Author: jra Date: 2005-08-25 00:27:58 +0000 (Thu, 25 Aug 2005) New Revision: 9598
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9598 Log: Copy the correct session keys for the NTLMSSP auth. Ensure the auth processing code doesn't disturb the current parse offset and also doesn't depend on it. Jeremy. Modified: trunk/source/rpc_server/srv_pipe.c Changeset: Modified: trunk/source/rpc_server/srv_pipe.c ===================================================================
--- trunk/source/rpc_server/srv_pipe.c 2005-08-24 22:18:27 UTC (rev 9597)
+++ trunk/source/rpc_server/srv_pipe.c 2005-08-25 00:27:58 UTC (rev 9598)
@@ -657,14 +657,14 @@
 p->pipe_user.gid = a->server_info->gid;
 /*
- * Ok - is this the correct session key to copy ?
- * It's used inside the rpc_server/srv_samr_nt.c code
- * which works - but if this were an NTLMv2 negotiated
- * session I doubt this would be correct. JRA.
+ * Copy the session key from the ntlmssp state.
 */
 data_blob_free(&p->session_key);
- p->session_key = data_blob(a->server_info->lm_session_key.data, a->server_info->lm_session_key.length);
+ p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
+ if (!p->session_key.data) {
+ return False;
+ }
 p->pipe_user.ngroups = a->server_info->n_groups;
 if (p->pipe_user.ngroups) {
@@ -1236,6 +1236,12 @@
 p->auth.a_u.schannel_auth->seq_num = 0;
+ /*
+ * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
+ * here ? We do that for NTLMSPP, but the session key is already set up from the vuser
+ * struct of the person who opened the pipe. I need to test this further. JRA.
+ */
+
 /* The client opens a second RPC NETLOGON pipe without doing a auth2. The credentials for the schannel are re-used from the auth2 the client did before. */
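Review bot: The new `return False;` after the `data_blob()` call in the `@@ -657` hunk is the only failure exit in this commit that logs nothing, while every other failure path it touches emits a `DEBUG(0, ...)` before returning, so a bind rejected here because the key could not be copied will be hard to diagnose from the log. If `data_blob()` yields an empty blob for a NULL/zero-length source, the check also rejects an NTLMSSP state that carries no session key at all — presumably intended, since an authenticated pipe without a negotiated key should not proceed, but the log line should make that distinction visible. Suggest `DEBUG(0,("failed to copy the NTLMSSP session key (length %u)\n", (unsigned int)a->ntlmssp_state->session_key.length));` ahead of the return. The enclosing function starts and ends outside this hunk.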
@@ -1827,7 +1833,7 @@
 {
 RPC_HDR_AUTH auth_info;
 uint32 auth_len = p->hdr.auth_len;
- uint32 orig_offset = prs_offset(rpc_in);
+ uint32 save_offset = prs_offset(rpc_in);
 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
 unsigned char *data = NULL;
 size_t data_len;
@@ -1869,9 +1875,9 @@
 full_packet_data_len = p->hdr.frag_len - auth_len;
 /* Pull the auth header and the following data into a blob. */
- if(!prs_set_offset(rpc_in, orig_offset + data_len)) {
+ if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
- (unsigned int)orig_offset + data_len ));
+ (unsigned int)RPC_HDR_REQ_LEN + data_len ));
 *pstatus = NT_STATUS_INVALID_PARAMETER;
 return False;
 }
@@ -1917,9 +1923,9 @@
 * Return the current pointer to the data offset. */
- if(!prs_set_offset(rpc_in, orig_offset)) {
+ if(!prs_set_offset(rpc_in, save_offset)) {
 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
- (unsigned int)orig_offset ));
+ (unsigned int)save_offset ));
 *pstatus = NT_STATUS_INVALID_PARAMETER;
 return False;
 }
@@ -1938,7 +1944,7 @@
 */
 int data_len;
 int auth_len;
- uint32 old_offset;
+ uint32 save_offset = prs_offset(rpc_in);
 RPC_HDR_AUTH auth_info;
 RPC_AUTH_SCHANNEL_CHK schannel_chk;
@@ -1960,11 +1966,9 @@
 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
- old_offset = prs_offset(rpc_in);
-
- if(!prs_set_offset(rpc_in, old_offset + data_len)) {
+ if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
 DEBUG(0,("cannot move offset to %u.\n",
- (unsigned int)old_offset + data_len ));
+ (unsigned int)RPC_HDR_REQ_LEN + data_len ));
 return False;
 }
@@ -1988,7 +1992,7 @@
 p->auth.auth_level,
 SENDER_IS_INITIATOR,
 &schannel_chk,
- prs_data_p(rpc_in)+old_offset, data_len)) {
+ prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
 DEBUG(3,("failed to decode PDU\n"));
 return False;
 }
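Review bot: In the `DEBUG(0, ...)` of the `@@ -1869` hunk, `(unsigned int)RPC_HDR_REQ_LEN + data_len` casts only the macro; `data_len` is declared `size_t` in the `@@ -1827` hunk of the same function (both hunks name api_pipe_ntlmssp_auth_process), so the sum is a `size_t` passed to a `%u` conversion — a format/argument mismatch that is undefined behaviour and prints a truncated or garbage offset on LP64 targets. The cast should cover the whole expression: `(unsigned int)(RPC_HDR_REQ_LEN + data_len) ));`. The removed line had the same shape, but since the commit rewrites it this is the place to fix it; the enclosing function starts and ends outside the hunk.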
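Review bot: `prs_data_p(rpc_in)+RPC_HDR_REQ_LEN` with `data_len` in the `@@ -1988` hunk is raw pointer arithmetic into the parse buffer whose only bounds check is the `prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)` call in the `@@ -1960` hunk, and that dependency is invisible at the call site; a comment such as `/* Safe: prs_set_offset() above verified RPC_HDR_REQ_LEN + data_len lies within rpc_in. */` would keep a later edit from reordering them. The hard-coded `RPC_HDR_REQ_LEN` also presumes rpc_in starts at the request header with the stub data directly after it, which the comment should state. `data_len` is a signed `int` here (see `@@ -1938`) and is handed to the schannel decode as a length; whether it can be negative depends on how it is computed earlier in the function, which is outside the hunk, so that is worth confirming. The enclosing function starts and ends outside the hunk.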
@@ -1997,9 +2001,9 @@
 * Return the current pointer to the data offset. */
- if(!prs_set_offset(rpc_in, old_offset)) {
+ if(!prs_set_offset(rpc_in, save_offset)) {
 DEBUG(0,("failed to set offset back to %u\n",
- (unsigned int)old_offset ));
+ (unsigned int)save_offset ));
 return False;
 }