From 425797700b24c14c252389c2ff6cf3b569d7ee22 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 9 Apr 2003 09:29:47 +0000 Subject: Put the core schannel functions to parse_prs.c. They are also used by schannel clients. Volker (This used to be commit 41e92409e1c6912db05acc80b6c0d5dccd51859b) --- source3/rpc_parse/parse_prs.c | 182 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 182 insertions(+) (limited to 'source3/rpc_parse') diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index aeaa42ac92..a22ae1bacd 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -1330,3 +1330,185 @@ BOOL prs_hash1(prs_struct *ps, uint32 offset, uint8 sess_key[16]) return True; } + +static void netsechash(uchar * key, uchar * data, int data_len) +{ + uchar hash[256]; + uchar index_i = 0; + uchar index_j = 0; + uchar j = 0; + int ind; + + for (ind = 0; ind < 256; ind++) + { + hash[ind] = (uchar) ind; + } + + for (ind = 0; ind < 256; ind++) + { + uchar tc; + + j += (hash[ind] + key[ind % 16]); + + tc = hash[ind]; + hash[ind] = hash[j]; + hash[j] = tc; + } + + for (ind = 0; ind < data_len; ind++) + { + uchar tc; + uchar t; + + index_i++; + index_j += hash[index_i]; + + tc = hash[index_i]; + hash[index_i] = hash[index_j]; + hash[index_j] = tc; + + t = hash[index_i] + hash[index_j]; + data[ind] ^= hash[t]; + } +} + +void dump_data_pw(const char *msg, const uchar * data, size_t len) +{ +#ifdef DEBUG_PASSWORD + DEBUG(11, ("%s", msg)); + if (data != NULL && len > 0) + { + dump_data(11, data, len); + } +#endif +} + +void netsec_encode(struct netsec_auth_struct *a, + RPC_AUTH_NETSEC_CHK * verf, char *data, size_t data_len) +{ + uchar dataN[4]; + uchar digest1[16]; + struct MD5Context ctx3; + uchar sess_kf0[16]; + int i; + + /* store the sequence number */ + SIVAL(dataN, 0, a->seq_num); + + for (i = 0; i < sizeof(sess_kf0); i++) + { + sess_kf0[i] = a->sess_key[i] ^ 0xf0; + } + + dump_data_pw("a->sess_key:\n", a->sess_key, sizeof(a->sess_key)); + dump_data_pw("a->seq_num :\n", dataN, sizeof(dataN)); + + MD5Init(&ctx3); + MD5Update(&ctx3, dataN, 0x4); + MD5Update(&ctx3, verf->sig, 8); + + MD5Update(&ctx3, verf->data8, 8); + + dump_data_pw("verf->data8:\n", verf->data8, sizeof(verf->data8)); + dump_data_pw("sess_kf0:\n", sess_kf0, sizeof(sess_kf0)); + + hmac_md5(sess_kf0, dataN, 0x4, digest1); + dump_data_pw("digest1 (ebp-8):\n", digest1, sizeof(digest1)); + hmac_md5(digest1, verf->data3, 8, digest1); + dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1)); + netsechash(digest1, verf->data8, 8); + + dump_data_pw("verf->data8:\n", verf->data8, sizeof(verf->data8)); + + dump_data_pw("data :\n", data, data_len); + MD5Update(&ctx3, data, data_len); + + { + char digest_tmp[16]; + char digest2[16]; + MD5Final(digest_tmp, &ctx3); + hmac_md5(a->sess_key, digest_tmp, 16, digest2); + dump_data_pw("digest_tmp:\n", digest_tmp, sizeof(digest_tmp)); + dump_data_pw("digest:\n", digest2, sizeof(digest2)); + memcpy(verf->data1, digest2, sizeof(verf->data1)); + } + + netsechash(digest1, data, data_len); + dump_data_pw("data:\n", data, data_len); + + hmac_md5(a->sess_key, dataN, 0x4, digest1); + dump_data_pw("ctx:\n", digest1, sizeof(digest1)); + + hmac_md5(digest1, verf->data1, 8, digest1); + + dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1)); + + dump_data_pw("verf->data3:\n", verf->data3, sizeof(verf->data3)); + netsechash(digest1, verf->data3, 8); + dump_data_pw("verf->data3:\n", verf->data3, sizeof(verf->data3)); + + return; +} + +BOOL netsec_decode(struct netsec_auth_struct *a, + RPC_AUTH_NETSEC_CHK * verf, char *data, size_t data_len) +{ + uchar dataN[4]; + uchar digest1[16]; + struct MD5Context ctx3; + uchar sess_kf0[16]; + int i; + + /* store the sequence number */ + SIVAL(dataN, 0, a->seq_num); + + for (i = 0; i < sizeof(sess_kf0); i++) + { + sess_kf0[i] = a->sess_key[i] ^ 0xf0; + } + + dump_data_pw("a->sess_key:\n", a->sess_key, sizeof(a->sess_key)); + dump_data_pw("a->seq_num :\n", dataN, sizeof(dataN)); + hmac_md5(a->sess_key, dataN, 0x4, digest1); + dump_data_pw("ctx:\n", digest1, sizeof(digest1)); + + hmac_md5(digest1, verf->data1, 8, digest1); + + dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1)); + dump_data_pw("verf->data3:\n", verf->data3, sizeof(verf->data3)); + netsechash(digest1, verf->data3, 8); + dump_data_pw("verf->data3_dec:\n", verf->data3, sizeof(verf->data3)); + + MD5Init(&ctx3); + MD5Update(&ctx3, dataN, 0x4); + MD5Update(&ctx3, verf->sig, 8); + + dump_data_pw("sess_kf0:\n", sess_kf0, sizeof(sess_kf0)); + + hmac_md5(sess_kf0, dataN, 0x4, digest1); + dump_data_pw("digest1 (ebp-8):\n", digest1, sizeof(digest1)); + hmac_md5(digest1, verf->data3, 8, digest1); + dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1)); + + dump_data_pw("verf->data8:\n", verf->data8, sizeof(verf->data8)); + netsechash(digest1, verf->data8, 8); + dump_data_pw("verf->data8_dec:\n", verf->data8, sizeof(verf->data8)); + MD5Update(&ctx3, verf->data8, 8); + + dump_data_pw("data :\n", data, data_len); + netsechash(digest1, data, data_len); + dump_data_pw("datadec:\n", data, data_len); + + MD5Update(&ctx3, data, data_len); + { + uchar digest_tmp[16]; + MD5Final(digest_tmp, &ctx3); + hmac_md5(a->sess_key, digest_tmp, 16, digest1); + dump_data_pw("digest_tmp:\n", digest_tmp, sizeof(digest_tmp)); + } + + dump_data_pw("digest:\n", digest1, sizeof(digest1)); + dump_data_pw("verf->data1:\n", verf->data1, sizeof(verf->data1)); + + return memcmp(digest1, verf->data1, sizeof(verf->data1)) == 0; +} -- cgit From d9440df5799a80357bcc51d1a8bf83f71b7f5cd9 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 9 Apr 2003 09:52:57 +0000 Subject: A little clarification in the rpc auth header struct. Volker (This used to be commit 9fc3e4bf9fa7845b5d4a7eb4cacfec586045ebd0) --- source3/rpc_parse/parse_rpc.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'source3/rpc_parse') diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index baa70ae137..700ce8cfd6 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c @@ -607,15 +607,15 @@ BOOL rpc_hdr_auth_chk(RPC_HDR_AUTH *rai) void init_rpc_hdr_auth(RPC_HDR_AUTH *rai, uint8 auth_type, uint8 auth_level, - uint8 stub_type_len, + uint8 padding, uint32 ptr) { rai->auth_type = auth_type; /* nt lm ssp 0x0a */ rai->auth_level = auth_level; /* 0x06 */ - rai->stub_type_len = stub_type_len; /* 0x00 */ - rai->padding = 0; /* padding 0x00 */ + rai->padding = padding; + rai->reserved = 0; - rai->unknown = ptr; /* non-zero pointer to something */ + rai->auth_context = ptr; /* non-zero pointer to something */ } /******************************************************************* @@ -637,12 +637,11 @@ BOOL smb_io_rpc_hdr_auth(const char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, in return False; if(!prs_uint8 ("auth_level ", ps, depth, &rai->auth_level)) /* 0x06 */ return False; - if(!prs_uint8 ("stub_type_len", ps, depth, &rai->stub_type_len)) - return False; if(!prs_uint8 ("padding ", ps, depth, &rai->padding)) return False; - - if(!prs_uint32("unknown ", ps, depth, &rai->unknown)) /* 0x0014a0c0 */ + if(!prs_uint8 ("reserved ", ps, depth, &rai->reserved)) + return False; + if(!prs_uint32("auth_context ", ps, depth, &rai->auth_context)) return False; return True; -- cgit From 803e23f403bdb38d2523d73fd12083da486bca2f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 9 Apr 2003 15:47:06 +0000 Subject: This is the netlogon schannel client code. Try a rpcclient -S pdc -U% -c "samlogon user password" and it should work with the schannel. Needs testing platforms different from NT4SP6. Volker (This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740) --- source3/rpc_parse/parse_rpc.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'source3/rpc_parse') diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index 700ce8cfd6..656082e05a 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c @@ -1128,6 +1128,18 @@ BOOL smb_io_rpc_auth_ntlmssp_chk(const char *desc, RPC_AUTH_NTLMSSP_CHK *chk, pr return True; } +/******************************************************************* +creates an RPC_AUTH_NETSEC_NEG structure. +********************************************************************/ +void init_rpc_auth_netsec_neg(RPC_AUTH_NETSEC_NEG *neg, + const char *domain, const char *myname) +{ + neg->unknown1 = 0; + neg->unknown2 = 0x13; + fstrcpy(neg->domain, domain); + fstrcpy(neg->myname, myname); +} + /******************************************************************* Reads or writes an RPC_AUTH_NETSEC_NEG structure. ********************************************************************/ @@ -1148,11 +1160,11 @@ BOOL smb_io_rpc_auth_netsec_neg(const char *desc, RPC_AUTH_NETSEC_NEG *neg, return False; if(!prs_uint32("unknown2", ps, depth, &neg->unknown2)) return False; - if(!prs_string("domain ", ps, depth, neg->domain, - strlen(&ps->data_p[ps->data_offset]), sizeof(neg->domain))) - return False; if(!prs_string("myname ", ps, depth, neg->myname, - strlen(&ps->data_p[ps->data_offset]), sizeof(neg->myname))) + strlen(neg->myname), sizeof(neg->myname))) + return False; + if(!prs_string("domain ", ps, depth, neg->domain, + strlen(neg->domain), sizeof(neg->domain))) return False; return True; -- cgit From 065561932c660be13f80fefa2a310a51b0c07f9c Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 11 Apr 2003 04:09:14 +0000 Subject: A new RPC pipe! The \pipe\echo named pipe is for testing large RPC requests and responses and is only compiled in when --enable-developer is passed to configure. It includes server and client side code for generating and responding to functions on this pipe. The functions are: - AddOne: add one to the uint32 argument and return ig - EchoData: echo back a variable sized char array to the caller - SourceData: request a variable sized char array - SinkData: send a variable sized char array and throw it away There's a win32 implementation of the client and server in the junkcode CVS repository in the rpcecho-win32 subdirectory. (This used to be commit 4ccd34ef836eba05f81dc2da73fd7cfaac201798) --- source3/rpc_parse/parse_echo.c | 166 +++++++++++++++++++++++++++++++++++++++++ source3/rpc_parse/parse_rpc.c | 10 +++ 2 files changed, 176 insertions(+) create mode 100644 source3/rpc_parse/parse_echo.c (limited to 'source3/rpc_parse') diff --git a/source3/rpc_parse/parse_echo.c b/source3/rpc_parse/parse_echo.c new file mode 100644 index 0000000000..67f9ad772e --- /dev/null +++ b/source3/rpc_parse/parse_echo.c @@ -0,0 +1,166 @@ +/* + * Unix SMB/CIFS implementation. + * + * RPC Pipe client / server routines + * + * Copyright (C) Tim Potter 2003 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" +#include "nterr.h" +#include "rpc_parse.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_RPC_PARSE + +void init_echo_q_add_one(ECHO_Q_ADD_ONE *q_d, uint32 request) +{ + q_d->request = request; +} + +BOOL echo_io_q_add_one(const char *desc, ECHO_Q_ADD_ONE *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("request", ps, 0, &q_d->request)) + return False; + + return True; +} + +BOOL echo_io_r_add_one(const char *desc, ECHO_R_ADD_ONE *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("response", ps, 0, &q_d->response)) + return False; + + return True; +} + + +void init_echo_q_echo_data(ECHO_Q_ECHO_DATA *q_d, uint32 size, char *data) +{ + q_d->size = size; + q_d->data = data; +} + +BOOL echo_io_q_echo_data(const char *desc, ECHO_Q_ECHO_DATA *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("size", ps, depth, &q_d->size)) + return False; + + if (!prs_uint32("size", ps, depth, &q_d->size)) + return False; + + if (UNMARSHALLING(ps)) { + q_d->data = prs_alloc_mem(ps, q_d->size); + + if (!q_d->data) + return False; + } + + if (!prs_uint8s(False, "data", ps, depth, q_d->data, q_d->size)) + return False; + + return True; +} + +BOOL echo_io_r_echo_data(const char *desc, ECHO_R_ECHO_DATA *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("size", ps, 0, &q_d->size)) + return False; + + if (UNMARSHALLING(ps)) { + q_d->data = prs_alloc_mem(ps, q_d->size); + + if (!q_d->data) + return False; + } + + if (!prs_uint8s(False, "data", ps, depth, q_d->data, q_d->size)) + return False; + + return True; +} + +void init_echo_q_sink_data(ECHO_Q_SINK_DATA *q_d, uint32 size, char *data) +{ + q_d->size = size; + q_d->data = data; +} + +BOOL echo_io_q_sink_data(const char *desc, ECHO_Q_SINK_DATA *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("size", ps, depth, &q_d->size)) + return False; + + if (!prs_uint32("size", ps, depth, &q_d->size)) + return False; + + if (UNMARSHALLING(ps)) { + q_d->data = prs_alloc_mem(ps, q_d->size); + + if (!q_d->data) + return False; + } + + if (!prs_uint8s(False, "data", ps, depth, q_d->data, q_d->size)) + return False; + + return True; +} + +BOOL echo_io_r_sink_data(const char *desc, ECHO_R_SINK_DATA *q_d, + prs_struct *ps, int depth) +{ + return True; +} + +void init_echo_q_source_data(ECHO_Q_SOURCE_DATA *q_d, uint32 size) +{ + q_d->size = size; +} + +BOOL echo_io_q_source_data(const char *desc, ECHO_Q_SOURCE_DATA *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("size", ps, depth, &q_d->size)) + return False; + + return True; +} + +BOOL echo_io_r_source_data(const char *desc, ECHO_R_SOURCE_DATA *q_d, + prs_struct *ps, int depth) +{ + if (!prs_uint32("size", ps, 0, &q_d->size)) + return False; + + if (UNMARSHALLING(ps)) { + q_d->data = prs_alloc_mem(ps, q_d->size); + + if (!q_d->data) + return False; + } + + if (!prs_uint8s(False, "data", ps, depth, q_d->data, q_d->size)) + return False; + + return True; +} diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index 656082e05a..30909c6910 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c @@ -138,6 +138,15 @@ interface/version dce/rpc pipe identification }, 0x03 \ } +#define SYNT_ECHO_V1 \ +{ \ + { \ + 0x60a15ec5, 0x4de8, 0x11d7, \ + { 0xa6, 0x37, 0x00, 0x50, \ + 0x56, 0xa2, 0x01, 0x82 } \ + }, 0x01 \ +} + /* * IMPORTANT!! If you update this structure, make sure to * update the index #defines in smb.h. @@ -155,6 +164,7 @@ const struct pipe_id_info pipe_names [] = { PIPE_WINREG , SYNT_WINREG_V1 , PIPE_WINREG , TRANS_SYNT_V2 }, { PIPE_SPOOLSS , SYNT_SPOOLSS_V1 , PIPE_SPOOLSS , TRANS_SYNT_V2 }, { PIPE_NETDFS , SYNT_NETDFS_V3 , PIPE_NETDFS , TRANS_SYNT_V2 }, + { PIPE_ECHO , SYNT_ECHO_V1 , PIPE_ECHO , TRANS_SYNT_V2 }, { NULL , SYNT_NONE_V0 , NULL , SYNT_NONE_V0 } }; -- cgit