1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/source3/rpc_server/srv_pipe.c

2578 lines
70 KiB
C
Raw Normal View History

/*
* Unix SMB/CIFS implementation.
* RPC Pipe client / server routines
* Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/* this module apparently provides an implementation of DCE/RPC over a
* named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
* documentation are available (in on-line form) from the X-Open group.
*
* this module should provide a level of abstraction between SMB
* and DCE/RPC, while minimising the amount of mallocs, unnecessary
* data copies, and network traffic.
*
*/
#include "includes.h"
#include "srv_pipe_internal.h"
#include "../librpc/gen_ndr/ndr_schannel.h"
#include "../libcli/auth/schannel.h"
2009-09-17 02:21:01 +04:00
#include "../libcli/auth/spnego.h"
#include "../libcli/auth/ntlmssp.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
{
struct auth_ntlmssp_state *a = auth->a_u.auth_ntlmssp_state;
if (a) {
auth_ntlmssp_end(&a);
}
auth->a_u.auth_ntlmssp_state = NULL;
}
static DATA_BLOB generic_session_key(void)
{
return data_blob("SystemLibraryDTC", 16);
}
delineation between smb and msrpc more marked. smbd now constructs pdus, and then feeds them over either a "local" function call or a "remote" function call to an msrpc service. the "remote" msrpc daemon, on the other side of a unix socket, then calls the same "local" function that smbd would, if the msrpc service were being run from inside smbd. this allows a transition from local msrpc services (inside the same smbd process) to remote (over a unix socket). removed reference to pipes_struct in msrpc services. all msrpc processing functions take rpcsrv_struct which is a structure containing state info for the msrpc functions to decode and create pdus. created become_vuser() which does everything not related to connection_struct that become_user() does. removed, as best i could, connection_struct dependencies from the nt spoolss printing code. todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific info on a per-connection basis, and if the connection dies then so does the info, and that's a fairly serious problem. had to put pretty much everything that is in user_struct into parse_creds.c to feed unix user info over to the msrpc daemons. why? because it's expensive to do unix password/group database lookups, and it's definitely expensive to do nt user profile lookups, not to mention pretty difficult and if you did either of these it would introduce a complication / unnecessary interdependency. so, send uid/gid/num_groups/gid_t* + SID+num_rids+domain_group_rids* + unix username + nt username + nt domain + user session key etc. this is the MINIMUM info identified so far that's actually implemented. missing bits include the called and calling netbios names etc. (basically, anything that can be loaded into standard_sub() and standard_sub_basic()...) (This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
/*******************************************************************
Generate the next PDU to be returned from the data in p->rdata.
Handle NTLMSSP.
delineation between smb and msrpc more marked. smbd now constructs pdus, and then feeds them over either a "local" function call or a "remote" function call to an msrpc service. the "remote" msrpc daemon, on the other side of a unix socket, then calls the same "local" function that smbd would, if the msrpc service were being run from inside smbd. this allows a transition from local msrpc services (inside the same smbd process) to remote (over a unix socket). removed reference to pipes_struct in msrpc services. all msrpc processing functions take rpcsrv_struct which is a structure containing state info for the msrpc functions to decode and create pdus. created become_vuser() which does everything not related to connection_struct that become_user() does. removed, as best i could, connection_struct dependencies from the nt spoolss printing code. todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific info on a per-connection basis, and if the connection dies then so does the info, and that's a fairly serious problem. had to put pretty much everything that is in user_struct into parse_creds.c to feed unix user info over to the msrpc daemons. why? because it's expensive to do unix password/group database lookups, and it's definitely expensive to do nt user profile lookups, not to mention pretty difficult and if you did either of these it would introduce a complication / unnecessary interdependency. so, send uid/gid/num_groups/gid_t* + SID+num_rids+domain_group_rids* + unix username + nt username + nt domain + user session key etc. this is the MINIMUM info identified so far that's actually implemented. missing bits include the called and calling netbios names etc. (basically, anything that can be loaded into standard_sub() and standard_sub_basic()...) (This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
********************************************************************/
static bool create_next_pdu_ntlmssp(pipes_struct *p)
{
RPC_HDR_RESP hdr_resp;
uint32 ss_padding_len = 0;
uint32 data_space_available;
uint32 data_len_left;
uint32 data_len;
NTSTATUS status;
DATA_BLOB auth_blob;
RPC_HDR_AUTH auth_info;
uint8 auth_type, auth_level;
struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
TALLOC_CTX *frame;
/*
* If we're in the fault state, keep returning fault PDU's until
* the pipe gets closed. JRA.
*/
if(p->fault_state) {
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
return True;
}
memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
/* Change the incoming request header to a response. */
p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
/* Set up rpc header flags. */
if (p->out_data.data_sent_length == 0) {
p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
} else {
p->hdr.flags = 0;
}
/*
* Work out how much we can fit in a single PDU.
*/
data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
/*
* Ensure there really is data left to send.
*/
if(!data_len_left) {
DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
return False;
}
/* Space available - not including padding. */
data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
/*
* The amount we send is the minimum of the available
* space and the amount left to send.
*/
data_len = MIN(data_len_left, data_space_available);
/* Work out any padding alignment requirements. */
if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
ss_padding_len = SERVER_NDR_PADDING_SIZE -
((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
ss_padding_len ));
/* If we're over filling the packet, we need to make space
* for the padding at the end of the data. */
if (data_len + ss_padding_len > data_space_available) {
data_len -= SERVER_NDR_PADDING_SIZE;
}
}
/*
* Set up the alloc hint. This should be the data left to
* send.
*/
hdr_resp.alloc_hint = data_len_left;
/*
* Work out if this PDU will be the last.
*/
if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
}
/*
* Set up the header lengths.
*/
p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
data_len + ss_padding_len +
RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
p->hdr.auth_len = NTLMSSP_SIG_SIZE;
/*
* Init the parse struct to point at the outgoing
* data.
*/
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/* Store the header in the data stream. */
if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
/* Copy the data into the PDU. */
if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
p->out_data.data_sent_length, data_len)) {
DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
prs_mem_free(&p->out_data.frag);
return False;
}
/* Copy the sign/seal padding data. */
if (ss_padding_len) {
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
char pad[SERVER_NDR_PADDING_SIZE];
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
if (!prs_copy_data_in(&p->out_data.frag, pad,
ss_padding_len)) {
DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
(unsigned int)ss_padding_len));
prs_mem_free(&p->out_data.frag);
return False;
}
}
/* Now write out the auth header and null blob. */
if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
} else {
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
}
if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
} else {
auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
&p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
/* Generate the sign blob. */
frame = talloc_stackframe();
switch (p->auth.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Data portion is encrypted. */
status = auth_ntlmssp_seal_packet(
a, frame,
(uint8_t *)prs_data_p(&p->out_data.frag)
+ RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
data_len + ss_padding_len,
(unsigned char *)prs_data_p(&p->out_data.frag),
(size_t)prs_offset(&p->out_data.frag),
&auth_blob);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(frame);
prs_mem_free(&p->out_data.frag);
return False;
}
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
/* Data is signed. */
status = auth_ntlmssp_sign_packet(
a, frame,
(unsigned char *)prs_data_p(&p->out_data.frag)
+ RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
data_len + ss_padding_len,
(unsigned char *)prs_data_p(&p->out_data.frag),
(size_t)prs_offset(&p->out_data.frag),
&auth_blob);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(frame);
prs_mem_free(&p->out_data.frag);
return False;
}
break;
default:
talloc_free(frame);
prs_mem_free(&p->out_data.frag);
return False;
}
/* Append the auth blob. */
if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
NTLMSSP_SIG_SIZE)) {
DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
(unsigned int)NTLMSSP_SIG_SIZE));
talloc_free(frame);
prs_mem_free(&p->out_data.frag);
return False;
}
talloc_free(frame);
/*
* Setup the counts for this PDU.
*/
p->out_data.data_sent_length += data_len;
p->out_data.current_pdu_sent = 0;
return True;
}
/*******************************************************************
Generate the next PDU to be returned from the data in p->rdata.
Return an schannel authenticated fragment.
********************************************************************/
static bool create_next_pdu_schannel(pipes_struct *p)
{
RPC_HDR_RESP hdr_resp;
uint32 ss_padding_len = 0;
uint32 data_len;
uint32 data_space_available;
uint32 data_len_left;
uint32 data_pos;
NTSTATUS status;
/*
* If we're in the fault state, keep returning fault PDU's until
* the pipe gets closed. JRA.
*/
if(p->fault_state) {
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
return True;
}
memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
/* Change the incoming request header to a response. */
p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
/* Set up rpc header flags. */
if (p->out_data.data_sent_length == 0) {
p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
} else {
p->hdr.flags = 0;
}
/*
* Work out how much we can fit in a single PDU.
*/
data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
/*
* Ensure there really is data left to send.
*/
if(!data_len_left) {
DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
return False;
}
/* Space available - not including padding. */
data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
- RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
- RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
/*
* The amount we send is the minimum of the available
* space and the amount left to send.
*/
data_len = MIN(data_len_left, data_space_available);
/* Work out any padding alignment requirements. */
if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
ss_padding_len = SERVER_NDR_PADDING_SIZE -
((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
ss_padding_len ));
/* If we're over filling the packet, we need to make space
* for the padding at the end of the data. */
if (data_len + ss_padding_len > data_space_available) {
data_len -= SERVER_NDR_PADDING_SIZE;
}
}
/*
* Set up the alloc hint. This should be the data left to
* send.
*/
hdr_resp.alloc_hint = data_len_left;
/*
* Work out if this PDU will be the last.
*/
if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
}
Large commit which restructures the local password storage API. Currently the only backend which works is smbpasswd (tdb, LDAP, and NIS+) are broken, but they were somewhat broken before. :) The following functions implement the storage manipulation interface /*The following definitions come from passdb/pdb_smbpasswd.c */ BOOL pdb_setsampwent (BOOL update); void pdb_endsampwent (void); SAM_ACCOUNT* pdb_getsampwent (void); SAM_ACCOUNT* pdb_getsampwnam (char *username); SAM_ACCOUNT* pdb_getsampwuid (uid_t uid); SAM_ACCOUNT* pdb_getsampwrid (uint32 rid); BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass); BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass, BOOL override); BOOL pdb_delete_sam_account (char* username); There is also a host of pdb_set..() and pdb_get..() functions for manipulating SAM_ACCOUNT struct members. Note that the struct passdb_ops {} has gone away. Also notice that struct smb_passwd (formally in smb.h) has been moved to passdb/pdb_smbpasswd.c and is not accessed outisde of static internal functions in this file. All local password searches should make use of the the SAM_ACCOUNT struct and the previously mentioned functions. I'll write some documentation for this later. The next step is to fix the TDB passdb backend, then work on spliting the backends out into share libraries, and finally get the LDAP backend going. What works and may not: o domain logons from Win9x works o domain logons from WinNT 4 works o user and group enumeration as implemented by Tim works o file and print access works o changing password from Win9x & NT ummm...i'll fix this tonight :) If I broke anything else, just yell and I'll fix it. I think it should be fairly quite. -- jerry (This used to be commit 0b92d0838ebdbe24f34f17e313ecbf61a0301389)
2000-11-14 02:03:34 +03:00
p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
/*
* Init the parse struct to point at the outgoing
* data.
*/
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/* Store the header in the data stream. */
if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
/* Store the current offset. */
data_pos = prs_offset(&p->out_data.frag);
/* Copy the data into the PDU. */
if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
p->out_data.data_sent_length, data_len)) {
DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
prs_mem_free(&p->out_data.frag);
return False;
}
/* Copy the sign/seal padding data. */
if (ss_padding_len) {
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
char pad[SERVER_NDR_PADDING_SIZE];
memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
if (!prs_copy_data_in(&p->out_data.frag, pad,
ss_padding_len)) {
DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
prs_mem_free(&p->out_data.frag);
return False;
}
}
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
{
/*
* Schannel processing.
*/
RPC_HDR_AUTH auth_info;
DATA_BLOB blob;
uint8_t *data;
/* Check it's the type of reply we were expecting to decode */
init_rpc_hdr_auth(&auth_info,
DCERPC_AUTH_TYPE_SCHANNEL,
p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
ss_padding_len, 1);
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
&p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
switch (p->auth.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
talloc_tos(),
true,
data,
data_len + ss_padding_len,
&blob);
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
talloc_tos(),
false,
data,
data_len + ss_padding_len,
&blob);
break;
default:
status = NT_STATUS_INTERNAL_ERROR;
break;
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
nt_errstr(status)));
prs_mem_free(&p->out_data.frag);
return false;
}
/* Finally marshall the blob. */
if (DEBUGLEVEL >= 10) {
dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
}
if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
prs_mem_free(&p->out_data.frag);
return false;
}
}
/*
* Setup the counts for this PDU.
*/
p->out_data.data_sent_length += data_len;
p->out_data.current_pdu_sent = 0;
return True;
}
/*******************************************************************
Generate the next PDU to be returned from the data in p->rdata.
No authentication done.
********************************************************************/
static bool create_next_pdu_noauth(pipes_struct *p)
{
RPC_HDR_RESP hdr_resp;
uint32 data_len;
uint32 data_space_available;
uint32 data_len_left;
/*
* If we're in the fault state, keep returning fault PDU's until
* the pipe gets closed. JRA.
*/
if(p->fault_state) {
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
return True;
}
memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
/* Change the incoming request header to a response. */
p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
/* Set up rpc header flags. */
if (p->out_data.data_sent_length == 0) {
p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
} else {
p->hdr.flags = 0;
}
/*
* Work out how much we can fit in a single PDU.
*/
data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
/*
* Ensure there really is data left to send.
*/
if(!data_len_left) {
DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
return False;
}
data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
- RPC_HDR_RESP_LEN;
/*
* The amount we send is the minimum of the available
* space and the amount left to send.
*/
data_len = MIN(data_len_left, data_space_available);
/*
* Set up the alloc hint. This should be the data left to
* send.
*/
hdr_resp.alloc_hint = data_len_left;
/*
* Work out if this PDU will be the last.
*/
if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
}
/*
* Set up the header lengths.
*/
p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
p->hdr.auth_len = 0;
/*
* Init the parse struct to point at the outgoing
* data.
*/
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/* Store the header in the data stream. */
if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
/* Copy the data into the PDU. */
if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
p->out_data.data_sent_length, data_len)) {
DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
prs_mem_free(&p->out_data.frag);
return False;
}
/*
* Setup the counts for this PDU.
*/
p->out_data.data_sent_length += data_len;
p->out_data.current_pdu_sent = 0;
return True;
}
/*******************************************************************
Generate the next PDU to be returned from the data in p->rdata.
********************************************************************/
bool create_next_pdu(pipes_struct *p)
{
switch(p->auth.auth_level) {
case DCERPC_AUTH_LEVEL_NONE:
case DCERPC_AUTH_LEVEL_CONNECT:
/* This is incorrect for auth level connect. Fixme. JRA */
return create_next_pdu_noauth(p);
2009-01-06 13:32:07 +03:00
default:
switch(p->auth.auth_type) {
case PIPE_AUTH_TYPE_NTLMSSP:
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
return create_next_pdu_ntlmssp(p);
case PIPE_AUTH_TYPE_SCHANNEL:
return create_next_pdu_schannel(p);
default:
break;
}
}
DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
(unsigned int)p->auth.auth_level,
(unsigned int)p->auth.auth_type));
return False;
}
/*******************************************************************
Process an NTLMSSP authentication response.
If this function succeeds, the user has been authenticated
and their domain, name and calling workstation stored in
the pipe struct.
*******************************************************************/
static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
{
DATA_BLOB session_key, reply;
NTSTATUS status;
struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
bool ret;
DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
ZERO_STRUCT(reply);
/* this has to be done as root in order to verify the password */
become_root();
status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
unbecome_root();
/* Don't generate a reply. */
data_blob_free(&reply);
if (!NT_STATUS_IS_OK(status)) {
return False;
}
/* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
ensure the underlying NTLMSSP flags are also set. If not we should
refuse the bind. */
if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
if (!auth_ntlmssp_negotiated_sign(a)) {
DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
"but client declined signing.\n",
get_pipe_name_from_syntax(talloc_tos(),
&p->syntax)));
return False;
}
}
if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
if (!auth_ntlmssp_negotiated_seal(a)) {
DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
"but client declined sealing.\n",
get_pipe_name_from_syntax(talloc_tos(),
&p->syntax)));
return False;
}
}
DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
"workstation: %s\n",
auth_ntlmssp_get_username(a),
auth_ntlmssp_get_domain(a),
auth_ntlmssp_get_client(a)));
TALLOC_FREE(p->server_info);
p->server_info = auth_ntlmssp_server_info(p, a);
if (p->server_info == NULL) {
DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user\n"));
return false;
}
if (p->server_info->ptok == NULL) {
DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
return False;
}
/*
* We're an authenticated bind over smb, so the session key needs to
* be set to "SystemLibraryDTC". Weird, but this is what Windows
* does. See the RPC-SAMBA3SESSIONKEY.
*/
session_key = generic_session_key();
if (session_key.data == NULL) {
return False;
}
ret = server_info_set_session_key(p->server_info, session_key);
data_blob_free(&session_key);
return True;
}
/*******************************************************************
This is the "stage3" NTLMSSP response after a bind request and reply.
*******************************************************************/
bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
{
RPC_HDR_AUTH auth_info;
uint32 pad = 0;
DATA_BLOB blob;
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t auth_len = p->hdr.auth_len;
ZERO_STRUCT(blob);
DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (auth_len == 0) {
DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
goto err;
}
/* 4 bytes padding. */
if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
goto err;
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* Ensure there's enough data for an authenticated request. */
if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
p->hdr.frag_len) {
DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
"%u is too large.\n",
(unsigned int)auth_len ));
goto err;
}
/*
* Decode the authentication verifier response.
*/
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* Pull the auth header and the following data into a blob. */
/* NB. The offset of the auth_header is relative to the *end*
* of the packet, not the start. Also, the length of the
* data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
* as the RPC header isn't included in rpc_in_p. */
if(!prs_set_offset(rpc_in_p,
p->hdr.frag_len - RPC_HEADER_LEN -
RPC_HDR_AUTH_LEN - auth_len)) {
DEBUG(0,("api_pipe_bind_auth3: cannot move "
"offset to %u.\n",
(unsigned int)(p->hdr.frag_len -
RPC_HDR_AUTH_LEN - auth_len) ));
goto err;
}
if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_bind_auth3: failed to "
"unmarshall RPC_HDR_AUTH.\n"));
goto err;
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* We must NEVER look at auth_info->auth_pad_len here,
* as old Samba client code gets it wrong and sends it
* as zero. JRA.
*/
if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
(unsigned int)auth_info.auth_type ));
return False;
}
blob = data_blob(NULL,p->hdr.auth_len);
if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
(unsigned int)p->hdr.auth_len ));
goto err;
}
/*
* The following call actually checks the challenge/response data.
* for correctness against the given DOMAIN\user name.
*/
2009-01-06 13:32:07 +03:00
if (!pipe_ntlmssp_verify_final(p, &blob)) {
goto err;
}
data_blob_free(&blob);
p->pipe_bound = True;
return True;
err:
data_blob_free(&blob);
free_pipe_ntlmssp_auth_data(&p->auth);
p->auth.a_u.auth_ntlmssp_state = NULL;
return False;
}
/*******************************************************************
Marshall a bind_nak pdu.
*******************************************************************/
static bool setup_bind_nak(pipes_struct *p)
{
NTSTATUS status;
union dcerpc_payload u;
DATA_BLOB blob;
/* Free any memory in the current return data buffer. */
prs_mem_free(&p->out_data.rdata);
/*
* Marshall directly into the outgoing PDU space. We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here.
*/
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/*
* Initialize a bind_nak header.
*/
ZERO_STRUCT(u);
u.bind_nak.reject_reason = 0;
status = dcerpc_push_ncacn_packet(p->mem_ctx,
DCERPC_PKT_BIND_NAK,
DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
RPC_HEADER_LEN + sizeof(uint16_t) /* FIXME - gd */,
0,
p->hdr.call_id,
u,
&blob);
if (!NT_STATUS_IS_OK(status)) {
prs_mem_free(&p->out_data.frag);
return False;
}
if (!prs_copy_data_in(&p->out_data.frag,
(char *)blob.data, blob.length)) {
prs_mem_free(&p->out_data.frag);
return False;
}
p->out_data.data_sent_length = 0;
p->out_data.current_pdu_sent = 0;
if (p->auth.auth_data_free_func) {
(*p->auth.auth_data_free_func)(&p->auth);
}
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
p->pipe_bound = False;
return True;
delineation between smb and msrpc more marked. smbd now constructs pdus, and then feeds them over either a "local" function call or a "remote" function call to an msrpc service. the "remote" msrpc daemon, on the other side of a unix socket, then calls the same "local" function that smbd would, if the msrpc service were being run from inside smbd. this allows a transition from local msrpc services (inside the same smbd process) to remote (over a unix socket). removed reference to pipes_struct in msrpc services. all msrpc processing functions take rpcsrv_struct which is a structure containing state info for the msrpc functions to decode and create pdus. created become_vuser() which does everything not related to connection_struct that become_user() does. removed, as best i could, connection_struct dependencies from the nt spoolss printing code. todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific info on a per-connection basis, and if the connection dies then so does the info, and that's a fairly serious problem. had to put pretty much everything that is in user_struct into parse_creds.c to feed unix user info over to the msrpc daemons. why? because it's expensive to do unix password/group database lookups, and it's definitely expensive to do nt user profile lookups, not to mention pretty difficult and if you did either of these it would introduce a complication / unnecessary interdependency. so, send uid/gid/num_groups/gid_t* + SID+num_rids+domain_group_rids* + unix username + nt username + nt domain + user session key etc. this is the MINIMUM info identified so far that's actually implemented. missing bits include the called and calling netbios names etc. (basically, anything that can be loaded into standard_sub() and standard_sub_basic()...) (This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
}
/*******************************************************************
Marshall a fault pdu.
*******************************************************************/
bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
{
RPC_HDR fault_hdr;
RPC_HDR_RESP hdr_resp;
RPC_HDR_FAULT fault_resp;
/* Free any memory in the current return data buffer. */
prs_mem_free(&p->out_data.rdata);
/*
* Marshall directly into the outgoing PDU space. We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here.
*/
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/*
* Initialize a fault header.
*/
init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
/*
* Initialize the HDR_RESP and FAULT parts of the PDU.
*/
memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
fault_resp.status = status;
fault_resp.reserved = 0;
/*
* Marshall the header into the outgoing PDU.
*/
if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
p->out_data.data_sent_length = 0;
p->out_data.current_pdu_sent = 0;
return True;
}
/*******************************************************************
Ensure a bind request has the correct abstract & transfer interface.
Used to reject unknown binds from Win2k.
*******************************************************************/
static bool check_bind_req(struct pipes_struct *p,
struct ndr_syntax_id* abstract,
struct ndr_syntax_id* transfer,
uint32 context_id)
{
struct pipe_rpc_fns *context_fns;
DEBUG(3,("check_bind_req for %s\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
/* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
if (rpc_srv_pipe_exists_by_id(abstract) &&
ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
rpc_srv_get_pipe_cli_name(abstract),
rpc_srv_get_pipe_srv_name(abstract)));
} else {
return false;
}
context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
if (context_fns == NULL) {
DEBUG(0,("check_bind_req: malloc() failed!\n"));
return False;
}
context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
context_fns->context_id = context_id;
/* add to the list of open contexts */
DLIST_ADD( p->contexts, context_fns );
return True;
}
/**
* Is a named pipe known?
* @param[in] cli_filename The pipe name requested by the client
* @result Do we want to serve this?
*/
bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
{
const char *pipename = cli_filename;
NTSTATUS status;
if (strnequal(pipename, "\\PIPE\\", 6)) {
pipename += 5;
}
if (*pipename == '\\') {
pipename += 1;
}
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;
}
if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
return true;
}
status = smb_probe_module("rpc", pipename);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
return false;
}
DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
/*
* Scan the list again for the interface id
*/
if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
return true;
}
DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
pipename));
return false;
}
/*******************************************************************
Handle a SPNEGO krb5 bind auth.
*******************************************************************/
static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
DATA_BLOB *psecblob, prs_struct *pout_auth)
{
return False;
}
/*******************************************************************
Handle the first part of a SPNEGO bind auth.
*******************************************************************/
static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t ss_padding_len,
RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
{
DATA_BLOB blob;
DATA_BLOB secblob;
DATA_BLOB response;
DATA_BLOB chal;
char *OIDs[ASN1_MAX_OIDS];
int i;
NTSTATUS status;
bool got_kerberos_mechanism = false;
struct auth_ntlmssp_state *a = NULL;
RPC_HDR_AUTH auth_info;
ZERO_STRUCT(secblob);
ZERO_STRUCT(chal);
ZERO_STRUCT(response);
/* Grab the SPNEGO blob. */
blob = data_blob(NULL,p->hdr.auth_len);
if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
(unsigned int)p->hdr.auth_len ));
goto err;
}
if (blob.data[0] != ASN1_APPLICATION(0)) {
goto err;
}
/* parse out the OIDs and the first sec blob */
if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
goto err;
}
if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
got_kerberos_mechanism = true;
}
for (i=0;OIDs[i];i++) {
DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
2008-10-22 16:06:08 +04:00
TALLOC_FREE(OIDs[i]);
}
DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
data_blob_free(&secblob);
data_blob_free(&blob);
return ret;
}
if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
/* Free any previous auth type. */
free_pipe_ntlmssp_auth_data(&p->auth);
}
if (!got_kerberos_mechanism) {
/* Initialize the NTLM engine. */
status = auth_ntlmssp_start(&a);
if (!NT_STATUS_IS_OK(status)) {
goto err;
}
switch (pauth_info->auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
auth_ntlmssp_want_sign(a);
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
auth_ntlmssp_want_seal(a);
break;
default:
break;
}
/*
* Pass the first security blob of data to it.
* This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
* which means we need another packet to complete the bind.
*/
status = auth_ntlmssp_update(a, secblob, &chal);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
goto err;
}
/* Generate the response blob we need for step 2 of the bind. */
response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
} else {
/*
* SPNEGO negotiate down to NTLMSSP. The subsequent
* code to process follow-up packets is not complete
* yet. JRA.
*/
response = spnego_gen_auth_response(NULL,
NT_STATUS_MORE_PROCESSING_REQUIRED,
OID_NTLMSSP);
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* auth_pad_len will be handled by the caller */
/* Copy the blob into the pout_auth parse struct */
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
pauth_info->auth_level, ss_padding_len, 1);
if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
goto err;
}
if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
goto err;
}
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
data_blob_free(&blob);
data_blob_free(&secblob);
data_blob_free(&chal);
data_blob_free(&response);
/* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
return True;
err:
data_blob_free(&blob);
data_blob_free(&secblob);
data_blob_free(&chal);
data_blob_free(&response);
p->auth.a_u.auth_ntlmssp_state = NULL;
return False;
}
/*******************************************************************
Handle the second part of a SPNEGO bind auth.
*******************************************************************/
static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t ss_padding_len,
RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
{
RPC_HDR_AUTH auth_info;
DATA_BLOB spnego_blob;
DATA_BLOB auth_blob;
DATA_BLOB auth_reply;
DATA_BLOB response;
struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
ZERO_STRUCT(spnego_blob);
ZERO_STRUCT(auth_blob);
ZERO_STRUCT(auth_reply);
ZERO_STRUCT(response);
/*
* NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
* fail here as 'a' == NULL.
*/
if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
goto err;
}
/* Grab the SPNEGO blob. */
spnego_blob = data_blob(NULL,p->hdr.auth_len);
if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
(unsigned int)p->hdr.auth_len ));
goto err;
}
if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
goto err;
}
if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
goto err;
}
/*
* The following call actually checks the challenge/response data.
* for correctness against the given DOMAIN\user name.
*/
if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
goto err;
}
data_blob_free(&spnego_blob);
data_blob_free(&auth_blob);
/* Generate the spnego "accept completed" blob - no incoming data. */
response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* FIXME - add auth_pad_len here ! */
/* Copy the blob into the pout_auth parse struct */
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
pauth_info->auth_level, ss_padding_len, 1);
if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
goto err;
}
if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
goto err;
}
data_blob_free(&auth_reply);
data_blob_free(&response);
p->pipe_bound = True;
return True;
err:
data_blob_free(&spnego_blob);
data_blob_free(&auth_blob);
data_blob_free(&auth_reply);
data_blob_free(&response);
free_pipe_ntlmssp_auth_data(&p->auth);
p->auth.a_u.auth_ntlmssp_state = NULL;
return False;
}
/*******************************************************************
Handle an schannel bind auth.
*******************************************************************/
static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t ss_padding_len,
RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
{
RPC_HDR_AUTH auth_info;
struct NL_AUTH_MESSAGE neg;
struct NL_AUTH_MESSAGE reply;
bool ret;
NTSTATUS status;
struct netlogon_creds_CredentialState *creds;
DATA_BLOB session_key;
enum ndr_err_code ndr_err;
DATA_BLOB blob;
blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
prs_data_size(rpc_in_p));
2010-05-10 02:42:06 +04:00
ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), &neg,
(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
return false;
}
if (DEBUGLEVEL >= 10) {
NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
}
if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
return false;
}
/*
* The neg.oem_netbios_computer.a key here must match the remote computer name
* given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
* operations that use credentials.
*/
become_root();
2010-05-10 02:42:06 +04:00
status = schannel_get_creds_state(p, lp_private_dir(),
neg.oem_netbios_computer.a, &creds);
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
return False;
}
p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
if (!p->auth.a_u.schannel_auth) {
TALLOC_FREE(creds);
return False;
}
p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
p->auth.a_u.schannel_auth->seq_num = 0;
p->auth.a_u.schannel_auth->initiator = false;
p->auth.a_u.schannel_auth->creds = creds;
/*
* JRA. Should we also copy the schannel session key into the pipe session key p->session_key
* here ? We do that for NTLMSSP, but the session key is already set up from the vuser
* struct of the person who opened the pipe. I need to test this further. JRA.
*
* VL. As we are mapping this to guest set the generic key
* "SystemLibraryDTC" key here. It's a bit difficult to test against
* W2k3, as it does not allow schannel binds against SAMR and LSA
* anymore.
*/
session_key = generic_session_key();
if (session_key.data == NULL) {
DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
" key\n"));
return false;
}
ret = server_info_set_session_key(p->server_info, session_key);
data_blob_free(&session_key);
if (!ret) {
DEBUG(0, ("server_info_set_session_key failed\n"));
return false;
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
pauth_info->auth_level, ss_padding_len, 1);
if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
return False;
}
/*** SCHANNEL verifier ***/
reply.MessageType = NL_NEGOTIATE_RESPONSE;
reply.Flags = 0;
reply.Buffer.dummy = 5; /* ??? actually I don't think
* this has any meaning
* here - gd */
2010-05-10 02:42:06 +04:00
ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &reply,
(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
return false;
}
if (DEBUGLEVEL >= 10) {
NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
}
if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
return false;
}
DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
/* We're finished with this bind - no more packets. */
p->auth.auth_data_free_func = NULL;
p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
p->pipe_bound = True;
return True;
}
/*******************************************************************
Handle an NTLMSSP bind auth.
*******************************************************************/
static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t ss_padding_len,
RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
{
RPC_HDR_AUTH auth_info;
DATA_BLOB blob;
DATA_BLOB response;
NTSTATUS status;
struct auth_ntlmssp_state *a = NULL;
ZERO_STRUCT(blob);
ZERO_STRUCT(response);
/* Grab the NTLMSSP blob. */
blob = data_blob(NULL,p->hdr.auth_len);
if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
(unsigned int)p->hdr.auth_len ));
goto err;
}
if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
goto err;
}
/* We have an NTLMSSP blob. */
status = auth_ntlmssp_start(&a);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
nt_errstr(status) ));
goto err;
}
switch (pauth_info->auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
auth_ntlmssp_want_sign(a);
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
auth_ntlmssp_want_seal(a);
break;
default:
break;
}
status = auth_ntlmssp_update(a, blob, &response);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
nt_errstr(status) ));
goto err;
}
data_blob_free(&blob);
/* Copy the blob into the pout_auth parse struct */
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
pauth_info->auth_level, ss_padding_len, 1);
if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
goto err;
}
if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
goto err;
}
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
data_blob_free(&blob);
data_blob_free(&response);
DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
/* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
return True;
err:
data_blob_free(&blob);
data_blob_free(&response);
free_pipe_ntlmssp_auth_data(&p->auth);
p->auth.a_u.auth_ntlmssp_state = NULL;
return False;
}
/*******************************************************************
Respond to a pipe bind request.
*******************************************************************/
bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
{
RPC_HDR_BA hdr_ba;
RPC_HDR_RB hdr_rb;
RPC_HDR_AUTH auth_info;
uint16 assoc_gid;
fstring ack_pipe_name;
prs_struct out_hdr_ba;
prs_struct out_auth;
int auth_len = 0;
unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t ss_padding_len = 0;
NTSTATUS status;
struct ndr_syntax_id id;
/* No rebinds on a bound pipe - use alter context. */
if (p->pipe_bound) {
DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
"pipe %s.\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
return setup_bind_nak(p);
}
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/*
* Marshall directly into the outgoing PDU space. We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here.
*/
/*
* Setup the memory to marshall the ba header, and the
* auth footers.
*/
if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
prs_mem_free(&p->out_data.frag);
prs_mem_free(&out_hdr_ba);
return False;
}
DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
ZERO_STRUCT(hdr_rb);
/* decode the bind request */
if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
"struct.\n"));
goto err_exit;
}
if (hdr_rb.num_contexts == 0) {
DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
goto err_exit;
}
/*
* Try and find the correct pipe name to ensure
* that this is a pipe name we support.
*/
id = hdr_rb.rpc_context[0].abstract;
if (rpc_srv_pipe_exists_by_id(&id)) {
DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
rpc_srv_get_pipe_cli_name(&id),
rpc_srv_get_pipe_srv_name(&id)));
} else {
status = smb_probe_module(
"rpc", get_pipe_name_from_syntax(
talloc_tos(),
&hdr_rb.rpc_context[0].abstract));
if (NT_STATUS_IS_ERR(status)) {
DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
get_pipe_name_from_syntax(
talloc_tos(),
&hdr_rb.rpc_context[0].abstract)));
prs_mem_free(&p->out_data.frag);
prs_mem_free(&out_hdr_ba);
prs_mem_free(&out_auth);
return setup_bind_nak(p);
}
if (rpc_srv_get_pipe_interface_by_cli_name(
get_pipe_name_from_syntax(talloc_tos(),
&p->syntax),
&id)) {
DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
rpc_srv_get_pipe_cli_name(&id),
rpc_srv_get_pipe_srv_name(&id)));
} else {
DEBUG(0, ("module %s doesn't provide functions for "
"pipe %s!\n",
get_pipe_name_from_syntax(talloc_tos(),
&p->syntax),
get_pipe_name_from_syntax(talloc_tos(),
&p->syntax)));
goto err_exit;
}
}
/* name has to be \PIPE\xxxxx */
fstrcpy(ack_pipe_name, "\\PIPE\\");
fstrcat(ack_pipe_name, rpc_srv_get_pipe_srv_name(&id));
DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
/*
* Create the bind response struct.
*/
/* If the requested abstract synt uuid doesn't match our client pipe,
reject the bind_ack & set the transfer interface synt to all 0's,
ver 0 (observed when NT5 attempts to bind to abstract interfaces
unknown to NT4)
Needed when adding entries to a DACL from NT5 - SK */
if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
hdr_rb.rpc_context[0].context_id )) {
init_rpc_hdr_ba(&hdr_ba,
RPC_MAX_PDU_FRAG_LEN,
RPC_MAX_PDU_FRAG_LEN,
assoc_gid,
ack_pipe_name,
0x1, 0x0, 0x0,
&hdr_rb.rpc_context[0].transfer[0]);
} else {
/* Rejection reason: abstract syntax not supported */
init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
RPC_MAX_PDU_FRAG_LEN, assoc_gid,
ack_pipe_name, 0x1, 0x2, 0x1,
&null_ndr_syntax_id);
p->pipe_bound = False;
}
/*
* and marshall it.
*/
if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
goto err_exit;
}
/*
* Check if this is an authenticated bind request.
*/
if (p->hdr.auth_len) {
/*
* Decode the authentication verifier.
*/
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* Work out any padding needed before the auth footer. */
if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
ss_padding_len = SERVER_NDR_PADDING_SIZE -
((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
(unsigned int)ss_padding_len ));
}
/* Quick length check. Won't catch a bad auth footer,
* prevents overrun. */
if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
"too long for fragment %u.\n",
(unsigned int)p->hdr.auth_len,
(unsigned int)p->hdr.frag_len ));
goto err_exit;
}
/* Pull the auth header and the following data into a blob. */
/* NB. The offset of the auth_header is relative to the *end*
* of the packet, not the start. Also, the length of the
* data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
* as the RPC header isn't included in rpc_in_p. */
if(!prs_set_offset(rpc_in_p,
p->hdr.frag_len - RPC_HEADER_LEN -
RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
DEBUG(0,("api_pipe_bind_req: cannot move "
"offset to %u.\n",
(unsigned int)(p->hdr.frag_len -
RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
goto err_exit;
}
if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
goto err_exit;
}
auth_type = auth_info.auth_type;
/* Work out if we have to sign or seal etc. */
switch (auth_info.auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
break;
default:
DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
(unsigned int)auth_info.auth_level ));
goto err_exit;
}
} else {
ZERO_STRUCT(auth_info);
}
switch(auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
ss_padding_len, &auth_info, &out_auth)) {
goto err_exit;
}
assoc_gid = 0x7a77;
break;
case DCERPC_AUTH_TYPE_SCHANNEL:
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (!pipe_schannel_auth_bind(p, rpc_in_p,
ss_padding_len, &auth_info, &out_auth)) {
goto err_exit;
}
break;
case DCERPC_AUTH_TYPE_SPNEGO:
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
ss_padding_len, &auth_info, &out_auth)) {
goto err_exit;
}
break;
case DCERPC_AUTH_TYPE_NONE:
/* Unauthenticated bind request. */
/* We're finished - no more packets. */
p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
/* We must set the pipe auth_level here also. */
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->pipe_bound = True;
/* The session key was initialized from the SMB
* session in make_internal_rpc_pipe_p */
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
ss_padding_len = 0;
break;
default:
DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
goto err_exit;
}
/*
* Create the header, now we know the length.
*/
if (prs_offset(&out_auth)) {
auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
}
init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
p->hdr.call_id,
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
ss_padding_len + prs_offset(&out_auth),
auth_len);
/*
* Marshall the header into the outgoing PDU.
*/
if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
goto err_exit;
}
/*
* Now add the RPC_HDR_BA and any auth needed.
*/
if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
goto err_exit;
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (auth_len) {
if (ss_padding_len) {
char pad[SERVER_NDR_PADDING_SIZE];
memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
if (!prs_copy_data_in(&p->out_data.frag, pad,
ss_padding_len)) {
DEBUG(0,("api_pipe_bind_req: failed to add %u "
"bytes of pad data.\n",
(unsigned int)ss_padding_len));
goto err_exit;
}
}
if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
goto err_exit;
}
}
/*
* Setup the lengths for the initial reply.
*/
p->out_data.data_sent_length = 0;
p->out_data.current_pdu_sent = 0;
prs_mem_free(&out_hdr_ba);
prs_mem_free(&out_auth);
return True;
err_exit:
prs_mem_free(&p->out_data.frag);
prs_mem_free(&out_hdr_ba);
prs_mem_free(&out_auth);
return setup_bind_nak(p);
}
/****************************************************************************
Deal with an alter context call. Can be third part of 3 leg auth request for
SPNEGO calls.
****************************************************************************/
bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
{
RPC_HDR_BA hdr_ba;
RPC_HDR_RB hdr_rb;
RPC_HDR_AUTH auth_info;
uint16 assoc_gid;
fstring ack_pipe_name;
prs_struct out_hdr_ba;
prs_struct out_auth;
int auth_len = 0;
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
uint32_t ss_padding_len = 0;
prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
/*
* Marshall directly into the outgoing PDU space. We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here.
*/
/*
* Setup the memory to marshall the ba header, and the
* auth footers.
*/
if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
prs_mem_free(&p->out_data.frag);
return False;
}
if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
prs_mem_free(&p->out_data.frag);
prs_mem_free(&out_hdr_ba);
return False;
}
ZERO_STRUCT(hdr_rb);
DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
/* decode the alter context request */
if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
goto err_exit;
}
/* secondary address CAN be NULL
* as the specs say it's ignored.
* It MUST be NULL to have the spoolss working.
*/
fstrcpy(ack_pipe_name,"");
DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
/*
* Create the bind response struct.
*/
/* If the requested abstract synt uuid doesn't match our client pipe,
reject the bind_ack & set the transfer interface synt to all 0's,
ver 0 (observed when NT5 attempts to bind to abstract interfaces
unknown to NT4)
Needed when adding entries to a DACL from NT5 - SK */
if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
hdr_rb.rpc_context[0].context_id )) {
init_rpc_hdr_ba(&hdr_ba,
RPC_MAX_PDU_FRAG_LEN,
RPC_MAX_PDU_FRAG_LEN,
assoc_gid,
ack_pipe_name,
0x1, 0x0, 0x0,
&hdr_rb.rpc_context[0].transfer[0]);
} else {
/* Rejection reason: abstract syntax not supported */
init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
RPC_MAX_PDU_FRAG_LEN, assoc_gid,
ack_pipe_name, 0x1, 0x2, 0x1,
&null_ndr_syntax_id);
p->pipe_bound = False;
}
/*
* and marshall it.
*/
if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
goto err_exit;
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/*
* Check if this is an authenticated alter context request.
*/
if (p->hdr.auth_len != 0) {
/*
* Decode the authentication verifier.
*/
/* Work out any padding needed before the auth footer. */
if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
ss_padding_len = SERVER_NDR_PADDING_SIZE -
((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
(unsigned int)ss_padding_len ));
}
/* Quick length check. Won't catch a bad auth footer,
* prevents overrun. */
if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
"too long for fragment %u.\n",
(unsigned int)p->hdr.auth_len,
(unsigned int)p->hdr.frag_len ));
goto err_exit;
}
/* Pull the auth header and the following data into a blob. */
/* NB. The offset of the auth_header is relative to the *end*
* of the packet, not the start. Also, the length of the
* data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
* as the RPC header isn't included in rpc_in_p. */
if(!prs_set_offset(rpc_in_p,
p->hdr.frag_len - RPC_HEADER_LEN -
RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
DEBUG(0,("api_alter_context: cannot move "
"offset to %u.\n",
(unsigned int)(p->hdr.frag_len -
RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
goto err_exit;
}
if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
goto err_exit;
}
/*
* Currently only the SPNEGO auth type uses the alter ctx
* response in place of the NTLMSSP auth3 type.
*/
if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
/* We can only finish if the pipe is unbound. */
if (!p->pipe_bound) {
if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
ss_padding_len, &auth_info, &out_auth)) {
goto err_exit;
}
} else {
goto err_exit;
}
}
} else {
ZERO_STRUCT(auth_info);
}
/*
* Create the header, now we know the length.
*/
if (prs_offset(&out_auth)) {
auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
}
init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
p->hdr.call_id,
RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
auth_len);
/*
* Marshall the header into the outgoing PDU.
*/
if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
goto err_exit;
}
/*
* Now add the RPC_HDR_BA and any auth needed.
*/
if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
goto err_exit;
}
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (auth_len) {
if (ss_padding_len) {
char pad[SERVER_NDR_PADDING_SIZE];
memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
if (!prs_copy_data_in(&p->out_data.frag, pad,
ss_padding_len)) {
DEBUG(0,("api_pipe_alter_context: failed to add %u "
"bytes of pad data.\n",
(unsigned int)ss_padding_len));
goto err_exit;
}
}
if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
goto err_exit;
}
}
/*
* Setup the lengths for the initial reply.
*/
p->out_data.data_sent_length = 0;
p->out_data.current_pdu_sent = 0;
prs_mem_free(&out_hdr_ba);
prs_mem_free(&out_auth);
return True;
err_exit:
prs_mem_free(&p->out_data.frag);
prs_mem_free(&out_hdr_ba);
prs_mem_free(&out_auth);
return setup_bind_nak(p);
}
/****************************************************************************
Deal with NTLMSSP sign & seal processing on an RPC request.
****************************************************************************/
bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
uint32 *p_ss_padding_len, NTSTATUS *pstatus)
{
RPC_HDR_AUTH auth_info;
uint32 auth_len = p->hdr.auth_len;
uint32 save_offset = prs_offset(rpc_in);
struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
unsigned char *data = NULL;
size_t data_len;
unsigned char *full_packet_data = NULL;
size_t full_packet_data_len;
DATA_BLOB auth_blob;
2009-01-06 13:32:07 +03:00
*pstatus = NT_STATUS_OK;
if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
return True;
}
if (!a) {
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
/* Ensure there's enough data for an authenticated request. */
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
+ auth_len > p->hdr.frag_len) {
DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
(unsigned int)auth_len ));
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
/*
* We need the full packet data + length (minus auth stuff) as well as the packet data + length
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
* after the RPC header.
* We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
* functions as NTLMv2 checks the rpc headers also.
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
* Both of these values include any auth_pad_len bytes.
*/
data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
full_packet_data = p->in_data.current_in_pdu;
full_packet_data_len = p->hdr.frag_len - auth_len;
Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14 12:46:32 +04:00
/* Pull the auth header and the following data into a blob. */
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* NB. The offset of the auth_header is relative to the *end*
* of the packet, not the start. Also, the length of the
* data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
* as the RPC header isn't included in rpc_in_p. */
if(!prs_set_offset(rpc_in,
p->hdr.frag_len - RPC_HEADER_LEN -
RPC_HDR_AUTH_LEN - auth_len)) {
DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
"offset to %u.\n",
(unsigned int)(p->hdr.frag_len -
RPC_HDR_AUTH_LEN - auth_len) ));
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
"unmarshall RPC_HDR_AUTH.\n"));
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
/* Ensure auth_pad_len fits into the packet. */
if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
"too large (%u), auth_len (%u), frag_len = (%u).\n",
(unsigned int)auth_info.auth_pad_len,
(unsigned int)auth_len,
(unsigned int)p->hdr.frag_len ));
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
auth_blob.length = auth_len;
2009-01-06 13:32:07 +03:00
switch (p->auth.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Data is encrypted. */
*pstatus = auth_ntlmssp_unseal_packet(a,
data, data_len,
full_packet_data,
full_packet_data_len,
&auth_blob);
if (!NT_STATUS_IS_OK(*pstatus)) {
return False;
}
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
/* Data is signed. */
*pstatus = auth_ntlmssp_check_packet(a,
data, data_len,
full_packet_data,
full_packet_data_len,
&auth_blob);
if (!NT_STATUS_IS_OK(*pstatus)) {
return False;
}
break;
default:
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
/*
* Return the current pointer to the data offset.
*/
if(!prs_set_offset(rpc_in, save_offset)) {
DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
(unsigned int)save_offset ));
*pstatus = NT_STATUS_INVALID_PARAMETER;
return False;
}
/*
* Remember the padding length. We must remove it from the real data
* stream once the sign/seal is done.
*/
*p_ss_padding_len = auth_info.auth_pad_len;
return True;
}
/****************************************************************************
Deal with schannel processing on an RPC request.
****************************************************************************/
bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
{
uint32 data_len;
uint32 auth_len;
uint32 save_offset = prs_offset(rpc_in);
RPC_HDR_AUTH auth_info;
DATA_BLOB blob;
NTSTATUS status;
uint8_t *data;
auth_len = p->hdr.auth_len;
if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
auth_len > RPC_HEADER_LEN +
RPC_HDR_REQ_LEN +
RPC_HDR_AUTH_LEN +
auth_len) {
DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
return False;
}
/*
* The following is that length of the data we must verify or unseal.
* This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
* preceeding the auth_data, but does include the auth_pad_len bytes.
*/
if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
DEBUG(0,("Incorrect frag %u, auth %u.\n",
(unsigned int)p->hdr.frag_len,
(unsigned int)auth_len ));
return False;
}
data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
RPC_HDR_AUTH_LEN - auth_len;
2009-01-06 13:32:07 +03:00
DEBUG(5,("data %d auth %d\n", data_len, auth_len));
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
/* Pull the auth header and the following data into a blob. */
/* NB. The offset of the auth_header is relative to the *end*
* of the packet, not the start. Also, the length of the
* data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
* as the RPC header isn't included in rpc_in_p. */
if(!prs_set_offset(rpc_in,
p->hdr.frag_len - RPC_HEADER_LEN -
RPC_HDR_AUTH_LEN - auth_len)) {
DEBUG(0,("api_pipe_schannel_process: cannot move "
"offset to %u.\n",
(unsigned int)(p->hdr.frag_len -
RPC_HDR_AUTH_LEN - auth_len) ));
return False;
}
if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
Fix bug #7146 - Samba miss-parses authenticated RPC packets. Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2010-02-18 02:27:59 +03:00
DEBUG(0,("api_pipe_schannel_process: failed to "
"unmarshall RPC_HDR_AUTH.\n"));
return False;
}
/* Ensure auth_pad_len fits into the packet. */
if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
"too large (%u), auth_len (%u), frag_len = (%u).\n",
(unsigned int)auth_info.auth_pad_len,
(unsigned int)auth_len,
(unsigned int)p->hdr.frag_len ));
return False;
}
if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("Invalid auth info %d on schannel\n",
auth_info.auth_type));
return False;
}
blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
if (DEBUGLEVEL >= 10) {
dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
}
data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
switch (auth_info.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
talloc_tos(),
true,
data,
data_len,
&blob);
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
talloc_tos(),
false,
data,
data_len,
&blob);
break;
default:
status = NT_STATUS_INTERNAL_ERROR;
break;
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
return false;
}
/*
* Return the current pointer to the data offset.
*/
if(!prs_set_offset(rpc_in, save_offset)) {
DEBUG(0,("failed to set offset back to %u\n",
(unsigned int)save_offset ));
return False;
}
/*
* Remember the padding length. We must remove it from the real data
* stream once the sign/seal is done.
*/
*p_ss_padding_len = auth_info.auth_pad_len;
return True;
}
/****************************************************************************
Find the set of RPC functions associated with this context_id
****************************************************************************/
static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
{
PIPE_RPC_FNS *fns = NULL;
2009-01-06 13:32:07 +03:00
if ( !list ) {
DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
return NULL;
}
2009-01-06 13:32:07 +03:00
for (fns=list; fns; fns=fns->next ) {
if ( fns->context_id == context_id )
return fns;
}
return NULL;
}
/****************************************************************************
Memory cleanup.
****************************************************************************/
void free_pipe_rpc_context( PIPE_RPC_FNS *list )
{
PIPE_RPC_FNS *tmp = list;
PIPE_RPC_FNS *tmp2;
2009-01-06 13:32:07 +03:00
while (tmp) {
tmp2 = tmp->next;
SAFE_FREE(tmp);
tmp = tmp2;
}
return;
}
static bool api_rpcTNP(pipes_struct *p,
const struct api_struct *api_rpc_cmds, int n_cmds);
/****************************************************************************
Find the correct RPC function to call for this request.
If the pipe is authenticated then become the correct UNIX user
before doing the call.
****************************************************************************/
bool api_pipe_request(pipes_struct *p)
delineation between smb and msrpc more marked. smbd now constructs pdus, and then feeds them over either a "local" function call or a "remote" function call to an msrpc service. the "remote" msrpc daemon, on the other side of a unix socket, then calls the same "local" function that smbd would, if the msrpc service were being run from inside smbd. this allows a transition from local msrpc services (inside the same smbd process) to remote (over a unix socket). removed reference to pipes_struct in msrpc services. all msrpc processing functions take rpcsrv_struct which is a structure containing state info for the msrpc functions to decode and create pdus. created become_vuser() which does everything not related to connection_struct that become_user() does. removed, as best i could, connection_struct dependencies from the nt spoolss printing code. todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific info on a per-connection basis, and if the connection dies then so does the info, and that's a fairly serious problem. had to put pretty much everything that is in user_struct into parse_creds.c to feed unix user info over to the msrpc daemons. why? because it's expensive to do unix password/group database lookups, and it's definitely expensive to do nt user profile lookups, not to mention pretty difficult and if you did either of these it would introduce a complication / unnecessary interdependency. so, send uid/gid/num_groups/gid_t* + SID+num_rids+domain_group_rids* + unix username + nt username + nt domain + user session key etc. this is the MINIMUM info identified so far that's actually implemented. missing bits include the called and calling netbios names etc. (basically, anything that can be loaded into standard_sub() and standard_sub_basic()...) (This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
{
bool ret = False;
bool changed_user = False;
PIPE_RPC_FNS *pipe_fns;
2009-01-06 13:32:07 +03:00
if (p->pipe_bound &&
((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
(p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
if(!become_authenticated_pipe_user(p)) {
prs_mem_free(&p->out_data.rdata);
return False;
}
changed_user = True;
}
DEBUG(5, ("Requested \\PIPE\\%s\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2009-01-06 13:32:07 +03:00
/* get the set of RPC functions for this context */
2009-01-06 13:32:07 +03:00
pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2009-01-06 13:32:07 +03:00
if ( pipe_fns ) {
TALLOC_CTX *frame = talloc_stackframe();
ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
TALLOC_FREE(frame);
}
else {
DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
p->hdr_req.context_id,
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
}
if (changed_user) {
unbecome_authenticated_pipe_user();
}
return ret;
}
/*******************************************************************
Calls the underlying RPC function for a named pipe.
********************************************************************/
static bool api_rpcTNP(pipes_struct *p,
const struct api_struct *api_rpc_cmds, int n_cmds)
{
int fn_num;
uint32 offset1, offset2;
2009-01-06 13:32:07 +03:00
/* interpret the command */
DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
p->hdr_req.opnum));
if (DEBUGLEVEL >= 50) {
fstring name;
slprintf(name, sizeof(name)-1, "in_%s",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
}
for (fn_num = 0; fn_num < n_cmds; fn_num++) {
if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
break;
}
}
if (fn_num == n_cmds) {
/*
* For an unknown RPC just return a fault PDU but
* return True to allow RPC's on the pipe to continue
* and not put the pipe into fault state. JRA.
*/
DEBUG(4, ("unknown\n"));
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
return True;
}
offset1 = prs_offset(&p->out_data.rdata);
DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
fn_num, api_rpc_cmds[fn_num].fn));
/* do the actual command */
if(!api_rpc_cmds[fn_num].fn(p)) {
DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
api_rpc_cmds[fn_num].name));
prs_mem_free(&p->out_data.rdata);
return False;
}
if (p->bad_handle_fault_state) {
DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
p->bad_handle_fault_state = False;
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
return True;
}
if (p->rng_fault_state) {
DEBUG(4, ("api_rpcTNP: rng fault return\n"));
p->rng_fault_state = False;
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
return True;
}
offset2 = prs_offset(&p->out_data.rdata);
prs_set_offset(&p->out_data.rdata, offset1);
if (DEBUGLEVEL >= 50) {
fstring name;
slprintf(name, sizeof(name)-1, "out_%s",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
}
prs_set_offset(&p->out_data.rdata, offset2);
DEBUG(5,("api_rpcTNP: called %s successfully\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
/* Check for buffer underflow in rpc parsing */
if ((DEBUGLEVEL >= 10) &&
(prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
char *data = (char *)SMB_MALLOC(data_len);
DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
if (data) {
prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
SAFE_FREE(data);
}
}
return True;
}