mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
627aa735fb
same session (TCP connection) as the one the challenge was requested
from.
(This used to be commit 5cb9b99f0f
)
1699 lines
48 KiB
C
1699 lines
48 KiB
C
/*
|
|
* Unix SMB/CIFS implementation.
|
|
* RPC Pipe client / server routines
|
|
* Copyright (C) Andrew Tridgell 1992-1998,
|
|
* Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
|
|
* Copyright (C) Paul Ashton 1998.
|
|
* Copyright (C) Jeremy Allison 1999.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_RPC_CLI
|
|
|
|
extern struct pipe_id_info pipe_names[];
|
|
|
|
/********************************************************************
|
|
Rpc pipe call id.
|
|
********************************************************************/
|
|
|
|
static uint32 get_rpc_call_id(void)
|
|
{
|
|
static uint32 call_id = 0;
|
|
return ++call_id;
|
|
}
|
|
|
|
/*******************************************************************
|
|
Use SMBreadX to get rest of one fragment's worth of rpc data.
|
|
********************************************************************/
|
|
|
|
static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
|
|
{
|
|
size_t size = (size_t)cli->max_recv_frag;
|
|
int stream_offset = 0;
|
|
int num_read;
|
|
char *pdata;
|
|
int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
|
|
|
|
DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
|
|
(int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
|
|
|
|
/*
|
|
* Grow the buffer if needed to accommodate the data to be read.
|
|
*/
|
|
|
|
if (extra_data_size > 0) {
|
|
if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
|
|
DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
|
|
return False;
|
|
}
|
|
DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
|
|
}
|
|
|
|
pdata = prs_data_p(rdata) + *rdata_offset;
|
|
|
|
do /* read data using SMBreadX */
|
|
{
|
|
uint32 ecode;
|
|
uint8 eclass;
|
|
|
|
if (size > (size_t)data_to_read)
|
|
size = (size_t)data_to_read;
|
|
|
|
num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
|
|
|
|
DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
|
|
num_read, stream_offset, data_to_read));
|
|
|
|
if (cli_is_dos_error(cli)) {
|
|
cli_dos_error(cli, &eclass, &ecode);
|
|
if (eclass != ERRDOS && ecode != ERRmoredata) {
|
|
DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
|
|
eclass, (unsigned int)ecode));
|
|
return False;
|
|
}
|
|
}
|
|
|
|
data_to_read -= num_read;
|
|
stream_offset += num_read;
|
|
pdata += num_read;
|
|
|
|
} while (num_read > 0 && data_to_read > 0);
|
|
/* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
|
|
|
|
/*
|
|
* Update the current offset into rdata by the amount read.
|
|
*/
|
|
*rdata_offset += stream_offset;
|
|
|
|
return True;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
|
|
****************************************************************************/
|
|
|
|
static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
|
|
BOOL *first, BOOL *last, uint32 *len)
|
|
{
|
|
DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
|
|
|
|
/* Next call sets endian bit. */
|
|
|
|
if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
|
|
DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
|
|
return False;
|
|
}
|
|
|
|
if (prs_offset(rdata) != RPC_HEADER_LEN) {
|
|
DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
|
|
return False;
|
|
}
|
|
|
|
(*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
|
|
(*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
|
|
(*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
|
|
|
|
return (rhdr->pkt_type != RPC_FAULT);
|
|
}
|
|
|
|
static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
|
|
{
|
|
unsigned char *hash = cli->ntlmssp_hash;
|
|
unsigned char index_i = hash[256];
|
|
unsigned char index_j = hash[257];
|
|
int ind;
|
|
|
|
for( ind = 0; ind < len; ind++) {
|
|
unsigned char tc;
|
|
unsigned char t;
|
|
|
|
index_i++;
|
|
index_j += hash[index_i];
|
|
|
|
tc = hash[index_i];
|
|
hash[index_i] = hash[index_j];
|
|
hash[index_j] = tc;
|
|
|
|
t = hash[index_i] + hash[index_j];
|
|
data[ind] = data[ind] ^ hash[t];
|
|
}
|
|
|
|
hash[256] = index_i;
|
|
hash[257] = index_j;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Verify data on an rpc pipe.
|
|
The VERIFY & SEAL code is only executed on packets that look like this :
|
|
|
|
Request/Response PDU's look like the following...
|
|
|
|
|<------------------PDU len----------------------------------------------->|
|
|
|<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
|
|
|
|
+------------+-----------------+-------------+---------------+-------------+
|
|
| RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
|
|
+------------+-----------------+-------------+---------------+-------------+
|
|
|
|
Never on bind requests/responses.
|
|
****************************************************************************/
|
|
|
|
static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
|
|
uint32 fragment_start, int len, int auth_len, int *pauth_padding_len)
|
|
{
|
|
/*
|
|
* The following is that length of the data we must sign or seal.
|
|
* This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
|
|
* preceeding the auth_data.
|
|
*/
|
|
|
|
int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
|
|
|
|
/*
|
|
* The start of the data to sign/seal is just after the RPC headers.
|
|
*/
|
|
char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
|
|
|
|
BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
|
|
BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
|
|
BOOL auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
|
|
|
|
*pauth_padding_len = 0;
|
|
|
|
DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s schannel %s\n",
|
|
len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal), BOOLSTR(auth_schannel)));
|
|
|
|
/*
|
|
* Unseal any sealed data in the PDU, not including the
|
|
* 8 byte auth_header or the auth_data.
|
|
*/
|
|
|
|
if (auth_seal) {
|
|
DEBUG(10,("rpc_auth_pipe: unseal\n"));
|
|
dump_data(100, reply_data, data_len);
|
|
NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
|
|
dump_data(100, reply_data, data_len);
|
|
}
|
|
|
|
if (auth_verify || auth_seal) {
|
|
RPC_HDR_AUTH rhdr_auth;
|
|
prs_struct auth_req;
|
|
char data[RPC_HDR_AUTH_LEN];
|
|
/*
|
|
* We set dp to be the end of the packet, minus the auth_len
|
|
* and the length of the header that preceeds the auth_data.
|
|
*/
|
|
char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
|
|
|
|
if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
|
|
DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
|
|
return False;
|
|
}
|
|
|
|
memcpy(data, dp, sizeof(data));
|
|
|
|
prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
|
|
|
|
/* The endianness must be preserved... JRA. */
|
|
|
|
prs_set_endian_data(&auth_req, rdata->bigendian_data);
|
|
|
|
prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
|
|
|
|
/*
|
|
* Unmarshall the 8 byte auth_header that comes before the
|
|
* auth data.
|
|
*/
|
|
|
|
if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
|
|
DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
|
|
return False;
|
|
}
|
|
|
|
if (!rpc_hdr_auth_chk(&rhdr_auth)) {
|
|
DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
|
|
return False;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Now unseal and check the auth verifier in the auth_data at
|
|
* then end of the packet. The 4 bytes skipped in the unseal
|
|
* seem to be a buffer pointer preceeding the sealed data.
|
|
*/
|
|
|
|
if (auth_verify) {
|
|
RPC_AUTH_NTLMSSP_CHK chk;
|
|
uint32 crc32;
|
|
prs_struct auth_verf;
|
|
char data[RPC_AUTH_NTLMSSP_CHK_LEN];
|
|
char *dp = prs_data_p(rdata) + len - auth_len;
|
|
|
|
if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
|
|
DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
|
|
return False;
|
|
}
|
|
|
|
DEBUG(10,("rpc_auth_pipe: verify\n"));
|
|
dump_data(100, dp, auth_len);
|
|
NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
|
|
|
|
memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
|
|
dump_data(100, data, auth_len);
|
|
|
|
prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
|
|
|
|
/* The endinness must be preserved. JRA. */
|
|
prs_set_endian_data( &auth_verf, rdata->bigendian_data);
|
|
|
|
prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
|
|
|
|
if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
|
|
DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
|
|
return False;
|
|
}
|
|
|
|
crc32 = crc32_calc_buffer(reply_data, data_len);
|
|
|
|
if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
|
|
DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
|
|
return False;
|
|
}
|
|
cli->ntlmssp_seq_num++;
|
|
}
|
|
|
|
if (auth_schannel) {
|
|
RPC_AUTH_NETSEC_CHK chk;
|
|
RPC_HDR_AUTH rhdr_auth;
|
|
char data[RPC_HDR_AUTH_LEN+RPC_AUTH_NETSEC_CHK_LEN];
|
|
char *dp = prs_data_p(rdata) + fragment_start + len -
|
|
RPC_HDR_AUTH_LEN - RPC_AUTH_NETSEC_CHK_LEN;
|
|
prs_struct auth_verf;
|
|
|
|
if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
|
|
|
|
if ( (auth_len == 12) &&
|
|
(cli->auth_info.seq_num == 0) ) {
|
|
|
|
/* This is the reply to our bind. Ok,
|
|
the sequence number can wrap
|
|
around. But this only means that
|
|
every 4 billion request we
|
|
misdetect a wrong length in a
|
|
reply. This is an error condition
|
|
which will lead to failure anyway
|
|
later.
|
|
|
|
The reply contains a
|
|
RPC_AUTH_VERIFIER with no content
|
|
(12 bytes), so ignore it.
|
|
*/
|
|
return True;
|
|
}
|
|
|
|
DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
|
|
return False;
|
|
}
|
|
|
|
if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
|
|
DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
|
|
return False;
|
|
}
|
|
|
|
DEBUG(10,("rpc_auth_pipe: schannel verify netsec\n"));
|
|
dump_data(100, dp, auth_len);
|
|
|
|
memcpy(data, dp, sizeof(data));
|
|
dump_data(100, data, sizeof(data));
|
|
|
|
prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
|
|
|
|
/* The endinness must be preserved. JRA. */
|
|
prs_set_endian_data( &auth_verf, rdata->bigendian_data);
|
|
|
|
prs_give_memory(&auth_verf, data, sizeof(data), False);
|
|
|
|
if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
|
|
DEBUG(0, ("rpc_auth_pipe: Could not parse schannel auth header\n"));
|
|
return False;
|
|
}
|
|
|
|
if ((rhdr_auth.auth_type != NETSEC_AUTH_TYPE) ||
|
|
(rhdr_auth.auth_level != NETSEC_AUTH_LEVEL)) {
|
|
DEBUG(0, ("rpc_auth_pipe: Got wrong schannel auth type/level: %d/%d\n",
|
|
rhdr_auth.auth_type, rhdr_auth.auth_level));
|
|
return False;
|
|
}
|
|
|
|
if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", &chk, &auth_verf, 0)) {
|
|
DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
|
|
"RPC_AUTH_NETSECK_CHK failed\n"));
|
|
return False;
|
|
}
|
|
|
|
cli->auth_info.seq_num++;
|
|
|
|
if (!netsec_decode(&cli->auth_info, &chk, reply_data, data_len)) {
|
|
DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
|
|
return False;
|
|
}
|
|
*pauth_padding_len = rhdr_auth.padding;
|
|
}
|
|
return True;
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
Send data on an rpc pipe via trans, which *must* be the last fragment.
|
|
receive response data from an rpc pipe, which may be large...
|
|
|
|
Read the first fragment: unfortunately have to use SMBtrans for the first
|
|
bit, then SMBreadX for subsequent bits.
|
|
|
|
If first fragment received also wasn't the last fragment, continue
|
|
getting fragments until we _do_ receive the last fragment.
|
|
|
|
Request/Response PDU's look like the following...
|
|
|
|
|<------------------PDU len----------------------------------------------->|
|
|
|<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
|
|
|
|
+------------+-----------------+-------------+---------------+-------------+
|
|
| RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
|
|
+------------+-----------------+-------------+---------------+-------------+
|
|
|
|
Where the presence of the AUTH_HDR and AUTH are dependent on the
|
|
signing & sealing being negotiated.
|
|
|
|
****************************************************************************/
|
|
|
|
static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata)
|
|
{
|
|
uint32 len;
|
|
char *rparam = NULL;
|
|
uint32 rparam_len = 0;
|
|
uint16 setup[2];
|
|
BOOL first = True;
|
|
BOOL last = True;
|
|
RPC_HDR rhdr;
|
|
char *pdata = data ? prs_data_p(data) : NULL;
|
|
uint32 data_len = data ? prs_offset(data) : 0;
|
|
char *prdata = NULL;
|
|
uint32 rdata_len = 0;
|
|
uint32 current_offset = 0;
|
|
uint32 fragment_start = 0;
|
|
uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
|
|
|
|
/* Create setup parameters - must be in native byte order. */
|
|
|
|
setup[0] = TRANSACT_DCERPCCMD;
|
|
setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
|
|
|
|
DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
|
|
|
|
/* Send the RPC request and receive a response. For short RPC
|
|
calls (about 1024 bytes or so) the RPC request and response
|
|
appears in a SMBtrans request and response. Larger RPC
|
|
responses are received further on. */
|
|
|
|
if (!cli_api_pipe(cli, "\\PIPE\\",
|
|
setup, 2, 0, /* Setup, length, max */
|
|
NULL, 0, 0, /* Params, length, max */
|
|
pdata, data_len, max_data, /* data, length, max */
|
|
&rparam, &rparam_len, /* return params, len */
|
|
&prdata, &rdata_len)) /* return data, len */
|
|
{
|
|
DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
|
|
return False;
|
|
}
|
|
|
|
/* Throw away returned params - we know we won't use them. */
|
|
|
|
SAFE_FREE(rparam);
|
|
|
|
if (prdata == NULL) {
|
|
DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
|
|
(int)cli->nt_pipe_fnum));
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Give this memory as dynamically allocated to the return parse
|
|
* struct.
|
|
*/
|
|
|
|
prs_give_memory(rdata, prdata, rdata_len, True);
|
|
current_offset = rdata_len;
|
|
|
|
/* This next call sets the endian bit correctly in rdata. */
|
|
|
|
if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
|
|
prs_mem_free(rdata);
|
|
return False;
|
|
}
|
|
|
|
if (rhdr.pkt_type == RPC_BINDACK) {
|
|
if (!last && !first) {
|
|
DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
|
|
first = True;
|
|
last = True;
|
|
}
|
|
}
|
|
|
|
if (rhdr.pkt_type == RPC_RESPONSE) {
|
|
RPC_HDR_RESP rhdr_resp;
|
|
if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
|
|
DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
|
|
prs_mem_free(rdata);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
|
|
(unsigned int)len, (unsigned int)rdata_len ));
|
|
|
|
/* check if data to be sent back was too large for one SMBtrans */
|
|
/* err status is only informational: the _real_ check is on the
|
|
length */
|
|
|
|
if (len > 0) {
|
|
/* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
|
|
|
|
/* Read the remaining part of the first response fragment */
|
|
|
|
if (!rpc_read(cli, rdata, len, ¤t_offset)) {
|
|
prs_mem_free(rdata);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Now we have a complete PDU, check the auth struct if any was sent.
|
|
*/
|
|
|
|
if (rhdr.auth_len != 0) {
|
|
int auth_padding_len = 0;
|
|
|
|
if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
|
|
rhdr.auth_len, &auth_padding_len))
|
|
return False;
|
|
/*
|
|
* Drop the auth footers from the current offset.
|
|
* We need this if there are more fragments.
|
|
* The auth footers consist of the auth_data and the
|
|
* preceeding 8 byte auth_header.
|
|
*/
|
|
current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
|
|
}
|
|
|
|
/*
|
|
* Only one rpc fragment, and it has been read.
|
|
*/
|
|
|
|
if (first && last) {
|
|
DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
|
|
return True;
|
|
}
|
|
|
|
/*
|
|
* Read more fragments using SMBreadX until we get one with the
|
|
* last bit set.
|
|
*/
|
|
|
|
while (!last) {
|
|
RPC_HDR_RESP rhdr_resp;
|
|
int num_read;
|
|
char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
|
|
prs_struct hps;
|
|
uint8 eclass;
|
|
uint32 ecode;
|
|
|
|
/*
|
|
* First read the header of the next PDU.
|
|
*/
|
|
|
|
prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
|
|
prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
|
|
|
|
num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
|
|
if (cli_is_dos_error(cli)) {
|
|
cli_dos_error(cli, &eclass, &ecode);
|
|
if (eclass != ERRDOS && ecode != ERRmoredata) {
|
|
DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
|
|
return False;
|
|
}
|
|
}
|
|
|
|
DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
|
|
|
|
if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
|
|
DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
|
|
RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
|
|
return False;
|
|
}
|
|
|
|
/* This call sets the endianness in hps. */
|
|
|
|
if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
|
|
return False;
|
|
|
|
/* Ensure the endianness in rdata is set correctly - must be same as hps. */
|
|
|
|
if (hps.bigendian_data != rdata->bigendian_data) {
|
|
DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
|
|
rdata->bigendian_data ? "big" : "little",
|
|
hps.bigendian_data ? "big" : "little" ));
|
|
return False;
|
|
}
|
|
|
|
if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
|
|
DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
|
|
return False;
|
|
}
|
|
|
|
if (first) {
|
|
DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Now read the rest of the PDU.
|
|
*/
|
|
|
|
if (!rpc_read(cli, rdata, len, ¤t_offset))
|
|
return False;
|
|
|
|
fragment_start = current_offset - len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
|
|
|
|
/*
|
|
* Verify any authentication footer.
|
|
*/
|
|
|
|
if (rhdr.auth_len != 0 ) {
|
|
int auth_padding_len = 0;
|
|
|
|
if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
|
|
rhdr.auth_len, &auth_padding_len))
|
|
return False;
|
|
/*
|
|
* Drop the auth footers from the current offset.
|
|
* The auth footers consist of the auth_data and the
|
|
* preceeding 8 byte auth_header.
|
|
* We need this if there are more fragments.
|
|
*/
|
|
current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
|
|
}
|
|
}
|
|
|
|
return True;
|
|
}
|
|
|
|
/*******************************************************************
|
|
creates a DCE/RPC bind request
|
|
|
|
- initialises the parse structure.
|
|
- dynamically allocates the header data structure
|
|
- caller is expected to free the header data structure once used.
|
|
|
|
********************************************************************/
|
|
|
|
static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, BOOL do_netsec, uint32 rpc_call_id,
|
|
RPC_IFACE *abstract, RPC_IFACE *transfer,
|
|
const char *my_name, const char *domain, uint32 neg_flags)
|
|
{
|
|
RPC_HDR hdr;
|
|
RPC_HDR_RB hdr_rb;
|
|
char buffer[4096];
|
|
prs_struct auth_info;
|
|
int auth_len = 0;
|
|
|
|
prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
|
|
|
|
if (do_auth) {
|
|
RPC_HDR_AUTH hdr_auth;
|
|
RPC_AUTH_VERIFIER auth_verifier;
|
|
RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
|
|
|
|
/*
|
|
* Create the auth structs we will marshall.
|
|
*/
|
|
|
|
init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
|
|
init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
|
|
init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
|
|
|
|
/*
|
|
* Use the 4k buffer to store the auth info.
|
|
*/
|
|
|
|
prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
|
|
|
|
/*
|
|
* Now marshall the data into the temporary parse_struct.
|
|
*/
|
|
|
|
if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
|
|
return False;
|
|
}
|
|
|
|
if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
|
|
return False;
|
|
}
|
|
|
|
if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
|
|
return False;
|
|
}
|
|
|
|
/* Auth len in the rpc header doesn't include auth_header. */
|
|
auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
|
|
}
|
|
|
|
if (do_netsec) {
|
|
RPC_HDR_AUTH hdr_auth;
|
|
RPC_AUTH_NETSEC_NEG netsec_neg;
|
|
|
|
/*
|
|
* Create the auth structs we will marshall.
|
|
*/
|
|
|
|
init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
|
|
0x00, 1);
|
|
|
|
/* Use lp_workgroup() if domain not specified */
|
|
|
|
if (!domain || !domain[0])
|
|
domain = lp_workgroup();
|
|
|
|
init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
|
|
|
|
/*
|
|
* Use the 4k buffer to store the auth info.
|
|
*/
|
|
|
|
prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
|
|
|
|
/*
|
|
* Now marshall the data into the temporary parse_struct.
|
|
*/
|
|
|
|
if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
|
|
DEBUG(0,("Failed to marshall RPC_HDR_AUTH.\n"));
|
|
return False;
|
|
}
|
|
|
|
if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
|
|
&netsec_neg, &auth_info, 0)) {
|
|
DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
|
|
return False;
|
|
}
|
|
|
|
/* Auth len in the rpc header doesn't include auth_header. */
|
|
auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
|
|
}
|
|
|
|
/* create the request RPC_HDR */
|
|
init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
|
|
RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
|
|
auth_len);
|
|
|
|
if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
|
|
return False;
|
|
}
|
|
|
|
/* create the bind request RPC_HDR_RB */
|
|
init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
|
|
0x1, 0x0, 0x1, abstract, transfer);
|
|
|
|
/* Marshall the bind request data */
|
|
if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Grow the outgoing buffer to store any auth info.
|
|
*/
|
|
|
|
if(hdr.auth_len != 0) {
|
|
if(!prs_append_prs_data( rpc_out, &auth_info)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
|
|
return False;
|
|
}
|
|
}
|
|
|
|
return True;
|
|
}
|
|
|
|
/*******************************************************************
|
|
Creates a DCE/RPC bind authentication response.
|
|
This is the packet that is sent back to the server once we
|
|
have received a BIND-ACK, to finish the third leg of
|
|
the authentication handshake.
|
|
********************************************************************/
|
|
|
|
static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
|
|
const char *domain, const char *user_name, const char *my_name,
|
|
uint32 ntlmssp_cli_flgs,
|
|
uint32 rpc_call_id,
|
|
prs_struct *rpc_out)
|
|
{
|
|
unsigned char lm_owf[24];
|
|
unsigned char nt_owf[24];
|
|
RPC_HDR hdr;
|
|
RPC_HDR_AUTHA hdr_autha;
|
|
RPC_AUTH_VERIFIER auth_verifier;
|
|
RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
|
|
char buffer[4096];
|
|
prs_struct auth_info;
|
|
|
|
/*
|
|
* Marshall the variable length data into a temporary parse
|
|
* struct, pointing into a 4k local buffer.
|
|
*/
|
|
prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
|
|
|
|
/*
|
|
* Use the 4k buffer to store the auth info.
|
|
*/
|
|
|
|
prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
|
|
|
|
/*
|
|
* Create the variable length auth_data.
|
|
*/
|
|
|
|
init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
|
|
|
|
pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
|
|
|
|
init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
|
|
lm_owf, nt_owf,
|
|
domain, user_name, my_name,
|
|
ntlmssp_cli_flgs);
|
|
|
|
/*
|
|
* Marshall the variable length auth_data into a temp parse_struct.
|
|
*/
|
|
|
|
if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
|
|
DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
|
|
return False;
|
|
}
|
|
|
|
if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
|
|
DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
|
|
return False;
|
|
}
|
|
|
|
/* Create the request RPC_HDR */
|
|
init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
|
|
RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
|
|
prs_offset(&auth_info) );
|
|
|
|
/* Marshall it. */
|
|
if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
|
|
DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
|
|
return False;
|
|
}
|
|
|
|
/* Create the request RPC_HDR_AUTHA */
|
|
init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
|
|
NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
|
|
|
|
if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
|
|
DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Append the auth data to the outgoing buffer.
|
|
*/
|
|
|
|
if(!prs_append_prs_data(rpc_out, &auth_info)) {
|
|
DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
|
|
return False;
|
|
}
|
|
|
|
return True;
|
|
}
|
|
|
|
|
|
/*******************************************************************
|
|
Creates a DCE/RPC request.
|
|
********************************************************************/
|
|
|
|
static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
|
|
{
|
|
uint32 alloc_hint;
|
|
RPC_HDR hdr;
|
|
RPC_HDR_REQ hdr_req;
|
|
uint32 callid = oldid ? oldid : get_rpc_call_id();
|
|
|
|
DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
|
|
|
|
/* create the rpc header RPC_HDR */
|
|
init_rpc_hdr(&hdr, RPC_REQUEST, flags,
|
|
callid, data_len, auth_len);
|
|
|
|
/*
|
|
* The alloc hint should be the amount of data, not including
|
|
* RPC headers & footers.
|
|
*/
|
|
|
|
if (auth_len != 0)
|
|
alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
|
|
else
|
|
alloc_hint = data_len - RPC_HEADER_LEN;
|
|
|
|
DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
|
|
data_len, auth_len, alloc_hint));
|
|
|
|
/* Create the rpc request RPC_HDR_REQ */
|
|
init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
|
|
|
|
/* stream-time... */
|
|
if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
|
|
return 0;
|
|
|
|
if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
|
|
return 0;
|
|
|
|
if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
|
|
return 0;
|
|
|
|
return callid;
|
|
}
|
|
|
|
/*******************************************************************
|
|
Puts an NTLMSSP auth header into an rpc request.
|
|
********************************************************************/
|
|
|
|
static BOOL create_ntlmssp_auth_hdr(prs_struct *outgoing_packet, BOOL auth_verify)
|
|
{
|
|
RPC_HDR_AUTH hdr_auth;
|
|
|
|
init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
|
|
NTLMSSP_AUTH_LEVEL, 0x08,
|
|
(auth_verify ? 1 : 0));
|
|
if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
|
|
outgoing_packet, 0)) {
|
|
DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
|
|
return False;
|
|
}
|
|
return True;
|
|
}
|
|
|
|
/*******************************************************************
|
|
Puts a NETLOGON schannel auth header into an rpc request.
|
|
********************************************************************/
|
|
|
|
static BOOL create_netsec_auth_hdr(prs_struct *outgoing_packet, int padding)
|
|
{
|
|
RPC_HDR_AUTH hdr_auth;
|
|
|
|
init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE,
|
|
NETSEC_AUTH_LEVEL, padding, 1);
|
|
if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
|
|
outgoing_packet, 0)) {
|
|
DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
|
|
return False;
|
|
}
|
|
return True;
|
|
}
|
|
|
|
/*******************************************************************
|
|
Puts auth data into an rpc request.
|
|
********************************************************************/
|
|
|
|
static BOOL create_auth_data(struct cli_state *cli, uint32 crc32,
|
|
prs_struct *outgoing_packet)
|
|
{
|
|
char *pdata_out = prs_data_p(outgoing_packet);
|
|
RPC_AUTH_NTLMSSP_CHK chk;
|
|
uint32 current_offset = prs_offset(outgoing_packet);
|
|
|
|
init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION,
|
|
crc32, cli->ntlmssp_seq_num++);
|
|
if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk,
|
|
outgoing_packet, 0)) {
|
|
DEBUG(0,("create_auth_data: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
|
|
return False;
|
|
}
|
|
NTLMSSPcalc_ap(cli, (unsigned char*)
|
|
&pdata_out[current_offset+4],
|
|
RPC_AUTH_NTLMSSP_CHK_LEN - 4);
|
|
return True;
|
|
}
|
|
|
|
/**
|
|
* Send a request on an RPC pipe and get a response.
|
|
*
|
|
* @param data NDR contents of the request to be sent.
|
|
* @param rdata Unparsed NDR response data.
|
|
**/
|
|
|
|
BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
|
|
prs_struct *data, prs_struct *rdata)
|
|
{
|
|
uint32 auth_len, max_data, data_left, data_sent;
|
|
BOOL ret = False;
|
|
BOOL auth_verify, auth_seal, auth_schannel;
|
|
uint32 callid = 0;
|
|
fstring dump_name;
|
|
|
|
auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
|
|
auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
|
|
auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
|
|
|
|
auth_len = 0;
|
|
|
|
if (auth_verify)
|
|
auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
|
|
|
|
if (auth_schannel)
|
|
auth_len = RPC_AUTH_NETSEC_CHK_LEN;
|
|
|
|
/*
|
|
* calc how much actual data we can send in a PDU fragment
|
|
*/
|
|
max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
|
|
(auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len - 8;
|
|
|
|
for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
|
|
prs_struct outgoing_packet;
|
|
uint32 data_len, send_size;
|
|
uint8 flags = 0;
|
|
uint32 crc32 = 0;
|
|
uint32 auth_padding = 0;
|
|
RPC_AUTH_NETSEC_CHK verf;
|
|
|
|
/*
|
|
* how much will we send this time
|
|
*/
|
|
send_size = MIN(data_left, max_data);
|
|
|
|
/*
|
|
* NT expects the data that is sealed to be 8-byte
|
|
* aligned. The padding must be encrypted as well and
|
|
* taken into account when generating the
|
|
* authentication verifier. The amount of padding must
|
|
* be stored in the auth header.
|
|
*/
|
|
|
|
if (auth_schannel) {
|
|
if (send_size % 8)
|
|
auth_padding = 8 - (send_size % 8);
|
|
}
|
|
|
|
data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + send_size +
|
|
((auth_verify|auth_schannel) ? RPC_HDR_AUTH_LEN : 0) +
|
|
auth_len + auth_padding;
|
|
|
|
/*
|
|
* Malloc parse struct to hold it (and enough for alignments).
|
|
*/
|
|
if(!prs_init(&outgoing_packet, data_len + 8,
|
|
cli->mem_ctx, MARSHALL)) {
|
|
DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
|
|
return False;
|
|
}
|
|
|
|
if (data_left == prs_offset(data))
|
|
flags |= RPC_FLG_FIRST;
|
|
|
|
if (data_left <= max_data)
|
|
flags |= RPC_FLG_LAST;
|
|
/*
|
|
* Write out the RPC header and the request header.
|
|
*/
|
|
if(!(callid = create_rpc_request(&outgoing_packet, op_num,
|
|
data_len, auth_len, flags,
|
|
callid, data_left))) {
|
|
DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Seal the outgoing data if requested.
|
|
*/
|
|
if (auth_seal) {
|
|
crc32 = crc32_calc_buffer(prs_data_p(data) + data_sent,
|
|
send_size);
|
|
NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data) +
|
|
data_sent, send_size);
|
|
}
|
|
|
|
/*
|
|
* Now copy the data into the outgoing packet.
|
|
*/
|
|
|
|
if (auth_schannel) {
|
|
static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
|
|
static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
|
|
uchar sign[8];
|
|
prs_struct netsec_blob;
|
|
|
|
if ((cli->auth_info.seq_num & 1) != 0) {
|
|
DEBUG(0,("SCHANNEL ERROR: seq_num must be even in client (seq_num=%d)\n",
|
|
cli->auth_info.seq_num));
|
|
}
|
|
|
|
DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
|
|
|
|
RSIVAL(sign, 0, cli->auth_info.seq_num);
|
|
SIVAL(sign, 4, 0x80);
|
|
|
|
if (!prs_init(&netsec_blob, send_size+auth_padding,
|
|
cli->mem_ctx, MARSHALL)) {
|
|
DEBUG(0,("Could not malloc %u bytes",
|
|
send_size+auth_padding));
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
|
|
if(!prs_append_some_prs_data(&netsec_blob, data,
|
|
data_sent, send_size)) {
|
|
DEBUG(0,("Failed to append data to netsec blob\n"));
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
|
|
netsec_blob.align = 8;
|
|
|
|
if (!prs_align(&netsec_blob)) {
|
|
DEBUG(0,("Could not align netsec blob\n"));
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
|
|
init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes,
|
|
sign, nullbytes);
|
|
|
|
netsec_encode(&cli->auth_info, &verf,
|
|
prs_data_p(&netsec_blob),
|
|
prs_data_size(&netsec_blob));
|
|
|
|
prs_append_prs_data(&outgoing_packet, &netsec_blob);
|
|
prs_mem_free(&netsec_blob);
|
|
|
|
cli->auth_info.seq_num++;
|
|
|
|
} else {
|
|
if(!prs_append_some_prs_data(&outgoing_packet, data,
|
|
data_sent, send_size)) {
|
|
DEBUG(0,("rpc_api_pipe_req: Failed to append "
|
|
"data to outgoing packet.\n"));
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Add a trailing auth_verifier if needed.
|
|
*/
|
|
if (auth_seal || auth_verify) {
|
|
if(!create_ntlmssp_auth_hdr(&outgoing_packet, auth_verify)) {
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Finally the auth data itself.
|
|
*/
|
|
if (auth_verify) {
|
|
if (!create_auth_data(cli, crc32, &outgoing_packet)) {
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
if (auth_schannel) {
|
|
|
|
if (!create_netsec_auth_hdr(&outgoing_packet,
|
|
auth_padding)) {
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
|
|
if (!smb_io_rpc_auth_netsec_chk("", &verf,
|
|
&outgoing_packet, 0)) {
|
|
prs_mem_free(&outgoing_packet);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
|
|
prs_offset(&outgoing_packet)));
|
|
|
|
if (flags & RPC_FLG_LAST)
|
|
ret = rpc_api_pipe(cli, &outgoing_packet, rdata);
|
|
else {
|
|
cli_write(cli, cli->nt_pipe_fnum, 0x0008,
|
|
prs_data_p(&outgoing_packet),
|
|
data_sent, data_len);
|
|
}
|
|
prs_mem_free(&outgoing_packet);
|
|
data_sent += send_size;
|
|
data_left -= send_size;
|
|
}
|
|
/* Also capture received data */
|
|
slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
|
|
cli_pipe_get_name(cli));
|
|
prs_dump(dump_name, op_num, rdata);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Set the handle state.
|
|
****************************************************************************/
|
|
|
|
static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
|
|
{
|
|
BOOL state_set = False;
|
|
char param[2];
|
|
uint16 setup[2]; /* only need 2 uint16 setup parameters */
|
|
char *rparam = NULL;
|
|
char *rdata = NULL;
|
|
uint32 rparam_len, rdata_len;
|
|
|
|
if (pipe_name == NULL)
|
|
return False;
|
|
|
|
DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
|
|
cli->nt_pipe_fnum, pipe_name, device_state));
|
|
|
|
/* create parameters: device state */
|
|
SSVAL(param, 0, device_state);
|
|
|
|
/* create setup parameters. */
|
|
setup[0] = 0x0001;
|
|
setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
|
|
|
|
/* send the data on \PIPE\ */
|
|
if (cli_api_pipe(cli, "\\PIPE\\",
|
|
setup, 2, 0, /* setup, length, max */
|
|
param, 2, 0, /* param, length, max */
|
|
NULL, 0, 1024, /* data, length, max */
|
|
&rparam, &rparam_len, /* return param, length */
|
|
&rdata, &rdata_len)) /* return data, length */
|
|
{
|
|
DEBUG(5, ("Set Handle state: return OK\n"));
|
|
state_set = True;
|
|
}
|
|
|
|
SAFE_FREE(rparam);
|
|
SAFE_FREE(rdata);
|
|
|
|
return state_set;
|
|
}
|
|
|
|
/****************************************************************************
|
|
check the rpc bind acknowledge response
|
|
****************************************************************************/
|
|
|
|
int get_pipe_index( const char *pipe_name )
|
|
{
|
|
int pipe_idx = 0;
|
|
|
|
while (pipe_names[pipe_idx].client_pipe != NULL) {
|
|
if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
|
|
return pipe_idx;
|
|
pipe_idx++;
|
|
};
|
|
|
|
return -1;
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
check the rpc bind acknowledge response
|
|
****************************************************************************/
|
|
|
|
const char* get_pipe_name_from_index( const int pipe_index )
|
|
{
|
|
|
|
if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
|
|
return NULL;
|
|
|
|
return pipe_names[pipe_index].client_pipe;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Check to see if this pipe index points to one of
|
|
the pipes only supported by Win2k
|
|
****************************************************************************/
|
|
|
|
BOOL is_win2k_pipe( const int pipe_idx )
|
|
{
|
|
switch ( pipe_idx )
|
|
{
|
|
case PI_LSARPC_DS:
|
|
return True;
|
|
}
|
|
|
|
return False;
|
|
}
|
|
|
|
/****************************************************************************
|
|
check the rpc bind acknowledge response
|
|
****************************************************************************/
|
|
|
|
static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
|
|
{
|
|
if ( pipe_idx >= PI_MAX_PIPES ) {
|
|
DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
|
|
pipe_idx));
|
|
return False;
|
|
}
|
|
|
|
DEBUG(5,("Bind Abstract Syntax: "));
|
|
dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
|
|
sizeof(pipe_names[pipe_idx].abstr_syntax));
|
|
DEBUG(5,("Bind Transfer Syntax: "));
|
|
dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
|
|
sizeof(pipe_names[pipe_idx].trans_syntax));
|
|
|
|
/* copy the required syntaxes out so we can do the right bind */
|
|
|
|
*transfer = pipe_names[pipe_idx].trans_syntax;
|
|
*abstract = pipe_names[pipe_idx].abstr_syntax;
|
|
|
|
return True;
|
|
}
|
|
|
|
/****************************************************************************
|
|
check the rpc bind acknowledge response
|
|
****************************************************************************/
|
|
|
|
static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
|
|
{
|
|
int i = 0;
|
|
|
|
if ( hdr_ba->addr.len <= 0)
|
|
return False;
|
|
|
|
if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe ))
|
|
{
|
|
DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
|
|
pipe_names[i].server_pipe ,hdr_ba->addr.str));
|
|
return False;
|
|
}
|
|
|
|
DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
|
|
|
|
if (pipe_names[pipe_idx].server_pipe == NULL) {
|
|
DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
|
|
return False;
|
|
}
|
|
|
|
/* check the transfer syntax */
|
|
if ((hdr_ba->transfer.version != transfer->version) ||
|
|
(memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
|
|
DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
|
|
return False;
|
|
}
|
|
|
|
/* lkclXXXX only accept one result: check the result(s) */
|
|
if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
|
|
DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
|
|
hdr_ba->res.num_results, hdr_ba->res.reason));
|
|
}
|
|
|
|
DEBUG(5,("bind_rpc_pipe: accepted!\n"));
|
|
return True;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Create and send the third packet in an RPC auth.
|
|
****************************************************************************/
|
|
|
|
static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
|
|
{
|
|
RPC_HDR_AUTH rhdr_auth;
|
|
RPC_AUTH_VERIFIER rhdr_verf;
|
|
RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
|
|
char buffer[MAX_PDU_FRAG_LEN];
|
|
prs_struct rpc_out;
|
|
ssize_t ret;
|
|
|
|
unsigned char p24[24];
|
|
unsigned char lm_owf[24];
|
|
unsigned char lm_hash[16];
|
|
|
|
if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
|
|
DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
|
|
return False;
|
|
}
|
|
if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
|
|
DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
|
|
return False;
|
|
}
|
|
if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
|
|
DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
|
|
return False;
|
|
}
|
|
|
|
cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
|
|
|
|
pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
|
|
|
|
prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
|
|
|
|
prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
|
|
|
|
create_rpc_bind_resp(&cli->pwd, cli->domain,
|
|
cli->user_name, global_myname(),
|
|
cli->ntlmssp_cli_flgs, rpc_call_id,
|
|
&rpc_out);
|
|
|
|
pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
|
|
pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
|
|
|
|
NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
|
|
|
|
{
|
|
unsigned char j = 0;
|
|
int ind;
|
|
unsigned char k2[8];
|
|
|
|
memcpy(k2, p24, 5);
|
|
k2[5] = 0xe5;
|
|
k2[6] = 0x38;
|
|
k2[7] = 0xb0;
|
|
|
|
for (ind = 0; ind < 256; ind++)
|
|
cli->ntlmssp_hash[ind] = (unsigned char)ind;
|
|
|
|
for( ind = 0; ind < 256; ind++) {
|
|
unsigned char tc;
|
|
|
|
j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
|
|
|
|
tc = cli->ntlmssp_hash[ind];
|
|
cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
|
|
cli->ntlmssp_hash[j] = tc;
|
|
}
|
|
|
|
cli->ntlmssp_hash[256] = 0;
|
|
cli->ntlmssp_hash[257] = 0;
|
|
}
|
|
|
|
memset((char *)lm_hash, '\0', sizeof(lm_hash));
|
|
|
|
if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
|
|
0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
|
|
DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
|
|
return False;
|
|
}
|
|
|
|
cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
|
|
return True;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Do an rpc bind.
|
|
****************************************************************************/
|
|
|
|
static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name,
|
|
BOOL do_netsec)
|
|
{
|
|
RPC_IFACE abstract;
|
|
RPC_IFACE transfer;
|
|
prs_struct rpc_out;
|
|
prs_struct rdata;
|
|
BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
|
|
uint32 rpc_call_id;
|
|
char buffer[MAX_PDU_FRAG_LEN];
|
|
|
|
if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
|
|
return False;
|
|
|
|
DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
|
|
|
|
if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
|
|
return False;
|
|
|
|
prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
|
|
|
|
/*
|
|
* Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
|
|
*/
|
|
|
|
prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
|
|
|
|
rpc_call_id = get_rpc_call_id();
|
|
|
|
/* Marshall the outgoing data. */
|
|
create_rpc_bind_req(&rpc_out, do_auth, do_netsec, rpc_call_id,
|
|
&abstract, &transfer,
|
|
global_myname(), cli->domain, cli->ntlmssp_cli_flgs);
|
|
|
|
/* Initialize the incoming data struct. */
|
|
prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
|
|
|
|
/* send data on \PIPE\. receive a response */
|
|
if (rpc_api_pipe(cli, &rpc_out, &rdata)) {
|
|
RPC_HDR_BA hdr_ba;
|
|
|
|
DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
|
|
|
|
if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
|
|
DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
|
|
prs_mem_free(&rdata);
|
|
return False;
|
|
}
|
|
|
|
if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
|
|
DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
|
|
prs_mem_free(&rdata);
|
|
return False;
|
|
}
|
|
|
|
cli->max_xmit_frag = hdr_ba.bba.max_tsize;
|
|
cli->max_recv_frag = hdr_ba.bba.max_rsize;
|
|
|
|
/*
|
|
* If we're doing NTLMSSP auth we need to send a reply to
|
|
* the bind-ack to complete the 3-way challenge response
|
|
* handshake.
|
|
*/
|
|
|
|
if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
|
|
DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
|
|
prs_mem_free(&rdata);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
prs_mem_free(&rdata);
|
|
return True;
|
|
}
|
|
|
|
/****************************************************************************
|
|
Open a session.
|
|
****************************************************************************/
|
|
|
|
BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
|
|
{
|
|
int fnum;
|
|
|
|
/* At the moment we can't have more than one pipe open over
|
|
a cli connection. )-: */
|
|
|
|
SMB_ASSERT(cli->nt_pipe_fnum == 0);
|
|
|
|
/* The pipe index must fall within our array */
|
|
|
|
SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
|
|
|
|
if (cli->capabilities & CAP_NT_SMBS) {
|
|
if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
|
|
DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
|
|
&pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
|
|
return False;
|
|
}
|
|
|
|
cli->nt_pipe_fnum = (uint16)fnum;
|
|
} else {
|
|
if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
|
|
DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
|
|
pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
|
|
return False;
|
|
}
|
|
|
|
cli->nt_pipe_fnum = (uint16)fnum;
|
|
|
|
/**************** Set Named Pipe State ***************/
|
|
if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
|
|
DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
|
|
cli_errstr(cli)));
|
|
cli_close(cli, cli->nt_pipe_fnum);
|
|
return False;
|
|
}
|
|
}
|
|
|
|
/******************* bind request on pipe *****************/
|
|
|
|
if (!rpc_pipe_bind(cli, pipe_idx, global_myname(), False)) {
|
|
DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
|
|
get_pipe_name_from_index(pipe_idx)));
|
|
cli_close(cli, cli->nt_pipe_fnum);
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Setup the remote server name prefixed by \ and the machine account name.
|
|
*/
|
|
|
|
fstrcpy(cli->srv_name_slash, "\\\\");
|
|
fstrcat(cli->srv_name_slash, cli->desthost);
|
|
strupper(cli->srv_name_slash);
|
|
|
|
fstrcpy(cli->clnt_name_slash, "\\\\");
|
|
fstrcat(cli->clnt_name_slash, global_myname());
|
|
strupper(cli->clnt_name_slash);
|
|
|
|
fstrcpy(cli->mach_acct, global_myname());
|
|
fstrcat(cli->mach_acct, "$");
|
|
strupper(cli->mach_acct);
|
|
|
|
/* Remember which pipe we're talking to */
|
|
fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
|
|
|
|
return True;
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
Open a session to the NETLOGON pipe using schannel.
|
|
****************************************************************************/
|
|
|
|
NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
|
|
const char *trust_password)
|
|
{
|
|
NTSTATUS result;
|
|
uint32 neg_flags = 0x000001ff;
|
|
int fnum;
|
|
|
|
if (lp_client_schannel() != False)
|
|
neg_flags |= NETLOGON_NEG_SCHANNEL;
|
|
|
|
result = cli_nt_setup_creds(cli, sec_chan, trust_password,
|
|
&neg_flags, 2);
|
|
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
cli_nt_session_close(cli);
|
|
return result;
|
|
}
|
|
|
|
if ((lp_client_schannel() == True) &&
|
|
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
|
|
|
|
DEBUG(3, ("Server did not offer schannel\n"));
|
|
cli_nt_session_close(cli);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
if ((lp_client_schannel() == False) ||
|
|
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/* Server offered schannel, so try it. */
|
|
|
|
cli->auth_info.seq_num = 0;
|
|
memcpy(cli->auth_info.sess_key, cli->sess_key,
|
|
sizeof(cli->auth_info.sess_key));
|
|
|
|
cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
|
|
|
|
if (cli->capabilities & CAP_NT_SMBS) {
|
|
|
|
/* The secure channel connection must be opened on the same
|
|
session (TCP connection) as the one the challenge was
|
|
requested from. */
|
|
|
|
if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
|
|
DESIRED_ACCESS_PIPE)) == -1) {
|
|
DEBUG(0,("cli_nt_create failed to %s machine %s. "
|
|
"Error was %s\n",
|
|
PIPE_NETLOGON, cli->desthost,
|
|
cli_errstr(cli)));
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
cli->nt_pipe_fnum = (uint16)fnum;
|
|
} else {
|
|
if ((fnum = cli_open(cli, PIPE_NETLOGON,
|
|
O_CREAT|O_RDWR, DENY_NONE)) == -1) {
|
|
DEBUG(0,("cli_open failed on pipe %s to machine %s. "
|
|
"Error was %s\n",
|
|
PIPE_NETLOGON, cli->desthost,
|
|
cli_errstr(cli)));
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
cli->nt_pipe_fnum = (uint16)fnum;
|
|
|
|
/**************** Set Named Pipe State ***************/
|
|
if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
|
|
DEBUG(0,("Pipe hnd state failed. Error was %s\n",
|
|
cli_errstr(cli)));
|
|
cli_close(cli, cli->nt_pipe_fnum);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
}
|
|
|
|
if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname(), True)) {
|
|
DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
|
|
cli_close(cli, cli->nt_pipe_fnum);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
|
|
const char *cli_pipe_get_name(struct cli_state *cli)
|
|
{
|
|
return cli->pipe_name;
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
close the session
|
|
****************************************************************************/
|
|
|
|
void cli_nt_session_close(struct cli_state *cli)
|
|
{
|
|
if (cli->saved_netlogon_pipe_fnum != 0) {
|
|
cli_close(cli, cli->saved_netlogon_pipe_fnum);
|
|
cli->saved_netlogon_pipe_fnum = 0;
|
|
}
|
|
cli_close(cli, cli->nt_pipe_fnum);
|
|
cli->nt_pipe_fnum = 0;
|
|
}
|