diff options
-rw-r--r-- | source4/libcli/auth/ntlmssp.c | 213 | ||||
-rw-r--r-- | source4/libcli/auth/ntlmssp_parse.c | 321 | ||||
-rw-r--r-- | source4/libcli/auth/ntlmssp_sign.c | 32 | ||||
-rw-r--r-- | source4/libcli/config.m4 | 1 | ||||
-rw-r--r-- | source4/libcli/util/smbencrypt.c | 25 | ||||
-rw-r--r-- | source4/librpc/ndr/ndr_basic.c | 301 |
6 files changed, 460 insertions, 433 deletions
diff --git a/source4/libcli/auth/ntlmssp.c b/source4/libcli/auth/ntlmssp.c index 6830db3f90..f72f98d8a0 100644 --- a/source4/libcli/auth/ntlmssp.c +++ b/source4/libcli/auth/ntlmssp.c @@ -1,7 +1,7 @@ /* Unix SMB/Netbios implementation. - Version 3.0 - handle NLTMSSP, server side + + NLTMSSP code Copyright (C) Andrew Tridgell 2001 Copyright (C) Andrew Bartlett 2001-2003 @@ -221,6 +221,7 @@ NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) { + NTSTATUS nt_status; DATA_BLOB input; uint32_t ntlmssp_command; int i; @@ -257,13 +258,15 @@ NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state, break; } } else { - if (!msrpc_parse(ntlmssp_state->mem_ctx, - &input, "Cd", - "NTLMSSP", - &ntlmssp_command)) { + nt_status = ndr_pull_format_blob(&input, ntlmssp_state->mem_ctx, + "Cd", + "NTLMSSP", + &ntlmssp_command); + + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n")); dump_data(2, (const char *)input.data, input.length); - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } } @@ -442,6 +445,7 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) { + NTSTATUS nt_status; DATA_BLOB struct_blob; fstring dnsname, dnsdomname; uint32_t neg_flags = 0; @@ -456,16 +460,18 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, #endif if (in.length) { - if (!msrpc_parse(ntlmssp_state->mem_ctx, - &in, "CddAA", - "NTLMSSP", - &ntlmssp_command, - &neg_flags, - &cliname, - &domname)) { + nt_status = ndr_pull_format_blob(&in, ntlmssp_state->mem_ctx, + "CddAA", + "NTLMSSP", + &ntlmssp_command, + &neg_flags, + &cliname, + &domname); + + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP:\n")); dump_data(2, (const char *)in.data, in.length); - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } debug_ntlmssp_flags(neg_flags); @@ -515,13 +521,14 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, target_name_dns = dnsname; } - msrpc_gen(out_mem_ctx, - &struct_blob, "aaaaa", - NTLMSSP_NAME_TYPE_DOMAIN, target_name, - NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(), - NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname, - NTLMSSP_NAME_TYPE_SERVER_DNS, dnsname, - 0, ""); + /* TODO: do we need to check the result here? --metze */ + ndr_push_format_blob(&struct_blob, out_mem_ctx, + "aaaaa", + NTLMSSP_NAME_TYPE_DOMAIN, target_name, + NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(), + NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname, + NTLMSSP_NAME_TYPE_SERVER_DNS, dnsname, + 0, ""); } else { struct_blob = data_blob(NULL, 0); } @@ -534,16 +541,17 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, } else { gen_string = "CdAdbddB"; } - - msrpc_gen(out_mem_ctx, - out, gen_string, - "NTLMSSP", - NTLMSSP_CHALLENGE, - target_name, - chal_flags, - cryptkey, 8, - 0, 0, - struct_blob.data, struct_blob.length); + + /* TODO: do we need to check the result here? --metze */ + ndr_push_format_blob(out, out_mem_ctx, + gen_string, + "NTLMSSP", + NTLMSSP_CHALLENGE, + target_name, + chal_flags, + cryptkey, 8, + 0, 0, + struct_blob.data, struct_blob.length); } ntlmssp_state->expected_state = NTLMSSP_AUTH; @@ -591,18 +599,20 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state, ntlmssp_state->workstation = NULL; /* now the NTLMSSP encoded auth hashes */ - if (!msrpc_parse(ntlmssp_state->mem_ctx, - &request, parse_string, - "NTLMSSP", - &ntlmssp_command, - &ntlmssp_state->lm_resp, - &ntlmssp_state->nt_resp, - &domain, - &user, - &workstation, - &ntlmssp_state->encrypted_session_key, - &auth_flags)) { - DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n")); + nt_status = ndr_pull_format_blob(&request, ntlmssp_state->mem_ctx, + parse_string, + "NTLMSSP", + &ntlmssp_command, + &ntlmssp_state->lm_resp, + &ntlmssp_state->nt_resp, + &domain, + &user, + &workstation, + &ntlmssp_state->encrypted_session_key, + &auth_flags); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("ntlmssp_server_preauth: failed to parse NTLMSSP (nonfatal):\n")); dump_data(10, (const char *)request.data, request.length); /* zero this out */ @@ -617,19 +627,20 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state, } /* now the NTLMSSP encoded auth hashes */ - if (!msrpc_parse(ntlmssp_state->mem_ctx, - &request, parse_string, - "NTLMSSP", - &ntlmssp_command, - &ntlmssp_state->lm_resp, - &ntlmssp_state->nt_resp, - &domain, - &user, - &workstation)) { - DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n")); + nt_status = ndr_pull_format_blob(&request, ntlmssp_state->mem_ctx, + parse_string, + "NTLMSSP", + &ntlmssp_command, + &ntlmssp_state->lm_resp, + &ntlmssp_state->nt_resp, + &domain, + &user, + &workstation); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("ntlmssp_server_preauth: failed to parse NTLMSSP:\n")); dump_data(2, (const char *)request.data, request.length); - - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } } @@ -958,6 +969,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *out_mem_ctx, DATA_BLOB in, DATA_BLOB *out) { + NTSTATUS nt_status; + if (ntlmssp_state->unicode) { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; } else { @@ -969,13 +982,17 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, } /* generate the ntlmssp negotiate packet */ - msrpc_gen(out_mem_ctx, - out, "CddAA", - "NTLMSSP", - NTLMSSP_NEGOTIATE, - ntlmssp_state->neg_flags, - ntlmssp_state->get_domain(), - ntlmssp_state->get_global_myname()); + nt_status = ndr_push_format_blob(out, out_mem_ctx, + "CddAA", + "NTLMSSP", + NTLMSSP_NEGOTIATE, + ntlmssp_state->neg_flags, + ntlmssp_state->get_domain(), + ntlmssp_state->get_global_myname()); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; @@ -1010,16 +1027,17 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB encrypted_session_key = data_blob(NULL, 0); NTSTATUS nt_status; - if (!msrpc_parse(ntlmssp_state->mem_ctx, - &in, "CdBd", - "NTLMSSP", - &ntlmssp_command, - &server_domain_blob, - &chal_flags)) { + nt_status = ndr_pull_format_blob(&in, ntlmssp_state->mem_ctx, + "CdBd", + "NTLMSSP", + &ntlmssp_command, + &server_domain_blob, + &chal_flags); + + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); dump_data(2, (const char *)in.data, in.length); - - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } data_blob_free(&server_domain_blob); @@ -1049,18 +1067,20 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, DEBUG(3, ("NTLMSSP: Set final flags:\n")); debug_ntlmssp_flags(ntlmssp_state->neg_flags); - if (!msrpc_parse(ntlmssp_state->mem_ctx, - &in, chal_parse_string, - "NTLMSSP", - &ntlmssp_command, - &server_domain, - &chal_flags, - &challenge_blob, 8, - &unkn1, &unkn2, - &struct_blob)) { + nt_status = ndr_pull_format_blob(&in, ntlmssp_state->mem_ctx, + chal_parse_string, + "NTLMSSP", + &ntlmssp_command, + &server_domain, + &chal_flags, + &challenge_blob, 8, + &unkn1, &unkn2, + &struct_blob); + + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n")); dump_data(2, (const char *)in.data, in.length); - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } ntlmssp_state->server_domain = server_domain; @@ -1216,19 +1236,20 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, } /* this generates the actual auth packet */ - if (!msrpc_gen(out_mem_ctx, - out, auth_gen_string, - "NTLMSSP", - NTLMSSP_AUTH, - lm_response.data, lm_response.length, - nt_response.data, nt_response.length, - ntlmssp_state->domain, - ntlmssp_state->user, - ntlmssp_state->get_global_myname(), - encrypted_session_key.data, encrypted_session_key.length, - ntlmssp_state->neg_flags)) { - - return NT_STATUS_NO_MEMORY; + nt_status = ndr_push_format_blob(out, out_mem_ctx, + auth_gen_string, + "NTLMSSP", + NTLMSSP_AUTH, + lm_response.data, lm_response.length, + nt_response.data, nt_response.length, + ntlmssp_state->domain, + ntlmssp_state->user, + ntlmssp_state->get_global_myname(), + encrypted_session_key.data, encrypted_session_key.length, + ntlmssp_state->neg_flags); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } ntlmssp_state->session_key = session_key; @@ -1242,7 +1263,9 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, ntlmssp_state->expected_state = NTLMSSP_DONE; - if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) { + nt_status = ntlmssp_sign_init(ntlmssp_state); + + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status))); return nt_status; diff --git a/source4/libcli/auth/ntlmssp_parse.c b/source4/libcli/auth/ntlmssp_parse.c deleted file mode 100644 index 251effd7e1..0000000000 --- a/source4/libcli/auth/ntlmssp_parse.c +++ /dev/null @@ -1,321 +0,0 @@ -/* - Unix SMB/CIFS implementation. - simple kerberos5/SPNEGO routines - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 - Copyright (C) Andrew Bartlett 2002-2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* - this is a tiny msrpc packet generator. I am only using this to - avoid tying this code to a particular varient of our rpc code. This - generator is not general enough for all our rpc needs, its just - enough for the spnego/ntlmssp code - - format specifiers are: - - U = unicode string (input is unix string) - a = address (input is char *unix_string) - (1 byte type, 1 byte length, unicode/ASCII string, all inline) - A = ASCII string (input is unix string) - B = data blob (pointer + length) - b = data blob in header (pointer + length) - D - d = word (4 bytes) - C = constant ascii string - */ -BOOL msrpc_gen(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, - const char *format, ...) -{ - int i, n; - va_list ap; - char *s; - uint8_t *b; - int head_size=0, data_size=0; - int head_ofs, data_ofs; - - /* first scan the format to work out the header and body size */ - va_start(ap, format); - for (i=0; format[i]; i++) { - switch (format[i]) { - case 'U': - s = va_arg(ap, char *); - head_size += 8; - data_size += str_charnum(s) * 2; - break; - case 'A': - s = va_arg(ap, char *); - head_size += 8; - data_size += str_ascii_charnum(s); - break; - case 'a': - n = va_arg(ap, int); - s = va_arg(ap, char *); - data_size += (str_charnum(s) * 2) + 4; - break; - case 'B': - b = va_arg(ap, uint8_t *); - head_size += 8; - data_size += va_arg(ap, int); - break; - case 'b': - b = va_arg(ap, uint8_t *); - head_size += va_arg(ap, int); - break; - case 'd': - n = va_arg(ap, int); - head_size += 4; - break; - case 'C': - s = va_arg(ap, char *); - head_size += str_charnum(s) + 1; - break; - } - } - va_end(ap); - - /* allocate the space, then scan the format again to fill in the values */ - *blob = data_blob_talloc(mem_ctx, NULL, head_size + data_size); - - head_ofs = 0; - data_ofs = head_size; - - va_start(ap, format); - for (i=0; format[i]; i++) { - switch (format[i]) { - case 'U': - s = va_arg(ap, char *); - n = str_charnum(s); - SSVAL(blob->data, head_ofs, n*2); head_ofs += 2; - SSVAL(blob->data, head_ofs, n*2); head_ofs += 2; - SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; - push_string(NULL, blob->data+data_ofs, s, n*2, STR_UNICODE|STR_NOALIGN); - data_ofs += n*2; - break; - case 'A': - s = va_arg(ap, char *); - n = str_ascii_charnum(s); - SSVAL(blob->data, head_ofs, n); head_ofs += 2; - SSVAL(blob->data, head_ofs, n); head_ofs += 2; - SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; - push_string(NULL, blob->data+data_ofs, s, n, STR_ASCII|STR_NOALIGN); - data_ofs += n; - break; - case 'a': - n = va_arg(ap, int); - SSVAL(blob->data, data_ofs, n); data_ofs += 2; - s = va_arg(ap, char *); - n = str_charnum(s); - SSVAL(blob->data, data_ofs, n*2); data_ofs += 2; - if (0 < n) { - push_string(NULL, blob->data+data_ofs, s, n*2, - STR_UNICODE|STR_NOALIGN); - } - data_ofs += n*2; - break; - - case 'B': - b = va_arg(ap, uint8_t *); - n = va_arg(ap, int); - SSVAL(blob->data, head_ofs, n); head_ofs += 2; - SSVAL(blob->data, head_ofs, n); head_ofs += 2; - SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; - if (n && b) /* don't follow null pointers... */ - memcpy(blob->data+data_ofs, b, n); - data_ofs += n; - break; - case 'd': - n = va_arg(ap, int); - SIVAL(blob->data, head_ofs, n); head_ofs += 4; - break; - case 'b': - b = va_arg(ap, uint8_t *); - n = va_arg(ap, int); - memcpy(blob->data + head_ofs, b, n); - head_ofs += n; - break; - case 'C': - s = va_arg(ap, char *); - head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, - STR_ASCII|STR_TERMINATE); - break; - } - } - va_end(ap); - - return True; -} - - -/* a helpful macro to avoid running over the end of our blob */ -#define NEED_DATA(amount) \ -if ((head_ofs + amount) > blob->length) { \ - return False; \ -} - -/* - this is a tiny msrpc packet parser. This the the partner of msrpc_gen - - format specifiers are: - - U = unicode string (output is unix string) - A = ascii string - B = data blob - b = data blob in header - d = word (4 bytes) - C = constant ascii string - */ - -BOOL msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, - const char *format, ...) -{ - int i; - va_list ap; - const char **ps, *s; - DATA_BLOB *b; - size_t head_ofs = 0; - uint16_t len1, len2; - uint32_t ptr; - uint32_t *v; - pstring p; - - va_start(ap, format); - for (i=0; format[i]; i++) { - switch (format[i]) { - case 'U': - NEED_DATA(8); - len1 = SVAL(blob->data, head_ofs); head_ofs += 2; - len2 = SVAL(blob->data, head_ofs); head_ofs += 2; - ptr = IVAL(blob->data, head_ofs); head_ofs += 4; - - ps = va_arg(ap, char **); - if (len1 == 0 && len2 == 0) { - *ps = ""; - } else { - /* make sure its in the right format - be strict */ - if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { - return False; - } - if (len1 & 1) { - /* if odd length and unicode */ - return False; - } - if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data) - return False; - - if (0 < len1) { - pull_string(NULL, p, blob->data + ptr, sizeof(p), - len1, - STR_UNICODE|STR_NOALIGN); - (*ps) = talloc_strdup(mem_ctx, p); - if (!(*ps)) { - return False; - } - } else { - (*ps) = ""; - } - } - break; - case 'A': - NEED_DATA(8); - len1 = SVAL(blob->data, head_ofs); head_ofs += 2; - len2 = SVAL(blob->data, head_ofs); head_ofs += 2; - ptr = IVAL(blob->data, head_ofs); head_ofs += 4; - - ps = va_arg(ap, char **); - /* make sure its in the right format - be strict */ - if (len1 == 0 && len2 == 0) { - *ps = ""; - } else { - if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { - return False; - } - - if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data) - return False; - - if (0 < len1) { - pull_string(NULL, p, blob->data + ptr, sizeof(p), - len1, - STR_ASCII|STR_NOALIGN); - (*ps) = talloc_strdup(mem_ctx, p); - if (!(*ps)) { - return False; - } - } else { - (*ps) = ""; - } - } - break; - case 'B': - NEED_DATA(8); - len1 = SVAL(blob->data, head_ofs); head_ofs += 2; - len2 = SVAL(blob->data, head_ofs); head_ofs += 2; - ptr = IVAL(blob->data, head_ofs); head_ofs += 4; - - b = (DATA_BLOB *)va_arg(ap, void *); - if (len1 == 0 && len2 == 0) { - *b = data_blob_talloc(mem_ctx, NULL, 0); - } else { - /* make sure its in the right format - be strict */ - if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { - return False; - } - - if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data) - return False; - - *b = data_blob_talloc(mem_ctx, blob->data + ptr, len1); - } - break; - case 'b': - b = (DATA_BLOB *)va_arg(ap, void *); - len1 = va_arg(ap, uint_t); - /* make sure its in the right format - be strict */ - NEED_DATA(len1); - if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data) - return False; - - *b = data_blob_talloc(mem_ctx, blob->data + head_ofs, len1); - head_ofs += len1; - break; - case 'd': - v = va_arg(ap, uint32_t *); - NEED_DATA(4); - *v = IVAL(blob->data, head_ofs); head_ofs += 4; - break; - case 'C': - s = va_arg(ap, char *); - - if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data) - return False; - - head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p), - blob->length - head_ofs, - STR_ASCII|STR_TERMINATE); - if (strcmp(s, p) != 0) { - return False; - } - break; - } - } - va_end(ap); - - return True; -} diff --git a/source4/libcli/auth/ntlmssp_sign.c b/source4/libcli/auth/ntlmssp_sign.c index d680da9495..385ea18cd2 100644 --- a/source4/libcli/auth/ntlmssp_sign.c +++ b/source4/libcli/auth/ntlmssp_sign.c @@ -117,6 +117,8 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat enum ntlmssp_direction direction, DATA_BLOB *sig) { + NTSTATUS nt_status; + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { HMACMD5Context ctx; @@ -155,9 +157,18 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat } else { uint32_t crc; + crc = crc32_calc_buffer((const char *)data, length); - if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, ntlmssp_state->ntlmssp_seq_num)) { - return NT_STATUS_NO_MEMORY; + + nt_status = ndr_push_format_blob(sig, sig_mem_ctx, + "dddd", + NTLMSSP_SIGN_VERSION, + 0, + crc, + ntlmssp_state->ntlmssp_seq_num); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } dump_data_pw("ntlmssp hash:\n", ntlmssp_state->ntlmssp_hash, @@ -264,7 +275,9 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, DATA_BLOB *sig) -{ +{ + NTSTATUS nt_status; + if (!ntlmssp_state->session_key.length) { DEBUG(3, ("NO session key, cannot seal packet\n")); return NT_STATUS_NO_USER_SESSION_KEY; @@ -300,9 +313,18 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, memcpy(sig->data + 12, seq_num, 4); } else { uint32_t crc; + crc = crc32_calc_buffer((const char *)data, length); - if (!msrpc_gen(sig_mem_ctx, sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, ntlmssp_state->ntlmssp_seq_num)) { - return NT_STATUS_NO_MEMORY; + + nt_status = ndr_push_format_blob(sig, sig_mem_ctx, + "dddd", + NTLMSSP_SIGN_VERSION, + 0, + crc, + ntlmssp_state->ntlmssp_seq_num); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } /* The order of these two operations matters - we must first seal the packet, diff --git a/source4/libcli/config.m4 b/source4/libcli/config.m4 index 992f84005d..eb23c045af 100644 --- a/source4/libcli/config.m4 +++ b/source4/libcli/config.m4 @@ -44,7 +44,6 @@ SMB_SUBSYSTEM(LIBCLI_AUTH,[], [libcli/auth/spnego.o libcli/auth/spnego_parse.o libcli/auth/ntlmssp.o - libcli/auth/ntlmssp_parse.o libcli/auth/ntlmssp_sign.o libcli/auth/schannel.o libcli/auth/credentials.o diff --git a/source4/libcli/util/smbencrypt.c b/source4/libcli/util/smbencrypt.c index 72c6589097..e2fb033279 100644 --- a/source4/libcli/util/smbencrypt.c +++ b/source4/libcli/util/smbencrypt.c @@ -267,10 +267,12 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, { DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0); - msrpc_gen(mem_ctx, &names_blob, "aaa", - NTLMSSP_NAME_TYPE_DOMAIN, domain, - NTLMSSP_NAME_TYPE_SERVER, hostname, - 0, ""); + ndr_push_format_blob(&names_blob ,mem_ctx, + "aaa", + NTLMSSP_NAME_TYPE_DOMAIN, domain, + NTLMSSP_NAME_TYPE_SERVER, hostname, + 0, ""); + return names_blob; } @@ -289,13 +291,14 @@ static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx, const DATA_BLO /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */ - msrpc_gen(mem_ctx, &response, "ddbbdb", - 0x00000101, /* Header */ - 0, /* 'Reserved' */ - long_date, 8, /* Timestamp */ - client_chal, 8, /* client challenge */ - 0, /* Unknown */ - names_blob->data, names_blob->length); /* End of name list */ + ndr_push_format_blob(&response, mem_ctx, + "ddbbdb", + 0x00000101, /* Header */ + 0, /* 'Reserved' */ + long_date, 8, /* Timestamp */ + client_chal, 8, /* client challenge */ + 0, /* Unknown */ + names_blob->data, names_blob->length); /* End of name list */ return response; } diff --git a/source4/librpc/ndr/ndr_basic.c b/source4/librpc/ndr/ndr_basic.c index 5d4ade096f..1adf6ea1d3 100644 --- a/source4/librpc/ndr/ndr_basic.c +++ b/source4/librpc/ndr/ndr_basic.c @@ -972,3 +972,304 @@ NTSTATUS ndr_pull_DATA_BLOB(struct ndr_pull *ndr, DATA_BLOB *blob) ndr->offset += length; return NT_STATUS_OK; } + +/* + this is a tiny ndr packet generator. This + generator is not general enough for all our rpc needs, its just + enough for the ntlmssp code + + format specifiers are: + + U = unicode string (input is unix string) + a = address (input is char *unix_string) + (1 byte type, 1 byte length, unicode/ASCII string, all inline) + A = ASCII string (input is unix string) + B = data blob (pointer + length) + b = data blob in header (pointer + length) + D + d = word (4 bytes) + C = constant ascii string + */ +NTSTATUS ndr_push_format_blob(DATA_BLOB *blob, TALLOC_CTX *mem_ctx, + const char *format, ...) +{ + int i, n; + va_list ap; + char *s; + uint8_t *b; + int head_size=0, data_size=0; + int head_ofs, data_ofs; + + /* first scan the format to work out the header and body size */ + va_start(ap, format); + for (i=0; format[i]; i++) { + switch (format[i]) { + case 'U': + s = va_arg(ap, char *); + head_size += 8; + data_size += str_charnum(s) * 2; + break; + case 'A': + s = va_arg(ap, char *); + head_size += 8; + data_size += str_ascii_charnum(s); + break; + case 'a': + n = va_arg(ap, int); + s = va_arg(ap, char *); + data_size += (str_charnum(s) * 2) + 4; + break; + case 'B': + b = va_arg(ap, uint8_t *); + head_size += 8; + data_size += va_arg(ap, int); + break; + case 'b': + b = va_arg(ap, uint8_t *); + head_size += va_arg(ap, int); + break; + case 'd': + n = va_arg(ap, int); + head_size += 4; + break; + case 'C': + s = va_arg(ap, char *); + head_size += str_charnum(s) + 1; + break; + } + } + va_end(ap); + + /* allocate the space, then scan the format again to fill in the values */ + *blob = data_blob_talloc(mem_ctx, NULL, head_size + data_size); + + if (blob->length != (head_size + data_size)) { + return NT_STATUS_NO_MEMORY; + } + + head_ofs = 0; + data_ofs = head_size; + + va_start(ap, format); + for (i=0; format[i]; i++) { + switch (format[i]) { + case 'U': + s = va_arg(ap, char *); + n = str_charnum(s); + SSVAL(blob->data, head_ofs, n*2); head_ofs += 2; + SSVAL(blob->data, head_ofs, n*2); head_ofs += 2; + SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; + push_string(NULL, blob->data+data_ofs, s, n*2, STR_UNICODE|STR_NOALIGN); + data_ofs += n*2; + break; + case 'A': + s = va_arg(ap, char *); + n = str_ascii_charnum(s); + SSVAL(blob->data, head_ofs, n); head_ofs += 2; + SSVAL(blob->data, head_ofs, n); head_ofs += 2; + SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; + push_string(NULL, blob->data+data_ofs, s, n, STR_ASCII|STR_NOALIGN); + data_ofs += n; + break; + case 'a': + n = va_arg(ap, int); + SSVAL(blob->data, data_ofs, n); data_ofs += 2; + s = va_arg(ap, char *); + n = str_charnum(s); + SSVAL(blob->data, data_ofs, n*2); data_ofs += 2; + if (0 < n) { + push_string(NULL, blob->data+data_ofs, s, n*2, + STR_UNICODE|STR_NOALIGN); + } + data_ofs += n*2; + break; + + case 'B': + b = va_arg(ap, uint8_t *); + n = va_arg(ap, int); + SSVAL(blob->data, head_ofs, n); head_ofs += 2; + SSVAL(blob->data, head_ofs, n); head_ofs += 2; + SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; + if (n && b) /* don't follow null pointers... */ + memcpy(blob->data+data_ofs, b, n); + data_ofs += n; + break; + case 'd': + n = va_arg(ap, int); + SIVAL(blob->data, head_ofs, n); head_ofs += 4; + break; + case 'b': + b = va_arg(ap, uint8_t *); + n = va_arg(ap, int); + memcpy(blob->data + head_ofs, b, n); + head_ofs += n; + break; + case 'C': + s = va_arg(ap, char *); + head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, + STR_ASCII|STR_TERMINATE); + break; + } + } + va_end(ap); + + return NT_STATUS_OK; +} + + +/* a helpful macro to avoid running over the end of our blob */ +#define NEED_DATA(amount) \ +if ((head_ofs + amount) > blob->length) { \ + return NT_STATUS_INVALID_PARAMETER; \ +} + +/* + this is a tiny msrpc packet parser. This the the partner of msrpc_gen + + format specifiers are: + + U = unicode string (output is unix string) + A = ascii string + B = data blob + b = data blob in header + d = word (4 bytes) + C = constant ascii string + */ + +NTSTATUS ndr_pull_format_blob(const DATA_BLOB *blob, TALLOC_CTX *mem_ctx, + const char *format, ...) +{ + int i; + va_list ap; + const char **ps, *s; + DATA_BLOB *b; + size_t head_ofs = 0; + uint16_t len1, len2; + uint32_t ptr; + uint32_t *v; + pstring p; + + va_start(ap, format); + for (i=0; format[i]; i++) { + switch (format[i]) { + case 'U': + NEED_DATA(8); + len1 = SVAL(blob->data, head_ofs); head_ofs += 2; + len2 = SVAL(blob->data, head_ofs); head_ofs += 2; + ptr = IVAL(blob->data, head_ofs); head_ofs += 4; + + ps = va_arg(ap, char **); + if (len1 == 0 && len2 == 0) { + *ps = ""; + } else { + /* make sure its in the right format - be strict */ + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { + return NT_STATUS_INVALID_PARAMETER; + } + if (len1 & 1) { + /* if odd length and unicode */ + return NT_STATUS_INVALID_PARAMETER; + } + if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data) + return NT_STATUS_INVALID_PARAMETER; + + if (0 < len1) { + pull_string(NULL, p, blob->data + ptr, sizeof(p), + len1, + STR_UNICODE|STR_NOALIGN); + (*ps) = talloc_strdup(mem_ctx, p); + if (!(*ps)) { + return NT_STATUS_NO_MEMORY; + } + } else { + (*ps) = ""; + } + } + break; + case 'A': + NEED_DATA(8); + len1 = SVAL(blob->data, head_ofs); head_ofs += 2; + len2 = SVAL(blob->data, head_ofs); head_ofs += 2; + ptr = IVAL(blob->data, head_ofs); head_ofs += 4; + + ps = va_arg(ap, char **); + /* make sure its in the right format - be strict */ + if (len1 == 0 && len2 == 0) { + *ps = ""; + } else { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data) + return NT_STATUS_INVALID_PARAMETER; + + if (0 < len1) { + pull_string(NULL, p, blob->data + ptr, sizeof(p), + len1, + STR_ASCII|STR_NOALIGN); + (*ps) = talloc_strdup(mem_ctx, p); + if (!(*ps)) { + return NT_STATUS_NO_MEMORY; + } + } else { + (*ps) = ""; + } + } + break; + case 'B': + NEED_DATA(8); + len1 = SVAL(blob->data, head_ofs); head_ofs += 2; + len2 = SVAL(blob->data, head_ofs); head_ofs += 2; + ptr = IVAL(blob->data, head_ofs); head_ofs += 4; + + b = (DATA_BLOB *)va_arg(ap, void *); + if (len1 == 0 && len2 == 0) { + *b = data_blob_talloc(mem_ctx, NULL, 0); + } else { + /* make sure its in the right format - be strict */ + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data) + return NT_STATUS_INVALID_PARAMETER; + + *b = data_blob_talloc(mem_ctx, blob->data + ptr, len1); + } + break; + case 'b': + b = (DATA_BLOB *)va_arg(ap, void *); + len1 = va_arg(ap, uint_t); + /* make sure its in the right format - be strict */ + NEED_DATA(len1); + if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data) + return NT_STATUS_INVALID_PARAMETER; + + *b = data_blob_talloc(mem_ctx, blob->data + head_ofs, len1); + head_ofs += len1; + break; + case 'd': + v = va_arg(ap, uint32_t *); + NEED_DATA(4); + *v = IVAL(blob->data, head_ofs); head_ofs += 4; + break; + case 'C': + s = va_arg(ap, char *); + + if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data) + return NT_STATUS_INVALID_PARAMETER; + + head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p), + blob->length - head_ofs, + STR_ASCII|STR_TERMINATE); + if (strcmp(s, p) != 0) { + return NT_STATUS_INVALID_PARAMETER; + } + break; + } + } + va_end(ap); + + return NT_STATUS_OK; +} |