svn commit: samba r21267 - in branches/SAMBA_4_0/source/torture/rpc: .

metze at samba.org metze at samba.org
Sat Feb 10 09:46:28 GMT 2007


Author: metze
Date: 2007-02-10 09:46:28 +0000 (Sat, 10 Feb 2007)
New Revision: 21267

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21267

Log:
the first 4 bytes in each encrypted attribute are the crc32
checksum over the remaining bytes

metze
Modified:
   branches/SAMBA_4_0/source/torture/rpc/dssync.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/dssync.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rpc/dssync.c	2007-02-09 23:43:42 UTC (rev 21266)
+++ branches/SAMBA_4_0/source/torture/rpc/dssync.c	2007-02-10 09:46:28 UTC (rev 21267)
@@ -345,6 +345,11 @@
 	DATA_BLOB enc_key;
 
 	DATA_BLOB dec_buffer;
+
+	uint32_t crc32_given;
+	uint32_t crc32_calc;
+	DATA_BLOB checked_buffer;
+
 	DATA_BLOB plain_buffer;
 
 	/*
@@ -382,6 +387,26 @@
 	}
 	arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
 
+	/* 
+	 * the first 4 byte are the crc32 checksum
+	 * of the remaining bytes
+	 */
+	if (dec_buffer.length < 4) {
+		return data_blob_const(NULL, 0);
+	}
+
+	crc32_given = IVAL(dec_buffer.data, 0);
+	crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4);
+	if (crc32_given != crc32_calc) {
+		DEBUG(0,("CRC32: given[0x%08X] calc[0x%08X]\n",
+		      crc32_given, crc32_calc));
+		return data_blob_const(NULL, 0);
+	}
+	checked_buffer = data_blob_talloc(mem_ctx, dec_buffer.data + 4, dec_buffer.length - 4);
+	if (!checked_buffer.data) {
+		return data_blob_const(NULL, 0);
+	}
+
 	/*
 	 * some attributes seem to be in a usable form after this decryption
 	 * (supplementalCredentials, priorValue, currentValue, trustAuthOutgoing,
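Review bot: The new comment above the `dec_buffer.length < 4` check should state that the CRC32 is an error-detection check only. It catches a wrong `enc_key` or a damaged value after `arcfour_crypt_blob()`, but a CRC32 carried inside an RC4-encrypted blob is not a keyed integrity check and should not be read as proof that the attribute is authentic. I would word it as `the first 4 bytes are the little-endian crc32 of the remaining bytes; this detects a wrong key or corruption, it is not a MAC`. The short-input path also returns the same empty blob as the mismatch and allocation-failure paths but logs nothing, so adding `DEBUG(0,("short encrypted attribute: %u bytes\n", (unsigned)dec_buffer.length));` there would make the cases distinguishable in test output. The enclosing function starts and ends outside this hunk.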
@@ -393,18 +418,14 @@
 	 * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
 	 *
 	 * it's the sam_rid_crypt() function, as the value is constant,
-	 * so it doesn't depend on sessionkeys. But for the unicodePwd attribute
-	 * which contains the nthash has 20 bytes at this point.
-	 * 
-	 * the first 4 byte are unknown yet, but the last 16 byte are the
-	 * rid crypted hash.
+	 * so it doesn't depend on sessionkeys.
 	 */
 	if (rcrypt) {
-		plain_buffer = data_blob_talloc(mem_ctx, dec_buffer.data, dec_buffer.length);
+		plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
 		if (!plain_buffer.data) {
 			return data_blob_const(NULL, 0);
 		}
-		if (plain_buffer.length < 20) {
+		if (plain_buffer.length < 16) {
 			return data_blob_const(NULL, 0);
 		}
 		/*
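Review bot: In the `rcrypt` branch the `plain_buffer.length < 16` check runs after `data_blob_talloc()` has already copied the decrypted value, so a too-short input leaves an extra copy on `mem_ctx` before the empty blob is returned. Testing the input first, with `if (checked_buffer.length < 16) { return data_blob_const(NULL, 0); }` ahead of the allocation, avoids that. The bare `16` would read better as a named constant or with a short comment; that it is the size of one hash is inferred from the removed comment about the 16-byte rid-crypted hash. The branch continues past the end of this hunk.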
@@ -414,9 +435,9 @@
 		 *       for each hash, but here we assume the rid des key is shifted
 		 *	 by one for each 8 byte block.
 		 */
-		sam_rid_crypt_len(rid, dec_buffer.length - 4, dec_buffer.data + 4, plain_buffer.data + 4, 0);
+		sam_rid_crypt_len(rid, checked_buffer.length, checked_buffer.data, plain_buffer.data, 0);
 	} else {
-		plain_buffer = dec_buffer;
+		plain_buffer = checked_buffer;
 	}
 
 	return plain_buffer;
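Review bot: After `sam_rid_crypt_len()` writes into `plain_buffer`, `checked_buffer` is no longer needed in the `rcrypt` branch, yet it stays allocated on `mem_ctx` holding the RC4-decrypted value, and `dec_buffer` keeps a further copy in both branches. Since these buffers carry password-hash attributes, I would release the intermediate once the result exists, e.g. `data_blob_free(&checked_buffer);` right after the `sam_rid_crypt_len()` call. How `dec_buffer` is allocated is above this hunk, so whether it can be freed here as well needs checking against the start of the function. It is also not visible how `sam_rid_crypt_len()` treats a length that is not a multiple of 8; because `plain_buffer` starts as a copy of the input, any tail it skips would be returned still rid-encrypted.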


