Пример #1
0
bool smb_io_rpc_hdr(const char *desc,  RPC_HDR *rpc, prs_struct *ps, int depth)
{
	if (rpc == NULL)
		return False;

	prs_debug(ps, depth, desc, "smb_io_rpc_hdr");
	depth++;

	if(!prs_uint8 ("major     ", ps, depth, &rpc->major))
		return False;

	if(!prs_uint8 ("minor     ", ps, depth, &rpc->minor))
		return False;
	if(!prs_uint8 ("pkt_type  ", ps, depth, &rpc->pkt_type))
		return False;
	if(!prs_uint8 ("flags     ", ps, depth, &rpc->flags))
		return False;

	/* We always marshall in little endian format. */
	if (MARSHALLING(ps))
		rpc->pack_type[0] = 0x10;

	if(!prs_uint8("pack_type0", ps, depth, &rpc->pack_type[0]))
		return False;
	if(!prs_uint8("pack_type1", ps, depth, &rpc->pack_type[1]))
		return False;
	if(!prs_uint8("pack_type2", ps, depth, &rpc->pack_type[2]))
		return False;
	if(!prs_uint8("pack_type3", ps, depth, &rpc->pack_type[3]))
		return False;

	/*
	 * If reading and pack_type[0] == 0 then the data is in big-endian
	 * format. Set the flag in the prs_struct to specify reverse-endainness.
	 */

	if (UNMARSHALLING(ps) && rpc->pack_type[0] == 0) {
		DEBUG(10,("smb_io_rpc_hdr: PDU data format is big-endian. Setting flag.\n"));
		prs_set_endian_data(ps, RPC_BIG_ENDIAN);
	}

	if(!prs_uint16("frag_len  ", ps, depth, &rpc->frag_len))
		return False;
	if(!prs_uint16("auth_len  ", ps, depth, &rpc->auth_len))
		return False;
	if(!prs_uint32("call_id   ", ps, depth, &rpc->call_id))
		return False;
	return True;
}
Пример #2
0
static void process_complete_pdu(pipes_struct *p)
{
    prs_struct rpc_in;
    size_t data_len = p->in_data.pdu_received_len - RPC_HEADER_LEN;
    char *data_p = (char *)&p->in_data.current_in_pdu[RPC_HEADER_LEN];
    bool reply = False;

    if(p->fault_state) {
        DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
                  get_pipe_name_from_iface(&p->syntax)));
        set_incoming_fault(p);
        setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
        return;
    }

    prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL);

    /*
     * Ensure we're using the corrent endianness for both the
     * RPC header flags and the raw data we will be reading from.
     */

    prs_set_endian_data( &rpc_in, p->endian);
    prs_set_endian_data( &p->in_data.data, p->endian);

    prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);

    DEBUG(10,("process_complete_pdu: processing packet type %u\n",
              (unsigned int)p->hdr.pkt_type ));

    switch (p->hdr.pkt_type) {
    case RPC_REQUEST:
        reply = process_request_pdu(p, &rpc_in);
        break;

    case RPC_PING: /* CL request - ignore... */
        DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n",
                 (unsigned int)p->hdr.pkt_type,
                 get_pipe_name_from_iface(&p->syntax)));
        break;

    case RPC_RESPONSE: /* No responses here. */
        DEBUG(0,("process_complete_pdu: Error. RPC_RESPONSE received from client on pipe %s.\n",
                 get_pipe_name_from_iface(&p->syntax)));
        break;

    case RPC_FAULT:
    case RPC_WORKING: /* CL request - reply to a ping when a call in process. */
    case RPC_NOCALL: /* CL - server reply to a ping call. */
    case RPC_REJECT:
    case RPC_ACK:
    case RPC_CL_CANCEL:
    case RPC_FACK:
    case RPC_CANCEL_ACK:
        DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n",
                 (unsigned int)p->hdr.pkt_type,
                 get_pipe_name_from_iface(&p->syntax)));
        break;

    case RPC_BIND:
        /*
         * We assume that a pipe bind is only in one pdu.
         */
        if(pipe_init_outgoing_data(p)) {
            reply = api_pipe_bind_req(p, &rpc_in);
        }
        break;

    case RPC_BINDACK:
    case RPC_BINDNACK:
        DEBUG(0,("process_complete_pdu: Error. RPC_BINDACK/RPC_BINDNACK packet type %u received on pipe %s.\n",
                 (unsigned int)p->hdr.pkt_type,
                 get_pipe_name_from_iface(&p->syntax)));
        break;


    case RPC_ALTCONT:
        /*
         * We assume that a pipe bind is only in one pdu.
         */
        if(pipe_init_outgoing_data(p)) {
            reply = api_pipe_alter_context(p, &rpc_in);
        }
        break;

    case RPC_ALTCONTRESP:
        DEBUG(0,("process_complete_pdu: Error. RPC_ALTCONTRESP on pipe %s: Should only be server -> client.\n",
                 get_pipe_name_from_iface(&p->syntax)));
        break;

    case RPC_AUTH3:
        /*
         * The third packet in an NTLMSSP auth exchange.
         */
        if(pipe_init_outgoing_data(p)) {
            reply = api_pipe_bind_auth3(p, &rpc_in);
        }
        break;

    case RPC_SHUTDOWN:
        DEBUG(0,("process_complete_pdu: Error. RPC_SHUTDOWN on pipe %s: Should only be server -> client.\n",
                 get_pipe_name_from_iface(&p->syntax)));
        break;

    case RPC_CO_CANCEL:
        /* For now just free all client data and continue processing. */
        DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n"));
        /* As we never do asynchronous RPC serving, we can never cancel a
           call (as far as I know). If we ever did we'd have to send a cancel_ack
           reply. For now, just free all client data and continue processing. */
        reply = True;
        break;
#if 0
        /* Enable this if we're doing async rpc. */
        /* We must check the call-id matches the outstanding callid. */
        if(pipe_init_outgoing_data(p)) {
            /* Send a cancel_ack PDU reply. */
            /* We should probably check the auth-verifier here. */
            reply = setup_cancel_ack_reply(p, &rpc_in);
        }
        break;
#endif

    case RPC_ORPHANED:
        /* We should probably check the auth-verifier here.
           For now just free all client data and continue processing. */
        DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n"));
        reply = True;
        break;

    default:
        DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
        break;
    }

    /* Reset to little endian. Probably don't need this but it won't hurt. */
    prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);

    if (!reply) {
        DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
                 "pipe %s\n", get_pipe_name_from_iface(&p->syntax)));
        set_incoming_fault(p);
        setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
        prs_mem_free(&rpc_in);
    } else {
        /*
         * Reset the lengths. We're ready for a new pdu.
         */
        TALLOC_FREE(p->in_data.current_in_pdu);
        p->in_data.pdu_needed_len = 0;
        p->in_data.pdu_received_len = 0;
    }

    prs_mem_free(&rpc_in);
}
Пример #3
0
static ssize_t unmarshall_rpc_header(pipes_struct *p)
{
    /*
     * Unmarshall the header to determine the needed length.
     */

    prs_struct rpc_in;

    if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
        DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
        set_incoming_fault(p);
        return -1;
    }

    prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL);
    prs_set_endian_data( &rpc_in, p->endian);

    prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
                     p->in_data.pdu_received_len, False);

    /*
     * Unmarshall the header as this will tell us how much
     * data we need to read to get the complete pdu.
     * This also sets the endian flag in rpc_in.
     */

    if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
        DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
        set_incoming_fault(p);
        prs_mem_free(&rpc_in);
        return -1;
    }

    /*
     * Validate the RPC header.
     */

    if(p->hdr.major != 5 && p->hdr.minor != 0) {
        DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
        set_incoming_fault(p);
        prs_mem_free(&rpc_in);
        return -1;
    }

    /*
     * If there's not data in the incoming buffer this should be the start of a new RPC.
     */

    if(prs_offset(&p->in_data.data) == 0) {

        /*
         * AS/U doesn't set FIRST flag in a BIND packet it seems.
         */

        if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
            /*
             * Ensure that the FIRST flag is set. If not then we have
             * a stream missmatch.
             */

            DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
            set_incoming_fault(p);
            prs_mem_free(&rpc_in);
            return -1;
        }

        /*
         * If this is the first PDU then set the endianness
         * flag in the pipe. We will need this when parsing all
         * data in this RPC.
         */

        p->endian = rpc_in.bigendian_data;

        DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
                 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));

    } else {

        /*
         * If this is *NOT* the first PDU then check the endianness
         * flag in the pipe is the same as that in the PDU.
         */

        if (p->endian != rpc_in.bigendian_data) {
            DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
            set_incoming_fault(p);
            prs_mem_free(&rpc_in);
            return -1;
        }
    }

    /*
     * Ensure that the pdu length is sane.
     */

    if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)) {
        DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
        set_incoming_fault(p);
        prs_mem_free(&rpc_in);
        return -1;
    }

    DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
              (unsigned int)p->hdr.flags ));

    p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;

    prs_mem_free(&rpc_in);

    p->in_data.current_in_pdu = TALLOC_REALLOC_ARRAY(
                                    p, p->in_data.current_in_pdu, uint8_t, p->hdr.frag_len);
    if (p->in_data.current_in_pdu == NULL) {
        DEBUG(0, ("talloc failed\n"));
        set_incoming_fault(p);
        return -1;
    }

    return 0; /* No extra data processed. */
}
Пример #4
0
static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
			  uint32 fragment_start, int len, int auth_len, uint8 pkt_type,
			  int *pauth_padding_len)
{
	
	/*
	 * The following is that length of the data we must sign or seal.
	 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
	 * preceeding the auth_data.
	 */

	int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;

	/*
	 * The start of the data to sign/seal is just after the RPC headers.
	 */
	char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;

	RPC_HDR_AUTH rhdr_auth; 

	char *dp = prs_data_p(rdata) + fragment_start + len -
		RPC_HDR_AUTH_LEN - auth_len;
	prs_struct auth_verf;

	*pauth_padding_len = 0;

	if (auth_len == 0) {
		if (cli->pipe_auth_flags == 0) {
			/* move along, nothing to see here */
			return True;
		}

		DEBUG(2, ("No authenticaton header recienved on reply, but this pipe is authenticated\n"));
		return False;
	}

	DEBUG(5,("rpc_auth_pipe: pkt_type: %d len: %d auth_len: %d NTLMSSP %s schannel %s sign %s seal %s \n",
		 pkt_type, len, auth_len, 
		 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP), 
		 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NETSEC), 
		 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SIGN), 
		 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SEAL)));

	if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
		DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
		return False;
	}

	DEBUG(10,("rpc_auth_pipe: packet:\n"));
	dump_data(100, dp, auth_len);

	prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
	
	/* The endinness must be preserved. JRA. */
	prs_set_endian_data( &auth_verf, rdata->bigendian_data);
	
	/* Point this new parse struct at the auth section of the main 
	   parse struct - rather than copying it.  Avoids needing to
	   free it on every error
	*/
	prs_give_memory(&auth_verf, dp, RPC_HDR_AUTH_LEN + auth_len, False /* not dynamic */);
	prs_set_offset(&auth_verf, 0);

	{
		int auth_type;
		int auth_level;
		if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
			DEBUG(0, ("rpc_auth_pipe: Could not parse auth header\n"));
			return False;
		}

		/* Let the caller know how much padding at the end of the data */
		*pauth_padding_len = rhdr_auth.padding;
		
		/* Check it's the type of reply we were expecting to decode */

		get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
		if (rhdr_auth.auth_type != auth_type) {
			DEBUG(0, ("BAD auth type %d (should be %d)\n",
				  rhdr_auth.auth_type, auth_type));
			return False;
		}
		
		if (rhdr_auth.auth_level != auth_level) {
			DEBUG(0, ("BAD auth level %d (should be %d)\n", 
				  rhdr_auth.auth_level, auth_level));
			return False;
		}
	}

	if (pkt_type == RPC_BINDACK) {
		if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
			/* copy the next auth_len bytes into a buffer for 
			   later use */

			DATA_BLOB ntlmssp_verf = data_blob(NULL, auth_len);
			BOOL store_ok;

			/* save the reply away, for use a little later */
			prs_copy_data_out((char *)ntlmssp_verf.data, &auth_verf, auth_len);

			store_ok = (NT_STATUS_IS_OK(ntlmssp_store_response(cli->ntlmssp_pipe_state, 
									   ntlmssp_verf)));

			data_blob_free(&ntlmssp_verf);
			return store_ok;
		} 
		else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
			/* nothing to do here - we don't seem to be able to 
			   validate the bindack based on VL's comments */
			return True;
		}
	}
	
	if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
		NTSTATUS nt_status;
		DATA_BLOB sig;
		if ((cli->pipe_auth_flags & AUTH_PIPE_SIGN) ||
		    (cli->pipe_auth_flags & AUTH_PIPE_SEAL)) {
			if (auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) {
				DEBUG(0,("rpc_auth_pipe: wrong ntlmssp auth len %d\n", auth_len));
				return False;
			}
			sig = data_blob(NULL, auth_len);
			prs_copy_data_out((char *)sig.data, &auth_verf, auth_len);
		}
	
		/*
		 * Unseal any sealed data in the PDU, not including the
		 * 8 byte auth_header or the auth_data.
		 */

		/*
		 * Now unseal and check the auth verifier in the auth_data at
		 * the end of the packet. 
		 */

		if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
			if (data_len < 0) {
				DEBUG(1, ("Can't unseal - data_len < 0!!\n"));
				return False;
			}
			nt_status = ntlmssp_unseal_packet(cli->ntlmssp_pipe_state, 
								 (unsigned char *)reply_data, data_len,
								 &sig);
		} 
		else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
			nt_status = ntlmssp_check_packet(cli->ntlmssp_pipe_state, 
								(const unsigned char *)reply_data, data_len,
								&sig);
		}

		data_blob_free(&sig);

		if (!NT_STATUS_IS_OK(nt_status)) {
			DEBUG(0, ("rpc_auth_pipe: could not validate "
				  "incoming NTLMSSP packet!\n"));
			return False;
		}
	}

	if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
		RPC_AUTH_NETSEC_CHK chk;

		if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
			DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
			return False;
		}

		if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", 
						&chk, &auth_verf, 0)) {
			DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
				  "RPC_AUTH_NETSECK_CHK failed\n"));
			return False;
		}

		if (!netsec_decode(&cli->auth_info,
				   cli->pipe_auth_flags,
				   SENDER_IS_ACCEPTOR,
				   &chk, reply_data, data_len)) {
			DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
			return False;
		}

		cli->auth_info.seq_num++;

	}
	return True;
}
Пример #5
0
static ssize_t process_complete_pdu(pipes_struct *p)
{
	prs_struct rpc_in;
	size_t data_len = p->in_data.pdu_received_len;
	char *data_p = (char *)&p->in_data.current_in_pdu[0];
	BOOL reply = False;

	if(p->fault_state) {
		DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
			p->name ));
		set_incoming_fault(p);
		setup_fault_pdu(p, NT_STATUS(0x1c010002));
		return (ssize_t)data_len;
	}

	prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);

	/*
	 * Ensure we're using the corrent endianness for both the 
	 * RPC header flags and the raw data we will be reading from.
	 */

	prs_set_endian_data( &rpc_in, p->endian);
	prs_set_endian_data( &p->in_data.data, p->endian);

	prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);

	DEBUG(10,("process_complete_pdu: processing packet type %u\n",
			(unsigned int)p->hdr.pkt_type ));

	switch (p->hdr.pkt_type) {
		case RPC_BIND:
		case RPC_ALTCONT:
			/*
			 * We assume that a pipe bind is only in one pdu.
			 */
			if(pipe_init_outgoing_data(p))
				reply = api_pipe_bind_req(p, &rpc_in);
			break;
		case RPC_BINDRESP:
			/*
			 * We assume that a pipe bind_resp is only in one pdu.
			 */
			if(pipe_init_outgoing_data(p))
				reply = api_pipe_bind_auth_resp(p, &rpc_in);
			break;
		case RPC_REQUEST:
			reply = process_request_pdu(p, &rpc_in);
			break;
		default:
			DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
			break;
	}

	/* Reset to little endian. Probably don't need this but it won't hurt. */
	prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);

	if (!reply) {
		DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
		set_incoming_fault(p);
		setup_fault_pdu(p, NT_STATUS(0x1c010002));
		prs_mem_free(&rpc_in);
	} else {
		/*
		 * Reset the lengths. We're ready for a new pdu.
		 */
		p->in_data.pdu_needed_len = 0;
		p->in_data.pdu_received_len = 0;
	}

	prs_mem_free(&rpc_in);
	return (ssize_t)data_len;
}