| blob | 50914acfbde1f2122814e229645629ba8543c50c |
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
40 {
45 }
47 }
50 {
52 }
54 /*******************************************************************
55 Generate the next PDU to be returned from the data in p->rdata.
56 Handle NTLMSSP.
57 ********************************************************************/
60 {
61 RPC_HDR_RESP hdr_resp;
63 uint32 data_space_available;
64 uint32 data_len_left;
65 uint32 data_len;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
73 /*
74 * If we're in the fault state, keep returning fault PDU's until
75 * the pipe gets closed. JRA.
76 */
81 }
85 /* Change the incoming request header to a response. */
88 /* Set up rpc header flags. */
93 }
95 /*
96 * Work out how much we can fit in a single PDU.
97 */
101 /*
102 * Ensure there really is data left to send.
103 */
108 }
110 /* Space available - not including padding. */
114 /*
115 * The amount we send is the minimum of the available
116 * space and the amount left to send.
117 */
121 /* Work out any padding alignment requirements. */
126 ss_padding_len ));
127 /* If we're over filling the packet, we need to make space
128 * for the padding at the end of the data. */
131 }
132 }
134 /*
135 * Set up the alloc hint. This should be the data left to
136 * send.
137 */
141 /*
142 * Work out if this PDU will be the last.
143 */
147 }
149 /*
150 * Set up the header lengths.
151 */
159 /*
160 * Init the parse struct to point at the outgoing
161 * data.
162 */
166 /* Store the header in the data stream. */
171 }
177 }
179 /* Copy the data into the PDU. */
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
186 }
188 /* Copy the sign/seal padding data. */
194 ss_padding_len)) {
199 }
200 }
203 /* Now write out the auth header and null blob. */
208 }
213 }
222 }
224 /* Generate the sign blob. */
229 /* Data portion is encrypted. */
242 }
245 /* Data is signed. */
258 }
264 }
266 /* Append the auth blob. */
268 NTLMSSP_SIG_SIZE)) {
274 }
277 /*
278 * Setup the counts for this PDU.
279 */
285 }
287 /*******************************************************************
288 Generate the next PDU to be returned from the data in p->rdata.
289 Return an schannel authenticated fragment.
290 ********************************************************************/
293 {
294 RPC_HDR_RESP hdr_resp;
296 uint32 data_len;
297 uint32 data_space_available;
298 uint32 data_len_left;
299 uint32 data_pos;
300 NTSTATUS status;
302 /*
303 * If we're in the fault state, keep returning fault PDU's until
304 * the pipe gets closed. JRA.
305 */
310 }
314 /* Change the incoming request header to a response. */
317 /* Set up rpc header flags. */
322 }
324 /*
325 * Work out how much we can fit in a single PDU.
326 */
330 /*
331 * Ensure there really is data left to send.
332 */
337 }
339 /* Space available - not including padding. */
344 /*
345 * The amount we send is the minimum of the available
346 * space and the amount left to send.
347 */
351 /* Work out any padding alignment requirements. */
356 ss_padding_len ));
357 /* If we're over filling the packet, we need to make space
358 * for the padding at the end of the data. */
361 }
362 }
364 /*
365 * Set up the alloc hint. This should be the data left to
366 * send.
367 */
371 /*
372 * Work out if this PDU will be the last.
373 */
377 }
383 /*
384 * Init the parse struct to point at the outgoing
385 * data.
386 */
390 /* Store the header in the data stream. */
395 }
401 }
403 /* Store the current offset. */
406 /* Copy the data into the PDU. */
410 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
413 }
415 /* Copy the sign/seal padding data. */
420 ss_padding_len)) {
421 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
424 }
425 }
427 {
428 /*
429 * Schannel processing.
430 */
431 RPC_HDR_AUTH auth_info;
432 DATA_BLOB blob;
435 /* Check it's the type of reply we were expecting to decode */
438 DCERPC_AUTH_TYPE_SCHANNEL,
448 }
457 data,
465 data,
472 }
479 }
481 /* Finally marshall the blob. */
485 }
490 }
491 }
493 /*
494 * Setup the counts for this PDU.
495 */
501 }
503 /*******************************************************************
504 Generate the next PDU to be returned from the data in p->rdata.
505 No authentication done.
506 ********************************************************************/
509 {
510 RPC_HDR_RESP hdr_resp;
511 uint32 data_len;
512 uint32 data_space_available;
513 uint32 data_len_left;
515 /*
516 * If we're in the fault state, keep returning fault PDU's until
517 * the pipe gets closed. JRA.
518 */
523 }
527 /* Change the incoming request header to a response. */
530 /* Set up rpc header flags. */
535 }
537 /*
538 * Work out how much we can fit in a single PDU.
539 */
543 /*
544 * Ensure there really is data left to send.
545 */
550 }
555 /*
556 * The amount we send is the minimum of the available
557 * space and the amount left to send.
558 */
562 /*
563 * Set up the alloc hint. This should be the data left to
564 * send.
565 */
569 /*
570 * Work out if this PDU will be the last.
571 */
575 }
577 /*
578 * Set up the header lengths.
579 */
584 /*
585 * Init the parse struct to point at the outgoing
586 * data.
587 */
591 /* Store the header in the data stream. */
596 }
602 }
604 /* Copy the data into the PDU. */
608 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
611 }
613 /*
614 * Setup the counts for this PDU.
615 */
621 }
623 /*******************************************************************
624 Generate the next PDU to be returned from the data in p->rdata.
625 ********************************************************************/
628 {
632 /* This is incorrect for auth level connect. Fixme. JRA */
644 }
645 }
651 }
653 /*******************************************************************
654 Process an NTLMSSP authentication response.
655 If this function succeeds, the user has been authenticated
656 and their domain, name and calling workstation stored in
657 the pipe struct.
658 *******************************************************************/
661 {
663 NTSTATUS status;
672 /* this has to be done as root in order to verify the password */
677 /* Don't generate a reply. */
682 }
684 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
685 ensure the underlying NTLMSSP flags are also set. If not we should
686 refuse the bind. */
695 }
696 }
704 }
705 }
717 DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user\n"));
719 }
724 }
726 /*
727 * We're an authenticated bind over smb, so the session key needs to
728 * be set to "SystemLibraryDTC". Weird, but this is what Windows
729 * does. See the RPC-SAMBA3SESSIONKEY.
730 */
735 }
742 }
744 /*******************************************************************
745 The switch table for the pipe names and the functions to handle them.
746 *******************************************************************/
756 };
761 /*******************************************************************
762 This is the "stage3" NTLMSSP response after a bind request and reply.
763 *******************************************************************/
766 {
767 RPC_HDR_AUTH auth_info;
769 DATA_BLOB blob;
779 }
781 /* 4 bytes padding. */
785 }
787 /* Ensure there's enough data for an authenticated request. */
794 }
796 /*
797 * Decode the authentication verifier response.
798 */
800 /* Pull the auth header and the following data into a blob. */
801 /* NB. The offset of the auth_header is relative to the *end*
802 * of the packet, not the start. Also, the length of the
803 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
804 * as the RPC header isn't included in rpc_in_p. */
813 }
819 }
821 /* We must NEVER look at auth_info->auth_pad_len here,
822 * as old Samba client code gets it wrong and sends it
823 * as zero. JRA.
824 */
830 }
838 }
840 /*
841 * The following call actually checks the challenge/response data.
842 * for correctness against the given DOMAIN\user name.
843 */
847 }
855 err:
862 }
864 /*******************************************************************
865 Marshall a bind_nak pdu.
866 *******************************************************************/
869 {
870 RPC_HDR nak_hdr;
873 /* Free any memory in the current return data buffer. */
876 /*
877 * Marshall directly into the outgoing PDU space. We
878 * must do this as we need to set to the bind response
879 * header and are never sending more than one PDU here.
880 */
884 /*
885 * Initialize a bind_nak header.
886 */
891 /*
892 * Marshall the header into the outgoing PDU.
893 */
899 }
901 /*
902 * Now add the reject reason.
903 */
908 }
915 }
921 }
923 /*******************************************************************
924 Marshall a fault pdu.
925 *******************************************************************/
928 {
929 RPC_HDR fault_hdr;
930 RPC_HDR_RESP hdr_resp;
931 RPC_HDR_FAULT fault_resp;
933 /* Free any memory in the current return data buffer. */
936 /*
937 * Marshall directly into the outgoing PDU space. We
938 * must do this as we need to set to the bind response
939 * header and are never sending more than one PDU here.
940 */
944 /*
945 * Initialize a fault header.
946 */
948 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
951 /*
952 * Initialize the HDR_RESP and FAULT parts of the PDU.
953 */
960 /*
961 * Marshall the header into the outgoing PDU.
962 */
968 }
974 }
980 }
986 }
988 #if 0
989 /*******************************************************************
990 Marshall a cancel_ack pdu.
991 We should probably check the auth-verifier here.
992 *******************************************************************/
995 {
996 prs_struct outgoing_pdu;
997 RPC_HDR ack_reply_hdr;
999 /* Free any memory in the current return data buffer. */
1002 /*
1003 * Marshall directly into the outgoing PDU space. We
1004 * must do this as we need to set to the bind response
1005 * header and are never sending more than one PDU here.
1006 */
1009 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1011 /*
1012 * Initialize a cancel_ack header.
1013 */
1015 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1018 /*
1019 * Marshall the header into the outgoing PDU.
1020 */
1026 }
1034 }
1035 #endif
1037 /*******************************************************************
1038 Ensure a bind request has the correct abstract & transfer interface.
1039 Used to reject unknown binds from Win2k.
1040 *******************************************************************/
1045 uint32 context_id)
1046 {
1053 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1062 }
1063 }
1067 }
1073 }
1079 /* add to the list of open contexts */
1084 }
1086 /*******************************************************************
1087 Register commands to an RPC pipe
1088 *******************************************************************/
1093 {
1098 }
1102 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1106 }
1108 /* TODO:
1109 *
1110 * we still need to make sure that don't register the same commands twice!!!
1111 *
1112 * --metze
1113 */
1115 /* We use a temporary variable because this call can fail and
1116 rpc_lookup will still be valid afterwards. It could then succeed if
1117 called again later */
1118 rpc_lookup_size++;
1119 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1121 rpc_lookup_size--;
1126 }
1137 }
1139 /**
1140 * Is a named pipe known?
1141 * @param[in] cli_filename The pipe name requested by the client
1142 * @result Do we want to serve this?
1143 */
1145 {
1148 NTSTATUS status;
1152 }
1156 }
1161 }
1167 }
1168 }
1174 }
1177 /*
1178 * Scan the list again for the interface id
1179 */
1185 }
1186 }
1189 pipename));
1192 }
1194 /*******************************************************************
1195 Handle a SPNEGO krb5 bind auth.
1196 *******************************************************************/
1198 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1200 {
1202 }
1204 /*******************************************************************
1205 Handle the first part of a SPNEGO bind auth.
1206 *******************************************************************/
1211 {
1212 DATA_BLOB blob;
1213 DATA_BLOB secblob;
1214 DATA_BLOB response;
1215 DATA_BLOB chal;
1218 NTSTATUS status;
1221 RPC_HDR_AUTH auth_info;
1227 /* Grab the SPNEGO blob. */
1231 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1234 }
1238 }
1240 /* parse out the OIDs and the first sec blob */
1244 }
1248 }
1253 }
1254 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1261 }
1264 /* Free any previous auth type. */
1266 }
1269 /* Initialize the NTLM engine. */
1273 }
1275 /*
1276 * Pass the first security blob of data to it.
1277 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1278 * which means we need another packet to complete the bind.
1279 */
1286 }
1288 /* Generate the response blob we need for step 2 of the bind. */
1291 /*
1292 * SPNEGO negotiate down to NTLMSSP. The subsequent
1293 * code to process follow-up packets is not complete
1294 * yet. JRA.
1295 */
1297 NT_STATUS_MORE_PROCESSING_REQUIRED,
1298 OID_NTLMSSP);
1299 }
1301 /* auth_pad_len will be handled by the caller */
1303 /* Copy the blob into the pout_auth parse struct */
1309 }
1314 }
1325 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1328 err:
1338 }
1340 /*******************************************************************
1341 Handle the second part of a SPNEGO bind auth.
1342 *******************************************************************/
1347 {
1348 RPC_HDR_AUTH auth_info;
1349 DATA_BLOB spnego_blob;
1350 DATA_BLOB auth_blob;
1351 DATA_BLOB auth_reply;
1352 DATA_BLOB response;
1360 /*
1361 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1362 * fail here as 'a' == NULL.
1363 */
1367 }
1369 /* Grab the SPNEGO blob. */
1373 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1376 }
1381 }
1386 }
1388 /*
1389 * The following call actually checks the challenge/response data.
1390 * for correctness against the given DOMAIN\user name.
1391 */
1395 }
1400 /* Generate the spnego "accept completed" blob - no incoming data. */
1403 /* FIXME - add auth_pad_len here ! */
1405 /* Copy the blob into the pout_auth parse struct */
1411 }
1416 }
1425 err:
1436 }
1438 /*******************************************************************
1439 Handle an schannel bind auth.
1440 *******************************************************************/
1445 {
1446 RPC_HDR_AUTH auth_info;
1450 NTSTATUS status;
1452 DATA_BLOB session_key;
1454 DATA_BLOB blob;
1464 }
1468 }
1473 }
1475 /*
1476 * The neg.oem_netbios_computer.a key here must match the remote computer name
1477 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1478 * operations that use credentials.
1479 */
1487 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1489 }
1495 }
1502 /*
1503 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1504 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1505 * struct of the person who opened the pipe. I need to test this further. JRA.
1506 *
1507 * VL. As we are mapping this to guest set the generic key
1508 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1509 * W2k3, as it does not allow schannel binds against SAMR and LSA
1510 * anymore.
1511 */
1518 }
1527 }
1534 }
1536 /*** SCHANNEL verifier ***/
1541 * this has any meaning
1542 * here - gd */
1549 }
1553 }
1557 }
1562 /* We're finished with this bind - no more packets. */
1569 }
1571 /*******************************************************************
1572 Handle an NTLMSSP bind auth.
1573 *******************************************************************/
1578 {
1579 RPC_HDR_AUTH auth_info;
1580 DATA_BLOB blob;
1581 DATA_BLOB response;
1582 NTSTATUS status;
1588 /* Grab the NTLMSSP blob. */
1595 }
1600 }
1602 /* We have an NTLMSSP blob. */
1608 }
1615 }
1619 /* Copy the blob into the pout_auth parse struct */
1625 }
1630 }
1641 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1644 err:
1652 }
1654 /*******************************************************************
1655 Respond to a pipe bind request.
1656 *******************************************************************/
1659 {
1660 RPC_HDR_BA hdr_ba;
1661 RPC_HDR_RB hdr_rb;
1662 RPC_HDR_AUTH auth_info;
1663 uint16 assoc_gid;
1664 fstring ack_pipe_name;
1665 prs_struct out_hdr_ba;
1666 prs_struct out_auth;
1672 /* No rebinds on a bound pipe - use alter context. */
1678 }
1682 /*
1683 * Marshall directly into the outgoing PDU space. We
1684 * must do this as we need to set to the bind response
1685 * header and are never sending more than one PDU here.
1686 */
1688 /*
1689 * Setup the memory to marshall the ba header, and the
1690 * auth footers.
1691 */
1697 }
1704 }
1710 /* decode the bind request */
1716 }
1721 }
1723 /*
1724 * Try and find the correct pipe name to ensure
1725 * that this is a pipe name we support.
1726 */
1734 }
1735 }
1738 NTSTATUS status;
1755 }
1764 }
1765 }
1775 }
1776 }
1778 /* name has to be \PIPE\xxxxx */
1786 /*
1787 * Create the bind response struct.
1788 */
1790 /* If the requested abstract synt uuid doesn't match our client pipe,
1791 reject the bind_ack & set the transfer interface synt to all 0's,
1792 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1793 unknown to NT4)
1794 Needed when adding entries to a DACL from NT5 - SK */
1799 RPC_MAX_PDU_FRAG_LEN,
1800 RPC_MAX_PDU_FRAG_LEN,
1801 assoc_gid,
1802 ack_pipe_name,
1806 /* Rejection reason: abstract syntax not supported */
1812 }
1814 /*
1815 * and marshall it.
1816 */
1821 }
1823 /*
1824 * Check if this is an authenticated bind request.
1825 */
1828 /*
1829 * Decode the authentication verifier.
1830 */
1832 /* Work out any padding needed before the auth footer. */
1838 }
1840 /* Quick length check. Won't catch a bad auth footer,
1841 * prevents overrun. */
1849 }
1851 /* Pull the auth header and the following data into a blob. */
1852 /* NB. The offset of the auth_header is relative to the *end*
1853 * of the packet, not the start. Also, the length of the
1854 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1855 * as the RPC header isn't included in rpc_in_p. */
1864 }
1869 }
1873 /* Work out if we have to sign or seal etc. */
1885 }
1888 }
1895 }
1903 }
1910 }
1914 /* Unauthenticated bind request. */
1915 /* We're finished - no more packets. */
1917 /* We must set the pipe auth_level here also. */
1920 /* The session key was initialized from the SMB
1921 * session in make_internal_rpc_pipe_p */
1928 }
1929 /*
1930 * Create the header, now we know the length.
1931 */
1935 }
1941 auth_len);
1943 /*
1944 * Marshall the header into the outgoing PDU.
1945 */
1950 }
1952 /*
1953 * Now add the RPC_HDR_BA and any auth needed.
1954 */
1959 }
1966 ss_padding_len)) {
1971 }
1972 }
1977 }
1978 }
1980 /*
1981 * Setup the lengths for the initial reply.
1982 */
1992 err_exit:
1998 }
2000 /****************************************************************************
2001 Deal with an alter context call. Can be third part of 3 leg auth request for
2002 SPNEGO calls.
2003 ****************************************************************************/
2006 {
2007 RPC_HDR_BA hdr_ba;
2008 RPC_HDR_RB hdr_rb;
2009 RPC_HDR_AUTH auth_info;
2010 uint16 assoc_gid;
2011 fstring ack_pipe_name;
2012 prs_struct out_hdr_ba;
2013 prs_struct out_auth;
2019 /*
2020 * Marshall directly into the outgoing PDU space. We
2021 * must do this as we need to set to the bind response
2022 * header and are never sending more than one PDU here.
2023 */
2025 /*
2026 * Setup the memory to marshall the ba header, and the
2027 * auth footers.
2028 */
2034 }
2041 }
2047 /* decode the alter context request */
2051 }
2053 /* secondary address CAN be NULL
2054 * as the specs say it's ignored.
2055 * It MUST be NULL to have the spoolss working.
2056 */
2063 /*
2064 * Create the bind response struct.
2065 */
2067 /* If the requested abstract synt uuid doesn't match our client pipe,
2068 reject the bind_ack & set the transfer interface synt to all 0's,
2069 ver 0 (observed when NT5 attempts to bind to abstract interfaces
2070 unknown to NT4)
2071 Needed when adding entries to a DACL from NT5 - SK */
2076 RPC_MAX_PDU_FRAG_LEN,
2077 RPC_MAX_PDU_FRAG_LEN,
2078 assoc_gid,
2079 ack_pipe_name,
2083 /* Rejection reason: abstract syntax not supported */
2089 }
2091 /*
2092 * and marshall it.
2093 */
2098 }
2101 /*
2102 * Check if this is an authenticated alter context request.
2103 */
2106 /*
2107 * Decode the authentication verifier.
2108 */
2110 /* Work out any padding needed before the auth footer. */
2116 }
2118 /* Quick length check. Won't catch a bad auth footer,
2119 * prevents overrun. */
2127 }
2129 /* Pull the auth header and the following data into a blob. */
2130 /* NB. The offset of the auth_header is relative to the *end*
2131 * of the packet, not the start. Also, the length of the
2132 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2133 * as the RPC header isn't included in rpc_in_p. */
2142 }
2147 }
2149 /*
2150 * Currently only the SPNEGO auth type uses the alter ctx
2151 * response in place of the NTLMSSP auth3 type.
2152 */
2155 /* We can only finish if the pipe is unbound. */
2160 }
2163 }
2164 }
2167 }
2168 /*
2169 * Create the header, now we know the length.
2170 */
2174 }
2179 auth_len);
2181 /*
2182 * Marshall the header into the outgoing PDU.
2183 */
2188 }
2190 /*
2191 * Now add the RPC_HDR_BA and any auth needed.
2192 */
2197 }
2204 ss_padding_len)) {
2209 }
2210 }
2215 }
2216 }
2218 /*
2219 * Setup the lengths for the initial reply.
2220 */
2230 err_exit:
2236 }
2238 /****************************************************************************
2239 Deal with NTLMSSP sign & seal processing on an RPC request.
2240 ****************************************************************************/
2244 {
2245 RPC_HDR_AUTH auth_info;
2253 DATA_BLOB auth_blob;
2257 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2259 }
2264 }
2266 /* Ensure there's enough data for an authenticated request. */
2273 }
2275 /*
2276 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2277 * after the RPC header.
2278 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2279 * functions as NTLMv2 checks the rpc headers also.
2280 * Both of these values include any auth_pad_len bytes.
2281 */
2284 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2289 /* Pull the auth header and the following data into a blob. */
2290 /* NB. The offset of the auth_header is relative to the *end*
2291 * of the packet, not the start. Also, the length of the
2292 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2293 * as the RPC header isn't included in rpc_in_p. */
2303 }
2310 }
2312 /* Ensure auth_pad_len fits into the packet. */
2322 }
2329 /* Data is encrypted. */
2332 full_packet_data,
2333 full_packet_data_len,
2337 }
2340 /* Data is signed. */
2343 full_packet_data,
2344 full_packet_data_len,
2348 }
2353 }
2355 /*
2356 * Return the current pointer to the data offset.
2357 */
2364 }
2366 /*
2367 * Remember the padding length. We must remove it from the real data
2368 * stream once the sign/seal is done.
2369 */
2374 }
2376 /****************************************************************************
2377 Deal with schannel processing on an RPC request.
2378 ****************************************************************************/
2381 {
2382 uint32 data_len;
2383 uint32 auth_len;
2385 RPC_HDR_AUTH auth_info;
2386 DATA_BLOB blob;
2387 NTSTATUS status;
2394 RPC_HDR_REQ_LEN +
2395 RPC_HDR_AUTH_LEN +
2396 auth_len) {
2399 }
2401 /*
2402 * The following is that length of the data we must verify or unseal.
2403 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2404 * preceeding the auth_data, but does include the auth_pad_len bytes.
2405 */
2412 }
2419 /* Pull the auth header and the following data into a blob. */
2420 /* NB. The offset of the auth_header is relative to the *end*
2421 * of the packet, not the start. Also, the length of the
2422 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2423 * as the RPC header isn't included in rpc_in_p. */
2432 }
2438 }
2440 /* Ensure auth_pad_len fits into the packet. */
2449 }
2455 }
2461 }
2470 data,
2471 data_len,
2478 data,
2479 data_len,
2485 }
2490 }
2492 /*
2493 * Return the current pointer to the data offset.
2494 */
2500 }
2502 /*
2503 * Remember the padding length. We must remove it from the real data
2504 * stream once the sign/seal is done.
2505 */
2510 }
2512 /****************************************************************************
2513 Find the set of RPC functions associated with this context_id
2514 ****************************************************************************/
2517 {
2523 }
2528 }
2530 }
2532 /****************************************************************************
2533 Memory cleanup.
2534 ****************************************************************************/
2537 {
2545 }
2548 }
2553 /****************************************************************************
2554 Find the correct RPC function to call for this request.
2555 If the pipe is authenticated then become the correct UNIX user
2556 before doing the call.
2557 ****************************************************************************/
2560 {
2571 }
2573 }
2578 /* get the set of RPC functions for this context */
2586 }
2588 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2591 }
2595 }
2598 }
2600 /*******************************************************************
2601 Calls the underlying RPC function for a named pipe.
2602 ********************************************************************/
2606 {
2610 /* interpret the command */
2616 fstring name;
2620 }
2626 }
2627 }
2630 /*
2631 * For an unknown RPC just return a fault PDU but
2632 * return True to allow RPC's on the pipe to continue
2633 * and not put the pipe into fault state. JRA.
2634 */
2638 }
2644 /* do the actual command */
2651 }
2658 }
2665 }
2670 fstring name;
2674 }
2680 /* Check for buffer underflow in rpc parsing */
2691 }
2693 }
2696 }