search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r25068: Older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for every opcode on the
[Samba.git] / source / rpc_server / srv_pipe.c
blob8aab80db726baafda582110905eacaea9461cd5d
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 /* this module apparently provides an implementation of DCE/RPC over a
22 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
23 * documentation are available (in on-line form) from the X-Open group.
24 *
25 * this module should provide a level of abstraction between SMB
26 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
27 * data copies, and network traffic.
28 *
29 */
30
31 #include "includes.h"
32
33 extern struct pipe_id_info pipe_names[];
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43 if (a) {
44 auth_ntlmssp_end(&a);
45 }
46 auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 static DATA_BLOB generic_session_key(void)
50 {
51 return data_blob("SystemLibraryDTC", 16);
52 }
53
54 /*******************************************************************
55 Generate the next PDU to be returned from the data in p->rdata.
56 Handle NTLMSSP.
57 ********************************************************************/
58
59 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
60 {
61 RPC_HDR_RESP hdr_resp;
62 uint32 ss_padding_len = 0;
63 uint32 data_space_available;
64 uint32 data_len_left;
65 uint32 data_len;
66 prs_struct outgoing_pdu;
67 NTSTATUS status;
68 DATA_BLOB auth_blob;
69 RPC_HDR_AUTH auth_info;
70 uint8 auth_type, auth_level;
71 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
72
73 /*
74 * If we're in the fault state, keep returning fault PDU's until
75 * the pipe gets closed. JRA.
76 */
77
78 if(p->fault_state) {
79 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
80 return True;
81 }
82
83 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
84
85 /* Change the incoming request header to a response. */
86 p->hdr.pkt_type = RPC_RESPONSE;
87
88 /* Set up rpc header flags. */
89 if (p->out_data.data_sent_length == 0) {
90 p->hdr.flags = RPC_FLG_FIRST;
91 } else {
92 p->hdr.flags = 0;
93 }
94
95 /*
96 * Work out how much we can fit in a single PDU.
97 */
98
99 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
100
101 /*
102 * Ensure there really is data left to send.
103 */
104
105 if(!data_len_left) {
106 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
107 return False;
108 }
109
110 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
111 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
112
113 /*
114 * The amount we send is the minimum of the available
115 * space and the amount left to send.
116 */
117
118 data_len = MIN(data_len_left, data_space_available);
119
120 /*
121 * Set up the alloc hint. This should be the data left to
122 * send.
123 */
124
125 hdr_resp.alloc_hint = data_len_left;
126
127 /*
128 * Work out if this PDU will be the last.
129 */
130
131 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
132 p->hdr.flags |= RPC_FLG_LAST;
133 if (data_len_left % 8) {
134 ss_padding_len = 8 - (data_len_left % 8);
135 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
136 ss_padding_len ));
137 }
138 }
139
140 /*
141 * Set up the header lengths.
142 */
143
144 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
145 data_len + ss_padding_len +
146 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
147 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
148
149
150 /*
151 * Init the parse struct to point at the outgoing
152 * data.
153 */
154
155 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
156 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
157
158 /* Store the header in the data stream. */
159 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
160 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
161 prs_mem_free(&outgoing_pdu);
162 return False;
163 }
164
165 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
166 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
167 prs_mem_free(&outgoing_pdu);
168 return False;
169 }
170
171 /* Copy the data into the PDU. */
172
173 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
174 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
175 prs_mem_free(&outgoing_pdu);
176 return False;
177 }
178
179 /* Copy the sign/seal padding data. */
180 if (ss_padding_len) {
181 char pad[8];
182
183 memset(pad, '\0', 8);
184 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
185 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
186 (unsigned int)ss_padding_len));
187 prs_mem_free(&outgoing_pdu);
188 return False;
189 }
190 }
191
192
193 /* Now write out the auth header and null blob. */
194 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
195 auth_type = RPC_NTLMSSP_AUTH_TYPE;
196 } else {
197 auth_type = RPC_SPNEGO_AUTH_TYPE;
198 }
199 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
200 auth_level = RPC_AUTH_LEVEL_PRIVACY;
201 } else {
202 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
203 }
204
205 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
206 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
207 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
208 prs_mem_free(&outgoing_pdu);
209 return False;
210 }
211
212 /* Generate the sign blob. */
213
214 switch (p->auth.auth_level) {
215 case PIPE_AUTH_LEVEL_PRIVACY:
216 /* Data portion is encrypted. */
217 status = ntlmssp_seal_packet(a->ntlmssp_state,
218 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
219 data_len + ss_padding_len,
220 (unsigned char *)prs_data_p(&outgoing_pdu),
221 (size_t)prs_offset(&outgoing_pdu),
222 &auth_blob);
223 if (!NT_STATUS_IS_OK(status)) {
224 data_blob_free(&auth_blob);
225 prs_mem_free(&outgoing_pdu);
226 return False;
227 }
228 break;
229 case PIPE_AUTH_LEVEL_INTEGRITY:
230 /* Data is signed. */
231 status = ntlmssp_sign_packet(a->ntlmssp_state,
232 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
233 data_len + ss_padding_len,
234 (unsigned char *)prs_data_p(&outgoing_pdu),
235 (size_t)prs_offset(&outgoing_pdu),
236 &auth_blob);
237 if (!NT_STATUS_IS_OK(status)) {
238 data_blob_free(&auth_blob);
239 prs_mem_free(&outgoing_pdu);
240 return False;
241 }
242 break;
243 default:
244 prs_mem_free(&outgoing_pdu);
245 return False;
246 }
247
248 /* Append the auth blob. */
249 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
250 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
251 (unsigned int)NTLMSSP_SIG_SIZE));
252 data_blob_free(&auth_blob);
253 prs_mem_free(&outgoing_pdu);
254 return False;
255 }
256
257 data_blob_free(&auth_blob);
258
259 /*
260 * Setup the counts for this PDU.
261 */
262
263 p->out_data.data_sent_length += data_len;
264 p->out_data.current_pdu_len = p->hdr.frag_len;
265 p->out_data.current_pdu_sent = 0;
266
267 prs_mem_free(&outgoing_pdu);
268 return True;
269 }
270
271 /*******************************************************************
272 Generate the next PDU to be returned from the data in p->rdata.
273 Return an schannel authenticated fragment.
274 ********************************************************************/
275
276 static BOOL create_next_pdu_schannel(pipes_struct *p)
277 {
278 RPC_HDR_RESP hdr_resp;
279 uint32 ss_padding_len = 0;
280 uint32 data_len;
281 uint32 data_space_available;
282 uint32 data_len_left;
283 prs_struct outgoing_pdu;
284 uint32 data_pos;
285
286 /*
287 * If we're in the fault state, keep returning fault PDU's until
288 * the pipe gets closed. JRA.
289 */
290
291 if(p->fault_state) {
292 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
293 return True;
294 }
295
296 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
297
298 /* Change the incoming request header to a response. */
299 p->hdr.pkt_type = RPC_RESPONSE;
300
301 /* Set up rpc header flags. */
302 if (p->out_data.data_sent_length == 0) {
303 p->hdr.flags = RPC_FLG_FIRST;
304 } else {
305 p->hdr.flags = 0;
306 }
307
308 /*
309 * Work out how much we can fit in a single PDU.
310 */
311
312 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
313
314 /*
315 * Ensure there really is data left to send.
316 */
317
318 if(!data_len_left) {
319 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
320 return False;
321 }
322
323 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
324 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
325
326 /*
327 * The amount we send is the minimum of the available
328 * space and the amount left to send.
329 */
330
331 data_len = MIN(data_len_left, data_space_available);
332
333 /*
334 * Set up the alloc hint. This should be the data left to
335 * send.
336 */
337
338 hdr_resp.alloc_hint = data_len_left;
339
340 /*
341 * Work out if this PDU will be the last.
342 */
343
344 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
345 p->hdr.flags |= RPC_FLG_LAST;
346 if (data_len_left % 8) {
347 ss_padding_len = 8 - (data_len_left % 8);
348 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
349 ss_padding_len ));
350 }
351 }
352
353 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
354 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
355 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
356
357 /*
358 * Init the parse struct to point at the outgoing
359 * data.
360 */
361
362 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
363 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
364
365 /* Store the header in the data stream. */
366 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
367 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
368 prs_mem_free(&outgoing_pdu);
369 return False;
370 }
371
372 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
373 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
374 prs_mem_free(&outgoing_pdu);
375 return False;
376 }
377
378 /* Store the current offset. */
379 data_pos = prs_offset(&outgoing_pdu);
380
381 /* Copy the data into the PDU. */
382
383 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
384 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
385 prs_mem_free(&outgoing_pdu);
386 return False;
387 }
388
389 /* Copy the sign/seal padding data. */
390 if (ss_padding_len) {
391 char pad[8];
392 memset(pad, '\0', 8);
393 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
394 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
395 prs_mem_free(&outgoing_pdu);
396 return False;
397 }
398 }
399
400 {
401 /*
402 * Schannel processing.
403 */
404 char *data;
405 RPC_HDR_AUTH auth_info;
406 RPC_AUTH_SCHANNEL_CHK verf;
407
408 data = prs_data_p(&outgoing_pdu) + data_pos;
409 /* Check it's the type of reply we were expecting to decode */
410
411 init_rpc_hdr_auth(&auth_info,
412 RPC_SCHANNEL_AUTH_TYPE,
413 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
414 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
415 ss_padding_len, 1);
416
417 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
418 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
419 prs_mem_free(&outgoing_pdu);
420 return False;
421 }
422
423 schannel_encode(p->auth.a_u.schannel_auth,
424 p->auth.auth_level,
425 SENDER_IS_ACCEPTOR,
426 &verf, data, data_len + ss_padding_len);
427
428 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
429 &verf, &outgoing_pdu, 0)) {
430 prs_mem_free(&outgoing_pdu);
431 return False;
432 }
433
434 p->auth.a_u.schannel_auth->seq_num++;
435 }
436
437 /*
438 * Setup the counts for this PDU.
439 */
440
441 p->out_data.data_sent_length += data_len;
442 p->out_data.current_pdu_len = p->hdr.frag_len;
443 p->out_data.current_pdu_sent = 0;
444
445 prs_mem_free(&outgoing_pdu);
446 return True;
447 }
448
449 /*******************************************************************
450 Generate the next PDU to be returned from the data in p->rdata.
451 No authentication done.
452 ********************************************************************/
453
454 static BOOL create_next_pdu_noauth(pipes_struct *p)
455 {
456 RPC_HDR_RESP hdr_resp;
457 uint32 data_len;
458 uint32 data_space_available;
459 uint32 data_len_left;
460 prs_struct outgoing_pdu;
461
462 /*
463 * If we're in the fault state, keep returning fault PDU's until
464 * the pipe gets closed. JRA.
465 */
466
467 if(p->fault_state) {
468 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
469 return True;
470 }
471
472 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
473
474 /* Change the incoming request header to a response. */
475 p->hdr.pkt_type = RPC_RESPONSE;
476
477 /* Set up rpc header flags. */
478 if (p->out_data.data_sent_length == 0) {
479 p->hdr.flags = RPC_FLG_FIRST;
480 } else {
481 p->hdr.flags = 0;
482 }
483
484 /*
485 * Work out how much we can fit in a single PDU.
486 */
487
488 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
489
490 /*
491 * Ensure there really is data left to send.
492 */
493
494 if(!data_len_left) {
495 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
496 return False;
497 }
498
499 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
500
501 /*
502 * The amount we send is the minimum of the available
503 * space and the amount left to send.
504 */
505
506 data_len = MIN(data_len_left, data_space_available);
507
508 /*
509 * Set up the alloc hint. This should be the data left to
510 * send.
511 */
512
513 hdr_resp.alloc_hint = data_len_left;
514
515 /*
516 * Work out if this PDU will be the last.
517 */
518
519 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
520 p->hdr.flags |= RPC_FLG_LAST;
521 }
522
523 /*
524 * Set up the header lengths.
525 */
526
527 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
528 p->hdr.auth_len = 0;
529
530 /*
531 * Init the parse struct to point at the outgoing
532 * data.
533 */
534
535 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
536 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
537
538 /* Store the header in the data stream. */
539 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
540 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
541 prs_mem_free(&outgoing_pdu);
542 return False;
543 }
544
545 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
546 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
547 prs_mem_free(&outgoing_pdu);
548 return False;
549 }
550
551 /* Copy the data into the PDU. */
552
553 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
554 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
555 prs_mem_free(&outgoing_pdu);
556 return False;
557 }
558
559 /*
560 * Setup the counts for this PDU.
561 */
562
563 p->out_data.data_sent_length += data_len;
564 p->out_data.current_pdu_len = p->hdr.frag_len;
565 p->out_data.current_pdu_sent = 0;
566
567 prs_mem_free(&outgoing_pdu);
568 return True;
569 }
570
571 /*******************************************************************
572 Generate the next PDU to be returned from the data in p->rdata.
573 ********************************************************************/
574
575 BOOL create_next_pdu(pipes_struct *p)
576 {
577 switch(p->auth.auth_level) {
578 case PIPE_AUTH_LEVEL_NONE:
579 case PIPE_AUTH_LEVEL_CONNECT:
580 /* This is incorrect for auth level connect. Fixme. JRA */
581 return create_next_pdu_noauth(p);
582
583 default:
584 switch(p->auth.auth_type) {
585 case PIPE_AUTH_TYPE_NTLMSSP:
586 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
587 return create_next_pdu_ntlmssp(p);
588 case PIPE_AUTH_TYPE_SCHANNEL:
589 return create_next_pdu_schannel(p);
590 default:
591 break;
592 }
593 }
594
595 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
596 (unsigned int)p->auth.auth_level,
597 (unsigned int)p->auth.auth_type));
598 return False;
599 }
600
601 /*******************************************************************
602 Process an NTLMSSP authentication response.
603 If this function succeeds, the user has been authenticated
604 and their domain, name and calling workstation stored in
605 the pipe struct.
606 *******************************************************************/
607
608 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
609 {
610 DATA_BLOB reply;
611 NTSTATUS status;
612 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
613
614 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
615
616 ZERO_STRUCT(reply);
617
618 /* this has to be done as root in order to verify the password */
619 become_root();
620 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
621 unbecome_root();
622
623 /* Don't generate a reply. */
624 data_blob_free(&reply);
625
626 if (!NT_STATUS_IS_OK(status)) {
627 return False;
628 }
629
630 if (a->server_info->ptok == NULL) {
631 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
632 p->pipe_user.nt_user_token = NULL;
633 return False;
634 }
635
636 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
637 ensure the underlying NTLMSSP flags are also set. If not we should
638 refuse the bind. */
639
640 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
641 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
642 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
643 "but client declined signing.\n",
644 p->name ));
645 return False;
646 }
647 }
648 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
649 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
650 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
651 "but client declined sealing.\n",
652 p->name ));
653 return False;
654 }
655 }
656
657 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
658 a->ntlmssp_state->user, a->ntlmssp_state->domain,
659 a->ntlmssp_state->workstation));
660
661 /*
662 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
663 */
664
665 p->pipe_user.ut.uid = a->server_info->uid;
666 p->pipe_user.ut.gid = a->server_info->gid;
667
668 /*
669 * We're an authenticated bind over smb, so the session key needs to
670 * be set to "SystemLibraryDTC". Weird, but this is what Windows
671 * does. See the RPC-SAMBA3SESSIONKEY.
672 */
673
674 data_blob_free(&p->session_key);
675 p->session_key = generic_session_key();
676 if (!p->session_key.data) {
677 return False;
678 }
679
680 p->pipe_user.ut.ngroups = a->server_info->n_groups;
681 if (p->pipe_user.ut.ngroups) {
682 if (!(p->pipe_user.ut.groups = (gid_t *)
683 memdup(a->server_info->groups,
684 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
685 DEBUG(0,("pipe_ntlmssp_verify_final: failed to memdup group list to p->pipe_user.groups\n"));
686 data_blob_free(&p->session_key);
687 return False;
688 }
689 }
690
691 if (!a->server_info->ptok) {
692 DEBUG(1,("pipe_ntlmssp_verify_final: Error: Authmodule failed to provide nt_user_token\n"));
693 data_blob_free(&p->session_key);
694 SAFE_FREE(p->pipe_user.ut.groups);
695 return False;
696 }
697
698 p->pipe_user.nt_user_token = dup_nt_token(NULL, a->server_info->ptok);
699 if (!p->pipe_user.nt_user_token) {
700 DEBUG(1,("pipe_ntlmssp_verify_final: dup_nt_token failed.\n"));
701 data_blob_free(&p->session_key);
702 SAFE_FREE(p->pipe_user.ut.groups);
703 return False;
704 }
705
706 return True;
707 }
708
709 /*******************************************************************
710 The switch table for the pipe names and the functions to handle them.
711 *******************************************************************/
712
713 struct rpc_table {
714 struct {
715 const char *clnt;
716 const char *srv;
717 } pipe;
718 struct api_struct *cmds;
719 int n_cmds;
720 };
721
722 static struct rpc_table *rpc_lookup;
723 static int rpc_lookup_size;
724
725 /*******************************************************************
726 This is the "stage3" NTLMSSP response after a bind request and reply.
727 *******************************************************************/
728
729 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
730 {
731 RPC_HDR_AUTH auth_info;
732 uint32 pad;
733 DATA_BLOB blob;
734
735 ZERO_STRUCT(blob);
736
737 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
738
739 if (p->hdr.auth_len == 0) {
740 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
741 goto err;
742 }
743
744 /* 4 bytes padding. */
745 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
746 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
747 goto err;
748 }
749
750 /*
751 * Decode the authentication verifier response.
752 */
753
754 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
755 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
756 goto err;
757 }
758
759 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
760 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
761 (unsigned int)auth_info.auth_type ));
762 return False;
763 }
764
765 blob = data_blob(NULL,p->hdr.auth_len);
766
767 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
768 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
769 (unsigned int)p->hdr.auth_len ));
770 goto err;
771 }
772
773 /*
774 * The following call actually checks the challenge/response data.
775 * for correctness against the given DOMAIN\user name.
776 */
777
778 if (!pipe_ntlmssp_verify_final(p, &blob)) {
779 goto err;
780 }
781
782 data_blob_free(&blob);
783
784 p->pipe_bound = True;
785
786 return True;
787
788 err:
789
790 data_blob_free(&blob);
791 free_pipe_ntlmssp_auth_data(&p->auth);
792 p->auth.a_u.auth_ntlmssp_state = NULL;
793
794 return False;
795 }
796
797 /*******************************************************************
798 Marshall a bind_nak pdu.
799 *******************************************************************/
800
801 static BOOL setup_bind_nak(pipes_struct *p)
802 {
803 prs_struct outgoing_rpc;
804 RPC_HDR nak_hdr;
805 uint16 zero = 0;
806
807 /* Free any memory in the current return data buffer. */
808 prs_mem_free(&p->out_data.rdata);
809
810 /*
811 * Marshall directly into the outgoing PDU space. We
812 * must do this as we need to set to the bind response
813 * header and are never sending more than one PDU here.
814 */
815
816 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
817 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
818
819 /*
820 * Initialize a bind_nak header.
821 */
822
823 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
824 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
825
826 /*
827 * Marshall the header into the outgoing PDU.
828 */
829
830 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
831 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
832 prs_mem_free(&outgoing_rpc);
833 return False;
834 }
835
836 /*
837 * Now add the reject reason.
838 */
839
840 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
841 prs_mem_free(&outgoing_rpc);
842 return False;
843 }
844
845 p->out_data.data_sent_length = 0;
846 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
847 p->out_data.current_pdu_sent = 0;
848
849 if (p->auth.auth_data_free_func) {
850 (*p->auth.auth_data_free_func)(&p->auth);
851 }
852 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
853 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
854 p->pipe_bound = False;
855
856 return True;
857 }
858
859 /*******************************************************************
860 Marshall a fault pdu.
861 *******************************************************************/
862
863 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
864 {
865 prs_struct outgoing_pdu;
866 RPC_HDR fault_hdr;
867 RPC_HDR_RESP hdr_resp;
868 RPC_HDR_FAULT fault_resp;
869
870 /* Free any memory in the current return data buffer. */
871 prs_mem_free(&p->out_data.rdata);
872
873 /*
874 * Marshall directly into the outgoing PDU space. We
875 * must do this as we need to set to the bind response
876 * header and are never sending more than one PDU here.
877 */
878
879 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
880 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
881
882 /*
883 * Initialize a fault header.
884 */
885
886 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
887 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
888
889 /*
890 * Initialize the HDR_RESP and FAULT parts of the PDU.
891 */
892
893 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
894
895 fault_resp.status = status;
896 fault_resp.reserved = 0;
897
898 /*
899 * Marshall the header into the outgoing PDU.
900 */
901
902 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
903 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
904 prs_mem_free(&outgoing_pdu);
905 return False;
906 }
907
908 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
909 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
910 prs_mem_free(&outgoing_pdu);
911 return False;
912 }
913
914 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
915 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
916 prs_mem_free(&outgoing_pdu);
917 return False;
918 }
919
920 p->out_data.data_sent_length = 0;
921 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
922 p->out_data.current_pdu_sent = 0;
923
924 prs_mem_free(&outgoing_pdu);
925 return True;
926 }
927
928 #if 0
929 /*******************************************************************
930 Marshall a cancel_ack pdu.
931 We should probably check the auth-verifier here.
932 *******************************************************************/
933
934 BOOL setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
935 {
936 prs_struct outgoing_pdu;
937 RPC_HDR ack_reply_hdr;
938
939 /* Free any memory in the current return data buffer. */
940 prs_mem_free(&p->out_data.rdata);
941
942 /*
943 * Marshall directly into the outgoing PDU space. We
944 * must do this as we need to set to the bind response
945 * header and are never sending more than one PDU here.
946 */
947
948 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
949 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
950
951 /*
952 * Initialize a cancel_ack header.
953 */
954
955 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
956 p->hdr.call_id, RPC_HEADER_LEN, 0);
957
958 /*
959 * Marshall the header into the outgoing PDU.
960 */
961
962 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
963 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
964 prs_mem_free(&outgoing_pdu);
965 return False;
966 }
967
968 p->out_data.data_sent_length = 0;
969 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
970 p->out_data.current_pdu_sent = 0;
971
972 prs_mem_free(&outgoing_pdu);
973 return True;
974 }
975 #endif
976
977 /*******************************************************************
978 Ensure a bind request has the correct abstract & transfer interface.
979 Used to reject unknown binds from Win2k.
980 *******************************************************************/
981
982 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
983 RPC_IFACE* transfer, uint32 context_id)
984 {
985 char *pipe_name = p->name;
986 int i=0;
987 fstring pname;
988
989 fstrcpy(pname,"\\PIPE\\");
990 fstrcat(pname,pipe_name);
991
992 DEBUG(3,("check_bind_req for %s\n", pname));
993
994 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
995
996 for ( i=0; pipe_names[i].client_pipe; i++ ) {
997 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
998 if ( strequal(pipe_names[i].client_pipe, pname)
999 && (abstract->version == pipe_names[i].abstr_syntax.version)
1000 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
1001 && (transfer->version == pipe_names[i].trans_syntax.version)
1002 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
1003 struct api_struct *fns = NULL;
1004 int n_fns = 0;
1005 PIPE_RPC_FNS *context_fns;
1006
1007 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1008 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1009 return False;
1010 }
1011
1012 /* save the RPC function table associated with this bind */
1013
1014 get_pipe_fns(i, &fns, &n_fns);
1015
1016 context_fns->cmds = fns;
1017 context_fns->n_cmds = n_fns;
1018 context_fns->context_id = context_id;
1019
1020 /* add to the list of open contexts */
1021
1022 DLIST_ADD( p->contexts, context_fns );
1023
1024 break;
1025 }
1026 }
1027
1028 if(pipe_names[i].client_pipe == NULL) {
1029 return False;
1030 }
1031
1032 return True;
1033 }
1034
1035 /*******************************************************************
1036 Register commands to an RPC pipe
1037 *******************************************************************/
1038
1039 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1040 {
1041 struct rpc_table *rpc_entry;
1042
1043 if (!clnt || !srv || !cmds) {
1044 return NT_STATUS_INVALID_PARAMETER;
1045 }
1046
1047 if (version != SMB_RPC_INTERFACE_VERSION) {
1048 DEBUG(0,("Can't register rpc commands!\n"
1049 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1050 ", while this version of samba uses version %d!\n",
1051 version,SMB_RPC_INTERFACE_VERSION));
1052 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1053 }
1054
1055 /* TODO:
1056 *
1057 * we still need to make sure that don't register the same commands twice!!!
1058 *
1059 * --metze
1060 */
1061
1062 /* We use a temporary variable because this call can fail and
1063 rpc_lookup will still be valid afterwards. It could then succeed if
1064 called again later */
1065 rpc_lookup_size++;
1066 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1067 if (NULL == rpc_entry) {
1068 rpc_lookup_size--;
1069 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1070 return NT_STATUS_NO_MEMORY;
1071 } else {
1072 rpc_lookup = rpc_entry;
1073 }
1074
1075 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1076 ZERO_STRUCTP(rpc_entry);
1077 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1078 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1079 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1080 if (!rpc_entry->cmds) {
1081 return NT_STATUS_NO_MEMORY;
1082 }
1083 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1084 rpc_entry->n_cmds += size;
1085
1086 return NT_STATUS_OK;
1087 }
1088
1089 /*******************************************************************
1090 Handle a SPNEGO krb5 bind auth.
1091 *******************************************************************/
1092
1093 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1094 DATA_BLOB *psecblob, prs_struct *pout_auth)
1095 {
1096 return False;
1097 }
1098
1099 /*******************************************************************
1100 Handle the first part of a SPNEGO bind auth.
1101 *******************************************************************/
1102
1103 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1104 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1105 {
1106 DATA_BLOB blob;
1107 DATA_BLOB secblob;
1108 DATA_BLOB response;
1109 DATA_BLOB chal;
1110 char *OIDs[ASN1_MAX_OIDS];
1111 int i;
1112 NTSTATUS status;
1113 BOOL got_kerberos_mechanism = False;
1114 AUTH_NTLMSSP_STATE *a = NULL;
1115 RPC_HDR_AUTH auth_info;
1116
1117 ZERO_STRUCT(secblob);
1118 ZERO_STRUCT(chal);
1119 ZERO_STRUCT(response);
1120
1121 /* Grab the SPNEGO blob. */
1122 blob = data_blob(NULL,p->hdr.auth_len);
1123
1124 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1125 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1126 (unsigned int)p->hdr.auth_len ));
1127 goto err;
1128 }
1129
1130 if (blob.data[0] != ASN1_APPLICATION(0)) {
1131 goto err;
1132 }
1133
1134 /* parse out the OIDs and the first sec blob */
1135 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1136 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1137 goto err;
1138 }
1139
1140 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1141 got_kerberos_mechanism = True;
1142 }
1143
1144 for (i=0;OIDs[i];i++) {
1145 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1146 SAFE_FREE(OIDs[i]);
1147 }
1148 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1149
1150 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1151 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1152 data_blob_free(&secblob);
1153 data_blob_free(&blob);
1154 return ret;
1155 }
1156
1157 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1158 /* Free any previous auth type. */
1159 free_pipe_ntlmssp_auth_data(&p->auth);
1160 }
1161
1162 /* Initialize the NTLM engine. */
1163 status = auth_ntlmssp_start(&a);
1164 if (!NT_STATUS_IS_OK(status)) {
1165 goto err;
1166 }
1167
1168 /*
1169 * Pass the first security blob of data to it.
1170 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1171 * which means we need another packet to complete the bind.
1172 */
1173
1174 status = auth_ntlmssp_update(a, secblob, &chal);
1175
1176 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1177 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1178 goto err;
1179 }
1180
1181 /* Generate the response blob we need for step 2 of the bind. */
1182 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1183
1184 /* Copy the blob into the pout_auth parse struct */
1185 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1186 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1187 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1188 goto err;
1189 }
1190
1191 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1192 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1193 goto err;
1194 }
1195
1196 p->auth.a_u.auth_ntlmssp_state = a;
1197 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1198 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1199
1200 data_blob_free(&blob);
1201 data_blob_free(&secblob);
1202 data_blob_free(&chal);
1203 data_blob_free(&response);
1204
1205 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1206 return True;
1207
1208 err:
1209
1210 data_blob_free(&blob);
1211 data_blob_free(&secblob);
1212 data_blob_free(&chal);
1213 data_blob_free(&response);
1214
1215 p->auth.a_u.auth_ntlmssp_state = NULL;
1216
1217 return False;
1218 }
1219
1220 /*******************************************************************
1221 Handle the second part of a SPNEGO bind auth.
1222 *******************************************************************/
1223
1224 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1225 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1226 {
1227 RPC_HDR_AUTH auth_info;
1228 DATA_BLOB spnego_blob;
1229 DATA_BLOB auth_blob;
1230 DATA_BLOB auth_reply;
1231 DATA_BLOB response;
1232 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1233
1234 ZERO_STRUCT(spnego_blob);
1235 ZERO_STRUCT(auth_blob);
1236 ZERO_STRUCT(auth_reply);
1237 ZERO_STRUCT(response);
1238
1239 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1240 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1241 goto err;
1242 }
1243
1244 /* Grab the SPNEGO blob. */
1245 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1246
1247 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1248 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1249 (unsigned int)p->hdr.auth_len ));
1250 goto err;
1251 }
1252
1253 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1254 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1255 goto err;
1256 }
1257
1258 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1259 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1260 goto err;
1261 }
1262
1263 /*
1264 * The following call actually checks the challenge/response data.
1265 * for correctness against the given DOMAIN\user name.
1266 */
1267
1268 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1269 goto err;
1270 }
1271
1272 data_blob_free(&spnego_blob);
1273 data_blob_free(&auth_blob);
1274
1275 /* Generate the spnego "accept completed" blob - no incoming data. */
1276 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1277
1278 /* Copy the blob into the pout_auth parse struct */
1279 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1280 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1281 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1282 goto err;
1283 }
1284
1285 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1286 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1287 goto err;
1288 }
1289
1290 data_blob_free(&auth_reply);
1291 data_blob_free(&response);
1292
1293 p->pipe_bound = True;
1294
1295 return True;
1296
1297 err:
1298
1299 data_blob_free(&spnego_blob);
1300 data_blob_free(&auth_blob);
1301 data_blob_free(&auth_reply);
1302 data_blob_free(&response);
1303
1304 free_pipe_ntlmssp_auth_data(&p->auth);
1305 p->auth.a_u.auth_ntlmssp_state = NULL;
1306
1307 return False;
1308 }
1309
1310 /*******************************************************************
1311 Handle an schannel bind auth.
1312 *******************************************************************/
1313
1314 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1315 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1316 {
1317 RPC_HDR_AUTH auth_info;
1318 RPC_AUTH_SCHANNEL_NEG neg;
1319 RPC_AUTH_VERIFIER auth_verifier;
1320 BOOL ret;
1321 struct dcinfo *pdcinfo;
1322 uint32 flags;
1323
1324 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1325 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1326 return False;
1327 }
1328
1329 /*
1330 * The neg.myname key here must match the remote computer name
1331 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1332 * operations that use credentials.
1333 */
1334
1335 become_root();
1336 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1337 unbecome_root();
1338
1339 if (!ret) {
1340 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1341 return False;
1342 }
1343
1344 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1345 if (!p->auth.a_u.schannel_auth) {
1346 TALLOC_FREE(pdcinfo);
1347 return False;
1348 }
1349
1350 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1351 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1352 sizeof(pdcinfo->sess_key));
1353
1354 TALLOC_FREE(pdcinfo);
1355
1356 p->auth.a_u.schannel_auth->seq_num = 0;
1357
1358 /*
1359 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1360 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1361 * struct of the person who opened the pipe. I need to test this further. JRA.
1362 *
1363 * VL. As we are mapping this to guest set the generic key
1364 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1365 * W2k3, as it does not allow schannel binds against SAMR and LSA
1366 * anymore.
1367 */
1368
1369 data_blob_free(&p->session_key);
1370 p->session_key = generic_session_key();
1371 if (p->session_key.data == NULL) {
1372 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1373 " key\n"));
1374 return False;
1375 }
1376
1377 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1378 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1379 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1380 return False;
1381 }
1382
1383 /*** SCHANNEL verifier ***/
1384
1385 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1386 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1387 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1388 return False;
1389 }
1390
1391 prs_align(pout_auth);
1392
1393 flags = 5;
1394 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1395 return False;
1396 }
1397
1398 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1399 neg.domain, neg.myname));
1400
1401 /* We're finished with this bind - no more packets. */
1402 p->auth.auth_data_free_func = NULL;
1403 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1404
1405 if (!set_current_user_guest(&p->pipe_user)) {
1406 DEBUG(1, ("pipe_schannel_auth_bind: Could not set guest "
1407 "token\n"));
1408 return False;
1409 }
1410
1411 p->pipe_bound = True;
1412
1413 return True;
1414 }
1415
1416 /*******************************************************************
1417 Handle an NTLMSSP bind auth.
1418 *******************************************************************/
1419
1420 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1421 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1422 {
1423 RPC_HDR_AUTH auth_info;
1424 DATA_BLOB blob;
1425 DATA_BLOB response;
1426 NTSTATUS status;
1427 AUTH_NTLMSSP_STATE *a = NULL;
1428
1429 ZERO_STRUCT(blob);
1430 ZERO_STRUCT(response);
1431
1432 /* Grab the NTLMSSP blob. */
1433 blob = data_blob(NULL,p->hdr.auth_len);
1434
1435 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1436 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1437 (unsigned int)p->hdr.auth_len ));
1438 goto err;
1439 }
1440
1441 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1442 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1443 goto err;
1444 }
1445
1446 /* We have an NTLMSSP blob. */
1447 status = auth_ntlmssp_start(&a);
1448 if (!NT_STATUS_IS_OK(status)) {
1449 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1450 nt_errstr(status) ));
1451 goto err;
1452 }
1453
1454 status = auth_ntlmssp_update(a, blob, &response);
1455 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1456 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1457 nt_errstr(status) ));
1458 goto err;
1459 }
1460
1461 data_blob_free(&blob);
1462
1463 /* Copy the blob into the pout_auth parse struct */
1464 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1465 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1466 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1467 goto err;
1468 }
1469
1470 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1471 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1472 goto err;
1473 }
1474
1475 p->auth.a_u.auth_ntlmssp_state = a;
1476 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1477 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1478
1479 data_blob_free(&blob);
1480 data_blob_free(&response);
1481
1482 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1483
1484 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1485 return True;
1486
1487 err:
1488
1489 data_blob_free(&blob);
1490 data_blob_free(&response);
1491
1492 free_pipe_ntlmssp_auth_data(&p->auth);
1493 p->auth.a_u.auth_ntlmssp_state = NULL;
1494 return False;
1495 }
1496
1497 /*******************************************************************
1498 Respond to a pipe bind request.
1499 *******************************************************************/
1500
1501 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1502 {
1503 RPC_HDR_BA hdr_ba;
1504 RPC_HDR_RB hdr_rb;
1505 RPC_HDR_AUTH auth_info;
1506 uint16 assoc_gid;
1507 fstring ack_pipe_name;
1508 prs_struct out_hdr_ba;
1509 prs_struct out_auth;
1510 prs_struct outgoing_rpc;
1511 int i = 0;
1512 int auth_len = 0;
1513 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1514
1515 /* No rebinds on a bound pipe - use alter context. */
1516 if (p->pipe_bound) {
1517 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1518 return setup_bind_nak(p);
1519 }
1520
1521 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1522
1523 /*
1524 * Marshall directly into the outgoing PDU space. We
1525 * must do this as we need to set to the bind response
1526 * header and are never sending more than one PDU here.
1527 */
1528
1529 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1530
1531 /*
1532 * Setup the memory to marshall the ba header, and the
1533 * auth footers.
1534 */
1535
1536 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1537 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1538 prs_mem_free(&outgoing_rpc);
1539 return False;
1540 }
1541
1542 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1543 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1544 prs_mem_free(&outgoing_rpc);
1545 prs_mem_free(&out_hdr_ba);
1546 return False;
1547 }
1548
1549 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1550
1551 /*
1552 * Try and find the correct pipe name to ensure
1553 * that this is a pipe name we support.
1554 */
1555
1556
1557 for (i = 0; i < rpc_lookup_size; i++) {
1558 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1559 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1560 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1561 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1562 break;
1563 }
1564 }
1565
1566 if (i == rpc_lookup_size) {
1567 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1568 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1569 p->name ));
1570 prs_mem_free(&outgoing_rpc);
1571 prs_mem_free(&out_hdr_ba);
1572 prs_mem_free(&out_auth);
1573
1574 return setup_bind_nak(p);
1575 }
1576
1577 for (i = 0; i < rpc_lookup_size; i++) {
1578 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1579 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1580 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1581 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1582 break;
1583 }
1584 }
1585
1586 if (i == rpc_lookup_size) {
1587 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1588 goto err_exit;
1589 }
1590 }
1591
1592 /* decode the bind request */
1593 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1594 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1595 goto err_exit;
1596 }
1597
1598 /* name has to be \PIPE\xxxxx */
1599 fstrcpy(ack_pipe_name, "\\PIPE\\");
1600 fstrcat(ack_pipe_name, p->pipe_srv_name);
1601
1602 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1603
1604 /*
1605 * Check if this is an authenticated bind request.
1606 */
1607
1608 if (p->hdr.auth_len) {
1609 /*
1610 * Decode the authentication verifier.
1611 */
1612
1613 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1614 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1615 goto err_exit;
1616 }
1617
1618 auth_type = auth_info.auth_type;
1619
1620 /* Work out if we have to sign or seal etc. */
1621 switch (auth_info.auth_level) {
1622 case RPC_AUTH_LEVEL_INTEGRITY:
1623 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1624 break;
1625 case RPC_AUTH_LEVEL_PRIVACY:
1626 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1627 break;
1628 default:
1629 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1630 (unsigned int)auth_info.auth_level ));
1631 goto err_exit;
1632 }
1633 } else {
1634 ZERO_STRUCT(auth_info);
1635 }
1636
1637 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1638
1639 switch(auth_type) {
1640 case RPC_NTLMSSP_AUTH_TYPE:
1641 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1642 goto err_exit;
1643 }
1644 assoc_gid = 0x7a77;
1645 break;
1646
1647 case RPC_SCHANNEL_AUTH_TYPE:
1648 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1649 goto err_exit;
1650 }
1651 break;
1652
1653 case RPC_SPNEGO_AUTH_TYPE:
1654 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1655 goto err_exit;
1656 }
1657 break;
1658
1659 case RPC_ANONYMOUS_AUTH_TYPE:
1660 /* Unauthenticated bind request. */
1661 /* Get the authenticated pipe user from current_user */
1662 if (!copy_current_user(&p->pipe_user, &current_user)) {
1663 DEBUG(10, ("Could not copy current user\n"));
1664 goto err_exit;
1665 }
1666 /* We're finished - no more packets. */
1667 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1668 /* We must set the pipe auth_level here also. */
1669 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1670 p->pipe_bound = True;
1671 /* The session key was initialized from the SMB
1672 * session in make_internal_rpc_pipe_p */
1673 break;
1674
1675 default:
1676 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1677 goto err_exit;
1678 }
1679
1680 /*
1681 * Create the bind response struct.
1682 */
1683
1684 /* If the requested abstract synt uuid doesn't match our client pipe,
1685 reject the bind_ack & set the transfer interface synt to all 0's,
1686 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1687 unknown to NT4)
1688 Needed when adding entries to a DACL from NT5 - SK */
1689
1690 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1691 hdr_rb.rpc_context[0].context_id )) {
1692 init_rpc_hdr_ba(&hdr_ba,
1693 RPC_MAX_PDU_FRAG_LEN,
1694 RPC_MAX_PDU_FRAG_LEN,
1695 assoc_gid,
1696 ack_pipe_name,
1697 0x1, 0x0, 0x0,
1698 &hdr_rb.rpc_context[0].transfer[0]);
1699 } else {
1700 RPC_IFACE null_interface;
1701 ZERO_STRUCT(null_interface);
1702 /* Rejection reason: abstract syntax not supported */
1703 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1704 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1705 ack_pipe_name, 0x1, 0x2, 0x1,
1706 &null_interface);
1707 p->pipe_bound = False;
1708 }
1709
1710 /*
1711 * and marshall it.
1712 */
1713
1714 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1715 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1716 goto err_exit;
1717 }
1718
1719 /*
1720 * Create the header, now we know the length.
1721 */
1722
1723 if (prs_offset(&out_auth)) {
1724 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1725 }
1726
1727 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1728 p->hdr.call_id,
1729 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1730 auth_len);
1731
1732 /*
1733 * Marshall the header into the outgoing PDU.
1734 */
1735
1736 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1737 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1738 goto err_exit;
1739 }
1740
1741 /*
1742 * Now add the RPC_HDR_BA and any auth needed.
1743 */
1744
1745 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1746 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1747 goto err_exit;
1748 }
1749
1750 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1751 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1752 goto err_exit;
1753 }
1754
1755 /*
1756 * Setup the lengths for the initial reply.
1757 */
1758
1759 p->out_data.data_sent_length = 0;
1760 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1761 p->out_data.current_pdu_sent = 0;
1762
1763 prs_mem_free(&out_hdr_ba);
1764 prs_mem_free(&out_auth);
1765
1766 return True;
1767
1768 err_exit:
1769
1770 prs_mem_free(&outgoing_rpc);
1771 prs_mem_free(&out_hdr_ba);
1772 prs_mem_free(&out_auth);
1773 return setup_bind_nak(p);
1774 }
1775
1776 /****************************************************************************
1777 Deal with an alter context call. Can be third part of 3 leg auth request for
1778 SPNEGO calls.
1779 ****************************************************************************/
1780
1781 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1782 {
1783 RPC_HDR_BA hdr_ba;
1784 RPC_HDR_RB hdr_rb;
1785 RPC_HDR_AUTH auth_info;
1786 uint16 assoc_gid;
1787 fstring ack_pipe_name;
1788 prs_struct out_hdr_ba;
1789 prs_struct out_auth;
1790 prs_struct outgoing_rpc;
1791 int auth_len = 0;
1792
1793 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1794
1795 /*
1796 * Marshall directly into the outgoing PDU space. We
1797 * must do this as we need to set to the bind response
1798 * header and are never sending more than one PDU here.
1799 */
1800
1801 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1802
1803 /*
1804 * Setup the memory to marshall the ba header, and the
1805 * auth footers.
1806 */
1807
1808 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1809 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1810 prs_mem_free(&outgoing_rpc);
1811 return False;
1812 }
1813
1814 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1815 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1816 prs_mem_free(&outgoing_rpc);
1817 prs_mem_free(&out_hdr_ba);
1818 return False;
1819 }
1820
1821 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1822
1823 /* decode the alter context request */
1824 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1825 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1826 goto err_exit;
1827 }
1828
1829 /* secondary address CAN be NULL
1830 * as the specs say it's ignored.
1831 * It MUST be NULL to have the spoolss working.
1832 */
1833 fstrcpy(ack_pipe_name,"");
1834
1835 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1836
1837 /*
1838 * Check if this is an authenticated alter context request.
1839 */
1840
1841 if (p->hdr.auth_len != 0) {
1842 /*
1843 * Decode the authentication verifier.
1844 */
1845
1846 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1847 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1848 goto err_exit;
1849 }
1850
1851 /*
1852 * Currently only the SPNEGO auth type uses the alter ctx
1853 * response in place of the NTLMSSP auth3 type.
1854 */
1855
1856 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1857 /* We can only finish if the pipe is unbound. */
1858 if (!p->pipe_bound) {
1859 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1860 goto err_exit;
1861 }
1862 } else {
1863 goto err_exit;
1864 }
1865 }
1866 } else {
1867 ZERO_STRUCT(auth_info);
1868 }
1869
1870 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1871
1872 /*
1873 * Create the bind response struct.
1874 */
1875
1876 /* If the requested abstract synt uuid doesn't match our client pipe,
1877 reject the bind_ack & set the transfer interface synt to all 0's,
1878 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1879 unknown to NT4)
1880 Needed when adding entries to a DACL from NT5 - SK */
1881
1882 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1883 hdr_rb.rpc_context[0].context_id )) {
1884 init_rpc_hdr_ba(&hdr_ba,
1885 RPC_MAX_PDU_FRAG_LEN,
1886 RPC_MAX_PDU_FRAG_LEN,
1887 assoc_gid,
1888 ack_pipe_name,
1889 0x1, 0x0, 0x0,
1890 &hdr_rb.rpc_context[0].transfer[0]);
1891 } else {
1892 RPC_IFACE null_interface;
1893 ZERO_STRUCT(null_interface);
1894 /* Rejection reason: abstract syntax not supported */
1895 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1896 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1897 ack_pipe_name, 0x1, 0x2, 0x1,
1898 &null_interface);
1899 p->pipe_bound = False;
1900 }
1901
1902 /*
1903 * and marshall it.
1904 */
1905
1906 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1907 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1908 goto err_exit;
1909 }
1910
1911 /*
1912 * Create the header, now we know the length.
1913 */
1914
1915 if (prs_offset(&out_auth)) {
1916 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1917 }
1918
1919 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1920 p->hdr.call_id,
1921 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1922 auth_len);
1923
1924 /*
1925 * Marshall the header into the outgoing PDU.
1926 */
1927
1928 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1929 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1930 goto err_exit;
1931 }
1932
1933 /*
1934 * Now add the RPC_HDR_BA and any auth needed.
1935 */
1936
1937 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1938 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1939 goto err_exit;
1940 }
1941
1942 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1943 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1944 goto err_exit;
1945 }
1946
1947 /*
1948 * Setup the lengths for the initial reply.
1949 */
1950
1951 p->out_data.data_sent_length = 0;
1952 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1953 p->out_data.current_pdu_sent = 0;
1954
1955 prs_mem_free(&out_hdr_ba);
1956 prs_mem_free(&out_auth);
1957
1958 return True;
1959
1960 err_exit:
1961
1962 prs_mem_free(&outgoing_rpc);
1963 prs_mem_free(&out_hdr_ba);
1964 prs_mem_free(&out_auth);
1965 return setup_bind_nak(p);
1966 }
1967
1968 /****************************************************************************
1969 Deal with NTLMSSP sign & seal processing on an RPC request.
1970 ****************************************************************************/
1971
1972 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1973 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1974 {
1975 RPC_HDR_AUTH auth_info;
1976 uint32 auth_len = p->hdr.auth_len;
1977 uint32 save_offset = prs_offset(rpc_in);
1978 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1979 unsigned char *data = NULL;
1980 size_t data_len;
1981 unsigned char *full_packet_data = NULL;
1982 size_t full_packet_data_len;
1983 DATA_BLOB auth_blob;
1984
1985 *pstatus = NT_STATUS_OK;
1986
1987 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1988 return True;
1989 }
1990
1991 if (!a) {
1992 *pstatus = NT_STATUS_INVALID_PARAMETER;
1993 return False;
1994 }
1995
1996 /* Ensure there's enough data for an authenticated request. */
1997 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1998 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1999 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2000 (unsigned int)auth_len ));
2001 *pstatus = NT_STATUS_INVALID_PARAMETER;
2002 return False;
2003 }
2004
2005 /*
2006 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2007 * after the RPC header.
2008 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2009 * functions as NTLMv2 checks the rpc headers also.
2010 */
2011
2012 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2013 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2014
2015 full_packet_data = p->in_data.current_in_pdu;
2016 full_packet_data_len = p->hdr.frag_len - auth_len;
2017
2018 /* Pull the auth header and the following data into a blob. */
2019 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2020 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2021 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2022 *pstatus = NT_STATUS_INVALID_PARAMETER;
2023 return False;
2024 }
2025
2026 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2027 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2028 *pstatus = NT_STATUS_INVALID_PARAMETER;
2029 return False;
2030 }
2031
2032 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2033 auth_blob.length = auth_len;
2034
2035 switch (p->auth.auth_level) {
2036 case PIPE_AUTH_LEVEL_PRIVACY:
2037 /* Data is encrypted. */
2038 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2039 data, data_len,
2040 full_packet_data,
2041 full_packet_data_len,
2042 &auth_blob);
2043 if (!NT_STATUS_IS_OK(*pstatus)) {
2044 return False;
2045 }
2046 break;
2047 case PIPE_AUTH_LEVEL_INTEGRITY:
2048 /* Data is signed. */
2049 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2050 data, data_len,
2051 full_packet_data,
2052 full_packet_data_len,
2053 &auth_blob);
2054 if (!NT_STATUS_IS_OK(*pstatus)) {
2055 return False;
2056 }
2057 break;
2058 default:
2059 *pstatus = NT_STATUS_INVALID_PARAMETER;
2060 return False;
2061 }
2062
2063 /*
2064 * Return the current pointer to the data offset.
2065 */
2066
2067 if(!prs_set_offset(rpc_in, save_offset)) {
2068 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2069 (unsigned int)save_offset ));
2070 *pstatus = NT_STATUS_INVALID_PARAMETER;
2071 return False;
2072 }
2073
2074 /*
2075 * Remember the padding length. We must remove it from the real data
2076 * stream once the sign/seal is done.
2077 */
2078
2079 *p_ss_padding_len = auth_info.auth_pad_len;
2080
2081 return True;
2082 }
2083
2084 /****************************************************************************
2085 Deal with schannel processing on an RPC request.
2086 ****************************************************************************/
2087
2088 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2089 {
2090 uint32 data_len;
2091 uint32 auth_len;
2092 uint32 save_offset = prs_offset(rpc_in);
2093 RPC_HDR_AUTH auth_info;
2094 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2095
2096 auth_len = p->hdr.auth_len;
2097
2098 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2099 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2100 return False;
2101 }
2102
2103 /*
2104 * The following is that length of the data we must verify or unseal.
2105 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2106 * preceeding the auth_data.
2107 */
2108
2109 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2110 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2111 (unsigned int)p->hdr.frag_len,
2112 (unsigned int)auth_len ));
2113 return False;
2114 }
2115
2116 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2117 RPC_HDR_AUTH_LEN - auth_len;
2118
2119 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2120
2121 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2122 DEBUG(0,("cannot move offset to %u.\n",
2123 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2124 return False;
2125 }
2126
2127 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2128 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2129 return False;
2130 }
2131
2132 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2133 DEBUG(0,("Invalid auth info %d on schannel\n",
2134 auth_info.auth_type));
2135 return False;
2136 }
2137
2138 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2139 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2140 return False;
2141 }
2142
2143 if (!schannel_decode(p->auth.a_u.schannel_auth,
2144 p->auth.auth_level,
2145 SENDER_IS_INITIATOR,
2146 &schannel_chk,
2147 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2148 DEBUG(3,("failed to decode PDU\n"));
2149 return False;
2150 }
2151
2152 /*
2153 * Return the current pointer to the data offset.
2154 */
2155
2156 if(!prs_set_offset(rpc_in, save_offset)) {
2157 DEBUG(0,("failed to set offset back to %u\n",
2158 (unsigned int)save_offset ));
2159 return False;
2160 }
2161
2162 /* The sequence number gets incremented on both send and receive. */
2163 p->auth.a_u.schannel_auth->seq_num++;
2164
2165 /*
2166 * Remember the padding length. We must remove it from the real data
2167 * stream once the sign/seal is done.
2168 */
2169
2170 *p_ss_padding_len = auth_info.auth_pad_len;
2171
2172 return True;
2173 }
2174
2175 /****************************************************************************
2176 Find the set of RPC functions associated with this context_id
2177 ****************************************************************************/
2178
2179 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2180 {
2181 PIPE_RPC_FNS *fns = NULL;
2182 PIPE_RPC_FNS *tmp = NULL;
2183
2184 if ( !list ) {
2185 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2186 return NULL;
2187 }
2188
2189 for (tmp=list; tmp; tmp=tmp->next ) {
2190 if ( tmp->context_id == context_id )
2191 break;
2192 }
2193
2194 fns = tmp;
2195
2196 return fns;
2197 }
2198
2199 /****************************************************************************
2200 Memory cleanup.
2201 ****************************************************************************/
2202
2203 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2204 {
2205 PIPE_RPC_FNS *tmp = list;
2206 PIPE_RPC_FNS *tmp2;
2207
2208 while (tmp) {
2209 tmp2 = tmp->next;
2210 SAFE_FREE(tmp);
2211 tmp = tmp2;
2212 }
2213
2214 return;
2215 }
2216
2217 /****************************************************************************
2218 Find the correct RPC function to call for this request.
2219 If the pipe is authenticated then become the correct UNIX user
2220 before doing the call.
2221 ****************************************************************************/
2222
2223 BOOL api_pipe_request(pipes_struct *p)
2224 {
2225 BOOL ret = False;
2226 BOOL changed_user = False;
2227 PIPE_RPC_FNS *pipe_fns;
2228
2229 if (p->pipe_bound) {
2230 if(!become_authenticated_pipe_user(p)) {
2231 prs_mem_free(&p->out_data.rdata);
2232 return False;
2233 }
2234 changed_user = True;
2235 }
2236
2237 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2238
2239 /* get the set of RPC functions for this context */
2240
2241 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2242
2243 if ( pipe_fns ) {
2244 set_current_rpc_talloc(p->mem_ctx);
2245 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2246 set_current_rpc_talloc(NULL);
2247 }
2248 else {
2249 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2250 p->hdr_req.context_id, p->name));
2251 }
2252
2253 if (changed_user) {
2254 unbecome_authenticated_pipe_user();
2255 }
2256
2257 return ret;
2258 }
2259
2260 /*******************************************************************
2261 Calls the underlying RPC function for a named pipe.
2262 ********************************************************************/
2263
2264 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2265 const struct api_struct *api_rpc_cmds, int n_cmds)
2266 {
2267 int fn_num;
2268 fstring name;
2269 uint32 offset1, offset2;
2270
2271 /* interpret the command */
2272 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2273
2274 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2275 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2276
2277 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2278 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2279 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2280 break;
2281 }
2282 }
2283
2284 if (fn_num == n_cmds) {
2285 /*
2286 * For an unknown RPC just return a fault PDU but
2287 * return True to allow RPC's on the pipe to continue
2288 * and not put the pipe into fault state. JRA.
2289 */
2290 DEBUG(4, ("unknown\n"));
2291 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2292 return True;
2293 }
2294
2295 offset1 = prs_offset(&p->out_data.rdata);
2296
2297 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2298 fn_num, api_rpc_cmds[fn_num].fn));
2299 /* do the actual command */
2300 if(!api_rpc_cmds[fn_num].fn(p)) {
2301 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2302 prs_mem_free(&p->out_data.rdata);
2303 return False;
2304 }
2305
2306 if (p->bad_handle_fault_state) {
2307 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2308 p->bad_handle_fault_state = False;
2309 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2310 return True;
2311 }
2312
2313 if (p->rng_fault_state) {
2314 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2315 p->rng_fault_state = False;
2316 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2317 return True;
2318 }
2319
2320 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2321 offset2 = prs_offset(&p->out_data.rdata);
2322 prs_set_offset(&p->out_data.rdata, offset1);
2323 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2324 prs_set_offset(&p->out_data.rdata, offset2);
2325
2326 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2327
2328 /* Check for buffer underflow in rpc parsing */
2329
2330 if ((DEBUGLEVEL >= 10) &&
2331 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2332 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2333 char *data = (char *)SMB_MALLOC(data_len);
2334
2335 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2336 if (data) {
2337 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2338 SAFE_FREE(data);
2339 }
2340
2341 }
2342
2343 return True;
2344 }
2345
2346 /*******************************************************************
2347 *******************************************************************/
2348
2349 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2350 {
2351 struct api_struct *cmds = NULL;
2352 int n_cmds = 0;
2353
2354 switch ( idx ) {
2355 case PI_LSARPC:
2356 lsa_get_pipe_fns( &cmds, &n_cmds );
2357 break;
2358 case PI_LSARPC_DS:
2359 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2360 break;
2361 case PI_SAMR:
2362 samr_get_pipe_fns( &cmds, &n_cmds );
2363 break;
2364 case PI_NETLOGON:
2365 netlog_get_pipe_fns( &cmds, &n_cmds );
2366 break;
2367 case PI_SRVSVC:
2368 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2369 break;
2370 case PI_WKSSVC:
2371 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2372 break;
2373 case PI_WINREG:
2374 winreg_get_pipe_fns( &cmds, &n_cmds );
2375 break;
2376 case PI_SPOOLSS:
2377 spoolss_get_pipe_fns( &cmds, &n_cmds );
2378 break;
2379 case PI_NETDFS:
2380 netdfs_get_pipe_fns( &cmds, &n_cmds );
2381 break;
2382 case PI_SVCCTL:
2383 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2384 break;
2385 case PI_EVENTLOG:
2386 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2387 break;
2388 case PI_UNIXINFO:
2389 unixinfo_get_pipe_fns( &cmds, &n_cmds );
2390 break;
2391 case PI_NTSVCS:
2392 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2393 break;
2394 #ifdef DEVELOPER
2395 case PI_RPCECHO:
2396 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2397 break;
2398 #endif
2399 case PI_EPMAPPER:
2400 epmapper_get_pipe_fns( &cmds, &n_cmds );
2401 break;
2402 default:
2403 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2404 }
2405
2406 *fns = cmds;
2407 *n_fns = n_cmds;
2408
2409 return;
2410 }
Samba GIT mirror