-rw-r--r-- | source4/libcli/auth/ntlmssp_sign.c | 40 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 13 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 5 |
3 files changed, 27 insertions, 31 deletions
diff --git a/source4/libcli/auth/ntlmssp_sign.c b/source4/libcli/auth/ntlmssp_sign.c index 2ab54124e3..2b9659ae52 100644 --- a/source4/libcli/auth/ntlmssp_sign.c +++ b/source4/libcli/auth/ntlmssp_sign.c @@ -66,7 +66,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, enum ntlmssp_direction direction, - DATA_BLOB *sig, BOOL encrypt_sig) + DATA_BLOB *sig, BOOL encrypt_sig) { if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { @@ -120,9 +120,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat } ntlmssp_state->ntlm_seq_num++; - if (encrypt_sig) { - arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4); - } + arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4); } dump_data_pw("calculated ntlmssp signature\n", sig->data, sig->length); return NT_STATUS_OK; @@ -245,13 +243,14 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, /* The order of these two operations matters - we must first seal the packet, then seal the sequence number - this is becouse the send_seal_hash is not constant, but is is rather updated with each iteration */ - - arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, data, length); - nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, - NTLMSSP_SEND, sig, True); + NTLMSSP_SEND, sig, False); + arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, data, length); + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, sig->data+4, 8); + } } else { uint32_t crc; crc = crc32_calc_buffer((const char *)data, length); 
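Review bot: In the `@@ -120` hunk of ntlmssp_make_packet_signature the `if (encrypt_sig)` guard around `arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4)` is dropped, so on the non-NTLM2 path the `encrypt_sig` parameter is now silently ignored and any caller passing False still receives an RC4-encrypted signature, while on the NTLM2 branch the flag presumably still decides whether the digest is sealed. That asymmetry should be stated where it happens, e.g. `/* NTLM1 signatures are always RC4-encrypted with ntlmssp_hash; encrypt_sig only controls the NTLM2 digest */`, and the parameter description at the function header (the `@@ -66` hunk) should say the same. It is also worth confirming that no remaining sign/check caller on this path relied on an unencrypted signature. The function body extends beyond the hunk.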
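Review bot: In the `@@ -245` hunk of ntlmssp_seal_packet the result of ntlmssp_make_packet_signature is stored in `nt_status` but not examined before the new code seals `data` and, under NTLMSSP_NEGOTIATE_KEY_EXCH, RC4s `sig->data+4`; if the signature step failed (it can return NT_STATUS_NO_MEMORY) `sig->data` is likely unset and the caller's buffer has been encrypted with an advanced cipher state for a call that then fails, unless a check follows the if/else outside the hunk. Insert `if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }` directly after the signature call, before the first `arcfour_crypt_sbox`. The reordering itself (HMAC over the plaintext, then seal the payload, then seal the 8-byte digest from the same send_seal_hash stream) is the right sequence, but the surviving comment above it still says "first seal the packet, then seal the sequence number"; it should say that it is the digest at `sig->data+4` that is sealed after the payload because the RC4 keystream is consumed in order. The rest of ntlmssp_seal_packet continues outside the hunk.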
@@ -259,12 +258,13 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, return NT_STATUS_NO_MEMORY; } - /* The order of these two operations matters - we must first seal the packet, - then seal the sequence number - this is becouse the ntlmssp_hash is not - constant, but is is rather updated with each iteration */ - - arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, data, length); + /* The order of these two operations matters - we must + first seal the packet, then seal the sequence + number - this is becouse the ntlmssp_hash is not + constant, but is is rather updated with each + iteration */ + arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, data, length); arcfour_crypt_sbox(ntlmssp_state->ntlmssp_hash, sig->data+4, sig->length-4); /* increment counter on send */ ntlmssp_state->ntlm_seq_num++; @@ -297,26 +297,16 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, dump_data_pw("ntlmssp sealed data\n", data, length); if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - - /* We have to pass the data past the arcfour pad in - * the correct order, so we must encrypt the signature - * after we decrypt the main body. however, the - * signature is calculated over the encrypted data */ + arcfour_crypt_sbox(ntlmssp_state->recv_seal_hash, data, length); nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, - NTLMSSP_RECEIVE, &local_sig, False); + NTLMSSP_RECEIVE, &local_sig, True); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - arcfour_crypt_sbox(ntlmssp_state->recv_seal_hash, data, length); - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { - arcfour_crypt_sbox(ntlmssp_state->send_seal_hash, local_sig.data + 4, 8); - } - if (local_sig.length != sig->length || memcmp(local_sig.data, sig->data, sig->length) != 0) { diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index c2f691aa09..629edd16d4 100644 --- a/source4/librpc/rpc/dcerpc.c 
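Review bot: In the `@@ -297` hunk ntlmssp_unseal_packet now decrypts `data` in place with recv_seal_hash before the signature is recomputed and compared, so when the comparison at the end of the hunk fails the caller is left holding decrypted but unauthenticated bytes and the receive RC4 state and sequence number have already advanced. That makes a mismatch fatal for the security context rather than something to retry, and the contract belongs in a comment at the decrypt line, e.g. `/* decrypt first: the NTLM2 HMAC is over plaintext. On a signature mismatch the stream state is desynchronised; callers must drop the context */`. The compare `memcmp(local_sig.data, sig->data, sig->length)` is also not constant-time; if the tree has a constant-time compare helper it belongs here. The remainder of the function is outside the hunk.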
+++ b/source4/librpc/rpc/dcerpc.c @@ -214,11 +214,14 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p, case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_unseal_packet(p->security_state.generic_state, mem_ctx, - pkt->u.response.stub_and_verifier.data, + blob->data + DCERPC_REQUEST_LENGTH, pkt->u.response.stub_and_verifier.length, blob->data, blob->length - auth.credentials.length, &auth.credentials); + memcpy(pkt->u.response.stub_and_verifier.data, + blob->data + DCERPC_REQUEST_LENGTH, + pkt->u.response.stub_and_verifier.length); break; case DCERPC_AUTH_LEVEL_INTEGRITY: @@ -327,8 +330,8 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p, case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_seal_packet(p->security_state.generic_state, mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, + blob->data + DCERPC_REQUEST_LENGTH, + pkt->u.request.stub_and_verifier.length+p->security_state.auth_info->auth_pad_length, blob->data, blob->length - p->security_state.auth_info->credentials.length, @@ -339,8 +342,8 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p, case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_sign_packet(p->security_state.generic_state, mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, + blob->data + DCERPC_REQUEST_LENGTH, + pkt->u.request.stub_and_verifier.length, blob->data, blob->length - p->security_state.auth_info->credentials.length, diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 20ed496d32..e2a798c1ae 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
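Review bot: In the `@@ -214` hunk of dcerpc_pull_request_sign the new `memcpy` into `pkt->u.response.stub_and_verifier.data` runs regardless of the `status` returned by gensec_unseal_packet, so on a failed unseal the still-sealed or partially processed bytes are copied into the parsed packet before the error is acted on; gate it with `if (NT_STATUS_IS_OK(status)) { memcpy(...); }` or return on failure right after the call. The copy length `pkt->u.response.stub_and_verifier.length` originates from the peer's packet and must satisfy `DCERPC_REQUEST_LENGTH + length <= blob->length`; that probably holds because the NDR pull derived it from the same blob, but a copy from an untrusted offset deserves an explicit check or a comment naming where the bound comes from. The code also appears to rely on the request and response headers having the same length when it uses DCERPC_REQUEST_LENGTH on a response, which a one-line comment should state. The switch continues past the hunk.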
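Review bot: In the `@@ -327` hunk the sealed length `pkt->u.request.stub_and_verifier.length+p->security_state.auth_info->auth_pad_length` is computed inline on an overlong line and its relation to `blob->length` is never checked in the visible code, even though the seal now writes in place into `blob->data`. A local such as `size_t sealed_len = pkt->u.request.stub_and_verifier.length + p->security_state.auth_info->auth_pad_length;`, a short comment that the auth padding is sealed together with the stub, and a check that `DCERPC_REQUEST_LENGTH + sealed_len` does not exceed the whole-PDU bound passed on the next line would make the in-place operation obviously safe. dcerpc_push_request_sign continues outside the hunk.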
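Review bot: In the `@@ -339` hunk gensec_sign_packet is given only `pkt->u.request.stub_and_verifier.length` bytes from `blob->data + DCERPC_REQUEST_LENGTH`, whereas the PRIVACY case in the preceding hunk covers `stub_and_verifier.length + auth_pad_length`, so the two auth levels now operate on different byte ranges and nothing says whether excluding the padding from the integrity check is intended; if the peer includes the pad in its MAC these signatures will not verify. Either add `+ p->security_state.auth_info->auth_pad_length` here as well, or add a comment such as `/* pad bytes are sealed but not signed: the MAC covers the stub only */` if that is the wire behaviour. The function continues outside the hunk.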
@@ -240,11 +240,14 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_unseal_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, - pkt->u.request.stub_and_verifier.data, + full_packet->data + DCERPC_REQUEST_LENGTH, pkt->u.request.stub_and_verifier.length, full_packet->data, full_packet->length-auth.credentials.length, &auth.credentials); + memcpy(pkt->u.request.stub_and_verifier.data, + full_packet->data + DCERPC_REQUEST_LENGTH, + pkt->u.request.stub_and_verifier.length); break; case DCERPC_AUTH_LEVEL_INTEGRITY: |
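Review bot: In this hunk of dcesrv_auth_request the server copies `full_packet->data + DCERPC_REQUEST_LENGTH` into `pkt->u.request.stub_and_verifier.data` without consulting `status` from gensec_unseal_packet, so a request whose seal fails to open still has its unverified bytes written into the packet structure before the error is handled; guard the copy with `if (NT_STATUS_IS_OK(status))` or return False right after the unseal. This is the server side, so `pkt->u.request.stub_and_verifier.length` and `auth.credentials.length` come from an unauthenticated client; unless the NDR pull already guarantees `DCERPC_REQUEST_LENGTH + stub_and_verifier.length + auth.credentials.length <= full_packet->length`, both the unseal and the memcpy can read past `full_packet`, and that bound should be checked here rather than assumed. The function continues beyond the hunk.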