search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-dcerpc do not pass pipes_struct to dcesrv_auth_request()
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob98dc52d100c46f6847b062aac163ca1294bb6b57
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "../libcli/auth/ntlmssp.h"
36 #include "ntlmssp_wrap.h"
37 #include "rpc_server.h"
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 /**
43 * Dump everything from the start of the end up of the provided data
44 * into a file, but only at debug level >= 50
45 **/
46 static void dump_pdu_region(const char *name, int v,
47 DATA_BLOB *data, size_t start, size_t end)
48 {
49 int fd, i;
50 char *fname = NULL;
51 ssize_t sz;
52
53 if (DEBUGLEVEL < 50) return;
54
55 if (start > data->length || end > data->length || start > end) return;
56
57 for (i = 1; i < 100; i++) {
58 if (v != -1) {
59 fname = talloc_asprintf(talloc_tos(),
60 "/tmp/%s_%d.%d.prs",
61 name, v, i);
62 } else {
63 fname = talloc_asprintf(talloc_tos(),
64 "/tmp/%s_%d.prs",
65 name, i);
66 }
67 if (!fname) {
68 return;
69 }
70 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
71 if (fd != -1 || errno != EEXIST) break;
72 }
73 if (fd != -1) {
74 sz = write(fd, data->data + start, end - start);
75 i = close(fd);
76 if ((sz != end - start) || (i != 0) ) {
77 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
78 fname, (unsigned long)sz,
79 (unsigned long)end - start, i));
80 } else {
81 DEBUG(0,("created %s\n", fname));
82 }
83 }
84 TALLOC_FREE(fname);
85 }
86
87 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
88 {
89 TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
90 }
91
92 static void free_pipe_schannel_auth_data(struct pipe_auth_data *auth)
93 {
94 TALLOC_FREE(auth->a_u.schannel_auth);
95 }
96
97 static void free_pipe_auth_data(struct pipe_auth_data *auth)
98 {
99 if (auth->auth_data_free_func) {
100 (*auth->auth_data_free_func)(auth);
101 auth->auth_data_free_func = NULL;
102 }
103 }
104
105 static DATA_BLOB generic_session_key(void)
106 {
107 return data_blob("SystemLibraryDTC", 16);
108 }
109
110 /*******************************************************************
111 Generate the next PDU to be returned from the data.
112 ********************************************************************/
113
114 static bool create_next_packet(struct pipes_struct *p,
115 enum dcerpc_AuthType auth_type,
116 enum dcerpc_AuthLevel auth_level,
117 size_t auth_length,
118 size_t *_pad_len)
119 {
120 union dcerpc_payload u;
121 uint8_t pfc_flags;
122 size_t data_len_left;
123 size_t data_len;
124 size_t max_len;
125 size_t pad_len = 0;
126 NTSTATUS status;
127
128 ZERO_STRUCT(u.response);
129
130 /* Set up rpc packet pfc flags. */
131 if (p->out_data.data_sent_length == 0) {
132 pfc_flags = DCERPC_PFC_FLAG_FIRST;
133 } else {
134 pfc_flags = 0;
135 }
136
137 /* Work out how much we can fit in a single PDU. */
138 data_len_left = p->out_data.rdata.length -
139 p->out_data.data_sent_length;
140
141 /* Ensure there really is data left to send. */
142 if (!data_len_left) {
143 DEBUG(0, ("No data left to send !\n"));
144 return false;
145 }
146
147 /* Max space available - not including padding. */
148 if (auth_length) {
149 max_len = RPC_MAX_PDU_FRAG_LEN
150 - DCERPC_RESPONSE_LENGTH
151 - DCERPC_AUTH_TRAILER_LENGTH
152 - auth_length;
153 } else {
154 max_len = RPC_MAX_PDU_FRAG_LEN - DCERPC_RESPONSE_LENGTH;
155 }
156
157 /*
158 * The amount we send is the minimum of the max_len
159 * and the amount left to send.
160 */
161 data_len = MIN(data_len_left, max_len);
162
163 if (auth_length) {
164 /* Work out any padding alignment requirements. */
165 pad_len = (DCERPC_RESPONSE_LENGTH + data_len) %
166 SERVER_NDR_PADDING_SIZE;
167 if (pad_len) {
168 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
169 DEBUG(10, ("Padding size is: %d\n", (int)pad_len));
170 /* If we're over filling the packet, we need to make
171 * space for the padding at the end of the data. */
172 if (data_len + pad_len > max_len) {
173 data_len -= SERVER_NDR_PADDING_SIZE;
174 }
175 }
176 }
177
178 /* Set up the alloc hint. This should be the data left to send. */
179 u.response.alloc_hint = data_len_left;
180
181 /* Work out if this PDU will be the last. */
182 if (p->out_data.data_sent_length
183 + data_len >= p->out_data.rdata.length) {
184 pfc_flags |= DCERPC_PFC_FLAG_LAST;
185 }
186
187 /* Prepare data to be NDR encoded. */
188 u.response.stub_and_verifier =
189 data_blob_const(p->out_data.rdata.data +
190 p->out_data.data_sent_length, data_len);
191
192 /* Store the packet in the data stream. */
193 status = dcerpc_push_ncacn_packet(p->mem_ctx,
194 DCERPC_PKT_RESPONSE,
195 pfc_flags,
196 auth_length,
197 p->call_id,
198 &u,
199 &p->out_data.frag);
200 if (!NT_STATUS_IS_OK(status)) {
201 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
202 return false;
203 }
204
205 if (auth_length) {
206 /* Set the proper length on the pdu, including padding.
207 * Only needed if an auth trailer will be appended. */
208 dcerpc_set_frag_length(&p->out_data.frag,
209 p->out_data.frag.length
210 + pad_len
211 + DCERPC_AUTH_TRAILER_LENGTH
212 + auth_length);
213 }
214
215 /* Setup the counts for this PDU. */
216 p->out_data.data_sent_length += data_len;
217 p->out_data.current_pdu_sent = 0;
218 *_pad_len = pad_len;
219 return true;
220 }
221
222 /*******************************************************************
223 Generate the next PDU to be returned from the data in p->rdata.
224 ********************************************************************/
225
226 bool create_next_pdu(struct pipes_struct *p)
227 {
228 enum dcerpc_AuthType auth_type =
229 map_pipe_auth_type_to_rpc_auth_type(p->auth.auth_type);
230 size_t auth_len = 0;
231 size_t pad_len = 0;
232 NTSTATUS status;
233 bool ret;
234
235 /*
236 * If we're in the fault state, keep returning fault PDU's until
237 * the pipe gets closed. JRA.
238 */
239 if (p->fault_state) {
240 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
241 return true;
242 }
243
244 switch (p->auth.auth_level) {
245 case DCERPC_AUTH_LEVEL_NONE:
246 case DCERPC_AUTH_LEVEL_CONNECT:
247 /* This is incorrect for auth level connect. Fixme. JRA */
248
249 /* No authentication done. */
250 break;
251
252 case DCERPC_AUTH_LEVEL_CALL:
253 case DCERPC_AUTH_LEVEL_PACKET:
254 case DCERPC_AUTH_LEVEL_INTEGRITY:
255 case DCERPC_AUTH_LEVEL_PRIVACY:
256
257 switch(p->auth.auth_type) {
258 case PIPE_AUTH_TYPE_NTLMSSP:
259 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
260 auth_len = NTLMSSP_SIG_SIZE;
261 break;
262
263 case PIPE_AUTH_TYPE_SCHANNEL:
264 auth_len = NL_AUTH_SIGNATURE_SIZE;
265 break;
266
267 default:
268 goto err_out;
269 }
270
271 break;
272
273 default:
274 goto err_out;
275 }
276
277 ret = create_next_packet(p, auth_type,
278 p->auth.auth_level,
279 auth_len, &pad_len);
280 if (!ret) {
281 return false;
282 }
283
284 if (auth_len) {
285 status = dcerpc_add_auth_footer(&p->auth, pad_len,
286 &p->out_data.frag);
287 if (!NT_STATUS_IS_OK(status)) {
288 data_blob_free(&p->out_data.frag);
289 return false;
290 }
291 }
292
293 return true;
294
295 err_out:
296 DEBUG(0, ("Invalid internal auth level %u / type %u\n",
297 (unsigned int)p->auth.auth_level,
298 (unsigned int)p->auth.auth_type));
299 return false;
300 }
301
302 /*******************************************************************
303 Process an NTLMSSP authentication response.
304 If this function succeeds, the user has been authenticated
305 and their domain, name and calling workstation stored in
306 the pipe struct.
307 *******************************************************************/
308
309 static bool pipe_ntlmssp_verify_final(struct pipes_struct *p,
310 DATA_BLOB *p_resp_blob)
311 {
312 DATA_BLOB session_key, reply;
313 NTSTATUS status;
314 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
315 bool ret;
316
317 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
318 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
319
320 ZERO_STRUCT(reply);
321
322 /* this has to be done as root in order to verify the password */
323 become_root();
324 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
325 unbecome_root();
326
327 /* Don't generate a reply. */
328 data_blob_free(&reply);
329
330 if (!NT_STATUS_IS_OK(status)) {
331 return False;
332 }
333
334 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
335 ensure the underlying NTLMSSP flags are also set. If not we should
336 refuse the bind. */
337
338 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
339 if (!auth_ntlmssp_negotiated_sign(a)) {
340 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
341 "but client declined signing.\n",
342 get_pipe_name_from_syntax(talloc_tos(),
343 &p->syntax)));
344 return False;
345 }
346 }
347 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
348 if (!auth_ntlmssp_negotiated_seal(a)) {
349 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
350 "but client declined sealing.\n",
351 get_pipe_name_from_syntax(talloc_tos(),
352 &p->syntax)));
353 return False;
354 }
355 }
356
357 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
358 "workstation: %s\n",
359 auth_ntlmssp_get_username(a),
360 auth_ntlmssp_get_domain(a),
361 auth_ntlmssp_get_client(a)));
362
363 TALLOC_FREE(p->server_info);
364
365 status = auth_ntlmssp_steal_server_info(p, a, &p->server_info);
366 if (!NT_STATUS_IS_OK(status)) {
367 DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user: %s\n",
368 nt_errstr(status)));
369 return false;
370 }
371
372 if (p->server_info->ptok == NULL) {
373 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
374 return False;
375 }
376
377 /*
378 * We're an authenticated bind over smb, so the session key needs to
379 * be set to "SystemLibraryDTC". Weird, but this is what Windows
380 * does. See the RPC-SAMBA3SESSIONKEY.
381 */
382
383 session_key = generic_session_key();
384 if (session_key.data == NULL) {
385 return False;
386 }
387
388 ret = server_info_set_session_key(p->server_info, session_key);
389
390 data_blob_free(&session_key);
391
392 return True;
393 }
394
395 /*******************************************************************
396 This is the "stage3" NTLMSSP response after a bind request and reply.
397 *******************************************************************/
398
399 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
400 {
401 struct dcerpc_auth auth_info;
402 NTSTATUS status;
403
404 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
405
406 if (pkt->auth_length == 0) {
407 DEBUG(0, ("No auth field sent for bind request!\n"));
408 goto err;
409 }
410
411 /* Ensure there's enough data for an authenticated request. */
412 if (pkt->frag_length < RPC_HEADER_LEN
413 + DCERPC_AUTH_TRAILER_LENGTH
414 + pkt->auth_length) {
415 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
416 "%u is too large.\n",
417 (unsigned int)pkt->auth_length));
418 goto err;
419 }
420
421 /*
422 * Decode the authentication verifier response.
423 */
424
425 status = dcerpc_pull_dcerpc_auth(pkt,
426 &pkt->u.auth3.auth_info,
427 &auth_info, p->endian);
428 if (!NT_STATUS_IS_OK(status)) {
429 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
430 goto err;
431 }
432
433 /* We must NEVER look at auth_info->auth_pad_len here,
434 * as old Samba client code gets it wrong and sends it
435 * as zero. JRA.
436 */
437
438 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
439 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
440 (unsigned int)auth_info.auth_type ));
441 return False;
442 }
443
444 /*
445 * The following call actually checks the challenge/response data.
446 * for correctness against the given DOMAIN\user name.
447 */
448
449 if (!pipe_ntlmssp_verify_final(p, &auth_info.credentials)) {
450 goto err;
451 }
452
453 p->pipe_bound = True;
454
455 return True;
456
457 err:
458
459 free_pipe_auth_data(&p->auth);
460
461 return False;
462 }
463
464 static bool pipe_init_outgoing_data(struct pipes_struct *p);
465
466 /*******************************************************************
467 Marshall a bind_nak pdu.
468 *******************************************************************/
469
470 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
471 {
472 NTSTATUS status;
473 union dcerpc_payload u;
474
475 /* Free any memory in the current return data buffer. */
476 pipe_init_outgoing_data(p);
477
478 /*
479 * Initialize a bind_nak header.
480 */
481
482 ZERO_STRUCT(u);
483
484 u.bind_nak.reject_reason = 0;
485
486 /*
487 * Marshall directly into the outgoing PDU space. We
488 * must do this as we need to set to the bind response
489 * header and are never sending more than one PDU here.
490 */
491
492 status = dcerpc_push_ncacn_packet(p->mem_ctx,
493 DCERPC_PKT_BIND_NAK,
494 DCERPC_PFC_FLAG_FIRST |
495 DCERPC_PFC_FLAG_LAST,
496 0,
497 pkt->call_id,
498 &u,
499 &p->out_data.frag);
500 if (!NT_STATUS_IS_OK(status)) {
501 return False;
502 }
503
504 p->out_data.data_sent_length = 0;
505 p->out_data.current_pdu_sent = 0;
506
507 free_pipe_auth_data(&p->auth);
508 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
509 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
510 p->pipe_bound = False;
511
512 return True;
513 }
514
515 /*******************************************************************
516 Marshall a fault pdu.
517 *******************************************************************/
518
519 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
520 {
521 NTSTATUS status;
522 union dcerpc_payload u;
523
524 /* Free any memory in the current return data buffer. */
525 pipe_init_outgoing_data(p);
526
527 /*
528 * Initialize a fault header.
529 */
530
531 ZERO_STRUCT(u);
532
533 u.fault.status = NT_STATUS_V(fault_status);
534 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
535
536 /*
537 * Marshall directly into the outgoing PDU space. We
538 * must do this as we need to set to the bind response
539 * header and are never sending more than one PDU here.
540 */
541
542 status = dcerpc_push_ncacn_packet(p->mem_ctx,
543 DCERPC_PKT_FAULT,
544 DCERPC_PFC_FLAG_FIRST |
545 DCERPC_PFC_FLAG_LAST |
546 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
547 0,
548 p->call_id,
549 &u,
550 &p->out_data.frag);
551 if (!NT_STATUS_IS_OK(status)) {
552 return False;
553 }
554
555 p->out_data.data_sent_length = 0;
556 p->out_data.current_pdu_sent = 0;
557
558 return True;
559 }
560
561 /*******************************************************************
562 Ensure a bind request has the correct abstract & transfer interface.
563 Used to reject unknown binds from Win2k.
564 *******************************************************************/
565
566 static bool check_bind_req(struct pipes_struct *p,
567 struct ndr_syntax_id* abstract,
568 struct ndr_syntax_id* transfer,
569 uint32 context_id)
570 {
571 struct pipe_rpc_fns *context_fns;
572
573 DEBUG(3,("check_bind_req for %s\n",
574 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
575
576 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
577 if (rpc_srv_pipe_exists_by_id(abstract) &&
578 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
579 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
580 rpc_srv_get_pipe_cli_name(abstract),
581 rpc_srv_get_pipe_srv_name(abstract)));
582 } else {
583 return false;
584 }
585
586 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
587 if (context_fns == NULL) {
588 DEBUG(0,("check_bind_req: malloc() failed!\n"));
589 return False;
590 }
591
592 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
593 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
594 context_fns->context_id = context_id;
595
596 /* add to the list of open contexts */
597
598 DLIST_ADD( p->contexts, context_fns );
599
600 return True;
601 }
602
603 /**
604 * Is a named pipe known?
605 * @param[in] cli_filename The pipe name requested by the client
606 * @result Do we want to serve this?
607 */
608 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
609 {
610 const char *pipename = cli_filename;
611 NTSTATUS status;
612
613 if (strnequal(pipename, "\\PIPE\\", 6)) {
614 pipename += 5;
615 }
616
617 if (*pipename == '\\') {
618 pipename += 1;
619 }
620
621 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
622 DEBUG(10, ("refusing spoolss access\n"));
623 return false;
624 }
625
626 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
627 return true;
628 }
629
630 status = smb_probe_module("rpc", pipename);
631 if (!NT_STATUS_IS_OK(status)) {
632 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
633 return false;
634 }
635 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
636
637 /*
638 * Scan the list again for the interface id
639 */
640 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
641 return true;
642 }
643
644 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
645 pipename));
646
647 return false;
648 }
649
650 /*******************************************************************
651 Handle a SPNEGO krb5 bind auth.
652 *******************************************************************/
653
654 static bool pipe_spnego_auth_bind_kerberos(struct pipes_struct *p,
655 TALLOC_CTX *mem_ctx,
656 struct dcerpc_auth *pauth_info,
657 DATA_BLOB *psecblob,
658 DATA_BLOB *response)
659 {
660 return False;
661 }
662
663 /*******************************************************************
664 Handle the first part of a SPNEGO bind auth.
665 *******************************************************************/
666
667 static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
668 TALLOC_CTX *mem_ctx,
669 struct dcerpc_auth *pauth_info,
670 DATA_BLOB *response)
671 {
672 DATA_BLOB secblob;
673 DATA_BLOB chal;
674 char *OIDs[ASN1_MAX_OIDS];
675 int i;
676 NTSTATUS status;
677 bool got_kerberos_mechanism = false;
678 struct auth_ntlmssp_state *a = NULL;
679
680 ZERO_STRUCT(secblob);
681 ZERO_STRUCT(chal);
682
683 if (pauth_info->credentials.data[0] != ASN1_APPLICATION(0)) {
684 goto err;
685 }
686
687 /* parse out the OIDs and the first sec blob */
688 if (!spnego_parse_negTokenInit(talloc_tos(),
689 pauth_info->credentials, OIDs, NULL, &secblob)) {
690 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
691 goto err;
692 }
693
694 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
695 got_kerberos_mechanism = true;
696 }
697
698 for (i=0;OIDs[i];i++) {
699 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
700 TALLOC_FREE(OIDs[i]);
701 }
702 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
703
704 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
705 bool ret;
706 ret = pipe_spnego_auth_bind_kerberos(p, mem_ctx, pauth_info,
707 &secblob, response);
708 data_blob_free(&secblob);
709 return ret;
710 }
711
712 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
713 /* Free any previous auth type. */
714 free_pipe_auth_data(&p->auth);
715 }
716
717 if (!got_kerberos_mechanism) {
718 /* Initialize the NTLM engine. */
719 status = auth_ntlmssp_start(&a);
720 if (!NT_STATUS_IS_OK(status)) {
721 goto err;
722 }
723
724 switch (pauth_info->auth_level) {
725 case DCERPC_AUTH_LEVEL_INTEGRITY:
726 auth_ntlmssp_want_sign(a);
727 break;
728 case DCERPC_AUTH_LEVEL_PRIVACY:
729 auth_ntlmssp_want_seal(a);
730 break;
731 default:
732 break;
733 }
734 /*
735 * Pass the first security blob of data to it.
736 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
737 * which means we need another packet to complete the bind.
738 */
739
740 status = auth_ntlmssp_update(a, secblob, &chal);
741
742 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
743 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
744 goto err;
745 }
746
747 /* Generate the response blob we need for step 2 of the bind. */
748 *response = spnego_gen_auth_response(mem_ctx, &chal, status, OID_NTLMSSP);
749 } else {
750 /*
751 * SPNEGO negotiate down to NTLMSSP. The subsequent
752 * code to process follow-up packets is not complete
753 * yet. JRA.
754 */
755 *response = spnego_gen_auth_response(mem_ctx, NULL,
756 NT_STATUS_MORE_PROCESSING_REQUIRED,
757 OID_NTLMSSP);
758 }
759
760 /* auth_pad_len will be handled by the caller */
761
762 p->auth.a_u.auth_ntlmssp_state = a;
763 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
764 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
765
766 data_blob_free(&secblob);
767 data_blob_free(&chal);
768
769 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
770 return True;
771
772 err:
773
774 data_blob_free(&secblob);
775 data_blob_free(&chal);
776
777 p->auth.a_u.auth_ntlmssp_state = NULL;
778
779 return False;
780 }
781
782 /*******************************************************************
783 Handle the second part of a SPNEGO bind auth.
784 *******************************************************************/
785
786 static bool pipe_spnego_auth_bind_continue(struct pipes_struct *p,
787 TALLOC_CTX *mem_ctx,
788 struct dcerpc_auth *pauth_info,
789 DATA_BLOB *response)
790 {
791 DATA_BLOB auth_blob;
792 DATA_BLOB auth_reply;
793 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
794
795 ZERO_STRUCT(auth_blob);
796 ZERO_STRUCT(auth_reply);
797
798 /*
799 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
800 * fail here as 'a' == NULL.
801 */
802 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
803 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
804 goto err;
805 }
806
807 if (pauth_info->credentials.data[0] != ASN1_CONTEXT(1)) {
808 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
809 goto err;
810 }
811
812 if (!spnego_parse_auth(talloc_tos(), pauth_info->credentials, &auth_blob)) {
813 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
814 goto err;
815 }
816
817 /*
818 * The following call actually checks the challenge/response data.
819 * for correctness against the given DOMAIN\user name.
820 */
821
822 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
823 goto err;
824 }
825
826 data_blob_free(&auth_blob);
827
828 /* Generate the spnego "accept completed" blob - no incoming data. */
829 *response = spnego_gen_auth_response(mem_ctx, &auth_reply, NT_STATUS_OK, OID_NTLMSSP);
830
831 data_blob_free(&auth_reply);
832
833 p->pipe_bound = True;
834
835 return True;
836
837 err:
838
839 data_blob_free(&auth_blob);
840 data_blob_free(&auth_reply);
841
842 free_pipe_auth_data(&p->auth);
843
844 return False;
845 }
846
847 /*******************************************************************
848 Handle an schannel bind auth.
849 *******************************************************************/
850
851 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
852 TALLOC_CTX *mem_ctx,
853 struct dcerpc_auth *auth_info,
854 DATA_BLOB *response)
855 {
856 struct NL_AUTH_MESSAGE neg;
857 struct NL_AUTH_MESSAGE reply;
858 bool ret;
859 NTSTATUS status;
860 struct netlogon_creds_CredentialState *creds;
861 DATA_BLOB session_key;
862 enum ndr_err_code ndr_err;
863
864 ndr_err = ndr_pull_struct_blob(
865 &auth_info->credentials, mem_ctx, &neg,
866 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
867 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
868 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
869 return false;
870 }
871
872 if (DEBUGLEVEL >= 10) {
873 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
874 }
875
876 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
877 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
878 return false;
879 }
880
881 /*
882 * The neg.oem_netbios_computer.a key here must match the remote computer name
883 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
884 * operations that use credentials.
885 */
886
887 become_root();
888 status = schannel_get_creds_state(p, lp_private_dir(),
889 neg.oem_netbios_computer.a, &creds);
890 unbecome_root();
891
892 if (!NT_STATUS_IS_OK(status)) {
893 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
894 return False;
895 }
896
897 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
898 if (!p->auth.a_u.schannel_auth) {
899 TALLOC_FREE(creds);
900 return False;
901 }
902
903 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
904 p->auth.a_u.schannel_auth->seq_num = 0;
905 p->auth.a_u.schannel_auth->initiator = false;
906 p->auth.a_u.schannel_auth->creds = creds;
907
908 /*
909 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
910 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
911 * struct of the person who opened the pipe. I need to test this further. JRA.
912 *
913 * VL. As we are mapping this to guest set the generic key
914 * "SystemLibraryDTC" key here. It's a bit difficult to test against
915 * W2k3, as it does not allow schannel binds against SAMR and LSA
916 * anymore.
917 */
918
919 session_key = generic_session_key();
920 if (session_key.data == NULL) {
921 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
922 " key\n"));
923 return false;
924 }
925
926 ret = server_info_set_session_key(p->server_info, session_key);
927
928 data_blob_free(&session_key);
929
930 if (!ret) {
931 DEBUG(0, ("server_info_set_session_key failed\n"));
932 return false;
933 }
934
935 /*** SCHANNEL verifier ***/
936
937 reply.MessageType = NL_NEGOTIATE_RESPONSE;
938 reply.Flags = 0;
939 reply.Buffer.dummy = 5; /* ??? actually I don't think
940 * this has any meaning
941 * here - gd */
942
943 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
944 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
945 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
946 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
947 return false;
948 }
949
950 if (DEBUGLEVEL >= 10) {
951 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
952 }
953
954 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
955 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
956
957 /* We're finished with this bind - no more packets. */
958 p->auth.auth_data_free_func = &free_pipe_schannel_auth_data;
959 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
960
961 p->pipe_bound = True;
962
963 return True;
964 }
965
966 /*******************************************************************
967 Handle an NTLMSSP bind auth.
968 *******************************************************************/
969
970 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
971 TALLOC_CTX *mem_ctx,
972 struct dcerpc_auth *auth_info,
973 DATA_BLOB *response)
974 {
975 NTSTATUS status;
976 struct auth_ntlmssp_state *a = NULL;
977
978 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
979 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
980 goto err;
981 }
982
983 /* We have an NTLMSSP blob. */
984 status = auth_ntlmssp_start(&a);
985 if (!NT_STATUS_IS_OK(status)) {
986 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
987 nt_errstr(status) ));
988 goto err;
989 }
990
991 switch (auth_info->auth_level) {
992 case DCERPC_AUTH_LEVEL_INTEGRITY:
993 auth_ntlmssp_want_sign(a);
994 break;
995 case DCERPC_AUTH_LEVEL_PRIVACY:
996 auth_ntlmssp_want_seal(a);
997 break;
998 default:
999 break;
1000 }
1001
1002 status = auth_ntlmssp_update(a, auth_info->credentials, response);
1003 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1004 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1005 nt_errstr(status) ));
1006 goto err;
1007 }
1008
1009 /* Make sure data is bound to the memctx, to be freed the caller */
1010 talloc_steal(mem_ctx, response->data);
1011
1012 p->auth.a_u.auth_ntlmssp_state = a;
1013 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1014 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1015
1016 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1017
1018 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1019 return True;
1020
1021 err:
1022
1023 TALLOC_FREE(a);
1024 return False;
1025 }
1026
1027 /*******************************************************************
1028 Respond to a pipe bind request.
1029 *******************************************************************/
1030
1031 bool api_pipe_bind_req(struct pipes_struct *p, struct ncacn_packet *pkt)
1032 {
1033 struct dcerpc_auth auth_info;
1034 uint16 assoc_gid;
1035 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1036 NTSTATUS status;
1037 struct ndr_syntax_id id;
1038 union dcerpc_payload u;
1039 struct dcerpc_ack_ctx bind_ack_ctx;
1040 DATA_BLOB auth_resp = data_blob_null;
1041 DATA_BLOB auth_blob = data_blob_null;
1042
1043 /* No rebinds on a bound pipe - use alter context. */
1044 if (p->pipe_bound) {
1045 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1046 "pipe %s.\n",
1047 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1048 return setup_bind_nak(p, pkt);
1049 }
1050
1051 if (pkt->u.bind.num_contexts == 0) {
1052 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1053 goto err_exit;
1054 }
1055
1056 /*
1057 * Try and find the correct pipe name to ensure
1058 * that this is a pipe name we support.
1059 */
1060 id = pkt->u.bind.ctx_list[0].abstract_syntax;
1061 if (rpc_srv_pipe_exists_by_id(&id)) {
1062 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1063 rpc_srv_get_pipe_cli_name(&id),
1064 rpc_srv_get_pipe_srv_name(&id)));
1065 } else {
1066 status = smb_probe_module(
1067 "rpc", get_pipe_name_from_syntax(
1068 talloc_tos(),
1069 &pkt->u.bind.ctx_list[0].abstract_syntax));
1070
1071 if (NT_STATUS_IS_ERR(status)) {
1072 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1073 get_pipe_name_from_syntax(
1074 talloc_tos(),
1075 &pkt->u.bind.ctx_list[0].abstract_syntax)));
1076
1077 return setup_bind_nak(p, pkt);
1078 }
1079
1080 if (rpc_srv_get_pipe_interface_by_cli_name(
1081 get_pipe_name_from_syntax(talloc_tos(),
1082 &p->syntax),
1083 &id)) {
1084 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1085 rpc_srv_get_pipe_cli_name(&id),
1086 rpc_srv_get_pipe_srv_name(&id)));
1087 } else {
1088 DEBUG(0, ("module %s doesn't provide functions for "
1089 "pipe %s!\n",
1090 get_pipe_name_from_syntax(talloc_tos(),
1091 &p->syntax),
1092 get_pipe_name_from_syntax(talloc_tos(),
1093 &p->syntax)));
1094 return setup_bind_nak(p, pkt);
1095 }
1096 }
1097
1098 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1099
1100 if (pkt->u.bind.assoc_group_id != 0) {
1101 assoc_gid = pkt->u.bind.assoc_group_id;
1102 } else {
1103 assoc_gid = 0x53f0;
1104 }
1105
1106 /*
1107 * Create the bind response struct.
1108 */
1109
1110 /* If the requested abstract synt uuid doesn't match our client pipe,
1111 reject the bind_ack & set the transfer interface synt to all 0's,
1112 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1113 unknown to NT4)
1114 Needed when adding entries to a DACL from NT5 - SK */
1115
1116 if (check_bind_req(p,
1117 &pkt->u.bind.ctx_list[0].abstract_syntax,
1118 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1119 pkt->u.bind.ctx_list[0].context_id)) {
1120
1121 bind_ack_ctx.result = 0;
1122 bind_ack_ctx.reason = 0;
1123 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1124 } else {
1125 p->pipe_bound = False;
1126 /* Rejection reason: abstract syntax not supported */
1127 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1128 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1129 bind_ack_ctx.syntax = null_ndr_syntax_id;
1130 }
1131
1132 /*
1133 * Check if this is an authenticated bind request.
1134 */
1135 if (pkt->auth_length) {
1136 /* Quick length check. Won't catch a bad auth footer,
1137 * prevents overrun. */
1138
1139 if (pkt->frag_length < RPC_HEADER_LEN +
1140 DCERPC_AUTH_TRAILER_LENGTH +
1141 pkt->auth_length) {
1142 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1143 "too long for fragment %u.\n",
1144 (unsigned int)pkt->auth_length,
1145 (unsigned int)pkt->frag_length));
1146 goto err_exit;
1147 }
1148
1149 /*
1150 * Decode the authentication verifier.
1151 */
1152 status = dcerpc_pull_dcerpc_auth(pkt,
1153 &pkt->u.bind.auth_info,
1154 &auth_info, p->endian);
1155 if (!NT_STATUS_IS_OK(status)) {
1156 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1157 goto err_exit;
1158 }
1159
1160 auth_type = auth_info.auth_type;
1161
1162 /* Work out if we have to sign or seal etc. */
1163 switch (auth_info.auth_level) {
1164 case DCERPC_AUTH_LEVEL_INTEGRITY:
1165 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1166 break;
1167 case DCERPC_AUTH_LEVEL_PRIVACY:
1168 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1169 break;
1170 default:
1171 DEBUG(0, ("Unexpected auth level (%u).\n",
1172 (unsigned int)auth_info.auth_level ));
1173 goto err_exit;
1174 }
1175
1176 switch (auth_type) {
1177 case DCERPC_AUTH_TYPE_NTLMSSP:
1178 if (!pipe_ntlmssp_auth_bind(p, pkt,
1179 &auth_info, &auth_resp)) {
1180 goto err_exit;
1181 }
1182 assoc_gid = 0x7a77;
1183 break;
1184
1185 case DCERPC_AUTH_TYPE_SCHANNEL:
1186 if (!pipe_schannel_auth_bind(p, pkt,
1187 &auth_info, &auth_resp)) {
1188 goto err_exit;
1189 }
1190 break;
1191
1192 case DCERPC_AUTH_TYPE_SPNEGO:
1193 if (!pipe_spnego_auth_bind_negotiate(p, pkt,
1194 &auth_info, &auth_resp)) {
1195 goto err_exit;
1196 }
1197 break;
1198
1199 case DCERPC_AUTH_TYPE_NONE:
1200 break;
1201
1202 default:
1203 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1204 goto err_exit;
1205 }
1206 }
1207
1208 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1209 /* Unauthenticated bind request. */
1210 /* We're finished - no more packets. */
1211 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1212 /* We must set the pipe auth_level here also. */
1213 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1214 p->pipe_bound = True;
1215 /* The session key was initialized from the SMB
1216 * session in make_internal_rpc_pipe_p */
1217 }
1218
1219 ZERO_STRUCT(u.bind_ack);
1220 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1221 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1222 u.bind_ack.assoc_group_id = assoc_gid;
1223
1224 /* name has to be \PIPE\xxxxx */
1225 u.bind_ack.secondary_address =
1226 talloc_asprintf(pkt, "\\PIPE\\%s",
1227 rpc_srv_get_pipe_srv_name(&id));
1228 if (!u.bind_ack.secondary_address) {
1229 DEBUG(0, ("Out of memory!\n"));
1230 goto err_exit;
1231 }
1232 u.bind_ack.secondary_address_size =
1233 strlen(u.bind_ack.secondary_address) + 1;
1234
1235 u.bind_ack.num_results = 1;
1236 u.bind_ack.ctx_list = &bind_ack_ctx;
1237
1238 /* NOTE: We leave the auth_info empty so we can calculate the padding
1239 * later and then append the auth_info --simo */
1240
1241 /*
1242 * Marshall directly into the outgoing PDU space. We
1243 * must do this as we need to set to the bind response
1244 * header and are never sending more than one PDU here.
1245 */
1246
1247 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1248 DCERPC_PKT_BIND_ACK,
1249 DCERPC_PFC_FLAG_FIRST |
1250 DCERPC_PFC_FLAG_LAST,
1251 auth_resp.length,
1252 pkt->call_id,
1253 &u,
1254 &p->out_data.frag);
1255 if (!NT_STATUS_IS_OK(status)) {
1256 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1257 nt_errstr(status)));
1258 }
1259
1260 if (auth_resp.length) {
1261
1262 status = dcerpc_push_dcerpc_auth(pkt,
1263 auth_type,
1264 auth_info.auth_level,
1265 0,
1266 1, /* auth_context_id */
1267 &auth_resp,
1268 &auth_blob);
1269 if (!NT_STATUS_IS_OK(status)) {
1270 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1271 goto err_exit;
1272 }
1273 }
1274
1275 /* Now that we have the auth len store it into the right place in
1276 * the dcerpc header */
1277 dcerpc_set_frag_length(&p->out_data.frag,
1278 p->out_data.frag.length + auth_blob.length);
1279
1280 if (auth_blob.length) {
1281
1282 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1283 auth_blob.data, auth_blob.length)) {
1284 DEBUG(0, ("Append of auth info failed.\n"));
1285 goto err_exit;
1286 }
1287 }
1288
1289 /*
1290 * Setup the lengths for the initial reply.
1291 */
1292
1293 p->out_data.data_sent_length = 0;
1294 p->out_data.current_pdu_sent = 0;
1295
1296 TALLOC_FREE(auth_blob.data);
1297 return True;
1298
1299 err_exit:
1300
1301 data_blob_free(&p->out_data.frag);
1302 TALLOC_FREE(auth_blob.data);
1303 return setup_bind_nak(p, pkt);
1304 }
1305
1306 /****************************************************************************
1307 Deal with an alter context call. Can be third part of 3 leg auth request for
1308 SPNEGO calls.
1309 ****************************************************************************/
1310
1311 bool api_pipe_alter_context(struct pipes_struct *p, struct ncacn_packet *pkt)
1312 {
1313 struct dcerpc_auth auth_info;
1314 uint16 assoc_gid;
1315 NTSTATUS status;
1316 union dcerpc_payload u;
1317 struct dcerpc_ack_ctx bind_ack_ctx;
1318 DATA_BLOB auth_resp = data_blob_null;
1319 DATA_BLOB auth_blob = data_blob_null;
1320 int pad_len = 0;
1321
1322 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1323
1324 if (pkt->u.bind.assoc_group_id != 0) {
1325 assoc_gid = pkt->u.bind.assoc_group_id;
1326 } else {
1327 assoc_gid = 0x53f0;
1328 }
1329
1330 /*
1331 * Create the bind response struct.
1332 */
1333
1334 /* If the requested abstract synt uuid doesn't match our client pipe,
1335 reject the bind_ack & set the transfer interface synt to all 0's,
1336 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1337 unknown to NT4)
1338 Needed when adding entries to a DACL from NT5 - SK */
1339
1340 if (check_bind_req(p,
1341 &pkt->u.bind.ctx_list[0].abstract_syntax,
1342 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1343 pkt->u.bind.ctx_list[0].context_id)) {
1344
1345 bind_ack_ctx.result = 0;
1346 bind_ack_ctx.reason = 0;
1347 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1348 } else {
1349 p->pipe_bound = False;
1350 /* Rejection reason: abstract syntax not supported */
1351 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1352 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1353 bind_ack_ctx.syntax = null_ndr_syntax_id;
1354 }
1355
1356 /*
1357 * Check if this is an authenticated alter context request.
1358 */
1359 if (pkt->auth_length) {
1360 /* Quick length check. Won't catch a bad auth footer,
1361 * prevents overrun. */
1362
1363 if (pkt->frag_length < RPC_HEADER_LEN +
1364 DCERPC_AUTH_TRAILER_LENGTH +
1365 pkt->auth_length) {
1366 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1367 "too long for fragment %u.\n",
1368 (unsigned int)pkt->auth_length,
1369 (unsigned int)pkt->frag_length ));
1370 goto err_exit;
1371 }
1372
1373 status = dcerpc_pull_dcerpc_auth(pkt,
1374 &pkt->u.bind.auth_info,
1375 &auth_info, p->endian);
1376 if (!NT_STATUS_IS_OK(status)) {
1377 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1378 goto err_exit;
1379 }
1380
1381
1382 /*
1383 * Currently only the SPNEGO auth type uses the alter ctx
1384 * response in place of the NTLMSSP auth3 type.
1385 */
1386
1387 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1388 /* We can only finish if the pipe is unbound. */
1389 if (!p->pipe_bound) {
1390 if (!pipe_spnego_auth_bind_continue(p, pkt,
1391 &auth_info, &auth_resp)) {
1392 goto err_exit;
1393 }
1394
1395 } else {
1396 goto err_exit;
1397 }
1398 }
1399 }
1400
1401 ZERO_STRUCT(u.alter_resp);
1402 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1403 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1404 u.alter_resp.assoc_group_id = assoc_gid;
1405
1406 /* secondary address CAN be NULL
1407 * as the specs say it's ignored.
1408 * It MUST be NULL to have the spoolss working.
1409 */
1410 u.alter_resp.secondary_address = "";
1411 u.alter_resp.secondary_address_size = 1;
1412
1413 u.alter_resp.num_results = 1;
1414 u.alter_resp.ctx_list = &bind_ack_ctx;
1415
1416 /* NOTE: We leave the auth_info empty so we can calculate the padding
1417 * later and then append the auth_info --simo */
1418
1419 /*
1420 * Marshall directly into the outgoing PDU space. We
1421 * must do this as we need to set to the bind response
1422 * header and are never sending more than one PDU here.
1423 */
1424
1425 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1426 DCERPC_PKT_ALTER_RESP,
1427 DCERPC_PFC_FLAG_FIRST |
1428 DCERPC_PFC_FLAG_LAST,
1429 auth_resp.length,
1430 pkt->call_id,
1431 &u,
1432 &p->out_data.frag);
1433 if (!NT_STATUS_IS_OK(status)) {
1434 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1435 nt_errstr(status)));
1436 }
1437
1438 if (auth_resp.length) {
1439
1440 /* Work out any padding needed before the auth footer. */
1441 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1442 if (pad_len) {
1443 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1444 DEBUG(10, ("auth pad_len = %u\n",
1445 (unsigned int)pad_len));
1446 }
1447
1448 status = dcerpc_push_dcerpc_auth(pkt,
1449 auth_info.auth_type,
1450 auth_info.auth_level,
1451 pad_len,
1452 1, /* auth_context_id */
1453 &auth_resp,
1454 &auth_blob);
1455 if (!NT_STATUS_IS_OK(status)) {
1456 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1457 goto err_exit;
1458 }
1459 }
1460
1461 /* Now that we have the auth len store it into the right place in
1462 * the dcerpc header */
1463 dcerpc_set_frag_length(&p->out_data.frag,
1464 p->out_data.frag.length +
1465 pad_len + auth_blob.length);
1466
1467 if (auth_resp.length) {
1468 if (pad_len) {
1469 char pad[SERVER_NDR_PADDING_SIZE];
1470 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1471 if (!data_blob_append(p->mem_ctx,
1472 &p->out_data.frag,
1473 pad, pad_len)) {
1474 DEBUG(0, ("api_pipe_bind_req: failed to add "
1475 "%u bytes of pad data.\n",
1476 (unsigned int)pad_len));
1477 goto err_exit;
1478 }
1479 }
1480
1481 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1482 auth_blob.data, auth_blob.length)) {
1483 DEBUG(0, ("Append of auth info failed.\n"));
1484 goto err_exit;
1485 }
1486 }
1487
1488 /*
1489 * Setup the lengths for the initial reply.
1490 */
1491
1492 p->out_data.data_sent_length = 0;
1493 p->out_data.current_pdu_sent = 0;
1494
1495 TALLOC_FREE(auth_blob.data);
1496 return True;
1497
1498 err_exit:
1499
1500 data_blob_free(&p->out_data.frag);
1501 TALLOC_FREE(auth_blob.data);
1502 return setup_bind_nak(p, pkt);
1503 }
1504
1505 /****************************************************************************
1506 Find the set of RPC functions associated with this context_id
1507 ****************************************************************************/
1508
1509 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1510 {
1511 PIPE_RPC_FNS *fns = NULL;
1512
1513 if ( !list ) {
1514 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1515 return NULL;
1516 }
1517
1518 for (fns=list; fns; fns=fns->next ) {
1519 if ( fns->context_id == context_id )
1520 return fns;
1521 }
1522 return NULL;
1523 }
1524
1525 /****************************************************************************
1526 Memory cleanup.
1527 ****************************************************************************/
1528
1529 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
1530 {
1531 PIPE_RPC_FNS *tmp = list;
1532 PIPE_RPC_FNS *tmp2;
1533
1534 while (tmp) {
1535 tmp2 = tmp->next;
1536 SAFE_FREE(tmp);
1537 tmp = tmp2;
1538 }
1539
1540 return;
1541 }
1542
1543 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1544 const struct api_struct *api_rpc_cmds, int n_cmds);
1545
1546 /****************************************************************************
1547 Find the correct RPC function to call for this request.
1548 If the pipe is authenticated then become the correct UNIX user
1549 before doing the call.
1550 ****************************************************************************/
1551
1552 bool api_pipe_request(struct pipes_struct *p, struct ncacn_packet *pkt)
1553 {
1554 bool ret = False;
1555 bool changed_user = False;
1556 PIPE_RPC_FNS *pipe_fns;
1557
1558 if (p->pipe_bound &&
1559 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
1560 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
1561 if(!become_authenticated_pipe_user(p)) {
1562 data_blob_free(&p->out_data.rdata);
1563 return False;
1564 }
1565 changed_user = True;
1566 }
1567
1568 DEBUG(5, ("Requested \\PIPE\\%s\n",
1569 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1570
1571 /* get the set of RPC functions for this context */
1572
1573 pipe_fns = find_pipe_fns_by_context(p->contexts,
1574 pkt->u.request.context_id);
1575
1576 if ( pipe_fns ) {
1577 TALLOC_CTX *frame = talloc_stackframe();
1578 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds);
1579 TALLOC_FREE(frame);
1580 }
1581 else {
1582 DEBUG(0, ("No rpc function table associated with context "
1583 "[%d] on pipe [%s]\n",
1584 pkt->u.request.context_id,
1585 get_pipe_name_from_syntax(talloc_tos(),
1586 &p->syntax)));
1587 }
1588
1589 if (changed_user) {
1590 unbecome_authenticated_pipe_user();
1591 }
1592
1593 return ret;
1594 }
1595
1596 /*******************************************************************
1597 Calls the underlying RPC function for a named pipe.
1598 ********************************************************************/
1599
1600 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1601 const struct api_struct *api_rpc_cmds, int n_cmds)
1602 {
1603 int fn_num;
1604 uint32_t offset1;
1605
1606 /* interpret the command */
1607 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1608 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1609 pkt->u.request.opnum));
1610
1611 if (DEBUGLEVEL >= 50) {
1612 fstring name;
1613 slprintf(name, sizeof(name)-1, "in_%s",
1614 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1615 dump_pdu_region(name, pkt->u.request.opnum,
1616 &p->in_data.data, 0,
1617 p->in_data.data.length);
1618 }
1619
1620 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1621 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1622 api_rpc_cmds[fn_num].fn != NULL) {
1623 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1624 api_rpc_cmds[fn_num].name));
1625 break;
1626 }
1627 }
1628
1629 if (fn_num == n_cmds) {
1630 /*
1631 * For an unknown RPC just return a fault PDU but
1632 * return True to allow RPC's on the pipe to continue
1633 * and not put the pipe into fault state. JRA.
1634 */
1635 DEBUG(4, ("unknown\n"));
1636 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1637 return True;
1638 }
1639
1640 offset1 = p->out_data.rdata.length;
1641
1642 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1643 fn_num, api_rpc_cmds[fn_num].fn));
1644 /* do the actual command */
1645 if(!api_rpc_cmds[fn_num].fn(p)) {
1646 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1647 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1648 api_rpc_cmds[fn_num].name));
1649 data_blob_free(&p->out_data.rdata);
1650 return False;
1651 }
1652
1653 if (p->bad_handle_fault_state) {
1654 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1655 p->bad_handle_fault_state = False;
1656 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1657 return True;
1658 }
1659
1660 if (p->rng_fault_state) {
1661 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1662 p->rng_fault_state = False;
1663 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1664 return True;
1665 }
1666
1667 if (DEBUGLEVEL >= 50) {
1668 fstring name;
1669 slprintf(name, sizeof(name)-1, "out_%s",
1670 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1671 dump_pdu_region(name, pkt->u.request.opnum,
1672 &p->out_data.rdata, offset1,
1673 p->out_data.rdata.length);
1674 }
1675
1676 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1677 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1678
1679 /* Check for buffer underflow in rpc parsing */
1680 if ((DEBUGLEVEL >= 10) &&
1681 (pkt->frag_length < p->in_data.data.length)) {
1682 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1683 dump_data(10, p->in_data.data.data + pkt->frag_length,
1684 p->in_data.data.length - pkt->frag_length);
1685 }
1686
1687 return True;
1688 }
1689
1690 /****************************************************************************
1691 Initialise an outgoing packet.
1692 ****************************************************************************/
1693
1694 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1695 {
1696 output_data *o_data = &p->out_data;
1697
1698 /* Reset the offset counters. */
1699 o_data->data_sent_length = 0;
1700 o_data->current_pdu_sent = 0;
1701
1702 data_blob_free(&o_data->frag);
1703
1704 /* Free any memory in the current return data buffer. */
1705 data_blob_free(&o_data->rdata);
1706
1707 return True;
1708 }
1709
1710 /****************************************************************************
1711 Sets the fault state on incoming packets.
1712 ****************************************************************************/
1713
1714 void set_incoming_fault(struct pipes_struct *p)
1715 {
1716 data_blob_free(&p->in_data.data);
1717 p->in_data.pdu_needed_len = 0;
1718 p->in_data.pdu.length = 0;
1719 p->fault_state = True;
1720 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1721 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1722 }
1723
1724 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1725 struct ncacn_packet *pkt,
1726 DATA_BLOB *raw_pkt)
1727 {
1728 NTSTATUS status;
1729 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1730 struct dcerpc_auth auth_info;
1731 uint32_t auth_length;
1732 DATA_BLOB data;
1733 DATA_BLOB full_pkt;
1734
1735 DEBUG(10, ("Checking request auth.\n"));
1736
1737 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1738 hdr_size += 16;
1739 }
1740
1741 switch (auth->auth_level) {
1742 case DCERPC_AUTH_LEVEL_PRIVACY:
1743 DEBUG(10, ("Requested Privacy.\n"));
1744 break;
1745
1746 case DCERPC_AUTH_LEVEL_INTEGRITY:
1747 DEBUG(10, ("Requested Integrity.\n"));
1748 break;
1749
1750 case DCERPC_AUTH_LEVEL_CONNECT:
1751 if (pkt->auth_length != 0) {
1752 break;
1753 }
1754 return NT_STATUS_OK;
1755
1756 case DCERPC_AUTH_LEVEL_NONE:
1757 if (pkt->auth_length != 0) {
1758 DEBUG(3, ("Got non-zero auth len on non "
1759 "authenticated connection!\n"));
1760 return NT_STATUS_INVALID_PARAMETER;
1761 }
1762 return NT_STATUS_OK;
1763
1764 default:
1765 DEBUG(3, ("Unimplemented Auth Level %d",
1766 auth->auth_level));
1767 return NT_STATUS_INVALID_PARAMETER;
1768 }
1769
1770 status = dcerpc_pull_auth_trailer(pkt, pkt,
1771 &pkt->u.request.stub_and_verifier,
1772 &auth_info, &auth_length, false);
1773 if (!NT_STATUS_IS_OK(status)) {
1774 return status;
1775 }
1776
1777 pkt->u.request.stub_and_verifier.length -= auth_length;
1778
1779 data = data_blob_const(raw_pkt->data + hdr_size,
1780 pkt->u.request.stub_and_verifier.length);
1781 full_pkt = data_blob_const(raw_pkt->data,
1782 raw_pkt->length - auth_info.credentials.length);
1783
1784 switch (auth->auth_type) {
1785 case PIPE_AUTH_TYPE_NONE:
1786 return NT_STATUS_OK;
1787
1788 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1789 case PIPE_AUTH_TYPE_NTLMSSP:
1790
1791 DEBUG(10, ("NTLMSSP auth\n"));
1792
1793 if (!auth->a_u.auth_ntlmssp_state) {
1794 DEBUG(0, ("Invalid auth level, "
1795 "failed to process packet auth.\n"));
1796 return NT_STATUS_INVALID_PARAMETER;
1797 }
1798
1799 switch (auth->auth_level) {
1800 case DCERPC_AUTH_LEVEL_PRIVACY:
1801 status = auth_ntlmssp_unseal_packet(
1802 auth->a_u.auth_ntlmssp_state,
1803 data.data, data.length,
1804 full_pkt.data, full_pkt.length,
1805 &auth_info.credentials);
1806 if (!NT_STATUS_IS_OK(status)) {
1807 return status;
1808 }
1809 memcpy(pkt->u.request.stub_and_verifier.data,
1810 data.data, data.length);
1811 break;
1812
1813 case DCERPC_AUTH_LEVEL_INTEGRITY:
1814 status = auth_ntlmssp_check_packet(
1815 auth->a_u.auth_ntlmssp_state,
1816 data.data, data.length,
1817 full_pkt.data, full_pkt.length,
1818 &auth_info.credentials);
1819 if (!NT_STATUS_IS_OK(status)) {
1820 return status;
1821 }
1822 break;
1823
1824 default:
1825 DEBUG(0, ("Invalid auth level, "
1826 "failed to process packet auth.\n"));
1827 return NT_STATUS_INVALID_PARAMETER;
1828 }
1829 break;
1830
1831 case PIPE_AUTH_TYPE_SCHANNEL:
1832
1833 DEBUG(10, ("SCHANNEL auth\n"));
1834
1835 switch (auth->auth_level) {
1836 case DCERPC_AUTH_LEVEL_PRIVACY:
1837 status = netsec_incoming_packet(
1838 auth->a_u.schannel_auth,
1839 pkt, true,
1840 data.data, data.length,
1841 &auth_info.credentials);
1842 if (!NT_STATUS_IS_OK(status)) {
1843 return status;
1844 }
1845 memcpy(pkt->u.request.stub_and_verifier.data,
1846 data.data, data.length);
1847 break;
1848
1849 case DCERPC_AUTH_LEVEL_INTEGRITY:
1850 status = netsec_incoming_packet(
1851 auth->a_u.schannel_auth,
1852 pkt, false,
1853 data.data, data.length,
1854 &auth_info.credentials);
1855 if (!NT_STATUS_IS_OK(status)) {
1856 return status;
1857 }
1858 break;
1859
1860 default:
1861 DEBUG(0, ("Invalid auth level, "
1862 "failed to process packet auth.\n"));
1863 return NT_STATUS_INVALID_PARAMETER;
1864 }
1865 break;
1866
1867 default:
1868 DEBUG(0, ("process_request_pdu: "
1869 "unknown auth type %u set.\n",
1870 (unsigned int)auth->auth_type));
1871 return NT_STATUS_INVALID_PARAMETER;
1872 }
1873
1874 /* remove the indicated amount of padding */
1875 if (pkt->u.request.stub_and_verifier.length < auth_info.auth_pad_length) {
1876 return NT_STATUS_INVALID_PARAMETER;
1877 }
1878 pkt->u.request.stub_and_verifier.length -= auth_info.auth_pad_length;
1879
1880 return NT_STATUS_OK;
1881 }
1882
1883 /****************************************************************************
1884 Processes a request pdu. This will do auth processing if needed, and
1885 appends the data into the complete stream if the LAST flag is not set.
1886 ****************************************************************************/
1887
1888 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1889 {
1890 NTSTATUS status;
1891 DATA_BLOB data;
1892
1893 if (!p->pipe_bound) {
1894 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1895 set_incoming_fault(p);
1896 return False;
1897 }
1898
1899 /* Store the opnum */
1900 p->opnum = pkt->u.request.opnum;
1901
1902 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1903 if (!NT_STATUS_IS_OK(status)) {
1904 DEBUG(0,("Failed to check packet auth.\n"));
1905 set_incoming_fault(p);
1906 return false;
1907 }
1908
1909 data = pkt->u.request.stub_and_verifier;
1910
1911 /*
1912 * Check the data length doesn't go over the 15Mb limit.
1913 * increased after observing a bug in the Windows NT 4.0 SP6a
1914 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1915 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1916 */
1917
1918 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1919 DEBUG(0, ("process_request_pdu: "
1920 "rpc data buffer too large (%u) + (%u)\n",
1921 (unsigned int)p->in_data.data.length,
1922 (unsigned int)data.length));
1923 set_incoming_fault(p);
1924 return False;
1925 }
1926
1927 /*
1928 * Append the data portion into the buffer and return.
1929 */
1930
1931 if (data.length) {
1932 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1933 data.data, data.length)) {
1934 DEBUG(0, ("Unable to append data size %u "
1935 "to parse buffer of size %u.\n",
1936 (unsigned int)data.length,
1937 (unsigned int)p->in_data.data.length));
1938 set_incoming_fault(p);
1939 return False;
1940 }
1941 }
1942
1943 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1944 bool ret = False;
1945 /*
1946 * Ok - we finally have a complete RPC stream.
1947 * Call the rpc command to process it.
1948 */
1949
1950 /*
1951 * Process the complete data stream here.
1952 */
1953 if (pipe_init_outgoing_data(p)) {
1954 ret = api_pipe_request(p, pkt);
1955 }
1956
1957 return ret;
1958 }
1959
1960 return True;
1961 }
1962
1963 /****************************************************************************
1964 Processes a finished PDU stored in p->in_data.pdu.
1965 ****************************************************************************/
1966
1967 void process_complete_pdu(struct pipes_struct *p)
1968 {
1969 struct ncacn_packet *pkt = NULL;
1970 NTSTATUS status;
1971 bool reply = False;
1972
1973 if(p->fault_state) {
1974 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1975 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1976 goto done;
1977 }
1978
1979 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1980 if (!pkt) {
1981 DEBUG(0, ("Out of memory!\n"));
1982 goto done;
1983 }
1984
1985 /*
1986 * Ensure we're using the corrent endianness for both the
1987 * RPC header flags and the raw data we will be reading from.
1988 */
1989 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1990 p->endian = RPC_LITTLE_ENDIAN;
1991 } else {
1992 p->endian = RPC_BIG_ENDIAN;
1993 }
1994 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1995
1996 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1997 pkt, p->endian);
1998 if (!NT_STATUS_IS_OK(status)) {
1999 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
2000 nt_errstr(status)));
2001 goto done;
2002 }
2003
2004 /* Store the call_id */
2005 p->call_id = pkt->call_id;
2006
2007 DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
2008
2009 switch (pkt->ptype) {
2010 case DCERPC_PKT_REQUEST:
2011 reply = process_request_pdu(p, pkt);
2012 break;
2013
2014 case DCERPC_PKT_PING: /* CL request - ignore... */
2015 DEBUG(0, ("process_complete_pdu: Error. "
2016 "Connectionless packet type %d received on "
2017 "pipe %s.\n", (int)pkt->ptype,
2018 get_pipe_name_from_syntax(talloc_tos(),
2019 &p->syntax)));
2020 break;
2021
2022 case DCERPC_PKT_RESPONSE: /* No responses here. */
2023 DEBUG(0, ("process_complete_pdu: Error. "
2024 "DCERPC_PKT_RESPONSE received from client "
2025 "on pipe %s.\n",
2026 get_pipe_name_from_syntax(talloc_tos(),
2027 &p->syntax)));
2028 break;
2029
2030 case DCERPC_PKT_FAULT:
2031 case DCERPC_PKT_WORKING:
2032 /* CL request - reply to a ping when a call in process. */
2033 case DCERPC_PKT_NOCALL:
2034 /* CL - server reply to a ping call. */
2035 case DCERPC_PKT_REJECT:
2036 case DCERPC_PKT_ACK:
2037 case DCERPC_PKT_CL_CANCEL:
2038 case DCERPC_PKT_FACK:
2039 case DCERPC_PKT_CANCEL_ACK:
2040 DEBUG(0, ("process_complete_pdu: Error. "
2041 "Connectionless packet type %u received on "
2042 "pipe %s.\n", (unsigned int)pkt->ptype,
2043 get_pipe_name_from_syntax(talloc_tos(),
2044 &p->syntax)));
2045 break;
2046
2047 case DCERPC_PKT_BIND:
2048 /*
2049 * We assume that a pipe bind is only in one pdu.
2050 */
2051 if (pipe_init_outgoing_data(p)) {
2052 reply = api_pipe_bind_req(p, pkt);
2053 }
2054 break;
2055
2056 case DCERPC_PKT_BIND_ACK:
2057 case DCERPC_PKT_BIND_NAK:
2058 DEBUG(0, ("process_complete_pdu: Error. "
2059 "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
2060 "packet type %u received on pipe %s.\n",
2061 (unsigned int)pkt->ptype,
2062 get_pipe_name_from_syntax(talloc_tos(),
2063 &p->syntax)));
2064 break;
2065
2066
2067 case DCERPC_PKT_ALTER:
2068 /*
2069 * We assume that a pipe bind is only in one pdu.
2070 */
2071 if (pipe_init_outgoing_data(p)) {
2072 reply = api_pipe_alter_context(p, pkt);
2073 }
2074 break;
2075
2076 case DCERPC_PKT_ALTER_RESP:
2077 DEBUG(0, ("process_complete_pdu: Error. "
2078 "DCERPC_PKT_ALTER_RESP on pipe %s: "
2079 "Should only be server -> client.\n",
2080 get_pipe_name_from_syntax(talloc_tos(),
2081 &p->syntax)));
2082 break;
2083
2084 case DCERPC_PKT_AUTH3:
2085 /*
2086 * The third packet in an NTLMSSP auth exchange.
2087 */
2088 if (pipe_init_outgoing_data(p)) {
2089 reply = api_pipe_bind_auth3(p, pkt);
2090 }
2091 break;
2092
2093 case DCERPC_PKT_SHUTDOWN:
2094 DEBUG(0, ("process_complete_pdu: Error. "
2095 "DCERPC_PKT_SHUTDOWN on pipe %s: "
2096 "Should only be server -> client.\n",
2097 get_pipe_name_from_syntax(talloc_tos(),
2098 &p->syntax)));
2099 break;
2100
2101 case DCERPC_PKT_CO_CANCEL:
2102 /* For now just free all client data and continue
2103 * processing. */
2104 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
2105 " Abandoning rpc call.\n"));
2106 /* As we never do asynchronous RPC serving, we can
2107 * never cancel a call (as far as I know).
2108 * If we ever did we'd have to send a cancel_ack reply.
2109 * For now, just free all client data and continue
2110 * processing. */
2111 reply = True;
2112 break;
2113
2114 #if 0
2115 /* Enable this if we're doing async rpc. */
2116 /* We must check the outstanding callid matches. */
2117 if (pipe_init_outgoing_data(p)) {
2118 /* Send a cancel_ack PDU reply. */
2119 /* We should probably check the auth-verifier here. */
2120 reply = setup_cancel_ack_reply(p, pkt);
2121 }
2122 break;
2123 #endif
2124
2125 case DCERPC_PKT_ORPHANED:
2126 /* We should probably check the auth-verifier here.
2127 * For now just free all client data and continue
2128 * processing. */
2129 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
2130 " Abandoning rpc call.\n"));
2131 reply = True;
2132 break;
2133
2134 default:
2135 DEBUG(0, ("process_complete_pdu: "
2136 "Unknown rpc type = %u received.\n",
2137 (unsigned int)pkt->ptype));
2138 break;
2139 }
2140
2141 done:
2142 if (!reply) {
2143 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2144 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2145 &p->syntax)));
2146 set_incoming_fault(p);
2147 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2148 TALLOC_FREE(pkt);
2149 } else {
2150 /*
2151 * Reset the lengths. We're ready for a new pdu.
2152 */
2153 TALLOC_FREE(p->in_data.pdu.data);
2154 p->in_data.pdu_needed_len = 0;
2155 p->in_data.pdu.length = 0;
2156 }
2157
2158 TALLOC_FREE(pkt);
2159 }
2160
Samba GIT mirror