo.name, "torturedomain"); @@ -387,12 +326,26 @@ static BOOL test_CreateSecret(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_CreateSecret r; struct lsa_OpenSecret r2; + struct lsa_SetSecret r3; + struct lsa_QuerySecret r4; struct policy_handle sec_handle, sec_handle2; struct lsa_Delete d; + struct lsa_DATA_BUF buf1; + struct lsa_DATA_BUF_PTR bufp1; + DATA_BLOB enc_key; + BOOL ret = True; + uint8 session_key[16]; + NTTIME old_mtime, new_mtime; + DATA_BLOB blob1, blob2; + const char *secret1 = "abcdef12345699qwerty"; + char *secret2; + char *secname; printf("Testing CreateSecret\n"); - init_lsa_Name(&r.in.name, "torturesecret"); + asprintf(&secname, "torturesecret-%u", (unsigned)random()); + + init_lsa_Name(&r.in.name, secname); r.in.handle = handle; r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED; @@ -406,7 +359,7 @@ static BOOL test_CreateSecret(struct dcerpc_pipe *p, r2.in.handle = handle; r2.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED; - init_lsa_Name(&r2.in.name, "torturesecret"); + r2.in.name = r.in.name; r2.out.sec_handle = &sec_handle2; printf("Testing OpenSecret\n"); @@ -414,21 +367,78 @@ static BOOL test_CreateSecret(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenSecret(p, mem_ctx, &r2); if (!NT_STATUS_IS_OK(status)) { printf("OpenSecret failed - %s\n", nt_errstr(status)); - return False; + ret = False; + } + + status = dcerpc_fetch_session_key(p, session_key); + if (!NT_STATUS_IS_OK(status)) { + printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status)); + ret = False; + } + + enc_key = sess_encrypt_string(secret1, session_key); + + r3.in.handle = &sec_handle; + r3.in.new_val = &buf1; + r3.in.old_val = NULL; + r3.in.new_val->data = enc_key.data; + r3.in.new_val->length = enc_key.length; + r3.in.new_val->size = enc_key.length; + + printf("Testing SetSecret\n"); + + status = dcerpc_lsa_SetSecret(p, mem_ctx, &r3); + if (!NT_STATUS_IS_OK(status)) { + printf("SetSecret failed - %s\n", nt_errstr(status)); + ret = False; + } + + data_blob_free(&enc_key); + + ZERO_STRUCT(new_mtime); + ZERO_STRUCT(old_mtime); + + /* fetch the secret back again */ + r4.in.handle = &sec_handle; + r4.in.new_val = &bufp1; + r4.in.new_mtime = &new_mtime; + r4.in.old_val = NULL; + r4.in.old_mtime = NULL; + + bufp1.buf = NULL; + + status = dcerpc_lsa_QuerySecret(p, mem_ctx, &r4); + if (!NT_STATUS_IS_OK(status)) { + printf("QuerySecret failed - %s\n", nt_errstr(status)); + ret = False; + } + + blob1.data = r4.out.new_val->buf->data; + blob1.length = r4.out.new_val->buf->length; + + blob2 = data_blob(NULL, blob1.length); + + secret2 = sess_decrypt_string(&blob1, session_key); + + printf("returned secret '%s'\n", secret2); + + if (strcmp(secret1, secret2) != 0) { + printf("Returned secret doesn't match\n"); + ret = False; } if (!test_Delete(p, mem_ctx, &sec_handle)) { - return False; + ret = False; } d.in.handle = &sec_handle2; status = dcerpc_lsa_Delete(p, mem_ctx, &d); if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) { printf("Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status)); - return False; + ret = False; } - return True; + return ret; } static BOOL test_EnumAccountRights(struct dcerpc_pipe *p, |