summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/libcli/auth/ntlmssp_sign.c40
-rw-r--r--source4/librpc/rpc/dcerpc.c13
-rw-r--r--source4/rpc_server/dcesrv_auth.c5
3 files changed, 27 insertions, 31 deletions
diff --git a/source4/libcli/auth/ntlmssp_sign.c b/source4/libcli/auth/ntlmssp_sign.c
index 2ab54124e3..2b9659ae52 100644
--- a/source4/libcli/auth/ntlmssp_sign.c
+++ b/source4/libcli/auth/ntlmssp_sign.c
@@ -66,7 +66,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
enum ntlmssp_direction direction,
- DATA_BLOB *sig, BOOL encrypt_sig)
+ DATA_BLOB *sig, BOOL encrypt_sig)
{
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
@@ -120,9 +120,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
}
ntlmssp_state->ntlm_seq_num++;
- if (encrypt_sig) {
- arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4);
- }
+ arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4);
}
dump_data_pw("calculated ntlmssp signature\n", sig->data, sig->length);
return NT_STATUS_OK;
@@ -245,13 +243,14 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
/* The order of these two operations matters - we must first seal the packet,
then seal the sequence number - this is becouse the send_seal_hash is not
constant, but is is rather updated with each iteration */
-
- arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, data, length);
-
nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx,
data, length,
whole_pdu, pdu_length,
- NTLMSSP_SEND, sig, True);
+ NTLMSSP_SEND, sig, False);
+ arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, data, length);
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
+ arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, sig->data+4, 8);
+ }
} else {
uint32_t crc;
crc = crc32_calc_buffer((const char *)data, length);
@@ -259,12 +258,13 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
return NT_STATUS_NO_MEMORY;
}
- /* The order of these two operations matters - we must first seal the packet,
- then seal the sequence number - this is becouse the ntlmssp_hash is not
- constant, but is is rather updated with each iteration */
-
- arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, data, length);
+ /* The order of these two operations matters - we must
+ first seal the packet, then seal the sequence
+ number - this is becouse the ntlmssp_hash is not
+ constant, but is is rather updated with each
+ iteration */
+ arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, data, length);
arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4);
/* increment counter on send */
ntlmssp_state->ntlm_seq_num++;
@@ -297,26 +297,16 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
dump_data_pw("ntlmssp sealed data\n", data, length);
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
-
- /* We have to pass the data past the arcfour pad in
- * the correct order, so we must encrypt the signature
- * after we decrypt the main body. however, the
- * signature is calculated over the encrypted data */
+ arcfour_crypt_sbox(ntlmssp_state->recv_seal_hash, data, length);
nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx,
data, length,
whole_pdu, pdu_length,
- NTLMSSP_RECEIVE, &local_sig, False);
+ NTLMSSP_RECEIVE, &local_sig, True);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- arcfour_crypt_sbox(ntlmssp_state->recv_seal_hash, data, length);
-
- if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
- arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, local_sig.data + 4, 8);
- }
-
if (local_sig.length != sig->length ||
memcmp(local_sig.data,
sig->data, sig->length) != 0) {
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index c2f691aa09..629edd16d4 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -214,11 +214,14 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
case DCERPC_AUTH_LEVEL_PRIVACY:
status = gensec_unseal_packet(p->security_state.generic_state,
mem_ctx,
- pkt->u.response.stub_and_verifier.data,
+ blob->data + DCERPC_REQUEST_LENGTH,
pkt->u.response.stub_and_verifier.length,
blob->data,
blob->length - auth.credentials.length,
&auth.credentials);
+ memcpy(pkt->u.response.stub_and_verifier.data,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.response.stub_and_verifier.length);
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -327,8 +330,8 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
case DCERPC_AUTH_LEVEL_PRIVACY:
status = gensec_seal_packet(p->security_state.generic_state,
mem_ctx,
- ndr->data + DCERPC_REQUEST_LENGTH,
- ndr->offset - DCERPC_REQUEST_LENGTH,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.request.stub_and_verifier.length+p->security_state.auth_info->auth_pad_length,
blob->data,
blob->length -
p->security_state.auth_info->credentials.length,
@@ -339,8 +342,8 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
case DCERPC_AUTH_LEVEL_INTEGRITY:
status = gensec_sign_packet(p->security_state.generic_state,
mem_ctx,
- ndr->data + DCERPC_REQUEST_LENGTH,
- ndr->offset - DCERPC_REQUEST_LENGTH,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.request.stub_and_verifier.length,
blob->data,
blob->length -
p->security_state.auth_info->credentials.length,
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 20ed496d32..e2a798c1ae 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -240,11 +240,14 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
case DCERPC_AUTH_LEVEL_PRIVACY:
status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
call->mem_ctx,
- pkt->u.request.stub_and_verifier.data,
+ full_packet->data + DCERPC_REQUEST_LENGTH,
pkt->u.request.stub_and_verifier.length,
full_packet->data,
full_packet->length-auth.credentials.length,
&auth.credentials);
+ memcpy(pkt->u.request.stub_and_verifier.data,
+ full_packet->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.request.stub_and_verifier.length);
break;
case DCERPC_AUTH_LEVEL_INTEGRITY: