summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_pipe.c
AgeCommit message (Collapse)AuthorFilesLines
2010-02-18More fixes for bug #7146 - Samba miss-parses authenticated RPC packets.Jeremy Allison1-16/+31
Alignment space calculations are tricky :-). Jeremy.
2010-02-18More fixes for bug #7146 - Samba miss-parses authenticated RPC packets.Jeremy Allison1-14/+16
Ensure we calculate the space correctly (including the ss_padding_len) when constructing reply packets. Jeremy.
2010-02-17Fix bug #7146 - Samba miss-parses authenticated RPC packets.Jeremy Allison1-120/+311
Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy
2009-12-22s3:ntlmssp: only include ntlmssp.h where actually neededAndrew Bartlett1-0/+1
Andrew Bartlett
2009-11-26s3-rpc: running minimal_includes.pl on rpc_client and rpc_server.Günther Deschner1-2/+0
Guenther
2009-11-08Revert "s3: Consolidate getting the name out of a pipes_struct"Volker Lendecke1-15/+29
This reverts commit 9621306351cdb469ef393a6d8cbeea456bc4bd9f.
2009-11-08Revert "s3: Do not reference ndr_table when calling rpc_srv_register"Volker Lendecke1-7/+2
This reverts commit 494b2aff8826947e3bd556aecb175746163da485.
2009-11-08s3: Do not reference ndr_table when calling rpc_srv_registerVolker Lendecke1-2/+7
2009-11-08s3: Consolidate getting the name out of a pipes_structVolker Lendecke1-29/+15
2009-11-07s3: get_pipe_name_from_iface -> get_pipe_name_from_syntaxVolker Lendecke1-17/+27
2009-10-13s3:rpc: Fix is_known_pipename for dynamically loaded pipesVolker Lendecke1-1/+22
2009-09-17spnego: share spnego_parse.Günther Deschner1-0/+1
Guenther
2009-09-16libcli/auth: rewrite schannel sign/seal code to be more genericStefan Metzmacher1-17/+27
This prepares support for HMAC-SHA256/AES. metze
2009-09-16s3-dcerpc: remove more obsolete or duplicate headers.Günther Deschner1-15/+15
Guenther
2009-09-16s3-schannel: add dump_NL_AUTH_SIGNATURE.Günther Deschner1-23/+3
Guenther
2009-09-16schannel: fully share schannel sign/seal between s3 and 4.Günther Deschner1-25/+60
Guenther
2009-09-15s3-dcerpc: really fix remaining old auth level constants. sorry...Günther Deschner1-2/+2
Guenther
2009-09-15s3-dcerpc: fix remaining old auth level constants.Günther Deschner1-13/+13
Guenther
2009-09-15s3-dcerpc: remove duplicate RPC_AUTH_LEVEL flags.Günther Deschner1-5/+5
Guenther
2009-09-15s3-dcerpc: use dcerpc_AuthLevel and remove duplicate set of flags.Günther Deschner1-15/+15
Guenther
2009-09-13s3-schannel: fix api_pipe_schannel_process(), was using incorrect buffer length.Günther Deschner1-1/+3
Found by RPC-SCHANNEL torture test. Guenther
2009-09-11s3-schannel: use NL_AUTH_SIGNATURE for schannel sign & seal (client & server).Günther Deschner1-8/+31
Guenther
2009-09-11s3-schannel: use NL_AUTH_MESSAGE for schannel bind reply.Günther Deschner1-10/+17
Guenther
2009-09-08s3-rpc_server: use NL_AUTH_MESSAGE in pipe_schannel_auth_bind().Günther Deschner1-6/+23
Guenther
2009-08-27s3-netlogon: use shared credential and schannel storage infrastructure for ↵Günther Deschner1-7/+11
netlogon server. Guenther
2009-07-05Use null_ndr_syntax_id instead of zeroing null_interface manuallyVolker Lendecke1-6/+2
2009-07-05Remove "typedef struct ndr_syntax_id RPC_IFACE;"Volker Lendecke1-4/+6
2009-07-05Make check_bind_req static to rpc_server/srv_pipe.cVolker Lendecke1-2/+2
2009-03-05Get the sense of the integer wrap test the right way around. Sorry.Jeremy Allison1-1/+1
Jeremy.
2009-03-05Now we're allowing a lower bound for auth_len, ensure weJeremy Allison1-1/+5
also check for an upper one (integer wrap). Jeremy.
2009-03-05Complete the fix for bug 6100Volker Lendecke1-1/+1
According to [MS-RPCE].pdf, section 2.2.2.11: ---- A client or a server that (during composing of a PDU) has allocated more space for the authentication token than the security provider fills in SHOULD fill in the rest of the allocated space with zero octets. These zero octets are still considered to belong to the authentication token part of the PDU.<36> ---- RPC implementations are allowed to send padding bytes at the end of an auth footer. Windows 7 makes use of this. Thanks to Nick Meier <nmeier@microsoft.com> Volker
2009-02-08Make prs_struct->out_data.current_pdu dynamically allocatedVolker Lendecke1-113/+98
Another 4k per open pipe
2009-02-01Add two new parameters to control how we verify kerberos tickets. Removes ↵Dan Sledz1-1/+1
lp_use_kerberos_keytab parameter. The first is "kerberos method" and replaces the "use kerberos keytab" with an enum. Valid options are: secrets only - use only the secrets for ticket verification (default) system keytab - use only the system keytab for ticket verification dedicated keytab - use a dedicated keytab for ticket verification. secrets and keytab - use the secrets.tdb first, then the system keytab For existing installs: "use kerberos keytab = yes" corresponds to secrets and keytab "use kerberos keytab = no" corresponds to secrets only The major difference between "system keytab" and "dedicated keytab" is that the latter method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals. The second parameter is "dedicated keytab file", which is the keytab to use when in "dedicated keytab" mode. This keytab is only used in ads_verify_ticket.
2009-02-01Replace pipe names in pipes_struct by ndr_syntax_idVolker Lendecke1-29/+52
This was mainly used for debugging output
2009-01-21Memory leaks and other fixes found by Coveritytodd stecher1-1/+3
2009-01-09Remove the rpc_srv_register wrapper around rpc_pipe_register_commandsVolker Lendecke1-15/+4
2009-01-09Pass the full ndr_interface_table into the s3 rpcserver when registeringVolker Lendecke1-0/+10
2009-01-09Simplify find_pipe_fns_by_context slightlyVolker Lendecke1-8/+4
2009-01-09Fix some nonempty blank linesVolker Lendecke1-17/+17
2008-11-24Get rid of pipes_struct->pipe_user, we have server_info now --- YESSS!Volker Lendecke1-49/+1
2008-10-22s3: use shared asn1 code.Günther Deschner1-1/+1
Guenther
2008-07-26Make api_rpcTNP static to srv_pipe.cVolker Lendecke1-2/+5
(This used to be commit 256c93a8b3d4d9a4e52a656c91b89a043a087066)
2008-07-19Introduce is_known_pipenameVolker Lendecke1-0/+33
This scans the list of pipes registered via rpc_pipe_register_commands instead of using static tables. (This used to be commit 283e6039989adea1c8921b3600b410cb67b6492a)
2008-07-18Simplify the RPC servers: remove get_pipe_fnsVolker Lendecke1-97/+25
The per-server xxx_get_pipe_fns functions can go once all the RPC servers are converted (This used to be commit 6aa2391cbe1cbda8269ded767117f53d83b243e1)
2008-07-16In api_pipe_bind_req(), check for the iface id, not the pipe nameVolker Lendecke1-3/+14
This requires to store the rpc_interface in "struct rpc_table" (This used to be commit 654f8de8497aff29f9b1f1822b6a8e734ff329e0)
2008-07-16In api_pipe_bind_req(), decode the bind request before checking the pipeVolker Lendecke1-8/+10
(This used to be commit 8be41382ed9bb4fb44a1846fff2c7652388e4f28)
2008-06-26Now that we have p->server_info, use p->server_info->user_session_keyVolker Lendecke1-18/+29
(This used to be commit aefad64e3a5c86d2f988d47e6215ed2085b8fc47)
2008-06-26Fix typoVolker Lendecke1-1/+1
(This used to be commit 41d2daeaa5a87da82a0debc4c9cfe14976215bd8)
2008-06-26Add server_info to pipes_structVolker Lendecke1-0/+10
(This used to be commit d621867bb8767e1c4236d28dd9294a61db6cbb10)
2008-06-21Make pipes_struct its own talloc ctxVolker Lendecke1-1/+1
(This used to be commit 829b1ad4697f2f1ea008377d591456722dccd025)