search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:rpc_server/lsa/dcesrv_lsa.c - fix typo
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob3bc997ecbf518a288b87cd675e943e2fdac9a9a7
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "../libcli/auth/ntlmssp.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
41 {
42 struct auth_ntlmssp_state *a = auth->a_u.auth_ntlmssp_state;
43
44 if (a) {
45 auth_ntlmssp_end(&a);
46 }
47 auth->a_u.auth_ntlmssp_state = NULL;
48 }
49
50 static DATA_BLOB generic_session_key(void)
51 {
52 return data_blob("SystemLibraryDTC", 16);
53 }
54
55 /*******************************************************************
56 Generate the next PDU to be returned from the data in p->rdata.
57 Handle NTLMSSP.
58 ********************************************************************/
59
60 static bool create_next_pdu_ntlmssp(pipes_struct *p)
61 {
62 RPC_HDR_RESP hdr_resp;
63 uint32 ss_padding_len = 0;
64 uint32 data_space_available;
65 uint32 data_len_left;
66 uint32 data_len;
67 NTSTATUS status;
68 DATA_BLOB auth_blob;
69 RPC_HDR_AUTH auth_info;
70 uint8 auth_type, auth_level;
71 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
72 TALLOC_CTX *frame;
73
74 /*
75 * If we're in the fault state, keep returning fault PDU's until
76 * the pipe gets closed. JRA.
77 */
78
79 if(p->fault_state) {
80 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
81 return True;
82 }
83
84 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
85
86 /* Change the incoming request header to a response. */
87 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
88
89 /* Set up rpc header flags. */
90 if (p->out_data.data_sent_length == 0) {
91 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
92 } else {
93 p->hdr.flags = 0;
94 }
95
96 /*
97 * Work out how much we can fit in a single PDU.
98 */
99
100 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101
102 /*
103 * Ensure there really is data left to send.
104 */
105
106 if(!data_len_left) {
107 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
108 return False;
109 }
110
111 /* Space available - not including padding. */
112 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
113 RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115 /*
116 * The amount we send is the minimum of the available
117 * space and the amount left to send.
118 */
119
120 data_len = MIN(data_len_left, data_space_available);
121
122 /* Work out any padding alignment requirements. */
123 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
124 ss_padding_len = SERVER_NDR_PADDING_SIZE -
125 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
126 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
127 ss_padding_len ));
128 /* If we're over filling the packet, we need to make space
129 * for the padding at the end of the data. */
130 if (data_len + ss_padding_len > data_space_available) {
131 data_len -= SERVER_NDR_PADDING_SIZE;
132 }
133 }
134
135 /*
136 * Set up the alloc hint. This should be the data left to
137 * send.
138 */
139
140 hdr_resp.alloc_hint = data_len_left;
141
142 /*
143 * Work out if this PDU will be the last.
144 */
145
146 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
147 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
148 }
149
150 /*
151 * Set up the header lengths.
152 */
153
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
155 data_len + ss_padding_len +
156 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
157 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
158
159
160 /*
161 * Init the parse struct to point at the outgoing
162 * data.
163 */
164
165 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
166
167 /* Store the header in the data stream. */
168 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
169 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
170 prs_mem_free(&p->out_data.frag);
171 return False;
172 }
173
174 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
175 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
176 prs_mem_free(&p->out_data.frag);
177 return False;
178 }
179
180 /* Copy the data into the PDU. */
181
182 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
183 p->out_data.data_sent_length, data_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
185 prs_mem_free(&p->out_data.frag);
186 return False;
187 }
188
189 /* Copy the sign/seal padding data. */
190 if (ss_padding_len) {
191 char pad[SERVER_NDR_PADDING_SIZE];
192
193 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
194 if (!prs_copy_data_in(&p->out_data.frag, pad,
195 ss_padding_len)) {
196 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
197 (unsigned int)ss_padding_len));
198 prs_mem_free(&p->out_data.frag);
199 return False;
200 }
201 }
202
203
204 /* Now write out the auth header and null blob. */
205 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
206 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
207 } else {
208 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
209 }
210 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
211 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
212 } else {
213 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
214 }
215
216 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
217
218 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
219 &p->out_data.frag, 0)) {
220 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&p->out_data.frag);
222 return False;
223 }
224
225 /* Generate the sign blob. */
226
227 frame = talloc_stackframe();
228 switch (p->auth.auth_level) {
229 case DCERPC_AUTH_LEVEL_PRIVACY:
230 /* Data portion is encrypted. */
231 status = auth_ntlmssp_seal_packet(
232 a, frame,
233 (uint8_t *)prs_data_p(&p->out_data.frag)
234 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
235 data_len + ss_padding_len,
236 (unsigned char *)prs_data_p(&p->out_data.frag),
237 (size_t)prs_offset(&p->out_data.frag),
238 &auth_blob);
239 if (!NT_STATUS_IS_OK(status)) {
240 talloc_free(frame);
241 prs_mem_free(&p->out_data.frag);
242 return False;
243 }
244 break;
245 case DCERPC_AUTH_LEVEL_INTEGRITY:
246 /* Data is signed. */
247 status = auth_ntlmssp_sign_packet(
248 a, frame,
249 (unsigned char *)prs_data_p(&p->out_data.frag)
250 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
251 data_len + ss_padding_len,
252 (unsigned char *)prs_data_p(&p->out_data.frag),
253 (size_t)prs_offset(&p->out_data.frag),
254 &auth_blob);
255 if (!NT_STATUS_IS_OK(status)) {
256 talloc_free(frame);
257 prs_mem_free(&p->out_data.frag);
258 return False;
259 }
260 break;
261 default:
262 talloc_free(frame);
263 prs_mem_free(&p->out_data.frag);
264 return False;
265 }
266
267 /* Append the auth blob. */
268 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
269 NTLMSSP_SIG_SIZE)) {
270 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
271 (unsigned int)NTLMSSP_SIG_SIZE));
272 talloc_free(frame);
273 prs_mem_free(&p->out_data.frag);
274 return False;
275 }
276 talloc_free(frame);
277
278 /*
279 * Setup the counts for this PDU.
280 */
281
282 p->out_data.data_sent_length += data_len;
283 p->out_data.current_pdu_sent = 0;
284
285 return True;
286 }
287
288 /*******************************************************************
289 Generate the next PDU to be returned from the data in p->rdata.
290 Return an schannel authenticated fragment.
291 ********************************************************************/
292
293 static bool create_next_pdu_schannel(pipes_struct *p)
294 {
295 RPC_HDR_RESP hdr_resp;
296 uint32 ss_padding_len = 0;
297 uint32 data_len;
298 uint32 data_space_available;
299 uint32 data_len_left;
300 uint32 data_pos;
301 NTSTATUS status;
302
303 /*
304 * If we're in the fault state, keep returning fault PDU's until
305 * the pipe gets closed. JRA.
306 */
307
308 if(p->fault_state) {
309 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
310 return True;
311 }
312
313 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
314
315 /* Change the incoming request header to a response. */
316 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
317
318 /* Set up rpc header flags. */
319 if (p->out_data.data_sent_length == 0) {
320 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
321 } else {
322 p->hdr.flags = 0;
323 }
324
325 /*
326 * Work out how much we can fit in a single PDU.
327 */
328
329 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
330
331 /*
332 * Ensure there really is data left to send.
333 */
334
335 if(!data_len_left) {
336 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
337 return False;
338 }
339
340 /* Space available - not including padding. */
341 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
342 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
343 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
344
345 /*
346 * The amount we send is the minimum of the available
347 * space and the amount left to send.
348 */
349
350 data_len = MIN(data_len_left, data_space_available);
351
352 /* Work out any padding alignment requirements. */
353 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
354 ss_padding_len = SERVER_NDR_PADDING_SIZE -
355 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
356 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357 ss_padding_len ));
358 /* If we're over filling the packet, we need to make space
359 * for the padding at the end of the data. */
360 if (data_len + ss_padding_len > data_space_available) {
361 data_len -= SERVER_NDR_PADDING_SIZE;
362 }
363 }
364
365 /*
366 * Set up the alloc hint. This should be the data left to
367 * send.
368 */
369
370 hdr_resp.alloc_hint = data_len_left;
371
372 /*
373 * Work out if this PDU will be the last.
374 */
375
376 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
377 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
378 }
379
380 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
381 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
382 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
383
384 /*
385 * Init the parse struct to point at the outgoing
386 * data.
387 */
388
389 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
390
391 /* Store the header in the data stream. */
392 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
394 prs_mem_free(&p->out_data.frag);
395 return False;
396 }
397
398 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
399 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
400 prs_mem_free(&p->out_data.frag);
401 return False;
402 }
403
404 /* Store the current offset. */
405 data_pos = prs_offset(&p->out_data.frag);
406
407 /* Copy the data into the PDU. */
408
409 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
410 p->out_data.data_sent_length, data_len)) {
411 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
412 prs_mem_free(&p->out_data.frag);
413 return False;
414 }
415
416 /* Copy the sign/seal padding data. */
417 if (ss_padding_len) {
418 char pad[SERVER_NDR_PADDING_SIZE];
419 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
420 if (!prs_copy_data_in(&p->out_data.frag, pad,
421 ss_padding_len)) {
422 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
423 prs_mem_free(&p->out_data.frag);
424 return False;
425 }
426 }
427
428 {
429 /*
430 * Schannel processing.
431 */
432 RPC_HDR_AUTH auth_info;
433 DATA_BLOB blob;
434 uint8_t *data;
435
436 /* Check it's the type of reply we were expecting to decode */
437
438 init_rpc_hdr_auth(&auth_info,
439 DCERPC_AUTH_TYPE_SCHANNEL,
440 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
441 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
442 ss_padding_len, 1);
443
444 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
445 &p->out_data.frag, 0)) {
446 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
447 prs_mem_free(&p->out_data.frag);
448 return False;
449 }
450
451 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
452
453 switch (p->auth.auth_level) {
454 case DCERPC_AUTH_LEVEL_PRIVACY:
455 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
456 talloc_tos(),
457 true,
458 data,
459 data_len + ss_padding_len,
460 &blob);
461 break;
462 case DCERPC_AUTH_LEVEL_INTEGRITY:
463 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
464 talloc_tos(),
465 false,
466 data,
467 data_len + ss_padding_len,
468 &blob);
469 break;
470 default:
471 status = NT_STATUS_INTERNAL_ERROR;
472 break;
473 }
474
475 if (!NT_STATUS_IS_OK(status)) {
476 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
477 nt_errstr(status)));
478 prs_mem_free(&p->out_data.frag);
479 return false;
480 }
481
482 /* Finally marshall the blob. */
483
484 if (DEBUGLEVEL >= 10) {
485 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
486 }
487
488 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
489 prs_mem_free(&p->out_data.frag);
490 return false;
491 }
492 }
493
494 /*
495 * Setup the counts for this PDU.
496 */
497
498 p->out_data.data_sent_length += data_len;
499 p->out_data.current_pdu_sent = 0;
500
501 return True;
502 }
503
504 /*******************************************************************
505 Generate the next PDU to be returned from the data in p->rdata.
506 No authentication done.
507 ********************************************************************/
508
509 static bool create_next_pdu_noauth(pipes_struct *p)
510 {
511 RPC_HDR_RESP hdr_resp;
512 uint32 data_len;
513 uint32 data_space_available;
514 uint32 data_len_left;
515
516 /*
517 * If we're in the fault state, keep returning fault PDU's until
518 * the pipe gets closed. JRA.
519 */
520
521 if(p->fault_state) {
522 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
523 return True;
524 }
525
526 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
527
528 /* Change the incoming request header to a response. */
529 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
530
531 /* Set up rpc header flags. */
532 if (p->out_data.data_sent_length == 0) {
533 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
534 } else {
535 p->hdr.flags = 0;
536 }
537
538 /*
539 * Work out how much we can fit in a single PDU.
540 */
541
542 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
543
544 /*
545 * Ensure there really is data left to send.
546 */
547
548 if(!data_len_left) {
549 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
550 return False;
551 }
552
553 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
554 - RPC_HDR_RESP_LEN;
555
556 /*
557 * The amount we send is the minimum of the available
558 * space and the amount left to send.
559 */
560
561 data_len = MIN(data_len_left, data_space_available);
562
563 /*
564 * Set up the alloc hint. This should be the data left to
565 * send.
566 */
567
568 hdr_resp.alloc_hint = data_len_left;
569
570 /*
571 * Work out if this PDU will be the last.
572 */
573
574 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
575 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
576 }
577
578 /*
579 * Set up the header lengths.
580 */
581
582 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
583 p->hdr.auth_len = 0;
584
585 /*
586 * Init the parse struct to point at the outgoing
587 * data.
588 */
589
590 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
591
592 /* Store the header in the data stream. */
593 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
594 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
595 prs_mem_free(&p->out_data.frag);
596 return False;
597 }
598
599 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
600 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
601 prs_mem_free(&p->out_data.frag);
602 return False;
603 }
604
605 /* Copy the data into the PDU. */
606
607 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
608 p->out_data.data_sent_length, data_len)) {
609 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
610 prs_mem_free(&p->out_data.frag);
611 return False;
612 }
613
614 /*
615 * Setup the counts for this PDU.
616 */
617
618 p->out_data.data_sent_length += data_len;
619 p->out_data.current_pdu_sent = 0;
620
621 return True;
622 }
623
624 /*******************************************************************
625 Generate the next PDU to be returned from the data in p->rdata.
626 ********************************************************************/
627
628 bool create_next_pdu(pipes_struct *p)
629 {
630 switch(p->auth.auth_level) {
631 case DCERPC_AUTH_LEVEL_NONE:
632 case DCERPC_AUTH_LEVEL_CONNECT:
633 /* This is incorrect for auth level connect. Fixme. JRA */
634 return create_next_pdu_noauth(p);
635
636 default:
637 switch(p->auth.auth_type) {
638 case PIPE_AUTH_TYPE_NTLMSSP:
639 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
640 return create_next_pdu_ntlmssp(p);
641 case PIPE_AUTH_TYPE_SCHANNEL:
642 return create_next_pdu_schannel(p);
643 default:
644 break;
645 }
646 }
647
648 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
649 (unsigned int)p->auth.auth_level,
650 (unsigned int)p->auth.auth_type));
651 return False;
652 }
653
654 /*******************************************************************
655 Process an NTLMSSP authentication response.
656 If this function succeeds, the user has been authenticated
657 and their domain, name and calling workstation stored in
658 the pipe struct.
659 *******************************************************************/
660
661 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
662 {
663 DATA_BLOB session_key, reply;
664 NTSTATUS status;
665 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
666 bool ret;
667
668 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
669 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
670
671 ZERO_STRUCT(reply);
672
673 /* this has to be done as root in order to verify the password */
674 become_root();
675 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
676 unbecome_root();
677
678 /* Don't generate a reply. */
679 data_blob_free(&reply);
680
681 if (!NT_STATUS_IS_OK(status)) {
682 return False;
683 }
684
685 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
686 ensure the underlying NTLMSSP flags are also set. If not we should
687 refuse the bind. */
688
689 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
690 if (!auth_ntlmssp_negotiated_sign(a)) {
691 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
692 "but client declined signing.\n",
693 get_pipe_name_from_syntax(talloc_tos(),
694 &p->syntax)));
695 return False;
696 }
697 }
698 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
699 if (!auth_ntlmssp_negotiated_seal(a)) {
700 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
701 "but client declined sealing.\n",
702 get_pipe_name_from_syntax(talloc_tos(),
703 &p->syntax)));
704 return False;
705 }
706 }
707
708 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
709 "workstation: %s\n",
710 auth_ntlmssp_get_username(a),
711 auth_ntlmssp_get_domain(a),
712 auth_ntlmssp_get_client(a)));
713
714 TALLOC_FREE(p->server_info);
715
716 p->server_info = auth_ntlmssp_server_info(p, a);
717 if (p->server_info == NULL) {
718 DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user\n"));
719 return false;
720 }
721
722 if (p->server_info->ptok == NULL) {
723 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
724 return False;
725 }
726
727 /*
728 * We're an authenticated bind over smb, so the session key needs to
729 * be set to "SystemLibraryDTC". Weird, but this is what Windows
730 * does. See the RPC-SAMBA3SESSIONKEY.
731 */
732
733 session_key = generic_session_key();
734 if (session_key.data == NULL) {
735 return False;
736 }
737
738 ret = server_info_set_session_key(p->server_info, session_key);
739
740 data_blob_free(&session_key);
741
742 return True;
743 }
744
745 /*******************************************************************
746 This is the "stage3" NTLMSSP response after a bind request and reply.
747 *******************************************************************/
748
749 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
750 {
751 RPC_HDR_AUTH auth_info;
752 uint32 pad = 0;
753 DATA_BLOB blob;
754 uint32_t auth_len = p->hdr.auth_len;
755
756 ZERO_STRUCT(blob);
757
758 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
759
760 if (auth_len == 0) {
761 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
762 goto err;
763 }
764
765 /* 4 bytes padding. */
766 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
767 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
768 goto err;
769 }
770
771 /* Ensure there's enough data for an authenticated request. */
772 if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
773 p->hdr.frag_len) {
774 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
775 "%u is too large.\n",
776 (unsigned int)auth_len ));
777 goto err;
778 }
779
780 /*
781 * Decode the authentication verifier response.
782 */
783
784 /* Pull the auth header and the following data into a blob. */
785 /* NB. The offset of the auth_header is relative to the *end*
786 * of the packet, not the start. Also, the length of the
787 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
788 * as the RPC header isn't included in rpc_in_p. */
789 if(!prs_set_offset(rpc_in_p,
790 p->hdr.frag_len - RPC_HEADER_LEN -
791 RPC_HDR_AUTH_LEN - auth_len)) {
792 DEBUG(0,("api_pipe_bind_auth3: cannot move "
793 "offset to %u.\n",
794 (unsigned int)(p->hdr.frag_len -
795 RPC_HDR_AUTH_LEN - auth_len) ));
796 goto err;
797 }
798
799 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
800 DEBUG(0,("api_pipe_bind_auth3: failed to "
801 "unmarshall RPC_HDR_AUTH.\n"));
802 goto err;
803 }
804
805 /* We must NEVER look at auth_info->auth_pad_len here,
806 * as old Samba client code gets it wrong and sends it
807 * as zero. JRA.
808 */
809
810 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
811 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
812 (unsigned int)auth_info.auth_type ));
813 return False;
814 }
815
816 blob = data_blob(NULL,p->hdr.auth_len);
817
818 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
819 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
820 (unsigned int)p->hdr.auth_len ));
821 goto err;
822 }
823
824 /*
825 * The following call actually checks the challenge/response data.
826 * for correctness against the given DOMAIN\user name.
827 */
828
829 if (!pipe_ntlmssp_verify_final(p, &blob)) {
830 goto err;
831 }
832
833 data_blob_free(&blob);
834
835 p->pipe_bound = True;
836
837 return True;
838
839 err:
840
841 data_blob_free(&blob);
842 free_pipe_ntlmssp_auth_data(&p->auth);
843 p->auth.a_u.auth_ntlmssp_state = NULL;
844
845 return False;
846 }
847
848 /*******************************************************************
849 Marshall a bind_nak pdu.
850 *******************************************************************/
851
852 static bool setup_bind_nak(pipes_struct *p)
853 {
854 RPC_HDR nak_hdr;
855 uint16 zero = 0;
856
857 /* Free any memory in the current return data buffer. */
858 prs_mem_free(&p->out_data.rdata);
859
860 /*
861 * Marshall directly into the outgoing PDU space. We
862 * must do this as we need to set to the bind response
863 * header and are never sending more than one PDU here.
864 */
865
866 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
867
868 /*
869 * Initialize a bind_nak header.
870 */
871
872 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
873 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
874
875 /*
876 * Marshall the header into the outgoing PDU.
877 */
878
879 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
880 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
881 prs_mem_free(&p->out_data.frag);
882 return False;
883 }
884
885 /*
886 * Now add the reject reason.
887 */
888
889 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
890 prs_mem_free(&p->out_data.frag);
891 return False;
892 }
893
894 p->out_data.data_sent_length = 0;
895 p->out_data.current_pdu_sent = 0;
896
897 if (p->auth.auth_data_free_func) {
898 (*p->auth.auth_data_free_func)(&p->auth);
899 }
900 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
901 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
902 p->pipe_bound = False;
903
904 return True;
905 }
906
907 /*******************************************************************
908 Marshall a fault pdu.
909 *******************************************************************/
910
911 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
912 {
913 RPC_HDR fault_hdr;
914 RPC_HDR_RESP hdr_resp;
915 RPC_HDR_FAULT fault_resp;
916
917 /* Free any memory in the current return data buffer. */
918 prs_mem_free(&p->out_data.rdata);
919
920 /*
921 * Marshall directly into the outgoing PDU space. We
922 * must do this as we need to set to the bind response
923 * header and are never sending more than one PDU here.
924 */
925
926 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
927
928 /*
929 * Initialize a fault header.
930 */
931
932 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
933 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
934
935 /*
936 * Initialize the HDR_RESP and FAULT parts of the PDU.
937 */
938
939 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
940
941 fault_resp.status = status;
942 fault_resp.reserved = 0;
943
944 /*
945 * Marshall the header into the outgoing PDU.
946 */
947
948 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
949 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
950 prs_mem_free(&p->out_data.frag);
951 return False;
952 }
953
954 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
955 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
956 prs_mem_free(&p->out_data.frag);
957 return False;
958 }
959
960 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
961 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
962 prs_mem_free(&p->out_data.frag);
963 return False;
964 }
965
966 p->out_data.data_sent_length = 0;
967 p->out_data.current_pdu_sent = 0;
968
969 return True;
970 }
971
972 /*******************************************************************
973 Ensure a bind request has the correct abstract & transfer interface.
974 Used to reject unknown binds from Win2k.
975 *******************************************************************/
976
977 static bool check_bind_req(struct pipes_struct *p,
978 struct ndr_syntax_id* abstract,
979 struct ndr_syntax_id* transfer,
980 uint32 context_id)
981 {
982 struct pipe_rpc_fns *context_fns;
983
984 DEBUG(3,("check_bind_req for %s\n",
985 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
986
987 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
988 if (rpc_srv_pipe_exists_by_id(abstract) &&
989 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
990 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
991 rpc_srv_get_pipe_cli_name(abstract),
992 rpc_srv_get_pipe_srv_name(abstract)));
993 } else {
994 return false;
995 }
996
997 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
998 if (context_fns == NULL) {
999 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1000 return False;
1001 }
1002
1003 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
1004 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
1005 context_fns->context_id = context_id;
1006
1007 /* add to the list of open contexts */
1008
1009 DLIST_ADD( p->contexts, context_fns );
1010
1011 return True;
1012 }
1013
1014 /**
1015 * Is a named pipe known?
1016 * @param[in] cli_filename The pipe name requested by the client
1017 * @result Do we want to serve this?
1018 */
1019 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1020 {
1021 const char *pipename = cli_filename;
1022 NTSTATUS status;
1023
1024 if (strnequal(pipename, "\\PIPE\\", 6)) {
1025 pipename += 5;
1026 }
1027
1028 if (*pipename == '\\') {
1029 pipename += 1;
1030 }
1031
1032 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1033 DEBUG(10, ("refusing spoolss access\n"));
1034 return false;
1035 }
1036
1037 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
1038 return true;
1039 }
1040
1041 status = smb_probe_module("rpc", pipename);
1042 if (!NT_STATUS_IS_OK(status)) {
1043 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1044 return false;
1045 }
1046 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1047
1048 /*
1049 * Scan the list again for the interface id
1050 */
1051 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
1052 return true;
1053 }
1054
1055 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1056 pipename));
1057
1058 return false;
1059 }
1060
1061 /*******************************************************************
1062 Handle a SPNEGO krb5 bind auth.
1063 *******************************************************************/
1064
1065 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1066 DATA_BLOB *psecblob, prs_struct *pout_auth)
1067 {
1068 return False;
1069 }
1070
1071 /*******************************************************************
1072 Handle the first part of a SPNEGO bind auth.
1073 *******************************************************************/
1074
1075 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1076 uint32_t ss_padding_len,
1077 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1078 {
1079 DATA_BLOB blob;
1080 DATA_BLOB secblob;
1081 DATA_BLOB response;
1082 DATA_BLOB chal;
1083 char *OIDs[ASN1_MAX_OIDS];
1084 int i;
1085 NTSTATUS status;
1086 bool got_kerberos_mechanism = false;
1087 struct auth_ntlmssp_state *a = NULL;
1088 RPC_HDR_AUTH auth_info;
1089
1090 ZERO_STRUCT(secblob);
1091 ZERO_STRUCT(chal);
1092 ZERO_STRUCT(response);
1093
1094 /* Grab the SPNEGO blob. */
1095 blob = data_blob(NULL,p->hdr.auth_len);
1096
1097 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1098 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1099 (unsigned int)p->hdr.auth_len ));
1100 goto err;
1101 }
1102
1103 if (blob.data[0] != ASN1_APPLICATION(0)) {
1104 goto err;
1105 }
1106
1107 /* parse out the OIDs and the first sec blob */
1108 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1109 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1110 goto err;
1111 }
1112
1113 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1114 got_kerberos_mechanism = true;
1115 }
1116
1117 for (i=0;OIDs[i];i++) {
1118 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1119 TALLOC_FREE(OIDs[i]);
1120 }
1121 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1122
1123 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1124 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1125 data_blob_free(&secblob);
1126 data_blob_free(&blob);
1127 return ret;
1128 }
1129
1130 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1131 /* Free any previous auth type. */
1132 free_pipe_ntlmssp_auth_data(&p->auth);
1133 }
1134
1135 if (!got_kerberos_mechanism) {
1136 /* Initialize the NTLM engine. */
1137 status = auth_ntlmssp_start(&a);
1138 if (!NT_STATUS_IS_OK(status)) {
1139 goto err;
1140 }
1141
1142 switch (pauth_info->auth_level) {
1143 case DCERPC_AUTH_LEVEL_INTEGRITY:
1144 auth_ntlmssp_want_sign(a);
1145 break;
1146 case DCERPC_AUTH_LEVEL_PRIVACY:
1147 auth_ntlmssp_want_seal(a);
1148 break;
1149 default:
1150 break;
1151 }
1152 /*
1153 * Pass the first security blob of data to it.
1154 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1155 * which means we need another packet to complete the bind.
1156 */
1157
1158 status = auth_ntlmssp_update(a, secblob, &chal);
1159
1160 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1161 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1162 goto err;
1163 }
1164
1165 /* Generate the response blob we need for step 2 of the bind. */
1166 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1167 } else {
1168 /*
1169 * SPNEGO negotiate down to NTLMSSP. The subsequent
1170 * code to process follow-up packets is not complete
1171 * yet. JRA.
1172 */
1173 response = spnego_gen_auth_response(NULL,
1174 NT_STATUS_MORE_PROCESSING_REQUIRED,
1175 OID_NTLMSSP);
1176 }
1177
1178 /* auth_pad_len will be handled by the caller */
1179
1180 /* Copy the blob into the pout_auth parse struct */
1181 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1182 pauth_info->auth_level, ss_padding_len, 1);
1183 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1184 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1185 goto err;
1186 }
1187
1188 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1189 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1190 goto err;
1191 }
1192
1193 p->auth.a_u.auth_ntlmssp_state = a;
1194 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1195 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1196
1197 data_blob_free(&blob);
1198 data_blob_free(&secblob);
1199 data_blob_free(&chal);
1200 data_blob_free(&response);
1201
1202 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1203 return True;
1204
1205 err:
1206
1207 data_blob_free(&blob);
1208 data_blob_free(&secblob);
1209 data_blob_free(&chal);
1210 data_blob_free(&response);
1211
1212 p->auth.a_u.auth_ntlmssp_state = NULL;
1213
1214 return False;
1215 }
1216
1217 /*******************************************************************
1218 Handle the second part of a SPNEGO bind auth.
1219 *******************************************************************/
1220
1221 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1222 uint32_t ss_padding_len,
1223 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1224 {
1225 RPC_HDR_AUTH auth_info;
1226 DATA_BLOB spnego_blob;
1227 DATA_BLOB auth_blob;
1228 DATA_BLOB auth_reply;
1229 DATA_BLOB response;
1230 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
1231
1232 ZERO_STRUCT(spnego_blob);
1233 ZERO_STRUCT(auth_blob);
1234 ZERO_STRUCT(auth_reply);
1235 ZERO_STRUCT(response);
1236
1237 /*
1238 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1239 * fail here as 'a' == NULL.
1240 */
1241 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1242 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1243 goto err;
1244 }
1245
1246 /* Grab the SPNEGO blob. */
1247 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1248
1249 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1250 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1251 (unsigned int)p->hdr.auth_len ));
1252 goto err;
1253 }
1254
1255 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1256 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1257 goto err;
1258 }
1259
1260 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1261 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1262 goto err;
1263 }
1264
1265 /*
1266 * The following call actually checks the challenge/response data.
1267 * for correctness against the given DOMAIN\user name.
1268 */
1269
1270 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1271 goto err;
1272 }
1273
1274 data_blob_free(&spnego_blob);
1275 data_blob_free(&auth_blob);
1276
1277 /* Generate the spnego "accept completed" blob - no incoming data. */
1278 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1279
1280 /* FIXME - add auth_pad_len here ! */
1281
1282 /* Copy the blob into the pout_auth parse struct */
1283 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1284 pauth_info->auth_level, ss_padding_len, 1);
1285 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1286 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1287 goto err;
1288 }
1289
1290 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1291 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1292 goto err;
1293 }
1294
1295 data_blob_free(&auth_reply);
1296 data_blob_free(&response);
1297
1298 p->pipe_bound = True;
1299
1300 return True;
1301
1302 err:
1303
1304 data_blob_free(&spnego_blob);
1305 data_blob_free(&auth_blob);
1306 data_blob_free(&auth_reply);
1307 data_blob_free(&response);
1308
1309 free_pipe_ntlmssp_auth_data(&p->auth);
1310 p->auth.a_u.auth_ntlmssp_state = NULL;
1311
1312 return False;
1313 }
1314
1315 /*******************************************************************
1316 Handle an schannel bind auth.
1317 *******************************************************************/
1318
1319 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1320 uint32_t ss_padding_len,
1321 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1322 {
1323 RPC_HDR_AUTH auth_info;
1324 struct NL_AUTH_MESSAGE neg;
1325 struct NL_AUTH_MESSAGE reply;
1326 bool ret;
1327 NTSTATUS status;
1328 struct netlogon_creds_CredentialState *creds;
1329 DATA_BLOB session_key;
1330 enum ndr_err_code ndr_err;
1331 DATA_BLOB blob;
1332
1333 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1334 prs_data_size(rpc_in_p));
1335
1336 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), &neg,
1337 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1338 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1339 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1340 return false;
1341 }
1342
1343 if (DEBUGLEVEL >= 10) {
1344 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1345 }
1346
1347 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1348 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1349 return false;
1350 }
1351
1352 /*
1353 * The neg.oem_netbios_computer.a key here must match the remote computer name
1354 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1355 * operations that use credentials.
1356 */
1357
1358 become_root();
1359 status = schannel_get_creds_state(p, lp_private_dir(),
1360 neg.oem_netbios_computer.a, &creds);
1361 unbecome_root();
1362
1363 if (!NT_STATUS_IS_OK(status)) {
1364 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1365 return False;
1366 }
1367
1368 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1369 if (!p->auth.a_u.schannel_auth) {
1370 TALLOC_FREE(creds);
1371 return False;
1372 }
1373
1374 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1375 p->auth.a_u.schannel_auth->seq_num = 0;
1376 p->auth.a_u.schannel_auth->initiator = false;
1377 p->auth.a_u.schannel_auth->creds = creds;
1378
1379 /*
1380 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1381 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1382 * struct of the person who opened the pipe. I need to test this further. JRA.
1383 *
1384 * VL. As we are mapping this to guest set the generic key
1385 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1386 * W2k3, as it does not allow schannel binds against SAMR and LSA
1387 * anymore.
1388 */
1389
1390 session_key = generic_session_key();
1391 if (session_key.data == NULL) {
1392 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1393 " key\n"));
1394 return false;
1395 }
1396
1397 ret = server_info_set_session_key(p->server_info, session_key);
1398
1399 data_blob_free(&session_key);
1400
1401 if (!ret) {
1402 DEBUG(0, ("server_info_set_session_key failed\n"));
1403 return false;
1404 }
1405
1406 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1407 pauth_info->auth_level, ss_padding_len, 1);
1408 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1409 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1410 return False;
1411 }
1412
1413 /*** SCHANNEL verifier ***/
1414
1415 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1416 reply.Flags = 0;
1417 reply.Buffer.dummy = 5; /* ??? actually I don't think
1418 * this has any meaning
1419 * here - gd */
1420
1421 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &reply,
1422 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1423 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1424 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1425 return false;
1426 }
1427
1428 if (DEBUGLEVEL >= 10) {
1429 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1430 }
1431
1432 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1433 return false;
1434 }
1435
1436 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1437 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1438
1439 /* We're finished with this bind - no more packets. */
1440 p->auth.auth_data_free_func = NULL;
1441 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1442
1443 p->pipe_bound = True;
1444
1445 return True;
1446 }
1447
1448 /*******************************************************************
1449 Handle an NTLMSSP bind auth.
1450 *******************************************************************/
1451
1452 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1453 uint32_t ss_padding_len,
1454 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1455 {
1456 RPC_HDR_AUTH auth_info;
1457 DATA_BLOB blob;
1458 DATA_BLOB response;
1459 NTSTATUS status;
1460 struct auth_ntlmssp_state *a = NULL;
1461
1462 ZERO_STRUCT(blob);
1463 ZERO_STRUCT(response);
1464
1465 /* Grab the NTLMSSP blob. */
1466 blob = data_blob(NULL,p->hdr.auth_len);
1467
1468 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1469 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1470 (unsigned int)p->hdr.auth_len ));
1471 goto err;
1472 }
1473
1474 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1475 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1476 goto err;
1477 }
1478
1479 /* We have an NTLMSSP blob. */
1480 status = auth_ntlmssp_start(&a);
1481 if (!NT_STATUS_IS_OK(status)) {
1482 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1483 nt_errstr(status) ));
1484 goto err;
1485 }
1486
1487 switch (pauth_info->auth_level) {
1488 case DCERPC_AUTH_LEVEL_INTEGRITY:
1489 auth_ntlmssp_want_sign(a);
1490 break;
1491 case DCERPC_AUTH_LEVEL_PRIVACY:
1492 auth_ntlmssp_want_seal(a);
1493 break;
1494 default:
1495 break;
1496 }
1497
1498 status = auth_ntlmssp_update(a, blob, &response);
1499 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1500 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1501 nt_errstr(status) ));
1502 goto err;
1503 }
1504
1505 data_blob_free(&blob);
1506
1507 /* Copy the blob into the pout_auth parse struct */
1508 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1509 pauth_info->auth_level, ss_padding_len, 1);
1510 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1511 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1512 goto err;
1513 }
1514
1515 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1516 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1517 goto err;
1518 }
1519
1520 p->auth.a_u.auth_ntlmssp_state = a;
1521 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1522 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1523
1524 data_blob_free(&blob);
1525 data_blob_free(&response);
1526
1527 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1528
1529 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1530 return True;
1531
1532 err:
1533
1534 data_blob_free(&blob);
1535 data_blob_free(&response);
1536
1537 free_pipe_ntlmssp_auth_data(&p->auth);
1538 p->auth.a_u.auth_ntlmssp_state = NULL;
1539 return False;
1540 }
1541
1542 /*******************************************************************
1543 Respond to a pipe bind request.
1544 *******************************************************************/
1545
1546 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1547 {
1548 RPC_HDR_BA hdr_ba;
1549 RPC_HDR_RB hdr_rb;
1550 RPC_HDR_AUTH auth_info;
1551 uint16 assoc_gid;
1552 fstring ack_pipe_name;
1553 prs_struct out_hdr_ba;
1554 prs_struct out_auth;
1555 int auth_len = 0;
1556 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1557 uint32_t ss_padding_len = 0;
1558 NTSTATUS status;
1559 struct ndr_syntax_id id;
1560
1561 /* No rebinds on a bound pipe - use alter context. */
1562 if (p->pipe_bound) {
1563 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1564 "pipe %s.\n",
1565 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1566 return setup_bind_nak(p);
1567 }
1568
1569 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1570
1571 /*
1572 * Marshall directly into the outgoing PDU space. We
1573 * must do this as we need to set to the bind response
1574 * header and are never sending more than one PDU here.
1575 */
1576
1577 /*
1578 * Setup the memory to marshall the ba header, and the
1579 * auth footers.
1580 */
1581
1582 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1583 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1584 prs_mem_free(&p->out_data.frag);
1585 return False;
1586 }
1587
1588 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1589 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1590 prs_mem_free(&p->out_data.frag);
1591 prs_mem_free(&out_hdr_ba);
1592 return False;
1593 }
1594
1595 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1596
1597 ZERO_STRUCT(hdr_rb);
1598
1599 /* decode the bind request */
1600
1601 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1602 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1603 "struct.\n"));
1604 goto err_exit;
1605 }
1606
1607 if (hdr_rb.num_contexts == 0) {
1608 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1609 goto err_exit;
1610 }
1611
1612 /*
1613 * Try and find the correct pipe name to ensure
1614 * that this is a pipe name we support.
1615 */
1616 id = hdr_rb.rpc_context[0].abstract;
1617 if (rpc_srv_pipe_exists_by_id(&id)) {
1618 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1619 rpc_srv_get_pipe_cli_name(&id),
1620 rpc_srv_get_pipe_srv_name(&id)));
1621 } else {
1622 status = smb_probe_module(
1623 "rpc", get_pipe_name_from_syntax(
1624 talloc_tos(),
1625 &hdr_rb.rpc_context[0].abstract));
1626
1627 if (NT_STATUS_IS_ERR(status)) {
1628 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1629 get_pipe_name_from_syntax(
1630 talloc_tos(),
1631 &hdr_rb.rpc_context[0].abstract)));
1632 prs_mem_free(&p->out_data.frag);
1633 prs_mem_free(&out_hdr_ba);
1634 prs_mem_free(&out_auth);
1635
1636 return setup_bind_nak(p);
1637 }
1638
1639 if (rpc_srv_get_pipe_interface_by_cli_name(
1640 get_pipe_name_from_syntax(talloc_tos(),
1641 &p->syntax),
1642 &id)) {
1643 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1644 rpc_srv_get_pipe_cli_name(&id),
1645 rpc_srv_get_pipe_srv_name(&id)));
1646 } else {
1647 DEBUG(0, ("module %s doesn't provide functions for "
1648 "pipe %s!\n",
1649 get_pipe_name_from_syntax(talloc_tos(),
1650 &p->syntax),
1651 get_pipe_name_from_syntax(talloc_tos(),
1652 &p->syntax)));
1653 goto err_exit;
1654 }
1655 }
1656
1657 /* name has to be \PIPE\xxxxx */
1658 fstrcpy(ack_pipe_name, "\\PIPE\\");
1659 fstrcat(ack_pipe_name, rpc_srv_get_pipe_srv_name(&id));
1660
1661 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1662
1663 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1664
1665 /*
1666 * Create the bind response struct.
1667 */
1668
1669 /* If the requested abstract synt uuid doesn't match our client pipe,
1670 reject the bind_ack & set the transfer interface synt to all 0's,
1671 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1672 unknown to NT4)
1673 Needed when adding entries to a DACL from NT5 - SK */
1674
1675 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1676 hdr_rb.rpc_context[0].context_id )) {
1677 init_rpc_hdr_ba(&hdr_ba,
1678 RPC_MAX_PDU_FRAG_LEN,
1679 RPC_MAX_PDU_FRAG_LEN,
1680 assoc_gid,
1681 ack_pipe_name,
1682 0x1, 0x0, 0x0,
1683 &hdr_rb.rpc_context[0].transfer[0]);
1684 } else {
1685 /* Rejection reason: abstract syntax not supported */
1686 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1687 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1688 ack_pipe_name, 0x1, 0x2, 0x1,
1689 &null_ndr_syntax_id);
1690 p->pipe_bound = False;
1691 }
1692
1693 /*
1694 * and marshall it.
1695 */
1696
1697 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1698 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1699 goto err_exit;
1700 }
1701
1702 /*
1703 * Check if this is an authenticated bind request.
1704 */
1705
1706 if (p->hdr.auth_len) {
1707 /*
1708 * Decode the authentication verifier.
1709 */
1710
1711 /* Work out any padding needed before the auth footer. */
1712 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1713 ss_padding_len = SERVER_NDR_PADDING_SIZE -
1714 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1715 DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1716 (unsigned int)ss_padding_len ));
1717 }
1718
1719 /* Quick length check. Won't catch a bad auth footer,
1720 * prevents overrun. */
1721
1722 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1723 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1724 "too long for fragment %u.\n",
1725 (unsigned int)p->hdr.auth_len,
1726 (unsigned int)p->hdr.frag_len ));
1727 goto err_exit;
1728 }
1729
1730 /* Pull the auth header and the following data into a blob. */
1731 /* NB. The offset of the auth_header is relative to the *end*
1732 * of the packet, not the start. Also, the length of the
1733 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1734 * as the RPC header isn't included in rpc_in_p. */
1735 if(!prs_set_offset(rpc_in_p,
1736 p->hdr.frag_len - RPC_HEADER_LEN -
1737 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1738 DEBUG(0,("api_pipe_bind_req: cannot move "
1739 "offset to %u.\n",
1740 (unsigned int)(p->hdr.frag_len -
1741 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1742 goto err_exit;
1743 }
1744
1745 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1746 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1747 goto err_exit;
1748 }
1749
1750 auth_type = auth_info.auth_type;
1751
1752 /* Work out if we have to sign or seal etc. */
1753 switch (auth_info.auth_level) {
1754 case DCERPC_AUTH_LEVEL_INTEGRITY:
1755 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1756 break;
1757 case DCERPC_AUTH_LEVEL_PRIVACY:
1758 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1759 break;
1760 default:
1761 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1762 (unsigned int)auth_info.auth_level ));
1763 goto err_exit;
1764 }
1765 } else {
1766 ZERO_STRUCT(auth_info);
1767 }
1768
1769 switch(auth_type) {
1770 case DCERPC_AUTH_TYPE_NTLMSSP:
1771 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1772 ss_padding_len, &auth_info, &out_auth)) {
1773 goto err_exit;
1774 }
1775 assoc_gid = 0x7a77;
1776 break;
1777
1778 case DCERPC_AUTH_TYPE_SCHANNEL:
1779 if (!pipe_schannel_auth_bind(p, rpc_in_p,
1780 ss_padding_len, &auth_info, &out_auth)) {
1781 goto err_exit;
1782 }
1783 break;
1784
1785 case DCERPC_AUTH_TYPE_SPNEGO:
1786 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1787 ss_padding_len, &auth_info, &out_auth)) {
1788 goto err_exit;
1789 }
1790 break;
1791
1792 case DCERPC_AUTH_TYPE_NONE:
1793 /* Unauthenticated bind request. */
1794 /* We're finished - no more packets. */
1795 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1796 /* We must set the pipe auth_level here also. */
1797 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1798 p->pipe_bound = True;
1799 /* The session key was initialized from the SMB
1800 * session in make_internal_rpc_pipe_p */
1801 ss_padding_len = 0;
1802 break;
1803
1804 default:
1805 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1806 goto err_exit;
1807 }
1808 /*
1809 * Create the header, now we know the length.
1810 */
1811
1812 if (prs_offset(&out_auth)) {
1813 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1814 }
1815
1816 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1817 p->hdr.call_id,
1818 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1819 ss_padding_len + prs_offset(&out_auth),
1820 auth_len);
1821
1822 /*
1823 * Marshall the header into the outgoing PDU.
1824 */
1825
1826 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1827 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1828 goto err_exit;
1829 }
1830
1831 /*
1832 * Now add the RPC_HDR_BA and any auth needed.
1833 */
1834
1835 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1836 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1837 goto err_exit;
1838 }
1839
1840 if (auth_len) {
1841 if (ss_padding_len) {
1842 char pad[SERVER_NDR_PADDING_SIZE];
1843 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1844 if (!prs_copy_data_in(&p->out_data.frag, pad,
1845 ss_padding_len)) {
1846 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1847 "bytes of pad data.\n",
1848 (unsigned int)ss_padding_len));
1849 goto err_exit;
1850 }
1851 }
1852
1853 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1854 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1855 goto err_exit;
1856 }
1857 }
1858
1859 /*
1860 * Setup the lengths for the initial reply.
1861 */
1862
1863 p->out_data.data_sent_length = 0;
1864 p->out_data.current_pdu_sent = 0;
1865
1866 prs_mem_free(&out_hdr_ba);
1867 prs_mem_free(&out_auth);
1868
1869 return True;
1870
1871 err_exit:
1872
1873 prs_mem_free(&p->out_data.frag);
1874 prs_mem_free(&out_hdr_ba);
1875 prs_mem_free(&out_auth);
1876 return setup_bind_nak(p);
1877 }
1878
1879 /****************************************************************************
1880 Deal with an alter context call. Can be third part of 3 leg auth request for
1881 SPNEGO calls.
1882 ****************************************************************************/
1883
1884 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1885 {
1886 RPC_HDR_BA hdr_ba;
1887 RPC_HDR_RB hdr_rb;
1888 RPC_HDR_AUTH auth_info;
1889 uint16 assoc_gid;
1890 fstring ack_pipe_name;
1891 prs_struct out_hdr_ba;
1892 prs_struct out_auth;
1893 int auth_len = 0;
1894 uint32_t ss_padding_len = 0;
1895
1896 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1897
1898 /*
1899 * Marshall directly into the outgoing PDU space. We
1900 * must do this as we need to set to the bind response
1901 * header and are never sending more than one PDU here.
1902 */
1903
1904 /*
1905 * Setup the memory to marshall the ba header, and the
1906 * auth footers.
1907 */
1908
1909 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1910 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1911 prs_mem_free(&p->out_data.frag);
1912 return False;
1913 }
1914
1915 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1916 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1917 prs_mem_free(&p->out_data.frag);
1918 prs_mem_free(&out_hdr_ba);
1919 return False;
1920 }
1921
1922 ZERO_STRUCT(hdr_rb);
1923
1924 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1925
1926 /* decode the alter context request */
1927 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1928 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1929 goto err_exit;
1930 }
1931
1932 /* secondary address CAN be NULL
1933 * as the specs say it's ignored.
1934 * It MUST be NULL to have the spoolss working.
1935 */
1936 fstrcpy(ack_pipe_name,"");
1937
1938 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1939
1940 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1941
1942 /*
1943 * Create the bind response struct.
1944 */
1945
1946 /* If the requested abstract synt uuid doesn't match our client pipe,
1947 reject the bind_ack & set the transfer interface synt to all 0's,
1948 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1949 unknown to NT4)
1950 Needed when adding entries to a DACL from NT5 - SK */
1951
1952 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1953 hdr_rb.rpc_context[0].context_id )) {
1954 init_rpc_hdr_ba(&hdr_ba,
1955 RPC_MAX_PDU_FRAG_LEN,
1956 RPC_MAX_PDU_FRAG_LEN,
1957 assoc_gid,
1958 ack_pipe_name,
1959 0x1, 0x0, 0x0,
1960 &hdr_rb.rpc_context[0].transfer[0]);
1961 } else {
1962 /* Rejection reason: abstract syntax not supported */
1963 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1964 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1965 ack_pipe_name, 0x1, 0x2, 0x1,
1966 &null_ndr_syntax_id);
1967 p->pipe_bound = False;
1968 }
1969
1970 /*
1971 * and marshall it.
1972 */
1973
1974 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1975 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1976 goto err_exit;
1977 }
1978
1979
1980 /*
1981 * Check if this is an authenticated alter context request.
1982 */
1983
1984 if (p->hdr.auth_len != 0) {
1985 /*
1986 * Decode the authentication verifier.
1987 */
1988
1989 /* Work out any padding needed before the auth footer. */
1990 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1991 ss_padding_len = SERVER_NDR_PADDING_SIZE -
1992 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1993 DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
1994 (unsigned int)ss_padding_len ));
1995 }
1996
1997 /* Quick length check. Won't catch a bad auth footer,
1998 * prevents overrun. */
1999
2000 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2001 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2002 "too long for fragment %u.\n",
2003 (unsigned int)p->hdr.auth_len,
2004 (unsigned int)p->hdr.frag_len ));
2005 goto err_exit;
2006 }
2007
2008 /* Pull the auth header and the following data into a blob. */
2009 /* NB. The offset of the auth_header is relative to the *end*
2010 * of the packet, not the start. Also, the length of the
2011 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2012 * as the RPC header isn't included in rpc_in_p. */
2013 if(!prs_set_offset(rpc_in_p,
2014 p->hdr.frag_len - RPC_HEADER_LEN -
2015 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2016 DEBUG(0,("api_alter_context: cannot move "
2017 "offset to %u.\n",
2018 (unsigned int)(p->hdr.frag_len -
2019 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2020 goto err_exit;
2021 }
2022
2023 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2024 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2025 goto err_exit;
2026 }
2027
2028 /*
2029 * Currently only the SPNEGO auth type uses the alter ctx
2030 * response in place of the NTLMSSP auth3 type.
2031 */
2032
2033 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2034 /* We can only finish if the pipe is unbound. */
2035 if (!p->pipe_bound) {
2036 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2037 ss_padding_len, &auth_info, &out_auth)) {
2038 goto err_exit;
2039 }
2040 } else {
2041 goto err_exit;
2042 }
2043 }
2044 } else {
2045 ZERO_STRUCT(auth_info);
2046 }
2047 /*
2048 * Create the header, now we know the length.
2049 */
2050
2051 if (prs_offset(&out_auth)) {
2052 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2053 }
2054
2055 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2056 p->hdr.call_id,
2057 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2058 auth_len);
2059
2060 /*
2061 * Marshall the header into the outgoing PDU.
2062 */
2063
2064 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2065 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2066 goto err_exit;
2067 }
2068
2069 /*
2070 * Now add the RPC_HDR_BA and any auth needed.
2071 */
2072
2073 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2074 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2075 goto err_exit;
2076 }
2077
2078 if (auth_len) {
2079 if (ss_padding_len) {
2080 char pad[SERVER_NDR_PADDING_SIZE];
2081 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2082 if (!prs_copy_data_in(&p->out_data.frag, pad,
2083 ss_padding_len)) {
2084 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2085 "bytes of pad data.\n",
2086 (unsigned int)ss_padding_len));
2087 goto err_exit;
2088 }
2089 }
2090
2091 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2092 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2093 goto err_exit;
2094 }
2095 }
2096
2097 /*
2098 * Setup the lengths for the initial reply.
2099 */
2100
2101 p->out_data.data_sent_length = 0;
2102 p->out_data.current_pdu_sent = 0;
2103
2104 prs_mem_free(&out_hdr_ba);
2105 prs_mem_free(&out_auth);
2106
2107 return True;
2108
2109 err_exit:
2110
2111 prs_mem_free(&p->out_data.frag);
2112 prs_mem_free(&out_hdr_ba);
2113 prs_mem_free(&out_auth);
2114 return setup_bind_nak(p);
2115 }
2116
2117 /****************************************************************************
2118 Deal with NTLMSSP sign & seal processing on an RPC request.
2119 ****************************************************************************/
2120
2121 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2122 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2123 {
2124 RPC_HDR_AUTH auth_info;
2125 uint32 auth_len = p->hdr.auth_len;
2126 uint32 save_offset = prs_offset(rpc_in);
2127 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
2128 unsigned char *data = NULL;
2129 size_t data_len;
2130 unsigned char *full_packet_data = NULL;
2131 size_t full_packet_data_len;
2132 DATA_BLOB auth_blob;
2133
2134 *pstatus = NT_STATUS_OK;
2135
2136 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2137 return True;
2138 }
2139
2140 if (!a) {
2141 *pstatus = NT_STATUS_INVALID_PARAMETER;
2142 return False;
2143 }
2144
2145 /* Ensure there's enough data for an authenticated request. */
2146 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2147 + auth_len > p->hdr.frag_len) {
2148 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2149 (unsigned int)auth_len ));
2150 *pstatus = NT_STATUS_INVALID_PARAMETER;
2151 return False;
2152 }
2153
2154 /*
2155 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2156 * after the RPC header.
2157 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2158 * functions as NTLMv2 checks the rpc headers also.
2159 * Both of these values include any auth_pad_len bytes.
2160 */
2161
2162 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2163 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2164
2165 full_packet_data = p->in_data.current_in_pdu;
2166 full_packet_data_len = p->hdr.frag_len - auth_len;
2167
2168 /* Pull the auth header and the following data into a blob. */
2169 /* NB. The offset of the auth_header is relative to the *end*
2170 * of the packet, not the start. Also, the length of the
2171 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2172 * as the RPC header isn't included in rpc_in_p. */
2173 if(!prs_set_offset(rpc_in,
2174 p->hdr.frag_len - RPC_HEADER_LEN -
2175 RPC_HDR_AUTH_LEN - auth_len)) {
2176 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2177 "offset to %u.\n",
2178 (unsigned int)(p->hdr.frag_len -
2179 RPC_HDR_AUTH_LEN - auth_len) ));
2180 *pstatus = NT_STATUS_INVALID_PARAMETER;
2181 return False;
2182 }
2183
2184 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2185 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2186 "unmarshall RPC_HDR_AUTH.\n"));
2187 *pstatus = NT_STATUS_INVALID_PARAMETER;
2188 return False;
2189 }
2190
2191 /* Ensure auth_pad_len fits into the packet. */
2192 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2193 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2194 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2195 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2196 (unsigned int)auth_info.auth_pad_len,
2197 (unsigned int)auth_len,
2198 (unsigned int)p->hdr.frag_len ));
2199 *pstatus = NT_STATUS_INVALID_PARAMETER;
2200 return False;
2201 }
2202
2203 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2204 auth_blob.length = auth_len;
2205
2206 switch (p->auth.auth_level) {
2207 case DCERPC_AUTH_LEVEL_PRIVACY:
2208 /* Data is encrypted. */
2209 *pstatus = auth_ntlmssp_unseal_packet(a,
2210 data, data_len,
2211 full_packet_data,
2212 full_packet_data_len,
2213 &auth_blob);
2214 if (!NT_STATUS_IS_OK(*pstatus)) {
2215 return False;
2216 }
2217 break;
2218 case DCERPC_AUTH_LEVEL_INTEGRITY:
2219 /* Data is signed. */
2220 *pstatus = auth_ntlmssp_check_packet(a,
2221 data, data_len,
2222 full_packet_data,
2223 full_packet_data_len,
2224 &auth_blob);
2225 if (!NT_STATUS_IS_OK(*pstatus)) {
2226 return False;
2227 }
2228 break;
2229 default:
2230 *pstatus = NT_STATUS_INVALID_PARAMETER;
2231 return False;
2232 }
2233
2234 /*
2235 * Return the current pointer to the data offset.
2236 */
2237
2238 if(!prs_set_offset(rpc_in, save_offset)) {
2239 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2240 (unsigned int)save_offset ));
2241 *pstatus = NT_STATUS_INVALID_PARAMETER;
2242 return False;
2243 }
2244
2245 /*
2246 * Remember the padding length. We must remove it from the real data
2247 * stream once the sign/seal is done.
2248 */
2249
2250 *p_ss_padding_len = auth_info.auth_pad_len;
2251
2252 return True;
2253 }
2254
2255 /****************************************************************************
2256 Deal with schannel processing on an RPC request.
2257 ****************************************************************************/
2258
2259 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2260 {
2261 uint32 data_len;
2262 uint32 auth_len;
2263 uint32 save_offset = prs_offset(rpc_in);
2264 RPC_HDR_AUTH auth_info;
2265 DATA_BLOB blob;
2266 NTSTATUS status;
2267 uint8_t *data;
2268
2269 auth_len = p->hdr.auth_len;
2270
2271 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2272 auth_len > RPC_HEADER_LEN +
2273 RPC_HDR_REQ_LEN +
2274 RPC_HDR_AUTH_LEN +
2275 auth_len) {
2276 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2277 return False;
2278 }
2279
2280 /*
2281 * The following is that length of the data we must verify or unseal.
2282 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2283 * preceeding the auth_data, but does include the auth_pad_len bytes.
2284 */
2285
2286 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2287 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2288 (unsigned int)p->hdr.frag_len,
2289 (unsigned int)auth_len ));
2290 return False;
2291 }
2292
2293 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2294 RPC_HDR_AUTH_LEN - auth_len;
2295
2296 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2297
2298 /* Pull the auth header and the following data into a blob. */
2299 /* NB. The offset of the auth_header is relative to the *end*
2300 * of the packet, not the start. Also, the length of the
2301 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2302 * as the RPC header isn't included in rpc_in_p. */
2303 if(!prs_set_offset(rpc_in,
2304 p->hdr.frag_len - RPC_HEADER_LEN -
2305 RPC_HDR_AUTH_LEN - auth_len)) {
2306 DEBUG(0,("api_pipe_schannel_process: cannot move "
2307 "offset to %u.\n",
2308 (unsigned int)(p->hdr.frag_len -
2309 RPC_HDR_AUTH_LEN - auth_len) ));
2310 return False;
2311 }
2312
2313 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2314 DEBUG(0,("api_pipe_schannel_process: failed to "
2315 "unmarshall RPC_HDR_AUTH.\n"));
2316 return False;
2317 }
2318
2319 /* Ensure auth_pad_len fits into the packet. */
2320 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2321 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2322 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2323 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2324 (unsigned int)auth_info.auth_pad_len,
2325 (unsigned int)auth_len,
2326 (unsigned int)p->hdr.frag_len ));
2327 return False;
2328 }
2329
2330 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2331 DEBUG(0,("Invalid auth info %d on schannel\n",
2332 auth_info.auth_type));
2333 return False;
2334 }
2335
2336 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2337
2338 if (DEBUGLEVEL >= 10) {
2339 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2340 }
2341
2342 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2343
2344 switch (auth_info.auth_level) {
2345 case DCERPC_AUTH_LEVEL_PRIVACY:
2346 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2347 talloc_tos(),
2348 true,
2349 data,
2350 data_len,
2351 &blob);
2352 break;
2353 case DCERPC_AUTH_LEVEL_INTEGRITY:
2354 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2355 talloc_tos(),
2356 false,
2357 data,
2358 data_len,
2359 &blob);
2360 break;
2361 default:
2362 status = NT_STATUS_INTERNAL_ERROR;
2363 break;
2364 }
2365
2366 if (!NT_STATUS_IS_OK(status)) {
2367 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2368 return false;
2369 }
2370
2371 /*
2372 * Return the current pointer to the data offset.
2373 */
2374
2375 if(!prs_set_offset(rpc_in, save_offset)) {
2376 DEBUG(0,("failed to set offset back to %u\n",
2377 (unsigned int)save_offset ));
2378 return False;
2379 }
2380
2381 /*
2382 * Remember the padding length. We must remove it from the real data
2383 * stream once the sign/seal is done.
2384 */
2385
2386 *p_ss_padding_len = auth_info.auth_pad_len;
2387
2388 return True;
2389 }
2390
2391 /****************************************************************************
2392 Find the set of RPC functions associated with this context_id
2393 ****************************************************************************/
2394
2395 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2396 {
2397 PIPE_RPC_FNS *fns = NULL;
2398
2399 if ( !list ) {
2400 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2401 return NULL;
2402 }
2403
2404 for (fns=list; fns; fns=fns->next ) {
2405 if ( fns->context_id == context_id )
2406 return fns;
2407 }
2408 return NULL;
2409 }
2410
2411 /****************************************************************************
2412 Memory cleanup.
2413 ****************************************************************************/
2414
2415 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2416 {
2417 PIPE_RPC_FNS *tmp = list;
2418 PIPE_RPC_FNS *tmp2;
2419
2420 while (tmp) {
2421 tmp2 = tmp->next;
2422 SAFE_FREE(tmp);
2423 tmp = tmp2;
2424 }
2425
2426 return;
2427 }
2428
2429 static bool api_rpcTNP(pipes_struct *p,
2430 const struct api_struct *api_rpc_cmds, int n_cmds);
2431
2432 /****************************************************************************
2433 Find the correct RPC function to call for this request.
2434 If the pipe is authenticated then become the correct UNIX user
2435 before doing the call.
2436 ****************************************************************************/
2437
2438 bool api_pipe_request(pipes_struct *p)
2439 {
2440 bool ret = False;
2441 bool changed_user = False;
2442 PIPE_RPC_FNS *pipe_fns;
2443
2444 if (p->pipe_bound &&
2445 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2446 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2447 if(!become_authenticated_pipe_user(p)) {
2448 prs_mem_free(&p->out_data.rdata);
2449 return False;
2450 }
2451 changed_user = True;
2452 }
2453
2454 DEBUG(5, ("Requested \\PIPE\\%s\n",
2455 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2456
2457 /* get the set of RPC functions for this context */
2458
2459 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2460
2461 if ( pipe_fns ) {
2462 TALLOC_CTX *frame = talloc_stackframe();
2463 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2464 TALLOC_FREE(frame);
2465 }
2466 else {
2467 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2468 p->hdr_req.context_id,
2469 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2470 }
2471
2472 if (changed_user) {
2473 unbecome_authenticated_pipe_user();
2474 }
2475
2476 return ret;
2477 }
2478
2479 /*******************************************************************
2480 Calls the underlying RPC function for a named pipe.
2481 ********************************************************************/
2482
2483 static bool api_rpcTNP(pipes_struct *p,
2484 const struct api_struct *api_rpc_cmds, int n_cmds)
2485 {
2486 int fn_num;
2487 uint32 offset1, offset2;
2488
2489 /* interpret the command */
2490 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2491 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2492 p->hdr_req.opnum));
2493
2494 if (DEBUGLEVEL >= 50) {
2495 fstring name;
2496 slprintf(name, sizeof(name)-1, "in_%s",
2497 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2498 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2499 }
2500
2501 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2502 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2503 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2504 break;
2505 }
2506 }
2507
2508 if (fn_num == n_cmds) {
2509 /*
2510 * For an unknown RPC just return a fault PDU but
2511 * return True to allow RPC's on the pipe to continue
2512 * and not put the pipe into fault state. JRA.
2513 */
2514 DEBUG(4, ("unknown\n"));
2515 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2516 return True;
2517 }
2518
2519 offset1 = prs_offset(&p->out_data.rdata);
2520
2521 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2522 fn_num, api_rpc_cmds[fn_num].fn));
2523 /* do the actual command */
2524 if(!api_rpc_cmds[fn_num].fn(p)) {
2525 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2526 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2527 api_rpc_cmds[fn_num].name));
2528 prs_mem_free(&p->out_data.rdata);
2529 return False;
2530 }
2531
2532 if (p->bad_handle_fault_state) {
2533 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2534 p->bad_handle_fault_state = False;
2535 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2536 return True;
2537 }
2538
2539 if (p->rng_fault_state) {
2540 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2541 p->rng_fault_state = False;
2542 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2543 return True;
2544 }
2545
2546 offset2 = prs_offset(&p->out_data.rdata);
2547 prs_set_offset(&p->out_data.rdata, offset1);
2548 if (DEBUGLEVEL >= 50) {
2549 fstring name;
2550 slprintf(name, sizeof(name)-1, "out_%s",
2551 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2552 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2553 }
2554 prs_set_offset(&p->out_data.rdata, offset2);
2555
2556 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2557 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2558
2559 /* Check for buffer underflow in rpc parsing */
2560
2561 if ((DEBUGLEVEL >= 10) &&
2562 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2563 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2564 char *data = (char *)SMB_MALLOC(data_len);
2565
2566 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2567 if (data) {
2568 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2569 SAFE_FREE(data);
2570 }
2571
2572 }
2573
2574 return True;
2575 }
Samba GIT mirror