search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pdb-interface: Do not use unid_t here
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob449bf7555b5ee9adecc62b9732b2b31d9ee0c0fa
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../libcli/auth/schannel.h"
35 #include "../libcli/auth/spnego.h"
36 #include "dcesrv_ntlmssp.h"
37 #include "dcesrv_gssapi.h"
38 #include "dcesrv_spnego.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43 #include "ntdomain.h"
44 #include "rpc_server/srv_pipe.h"
45 #include "rpc_server/rpc_contexts.h"
46 #include "lib/param/param.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_RPC_SRV
50
51 /**
52 * Dump everything from the start of the end up of the provided data
53 * into a file, but only at debug level >= 50
54 **/
55 static void dump_pdu_region(const char *name, int v,
56 DATA_BLOB *data, size_t start, size_t end)
57 {
58 int fd, i;
59 char *fname = NULL;
60 ssize_t sz;
61
62 if (DEBUGLEVEL < 50) return;
63
64 if (start > data->length || end > data->length || start > end) return;
65
66 for (i = 1; i < 100; i++) {
67 if (v != -1) {
68 fname = talloc_asprintf(talloc_tos(),
69 "/tmp/%s_%d.%d.prs",
70 name, v, i);
71 } else {
72 fname = talloc_asprintf(talloc_tos(),
73 "/tmp/%s_%d.prs",
74 name, i);
75 }
76 if (!fname) {
77 return;
78 }
79 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
80 if (fd != -1 || errno != EEXIST) break;
81 }
82 if (fd != -1) {
83 sz = write(fd, data->data + start, end - start);
84 i = close(fd);
85 if ((sz != end - start) || (i != 0) ) {
86 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
87 fname, (unsigned long)sz,
88 (unsigned long)end - start, i));
89 } else {
90 DEBUG(0,("created %s\n", fname));
91 }
92 }
93 TALLOC_FREE(fname);
94 }
95
96 static DATA_BLOB generic_session_key(void)
97 {
98 return data_blob_const("SystemLibraryDTC", 16);
99 }
100
101 /*******************************************************************
102 Generate the next PDU to be returned from the data.
103 ********************************************************************/
104
105 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
106 struct pipe_auth_data *auth,
107 uint32_t call_id,
108 DATA_BLOB *rdata,
109 size_t data_sent_length,
110 DATA_BLOB *frag,
111 size_t *pdu_size)
112 {
113 union dcerpc_payload u;
114 uint8_t pfc_flags;
115 size_t data_left;
116 size_t data_to_send;
117 size_t frag_len;
118 size_t pad_len = 0;
119 size_t auth_len = 0;
120 NTSTATUS status;
121
122 ZERO_STRUCT(u.response);
123
124 /* Set up rpc packet pfc flags. */
125 if (data_sent_length == 0) {
126 pfc_flags = DCERPC_PFC_FLAG_FIRST;
127 } else {
128 pfc_flags = 0;
129 }
130
131 /* Work out how much we can fit in a single PDU. */
132 data_left = rdata->length - data_sent_length;
133
134 /* Ensure there really is data left to send. */
135 if (!data_left) {
136 DEBUG(0, ("No data left to send !\n"));
137 return NT_STATUS_BUFFER_TOO_SMALL;
138 }
139
140 status = dcerpc_guess_sizes(auth,
141 DCERPC_RESPONSE_LENGTH,
142 data_left,
143 RPC_MAX_PDU_FRAG_LEN,
144 SERVER_NDR_PADDING_SIZE,
145 &data_to_send, &frag_len,
146 &auth_len, &pad_len);
147 if (!NT_STATUS_IS_OK(status)) {
148 return status;
149 }
150
151 /* Set up the alloc hint. This should be the data left to send. */
152 u.response.alloc_hint = data_left;
153
154 /* Work out if this PDU will be the last. */
155 if (data_sent_length + data_to_send >= rdata->length) {
156 pfc_flags |= DCERPC_PFC_FLAG_LAST;
157 }
158
159 /* Prepare data to be NDR encoded. */
160 u.response.stub_and_verifier =
161 data_blob_const(rdata->data + data_sent_length, data_to_send);
162
163 /* Store the packet in the data stream. */
164 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
165 pfc_flags, auth_len, call_id,
166 &u, frag);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
169 return status;
170 }
171
172 if (auth_len) {
173 /* Set the proper length on the pdu, including padding.
174 * Only needed if an auth trailer will be appended. */
175 dcerpc_set_frag_length(frag, frag->length
176 + pad_len
177 + DCERPC_AUTH_TRAILER_LENGTH
178 + auth_len);
179 }
180
181 if (auth_len) {
182 status = dcerpc_add_auth_footer(auth, pad_len, frag);
183 if (!NT_STATUS_IS_OK(status)) {
184 data_blob_free(frag);
185 return status;
186 }
187 }
188
189 *pdu_size = data_to_send;
190 return NT_STATUS_OK;
191 }
192
193 /*******************************************************************
194 Generate the next PDU to be returned from the data in p->rdata.
195 ********************************************************************/
196
197 bool create_next_pdu(struct pipes_struct *p)
198 {
199 size_t pdu_size = 0;
200 NTSTATUS status;
201
202 /*
203 * If we're in the fault state, keep returning fault PDU's until
204 * the pipe gets closed. JRA.
205 */
206 if (p->fault_state) {
207 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
208 return true;
209 }
210
211 status = create_next_packet(p->mem_ctx, &p->auth,
212 p->call_id, &p->out_data.rdata,
213 p->out_data.data_sent_length,
214 &p->out_data.frag, &pdu_size);
215 if (!NT_STATUS_IS_OK(status)) {
216 DEBUG(0, ("Failed to create packet with error %s, "
217 "(auth level %u / type %u)\n",
218 nt_errstr(status),
219 (unsigned int)p->auth.auth_level,
220 (unsigned int)p->auth.auth_type));
221 return false;
222 }
223
224 /* Setup the counts for this PDU. */
225 p->out_data.data_sent_length += pdu_size;
226 p->out_data.current_pdu_sent = 0;
227 return true;
228 }
229
230
231 static bool pipe_init_outgoing_data(struct pipes_struct *p);
232
233 /*******************************************************************
234 Marshall a bind_nak pdu.
235 *******************************************************************/
236
237 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
238 {
239 NTSTATUS status;
240 union dcerpc_payload u;
241
242 /* Free any memory in the current return data buffer. */
243 pipe_init_outgoing_data(p);
244
245 /*
246 * Initialize a bind_nak header.
247 */
248
249 ZERO_STRUCT(u);
250
251 u.bind_nak.reject_reason = 0;
252
253 /*
254 * Marshall directly into the outgoing PDU space. We
255 * must do this as we need to set to the bind response
256 * header and are never sending more than one PDU here.
257 */
258
259 status = dcerpc_push_ncacn_packet(p->mem_ctx,
260 DCERPC_PKT_BIND_NAK,
261 DCERPC_PFC_FLAG_FIRST |
262 DCERPC_PFC_FLAG_LAST,
263 0,
264 pkt->call_id,
265 &u,
266 &p->out_data.frag);
267 if (!NT_STATUS_IS_OK(status)) {
268 return False;
269 }
270
271 p->out_data.data_sent_length = 0;
272 p->out_data.current_pdu_sent = 0;
273
274 TALLOC_FREE(p->auth.auth_ctx);
275 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
276 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
277 p->pipe_bound = False;
278
279 return True;
280 }
281
282 /*******************************************************************
283 Marshall a fault pdu.
284 *******************************************************************/
285
286 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
287 {
288 NTSTATUS status;
289 union dcerpc_payload u;
290
291 /* Free any memory in the current return data buffer. */
292 pipe_init_outgoing_data(p);
293
294 /*
295 * Initialize a fault header.
296 */
297
298 ZERO_STRUCT(u);
299
300 u.fault.status = NT_STATUS_V(fault_status);
301 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
302
303 /*
304 * Marshall directly into the outgoing PDU space. We
305 * must do this as we need to set to the bind response
306 * header and are never sending more than one PDU here.
307 */
308
309 status = dcerpc_push_ncacn_packet(p->mem_ctx,
310 DCERPC_PKT_FAULT,
311 DCERPC_PFC_FLAG_FIRST |
312 DCERPC_PFC_FLAG_LAST |
313 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
314 0,
315 p->call_id,
316 &u,
317 &p->out_data.frag);
318 if (!NT_STATUS_IS_OK(status)) {
319 return False;
320 }
321
322 p->out_data.data_sent_length = 0;
323 p->out_data.current_pdu_sent = 0;
324
325 return True;
326 }
327
328 /*******************************************************************
329 Ensure a bind request has the correct abstract & transfer interface.
330 Used to reject unknown binds from Win2k.
331 *******************************************************************/
332
333 static bool check_bind_req(struct pipes_struct *p,
334 struct ndr_syntax_id* abstract,
335 struct ndr_syntax_id* transfer,
336 uint32_t context_id)
337 {
338 struct pipe_rpc_fns *context_fns;
339 bool ok;
340
341 DEBUG(3,("check_bind_req for %s\n",
342 get_pipe_name_from_syntax(talloc_tos(), abstract)));
343
344 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
345 if (rpc_srv_pipe_exists_by_id(abstract) &&
346 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
347 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
348 rpc_srv_get_pipe_cli_name(abstract),
349 rpc_srv_get_pipe_srv_name(abstract)));
350 } else {
351 return false;
352 }
353
354 ok = init_pipe_handles(p, abstract);
355 if (!ok) {
356 DEBUG(1, ("Failed to init pipe handles!\n"));
357 return false;
358 }
359
360 context_fns = talloc(p, struct pipe_rpc_fns);
361 if (context_fns == NULL) {
362 DEBUG(0,("check_bind_req: talloc() failed!\n"));
363 return false;
364 }
365
366 context_fns->next = context_fns->prev = NULL;
367 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
368 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
369 context_fns->context_id = context_id;
370 context_fns->syntax = *abstract;
371
372 /* add to the list of open contexts */
373
374 DLIST_ADD( p->contexts, context_fns );
375
376 return True;
377 }
378
379 /**
380 * Is a named pipe known?
381 * @param[in] cli_filename The pipe name requested by the client
382 * @result Do we want to serve this?
383 */
384 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
385 {
386 const char *pipename = cli_filename;
387 NTSTATUS status;
388
389 if (strnequal(pipename, "\\PIPE\\", 6)) {
390 pipename += 5;
391 }
392
393 if (*pipename == '\\') {
394 pipename += 1;
395 }
396
397 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
398 DEBUG(10, ("refusing spoolss access\n"));
399 return false;
400 }
401
402 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
403 return true;
404 }
405
406 status = smb_probe_module("rpc", pipename);
407 if (!NT_STATUS_IS_OK(status)) {
408 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
409 return false;
410 }
411 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
412
413 /*
414 * Scan the list again for the interface id
415 */
416 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
417 return true;
418 }
419
420 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
421 pipename));
422
423 return false;
424 }
425
426 /*******************************************************************
427 Handle the first part of a SPNEGO bind auth.
428 *******************************************************************/
429
430 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
431 TALLOC_CTX *mem_ctx,
432 struct dcerpc_auth *auth_info,
433 DATA_BLOB *response)
434 {
435 struct spnego_context *spnego_ctx;
436 NTSTATUS status;
437
438 status = spnego_server_auth_start(p,
439 (auth_info->auth_level ==
440 DCERPC_AUTH_LEVEL_INTEGRITY),
441 (auth_info->auth_level ==
442 DCERPC_AUTH_LEVEL_PRIVACY),
443 true,
444 &auth_info->credentials,
445 response,
446 p->remote_address,
447 &spnego_ctx);
448 if (!NT_STATUS_IS_OK(status)) {
449 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
450 nt_errstr(status)));
451 return false;
452 }
453
454 /* Make sure data is bound to the memctx, to be freed the caller */
455 talloc_steal(mem_ctx, response->data);
456
457 p->auth.auth_ctx = spnego_ctx;
458 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
459
460 DEBUG(10, ("SPNEGO auth started\n"));
461
462 return true;
463 }
464
465 /*******************************************************************
466 Handle an schannel bind auth.
467 *******************************************************************/
468
469 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
470 TALLOC_CTX *mem_ctx,
471 struct dcerpc_auth *auth_info,
472 DATA_BLOB *response)
473 {
474 struct NL_AUTH_MESSAGE neg;
475 struct NL_AUTH_MESSAGE reply;
476 bool ret;
477 NTSTATUS status;
478 struct netlogon_creds_CredentialState *creds;
479 enum ndr_err_code ndr_err;
480 struct schannel_state *schannel_auth;
481 struct loadparm_context *lp_ctx;
482
483 ndr_err = ndr_pull_struct_blob(
484 &auth_info->credentials, mem_ctx, &neg,
485 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
486 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
487 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
488 return false;
489 }
490
491 if (DEBUGLEVEL >= 10) {
492 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
493 }
494
495 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
496 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
497 return false;
498 }
499
500 lp_ctx = loadparm_init_s3(p, loadparm_s3_context());
501 if (!lp_ctx) {
502 DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
503 return false;
504 }
505
506 /*
507 * The neg.oem_netbios_computer.a key here must match the remote computer name
508 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
509 * operations that use credentials.
510 */
511
512 become_root();
513 status = schannel_get_creds_state(p, lp_ctx,
514 neg.oem_netbios_computer.a, &creds);
515 unbecome_root();
516
517 talloc_unlink(p, lp_ctx);
518 if (!NT_STATUS_IS_OK(status)) {
519 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
520 return False;
521 }
522
523 schannel_auth = talloc(p, struct schannel_state);
524 if (!schannel_auth) {
525 TALLOC_FREE(creds);
526 return False;
527 }
528
529 schannel_auth->state = SCHANNEL_STATE_START;
530 schannel_auth->seq_num = 0;
531 schannel_auth->initiator = false;
532 schannel_auth->creds = creds;
533
534 /*
535 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
536 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
537 * struct of the person who opened the pipe. I need to test this further. JRA.
538 *
539 * VL. As we are mapping this to guest set the generic key
540 * "SystemLibraryDTC" key here. It's a bit difficult to test against
541 * W2k3, as it does not allow schannel binds against SAMR and LSA
542 * anymore.
543 */
544
545 ret = session_info_set_session_key(p->session_info, generic_session_key());
546
547 if (!ret) {
548 DEBUG(0, ("session_info_set_session_key failed\n"));
549 return false;
550 }
551
552 /*** SCHANNEL verifier ***/
553
554 reply.MessageType = NL_NEGOTIATE_RESPONSE;
555 reply.Flags = 0;
556 reply.Buffer.dummy = 5; /* ??? actually I don't think
557 * this has any meaning
558 * here - gd */
559
560 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
561 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
562 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
563 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
564 return false;
565 }
566
567 if (DEBUGLEVEL >= 10) {
568 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
569 }
570
571 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
572 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
573
574 /* We're finished with this bind - no more packets. */
575 p->auth.auth_ctx = schannel_auth;
576 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
577
578 p->pipe_bound = True;
579
580 return True;
581 }
582
583 /*******************************************************************
584 Handle an NTLMSSP bind auth.
585 *******************************************************************/
586
587 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
588 TALLOC_CTX *mem_ctx,
589 struct dcerpc_auth *auth_info,
590 DATA_BLOB *response)
591 {
592 struct auth_ntlmssp_state *ntlmssp_state = NULL;
593 NTSTATUS status;
594
595 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
596 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
597 return false;
598 }
599
600 /* We have an NTLMSSP blob. */
601 status = ntlmssp_server_auth_start(p,
602 (auth_info->auth_level ==
603 DCERPC_AUTH_LEVEL_INTEGRITY),
604 (auth_info->auth_level ==
605 DCERPC_AUTH_LEVEL_PRIVACY),
606 true,
607 &auth_info->credentials,
608 response,
609 p->remote_address,
610 &ntlmssp_state);
611 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
612 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
613 nt_errstr(status)));
614 return false;
615 }
616
617 /* Make sure data is bound to the memctx, to be freed the caller */
618 talloc_steal(mem_ctx, response->data);
619
620 p->auth.auth_ctx = ntlmssp_state;
621 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
622
623 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
624
625 return true;
626 }
627
628 /*******************************************************************
629 Process an NTLMSSP authentication response.
630 If this function succeeds, the user has been authenticated
631 and their domain, name and calling workstation stored in
632 the pipe struct.
633 *******************************************************************/
634
635 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
636 struct auth_ntlmssp_state *ntlmssp_ctx,
637 enum dcerpc_AuthLevel auth_level,
638 struct auth_session_info **session_info)
639 {
640 NTSTATUS status;
641 bool ret;
642
643 DEBUG(5, (__location__ ": checking user details\n"));
644
645 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
646 ensure the underlying NTLMSSP flags are also set. If not we should
647 refuse the bind. */
648
649 status = ntlmssp_server_check_flags(ntlmssp_ctx,
650 (auth_level ==
651 DCERPC_AUTH_LEVEL_INTEGRITY),
652 (auth_level ==
653 DCERPC_AUTH_LEVEL_PRIVACY));
654 if (!NT_STATUS_IS_OK(status)) {
655 DEBUG(0, (__location__ ": Client failed to negotatie proper "
656 "security for rpc connection\n"));
657 return false;
658 }
659
660 TALLOC_FREE(*session_info);
661
662 status = ntlmssp_server_get_user_info(ntlmssp_ctx,
663 mem_ctx, session_info);
664 if (!NT_STATUS_IS_OK(status)) {
665 DEBUG(0, (__location__ ": failed to obtain the server info "
666 "for authenticated user: %s\n", nt_errstr(status)));
667 return false;
668 }
669
670 if ((*session_info)->security_token == NULL) {
671 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
672 return false;
673 }
674
675 /*
676 * We're an authenticated bind over smb, so the session key needs to
677 * be set to "SystemLibraryDTC". Weird, but this is what Windows
678 * does. See the RPC-SAMBA3SESSIONKEY.
679 */
680
681 ret = session_info_set_session_key((*session_info), generic_session_key());
682 if (!ret) {
683 DEBUG(0, ("Failed to set session key!\n"));
684 return false;
685 }
686
687 return true;
688 }
689
690 /*******************************************************************
691 Handle a GSSAPI bind auth.
692 *******************************************************************/
693
694 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
695 TALLOC_CTX *mem_ctx,
696 struct dcerpc_auth *auth_info,
697 DATA_BLOB *response)
698 {
699 NTSTATUS status;
700 struct gse_context *gse_ctx = NULL;
701
702 status = gssapi_server_auth_start(p,
703 (auth_info->auth_level ==
704 DCERPC_AUTH_LEVEL_INTEGRITY),
705 (auth_info->auth_level ==
706 DCERPC_AUTH_LEVEL_PRIVACY),
707 true,
708 &auth_info->credentials,
709 response,
710 &gse_ctx);
711 if (!NT_STATUS_IS_OK(status)) {
712 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
713 nt_errstr(status)));
714 goto err;
715 }
716
717 /* Make sure data is bound to the memctx, to be freed the caller */
718 talloc_steal(mem_ctx, response->data);
719
720 p->auth.auth_ctx = gse_ctx;
721 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
722
723 DEBUG(10, ("KRB5 auth started\n"));
724
725 return true;
726
727 err:
728 TALLOC_FREE(gse_ctx);
729 return false;
730 }
731
732 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
733 struct gse_context *gse_ctx,
734 const struct tsocket_address *remote_address,
735 struct auth_session_info **session_info)
736 {
737 NTSTATUS status;
738 bool bret;
739
740 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
741 ensure the underlying flags are also set. If not we should
742 refuse the bind. */
743
744 status = gssapi_server_check_flags(gse_ctx);
745 if (!NT_STATUS_IS_OK(status)) {
746 DEBUG(0, ("Requested Security Layers not honored!\n"));
747 return status;
748 }
749
750 status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
751 remote_address, session_info);
752 if (!NT_STATUS_IS_OK(status)) {
753 DEBUG(0, (__location__ ": failed to obtain the server info "
754 "for authenticated user: %s\n", nt_errstr(status)));
755 return status;
756 }
757
758 /*
759 * We're an authenticated bind over smb, so the session key needs to
760 * be set to "SystemLibraryDTC". Weird, but this is what Windows
761 * does. See the RPC-SAMBA3SESSIONKEY.
762 */
763
764 bret = session_info_set_session_key((*session_info), generic_session_key());
765 if (!bret) {
766 return NT_STATUS_ACCESS_DENIED;
767 }
768
769 return NT_STATUS_OK;
770 }
771
772 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
773 {
774 enum spnego_mech auth_type;
775 struct auth_ntlmssp_state *ntlmssp_ctx;
776 struct spnego_context *spnego_ctx;
777 struct gse_context *gse_ctx;
778 void *mech_ctx;
779 NTSTATUS status;
780
781 switch (p->auth.auth_type) {
782 case DCERPC_AUTH_TYPE_NTLMSSP:
783 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
784 struct auth_ntlmssp_state);
785 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
786 p->auth.auth_level,
787 &p->session_info)) {
788 return NT_STATUS_ACCESS_DENIED;
789 }
790 break;
791 case DCERPC_AUTH_TYPE_KRB5:
792 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
793 struct gse_context);
794 status = pipe_gssapi_verify_final(p, gse_ctx,
795 p->remote_address,
796 &p->session_info);
797 if (!NT_STATUS_IS_OK(status)) {
798 DEBUG(1, ("gssapi bind failed with: %s",
799 nt_errstr(status)));
800 return status;
801 }
802 break;
803 case DCERPC_AUTH_TYPE_SPNEGO:
804 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
805 struct spnego_context);
806 status = spnego_get_negotiated_mech(spnego_ctx,
807 &auth_type, &mech_ctx);
808 if (!NT_STATUS_IS_OK(status)) {
809 DEBUG(0, ("Bad SPNEGO state (%s)\n",
810 nt_errstr(status)));
811 return status;
812 }
813 switch(auth_type) {
814 case SPNEGO_KRB5:
815 gse_ctx = talloc_get_type_abort(mech_ctx,
816 struct gse_context);
817 status = pipe_gssapi_verify_final(p, gse_ctx,
818 p->remote_address,
819 &p->session_info);
820 if (!NT_STATUS_IS_OK(status)) {
821 DEBUG(1, ("gssapi bind failed with: %s",
822 nt_errstr(status)));
823 return status;
824 }
825 break;
826 case SPNEGO_NTLMSSP:
827 ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
828 struct auth_ntlmssp_state);
829 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
830 p->auth.auth_level,
831 &p->session_info)) {
832 return NT_STATUS_ACCESS_DENIED;
833 }
834 break;
835 default:
836 DEBUG(0, (__location__ ": incorrect spnego type "
837 "(%d).\n", auth_type));
838 return NT_STATUS_ACCESS_DENIED;
839 }
840 break;
841 default:
842 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
843 (unsigned int)p->auth.auth_type));
844 return NT_STATUS_ACCESS_DENIED;
845 }
846
847 p->pipe_bound = true;
848
849 return NT_STATUS_OK;
850 }
851
852 /*******************************************************************
853 Respond to a pipe bind request.
854 *******************************************************************/
855
856 static bool api_pipe_bind_req(struct pipes_struct *p,
857 struct ncacn_packet *pkt)
858 {
859 struct dcerpc_auth auth_info;
860 uint16 assoc_gid;
861 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
862 NTSTATUS status;
863 struct ndr_syntax_id id;
864 union dcerpc_payload u;
865 struct dcerpc_ack_ctx bind_ack_ctx;
866 DATA_BLOB auth_resp = data_blob_null;
867 DATA_BLOB auth_blob = data_blob_null;
868
869 /* No rebinds on a bound pipe - use alter context. */
870 if (p->pipe_bound) {
871 DEBUG(2,("Rejecting bind request on bound rpc connection\n"));
872 return setup_bind_nak(p, pkt);
873 }
874
875 if (pkt->u.bind.num_contexts == 0) {
876 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
877 goto err_exit;
878 }
879
880 /*
881 * Try and find the correct pipe name to ensure
882 * that this is a pipe name we support.
883 */
884 id = pkt->u.bind.ctx_list[0].abstract_syntax;
885 if (rpc_srv_pipe_exists_by_id(&id)) {
886 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
887 rpc_srv_get_pipe_cli_name(&id),
888 rpc_srv_get_pipe_srv_name(&id)));
889 } else {
890 status = smb_probe_module(
891 "rpc", get_pipe_name_from_syntax(
892 talloc_tos(),
893 &id));
894
895 if (NT_STATUS_IS_ERR(status)) {
896 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
897 "%s in bind request.\n",
898 get_pipe_name_from_syntax(talloc_tos(), &id)));
899
900 return setup_bind_nak(p, pkt);
901 }
902
903 if (rpc_srv_get_pipe_interface_by_cli_name(
904 get_pipe_name_from_syntax(talloc_tos(),
905 &id),
906 &id)) {
907 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
908 rpc_srv_get_pipe_cli_name(&id),
909 rpc_srv_get_pipe_srv_name(&id)));
910 } else {
911 DEBUG(0, ("module %s doesn't provide functions for "
912 "pipe %s!\n",
913 get_pipe_name_from_syntax(talloc_tos(), &id),
914 get_pipe_name_from_syntax(talloc_tos(), &id)));
915 return setup_bind_nak(p, pkt);
916 }
917 }
918
919 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
920
921 if (pkt->u.bind.assoc_group_id != 0) {
922 assoc_gid = pkt->u.bind.assoc_group_id;
923 } else {
924 assoc_gid = 0x53f0;
925 }
926
927 /*
928 * Create the bind response struct.
929 */
930
931 /* If the requested abstract synt uuid doesn't match our client pipe,
932 reject the bind_ack & set the transfer interface synt to all 0's,
933 ver 0 (observed when NT5 attempts to bind to abstract interfaces
934 unknown to NT4)
935 Needed when adding entries to a DACL from NT5 - SK */
936
937 if (check_bind_req(p,
938 &pkt->u.bind.ctx_list[0].abstract_syntax,
939 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
940 pkt->u.bind.ctx_list[0].context_id)) {
941
942 bind_ack_ctx.result = 0;
943 bind_ack_ctx.reason = 0;
944 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
945 } else {
946 p->pipe_bound = False;
947 /* Rejection reason: abstract syntax not supported */
948 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
949 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
950 bind_ack_ctx.syntax = null_ndr_syntax_id;
951 }
952
953 /*
954 * Check if this is an authenticated bind request.
955 */
956 if (pkt->auth_length) {
957 /* Quick length check. Won't catch a bad auth footer,
958 * prevents overrun. */
959
960 if (pkt->frag_length < RPC_HEADER_LEN +
961 DCERPC_AUTH_TRAILER_LENGTH +
962 pkt->auth_length) {
963 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
964 "too long for fragment %u.\n",
965 (unsigned int)pkt->auth_length,
966 (unsigned int)pkt->frag_length));
967 goto err_exit;
968 }
969
970 /*
971 * Decode the authentication verifier.
972 */
973 status = dcerpc_pull_dcerpc_auth(pkt,
974 &pkt->u.bind.auth_info,
975 &auth_info, p->endian);
976 if (!NT_STATUS_IS_OK(status)) {
977 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
978 goto err_exit;
979 }
980
981 auth_type = auth_info.auth_type;
982
983 /* Work out if we have to sign or seal etc. */
984 switch (auth_info.auth_level) {
985 case DCERPC_AUTH_LEVEL_INTEGRITY:
986 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
987 break;
988 case DCERPC_AUTH_LEVEL_PRIVACY:
989 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
990 break;
991 case DCERPC_AUTH_LEVEL_CONNECT:
992 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
993 break;
994 default:
995 DEBUG(0, ("Unexpected auth level (%u).\n",
996 (unsigned int)auth_info.auth_level ));
997 goto err_exit;
998 }
999
1000 switch (auth_type) {
1001 case DCERPC_AUTH_TYPE_NTLMSSP:
1002 if (!pipe_ntlmssp_auth_bind(p, pkt,
1003 &auth_info, &auth_resp)) {
1004 goto err_exit;
1005 }
1006 assoc_gid = 0x7a77;
1007 break;
1008
1009 case DCERPC_AUTH_TYPE_SCHANNEL:
1010 if (!pipe_schannel_auth_bind(p, pkt,
1011 &auth_info, &auth_resp)) {
1012 goto err_exit;
1013 }
1014 break;
1015
1016 case DCERPC_AUTH_TYPE_SPNEGO:
1017 if (!pipe_spnego_auth_bind(p, pkt,
1018 &auth_info, &auth_resp)) {
1019 goto err_exit;
1020 }
1021 break;
1022
1023 case DCERPC_AUTH_TYPE_KRB5:
1024 if (!pipe_gssapi_auth_bind(p, pkt,
1025 &auth_info, &auth_resp)) {
1026 goto err_exit;
1027 }
1028 break;
1029
1030 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1031 if (p->transport == NCALRPC && p->ncalrpc_as_system) {
1032 TALLOC_FREE(p->session_info);
1033
1034 status = make_session_info_system(p,
1035 &p->session_info);
1036 if (!NT_STATUS_IS_OK(status)) {
1037 goto err_exit;
1038 }
1039
1040 auth_resp = data_blob_talloc(pkt,
1041 "NCALRPC_AUTH_OK",
1042 15);
1043
1044 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1045 p->pipe_bound = true;
1046 } else {
1047 goto err_exit;
1048 }
1049 break;
1050
1051 case DCERPC_AUTH_TYPE_NONE:
1052 break;
1053
1054 default:
1055 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1056 goto err_exit;
1057 }
1058 }
1059
1060 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1061 /* Unauthenticated bind request. */
1062 /* We're finished - no more packets. */
1063 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1064 /* We must set the pipe auth_level here also. */
1065 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1066 p->pipe_bound = True;
1067 /* The session key was initialized from the SMB
1068 * session in make_internal_rpc_pipe_p */
1069 }
1070
1071 ZERO_STRUCT(u.bind_ack);
1072 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1073 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1074 u.bind_ack.assoc_group_id = assoc_gid;
1075
1076 /* name has to be \PIPE\xxxxx */
1077 u.bind_ack.secondary_address =
1078 talloc_asprintf(pkt, "\\PIPE\\%s",
1079 rpc_srv_get_pipe_srv_name(&id));
1080 if (!u.bind_ack.secondary_address) {
1081 DEBUG(0, ("Out of memory!\n"));
1082 goto err_exit;
1083 }
1084 u.bind_ack.secondary_address_size =
1085 strlen(u.bind_ack.secondary_address) + 1;
1086
1087 u.bind_ack.num_results = 1;
1088 u.bind_ack.ctx_list = &bind_ack_ctx;
1089
1090 /* NOTE: We leave the auth_info empty so we can calculate the padding
1091 * later and then append the auth_info --simo */
1092
1093 /*
1094 * Marshall directly into the outgoing PDU space. We
1095 * must do this as we need to set to the bind response
1096 * header and are never sending more than one PDU here.
1097 */
1098
1099 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1100 DCERPC_PKT_BIND_ACK,
1101 DCERPC_PFC_FLAG_FIRST |
1102 DCERPC_PFC_FLAG_LAST,
1103 auth_resp.length,
1104 pkt->call_id,
1105 &u,
1106 &p->out_data.frag);
1107 if (!NT_STATUS_IS_OK(status)) {
1108 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1109 nt_errstr(status)));
1110 }
1111
1112 if (auth_resp.length) {
1113
1114 status = dcerpc_push_dcerpc_auth(pkt,
1115 auth_type,
1116 auth_info.auth_level,
1117 0,
1118 1, /* auth_context_id */
1119 &auth_resp,
1120 &auth_blob);
1121 if (!NT_STATUS_IS_OK(status)) {
1122 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1123 goto err_exit;
1124 }
1125 }
1126
1127 /* Now that we have the auth len store it into the right place in
1128 * the dcerpc header */
1129 dcerpc_set_frag_length(&p->out_data.frag,
1130 p->out_data.frag.length + auth_blob.length);
1131
1132 if (auth_blob.length) {
1133
1134 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1135 auth_blob.data, auth_blob.length)) {
1136 DEBUG(0, ("Append of auth info failed.\n"));
1137 goto err_exit;
1138 }
1139 }
1140
1141 /*
1142 * Setup the lengths for the initial reply.
1143 */
1144
1145 p->out_data.data_sent_length = 0;
1146 p->out_data.current_pdu_sent = 0;
1147
1148 TALLOC_FREE(auth_blob.data);
1149 return True;
1150
1151 err_exit:
1152
1153 data_blob_free(&p->out_data.frag);
1154 TALLOC_FREE(auth_blob.data);
1155 return setup_bind_nak(p, pkt);
1156 }
1157
1158 /*******************************************************************
1159 This is the "stage3" response after a bind request and reply.
1160 *******************************************************************/
1161
1162 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1163 {
1164 struct dcerpc_auth auth_info;
1165 DATA_BLOB response = data_blob_null;
1166 struct auth_ntlmssp_state *ntlmssp_ctx;
1167 struct spnego_context *spnego_ctx;
1168 struct gse_context *gse_ctx;
1169 NTSTATUS status;
1170
1171 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1172
1173 if (pkt->auth_length == 0) {
1174 DEBUG(0, ("No auth field sent for bind request!\n"));
1175 goto err;
1176 }
1177
1178 /* Ensure there's enough data for an authenticated request. */
1179 if (pkt->frag_length < RPC_HEADER_LEN
1180 + DCERPC_AUTH_TRAILER_LENGTH
1181 + pkt->auth_length) {
1182 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1183 "%u is too large.\n",
1184 (unsigned int)pkt->auth_length));
1185 goto err;
1186 }
1187
1188 /*
1189 * Decode the authentication verifier response.
1190 */
1191
1192 status = dcerpc_pull_dcerpc_auth(pkt,
1193 &pkt->u.auth3.auth_info,
1194 &auth_info, p->endian);
1195 if (!NT_STATUS_IS_OK(status)) {
1196 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1197 goto err;
1198 }
1199
1200 /* We must NEVER look at auth_info->auth_pad_len here,
1201 * as old Samba client code gets it wrong and sends it
1202 * as zero. JRA.
1203 */
1204
1205 if (auth_info.auth_type != p->auth.auth_type) {
1206 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1207 "but auth was started as type %d!\n",
1208 auth_info.auth_type, p->auth.auth_type));
1209 goto err;
1210 }
1211
1212 switch (auth_info.auth_type) {
1213 case DCERPC_AUTH_TYPE_NTLMSSP:
1214 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1215 struct auth_ntlmssp_state);
1216 status = ntlmssp_server_step(ntlmssp_ctx,
1217 pkt, &auth_info.credentials,
1218 &response);
1219 break;
1220 case DCERPC_AUTH_TYPE_KRB5:
1221 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1222 struct gse_context);
1223 status = gssapi_server_step(gse_ctx,
1224 pkt, &auth_info.credentials,
1225 &response);
1226 break;
1227 case DCERPC_AUTH_TYPE_SPNEGO:
1228 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1229 struct spnego_context);
1230 status = spnego_server_step(spnego_ctx,
1231 pkt, &auth_info.credentials,
1232 &response);
1233 break;
1234 default:
1235 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1236 (unsigned int)auth_info.auth_type));
1237 return false;
1238 }
1239
1240 if (NT_STATUS_EQUAL(status,
1241 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1242 response.length) {
1243 DEBUG(0, (__location__ ": This was supposed to be the final "
1244 "leg, but crypto machinery claims a response is "
1245 "needed, aborting auth!\n"));
1246 data_blob_free(&response);
1247 goto err;
1248 }
1249 if (!NT_STATUS_IS_OK(status)) {
1250 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1251 goto err;
1252 }
1253
1254 /* Now verify auth was indeed successful and extract server info */
1255 status = pipe_auth_verify_final(p);
1256 if (!NT_STATUS_IS_OK(status)) {
1257 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1258 goto err;
1259 }
1260
1261 return true;
1262
1263 err:
1264
1265 TALLOC_FREE(p->auth.auth_ctx);
1266 return false;
1267 }
1268
1269 /****************************************************************************
1270 Deal with an alter context call. Can be third part of 3 leg auth request for
1271 SPNEGO calls.
1272 ****************************************************************************/
1273
1274 static bool api_pipe_alter_context(struct pipes_struct *p,
1275 struct ncacn_packet *pkt)
1276 {
1277 struct dcerpc_auth auth_info;
1278 uint16 assoc_gid;
1279 NTSTATUS status;
1280 union dcerpc_payload u;
1281 struct dcerpc_ack_ctx bind_ack_ctx;
1282 DATA_BLOB auth_resp = data_blob_null;
1283 DATA_BLOB auth_blob = data_blob_null;
1284 int pad_len = 0;
1285 struct auth_ntlmssp_state *ntlmssp_ctx;
1286 struct spnego_context *spnego_ctx;
1287 struct gse_context *gse_ctx;
1288
1289 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1290
1291 if (pkt->u.bind.assoc_group_id != 0) {
1292 assoc_gid = pkt->u.bind.assoc_group_id;
1293 } else {
1294 assoc_gid = 0x53f0;
1295 }
1296
1297 /*
1298 * Create the bind response struct.
1299 */
1300
1301 /* If the requested abstract synt uuid doesn't match our client pipe,
1302 reject the bind_ack & set the transfer interface synt to all 0's,
1303 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1304 unknown to NT4)
1305 Needed when adding entries to a DACL from NT5 - SK */
1306
1307 if (check_bind_req(p,
1308 &pkt->u.bind.ctx_list[0].abstract_syntax,
1309 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1310 pkt->u.bind.ctx_list[0].context_id)) {
1311
1312 bind_ack_ctx.result = 0;
1313 bind_ack_ctx.reason = 0;
1314 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1315 } else {
1316 p->pipe_bound = False;
1317 /* Rejection reason: abstract syntax not supported */
1318 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1319 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1320 bind_ack_ctx.syntax = null_ndr_syntax_id;
1321 }
1322
1323 /*
1324 * Check if this is an authenticated alter context request.
1325 */
1326 if (pkt->auth_length) {
1327 /* Quick length check. Won't catch a bad auth footer,
1328 * prevents overrun. */
1329
1330 if (pkt->frag_length < RPC_HEADER_LEN +
1331 DCERPC_AUTH_TRAILER_LENGTH +
1332 pkt->auth_length) {
1333 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1334 "too long for fragment %u.\n",
1335 (unsigned int)pkt->auth_length,
1336 (unsigned int)pkt->frag_length ));
1337 goto err_exit;
1338 }
1339
1340 status = dcerpc_pull_dcerpc_auth(pkt,
1341 &pkt->u.bind.auth_info,
1342 &auth_info, p->endian);
1343 if (!NT_STATUS_IS_OK(status)) {
1344 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1345 goto err_exit;
1346 }
1347
1348 /* We can only finish if the pipe is unbound for now */
1349 if (p->pipe_bound) {
1350 DEBUG(0, (__location__ ": Pipe already bound, "
1351 "Altering Context not yet supported!\n"));
1352 goto err_exit;
1353 }
1354
1355 if (auth_info.auth_type != p->auth.auth_type) {
1356 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1357 "but auth was started as type %d!\n",
1358 auth_info.auth_type, p->auth.auth_type));
1359 goto err_exit;
1360 }
1361
1362
1363 switch (auth_info.auth_type) {
1364 case DCERPC_AUTH_TYPE_SPNEGO:
1365 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1366 struct spnego_context);
1367 status = spnego_server_step(spnego_ctx,
1368 pkt,
1369 &auth_info.credentials,
1370 &auth_resp);
1371 break;
1372
1373 case DCERPC_AUTH_TYPE_KRB5:
1374 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1375 struct gse_context);
1376 status = gssapi_server_step(gse_ctx,
1377 pkt,
1378 &auth_info.credentials,
1379 &auth_resp);
1380 break;
1381 case DCERPC_AUTH_TYPE_NTLMSSP:
1382 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1383 struct auth_ntlmssp_state);
1384 status = ntlmssp_server_step(ntlmssp_ctx,
1385 pkt,
1386 &auth_info.credentials,
1387 &auth_resp);
1388 break;
1389
1390 default:
1391 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1392 "in alter-context call\n",
1393 auth_info.auth_type));
1394 goto err_exit;
1395 }
1396
1397 if (NT_STATUS_IS_OK(status)) {
1398 /* third leg of auth, verify auth info */
1399 status = pipe_auth_verify_final(p);
1400 if (!NT_STATUS_IS_OK(status)) {
1401 DEBUG(0, ("Auth Verify failed (%s)\n",
1402 nt_errstr(status)));
1403 goto err_exit;
1404 }
1405 } else if (NT_STATUS_EQUAL(status,
1406 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1407 DEBUG(10, ("More auth legs required.\n"));
1408 } else {
1409 DEBUG(0, ("Auth step returned an error (%s)\n",
1410 nt_errstr(status)));
1411 goto err_exit;
1412 }
1413 }
1414
1415 ZERO_STRUCT(u.alter_resp);
1416 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1417 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1418 u.alter_resp.assoc_group_id = assoc_gid;
1419
1420 /* secondary address CAN be NULL
1421 * as the specs say it's ignored.
1422 * It MUST be NULL to have the spoolss working.
1423 */
1424 u.alter_resp.secondary_address = "";
1425 u.alter_resp.secondary_address_size = 1;
1426
1427 u.alter_resp.num_results = 1;
1428 u.alter_resp.ctx_list = &bind_ack_ctx;
1429
1430 /* NOTE: We leave the auth_info empty so we can calculate the padding
1431 * later and then append the auth_info --simo */
1432
1433 /*
1434 * Marshall directly into the outgoing PDU space. We
1435 * must do this as we need to set to the bind response
1436 * header and are never sending more than one PDU here.
1437 */
1438
1439 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1440 DCERPC_PKT_ALTER_RESP,
1441 DCERPC_PFC_FLAG_FIRST |
1442 DCERPC_PFC_FLAG_LAST,
1443 auth_resp.length,
1444 pkt->call_id,
1445 &u,
1446 &p->out_data.frag);
1447 if (!NT_STATUS_IS_OK(status)) {
1448 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1449 nt_errstr(status)));
1450 }
1451
1452 if (auth_resp.length) {
1453
1454 /* Work out any padding needed before the auth footer. */
1455 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1456 if (pad_len) {
1457 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1458 DEBUG(10, ("auth pad_len = %u\n",
1459 (unsigned int)pad_len));
1460 }
1461
1462 status = dcerpc_push_dcerpc_auth(pkt,
1463 auth_info.auth_type,
1464 auth_info.auth_level,
1465 pad_len,
1466 1, /* auth_context_id */
1467 &auth_resp,
1468 &auth_blob);
1469 if (!NT_STATUS_IS_OK(status)) {
1470 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1471 goto err_exit;
1472 }
1473 }
1474
1475 /* Now that we have the auth len store it into the right place in
1476 * the dcerpc header */
1477 dcerpc_set_frag_length(&p->out_data.frag,
1478 p->out_data.frag.length +
1479 pad_len + auth_blob.length);
1480
1481 if (auth_resp.length) {
1482 if (pad_len) {
1483 char pad[SERVER_NDR_PADDING_SIZE];
1484 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1485 if (!data_blob_append(p->mem_ctx,
1486 &p->out_data.frag,
1487 pad, pad_len)) {
1488 DEBUG(0, ("api_pipe_bind_req: failed to add "
1489 "%u bytes of pad data.\n",
1490 (unsigned int)pad_len));
1491 goto err_exit;
1492 }
1493 }
1494
1495 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1496 auth_blob.data, auth_blob.length)) {
1497 DEBUG(0, ("Append of auth info failed.\n"));
1498 goto err_exit;
1499 }
1500 }
1501
1502 /*
1503 * Setup the lengths for the initial reply.
1504 */
1505
1506 p->out_data.data_sent_length = 0;
1507 p->out_data.current_pdu_sent = 0;
1508
1509 TALLOC_FREE(auth_blob.data);
1510 return True;
1511
1512 err_exit:
1513
1514 data_blob_free(&p->out_data.frag);
1515 TALLOC_FREE(auth_blob.data);
1516 return setup_bind_nak(p, pkt);
1517 }
1518
1519 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1520 const struct api_struct *api_rpc_cmds, int n_cmds,
1521 const struct ndr_syntax_id *syntax);
1522
1523 /****************************************************************************
1524 Find the correct RPC function to call for this request.
1525 If the pipe is authenticated then become the correct UNIX user
1526 before doing the call.
1527 ****************************************************************************/
1528
1529 static bool api_pipe_request(struct pipes_struct *p,
1530 struct ncacn_packet *pkt)
1531 {
1532 bool ret = False;
1533 struct pipe_rpc_fns *pipe_fns;
1534
1535 if (!p->pipe_bound) {
1536 DEBUG(1, ("Pipe not bound!\n"));
1537 data_blob_free(&p->out_data.rdata);
1538 return false;
1539 }
1540
1541 if (!become_authenticated_pipe_user(p->session_info)) {
1542 DEBUG(1, ("Failed to become pipe user!\n"));
1543 data_blob_free(&p->out_data.rdata);
1544 return false;
1545 }
1546
1547 /* get the set of RPC functions for this context */
1548
1549 pipe_fns = find_pipe_fns_by_context(p->contexts,
1550 pkt->u.request.context_id);
1551
1552 if ( pipe_fns ) {
1553 TALLOC_CTX *frame = talloc_stackframe();
1554
1555 DEBUG(5, ("Requested %s rpc service\n",
1556 get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
1557
1558 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1559 &pipe_fns->syntax);
1560
1561 TALLOC_FREE(frame);
1562 }
1563 else {
1564 DEBUG(0, ("No rpc function table associated with context "
1565 "[%d]\n",
1566 pkt->u.request.context_id));
1567 }
1568
1569 unbecome_authenticated_pipe_user();
1570
1571 return ret;
1572 }
1573
1574 /*******************************************************************
1575 Calls the underlying RPC function for a named pipe.
1576 ********************************************************************/
1577
1578 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1579 const struct api_struct *api_rpc_cmds, int n_cmds,
1580 const struct ndr_syntax_id *syntax)
1581 {
1582 int fn_num;
1583 uint32_t offset1;
1584
1585 /* interpret the command */
1586 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1587 get_pipe_name_from_syntax(talloc_tos(), syntax),
1588 pkt->u.request.opnum));
1589
1590 if (DEBUGLEVEL >= 50) {
1591 fstring name;
1592 slprintf(name, sizeof(name)-1, "in_%s",
1593 get_pipe_name_from_syntax(talloc_tos(), syntax));
1594 dump_pdu_region(name, pkt->u.request.opnum,
1595 &p->in_data.data, 0,
1596 p->in_data.data.length);
1597 }
1598
1599 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1600 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1601 api_rpc_cmds[fn_num].fn != NULL) {
1602 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1603 api_rpc_cmds[fn_num].name));
1604 break;
1605 }
1606 }
1607
1608 if (fn_num == n_cmds) {
1609 /*
1610 * For an unknown RPC just return a fault PDU but
1611 * return True to allow RPC's on the pipe to continue
1612 * and not put the pipe into fault state. JRA.
1613 */
1614 DEBUG(4, ("unknown\n"));
1615 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1616 return True;
1617 }
1618
1619 offset1 = p->out_data.rdata.length;
1620
1621 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1622 fn_num, api_rpc_cmds[fn_num].fn));
1623 /* do the actual command */
1624 if(!api_rpc_cmds[fn_num].fn(p)) {
1625 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1626 get_pipe_name_from_syntax(talloc_tos(), syntax),
1627 api_rpc_cmds[fn_num].name));
1628 data_blob_free(&p->out_data.rdata);
1629 return False;
1630 }
1631
1632 if (p->bad_handle_fault_state) {
1633 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1634 p->bad_handle_fault_state = False;
1635 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1636 return True;
1637 }
1638
1639 if (p->rng_fault_state) {
1640 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1641 p->rng_fault_state = False;
1642 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1643 return True;
1644 }
1645
1646 if (DEBUGLEVEL >= 50) {
1647 fstring name;
1648 slprintf(name, sizeof(name)-1, "out_%s",
1649 get_pipe_name_from_syntax(talloc_tos(), syntax));
1650 dump_pdu_region(name, pkt->u.request.opnum,
1651 &p->out_data.rdata, offset1,
1652 p->out_data.rdata.length);
1653 }
1654
1655 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1656 get_pipe_name_from_syntax(talloc_tos(), syntax)));
1657
1658 /* Check for buffer underflow in rpc parsing */
1659 if ((DEBUGLEVEL >= 10) &&
1660 (pkt->frag_length < p->in_data.data.length)) {
1661 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1662 dump_data(10, p->in_data.data.data + pkt->frag_length,
1663 p->in_data.data.length - pkt->frag_length);
1664 }
1665
1666 return True;
1667 }
1668
1669 /****************************************************************************
1670 Initialise an outgoing packet.
1671 ****************************************************************************/
1672
1673 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1674 {
1675 output_data *o_data = &p->out_data;
1676
1677 /* Reset the offset counters. */
1678 o_data->data_sent_length = 0;
1679 o_data->current_pdu_sent = 0;
1680
1681 data_blob_free(&o_data->frag);
1682
1683 /* Free any memory in the current return data buffer. */
1684 data_blob_free(&o_data->rdata);
1685
1686 return True;
1687 }
1688
1689 /****************************************************************************
1690 Sets the fault state on incoming packets.
1691 ****************************************************************************/
1692
1693 void set_incoming_fault(struct pipes_struct *p)
1694 {
1695 data_blob_free(&p->in_data.data);
1696 p->in_data.pdu_needed_len = 0;
1697 p->in_data.pdu.length = 0;
1698 p->fault_state = True;
1699
1700 DEBUG(10, ("Setting fault state\n"));
1701 }
1702
1703 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1704 struct ncacn_packet *pkt,
1705 DATA_BLOB *raw_pkt)
1706 {
1707 NTSTATUS status;
1708 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1709 size_t pad_len;
1710
1711 DEBUG(10, ("Checking request auth.\n"));
1712
1713 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1714 hdr_size += 16;
1715 }
1716
1717 /* in case of sealing this function will unseal the data in place */
1718 status = dcerpc_check_auth(auth, pkt,
1719 &pkt->u.request.stub_and_verifier,
1720 hdr_size, raw_pkt,
1721 &pad_len);
1722 if (!NT_STATUS_IS_OK(status)) {
1723 return status;
1724 }
1725
1726
1727 /* remove padding and auth trailer,
1728 * this way the caller will get just the data */
1729 if (pkt->auth_length) {
1730 size_t trail_len = pad_len
1731 + DCERPC_AUTH_TRAILER_LENGTH
1732 + pkt->auth_length;
1733 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1734 return NT_STATUS_INFO_LENGTH_MISMATCH;
1735 }
1736 pkt->u.request.stub_and_verifier.length -= trail_len;
1737 }
1738
1739 return NT_STATUS_OK;
1740 }
1741
1742 /****************************************************************************
1743 Processes a request pdu. This will do auth processing if needed, and
1744 appends the data into the complete stream if the LAST flag is not set.
1745 ****************************************************************************/
1746
1747 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1748 {
1749 NTSTATUS status;
1750 DATA_BLOB data;
1751
1752 if (!p->pipe_bound) {
1753 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1754 set_incoming_fault(p);
1755 return False;
1756 }
1757
1758 /* Store the opnum */
1759 p->opnum = pkt->u.request.opnum;
1760
1761 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1762 if (!NT_STATUS_IS_OK(status)) {
1763 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1764 nt_errstr(status)));
1765 set_incoming_fault(p);
1766 return false;
1767 }
1768
1769 data = pkt->u.request.stub_and_verifier;
1770
1771 /*
1772 * Check the data length doesn't go over the 15Mb limit.
1773 * increased after observing a bug in the Windows NT 4.0 SP6a
1774 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1775 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1776 */
1777
1778 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1779 DEBUG(0, ("process_request_pdu: "
1780 "rpc data buffer too large (%u) + (%u)\n",
1781 (unsigned int)p->in_data.data.length,
1782 (unsigned int)data.length));
1783 set_incoming_fault(p);
1784 return False;
1785 }
1786
1787 /*
1788 * Append the data portion into the buffer and return.
1789 */
1790
1791 if (data.length) {
1792 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1793 data.data, data.length)) {
1794 DEBUG(0, ("Unable to append data size %u "
1795 "to parse buffer of size %u.\n",
1796 (unsigned int)data.length,
1797 (unsigned int)p->in_data.data.length));
1798 set_incoming_fault(p);
1799 return False;
1800 }
1801 }
1802
1803 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1804 bool ret = False;
1805 /*
1806 * Ok - we finally have a complete RPC stream.
1807 * Call the rpc command to process it.
1808 */
1809
1810 /*
1811 * Process the complete data stream here.
1812 */
1813 if (pipe_init_outgoing_data(p)) {
1814 ret = api_pipe_request(p, pkt);
1815 }
1816
1817 return ret;
1818 }
1819
1820 return True;
1821 }
1822
1823 /****************************************************************************
1824 Processes a finished PDU stored in p->in_data.pdu.
1825 ****************************************************************************/
1826
1827 void process_complete_pdu(struct pipes_struct *p)
1828 {
1829 struct ncacn_packet *pkt = NULL;
1830 NTSTATUS status;
1831 bool reply = False;
1832
1833 if(p->fault_state) {
1834 DEBUG(10,("RPC connection in fault state.\n"));
1835 goto done;
1836 }
1837
1838 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1839 if (!pkt) {
1840 DEBUG(0, ("Out of memory!\n"));
1841 goto done;
1842 }
1843
1844 /*
1845 * Ensure we're using the corrent endianness for both the
1846 * RPC header flags and the raw data we will be reading from.
1847 */
1848 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1849 p->endian = RPC_LITTLE_ENDIAN;
1850 } else {
1851 p->endian = RPC_BIG_ENDIAN;
1852 }
1853 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1854
1855 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1856 pkt, p->endian);
1857 if (!NT_STATUS_IS_OK(status)) {
1858 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1859 nt_errstr(status)));
1860 goto done;
1861 }
1862
1863 /* Store the call_id */
1864 p->call_id = pkt->call_id;
1865
1866 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1867
1868 switch (pkt->ptype) {
1869 case DCERPC_PKT_REQUEST:
1870 reply = process_request_pdu(p, pkt);
1871 break;
1872
1873 case DCERPC_PKT_PING: /* CL request - ignore... */
1874 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1875 (unsigned int)pkt->ptype));
1876 break;
1877
1878 case DCERPC_PKT_RESPONSE: /* No responses here. */
1879 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1880 break;
1881
1882 case DCERPC_PKT_FAULT:
1883 case DCERPC_PKT_WORKING:
1884 /* CL request - reply to a ping when a call in process. */
1885 case DCERPC_PKT_NOCALL:
1886 /* CL - server reply to a ping call. */
1887 case DCERPC_PKT_REJECT:
1888 case DCERPC_PKT_ACK:
1889 case DCERPC_PKT_CL_CANCEL:
1890 case DCERPC_PKT_FACK:
1891 case DCERPC_PKT_CANCEL_ACK:
1892 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1893 (unsigned int)pkt->ptype));
1894 break;
1895
1896 case DCERPC_PKT_BIND:
1897 /*
1898 * We assume that a pipe bind is only in one pdu.
1899 */
1900 if (pipe_init_outgoing_data(p)) {
1901 reply = api_pipe_bind_req(p, pkt);
1902 }
1903 break;
1904
1905 case DCERPC_PKT_BIND_ACK:
1906 case DCERPC_PKT_BIND_NAK:
1907 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1908 "packet type %u received.\n",
1909 (unsigned int)pkt->ptype));
1910 break;
1911
1912
1913 case DCERPC_PKT_ALTER:
1914 /*
1915 * We assume that a pipe bind is only in one pdu.
1916 */
1917 if (pipe_init_outgoing_data(p)) {
1918 reply = api_pipe_alter_context(p, pkt);
1919 }
1920 break;
1921
1922 case DCERPC_PKT_ALTER_RESP:
1923 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1924 "Should only be server -> client.\n"));
1925 break;
1926
1927 case DCERPC_PKT_AUTH3:
1928 /*
1929 * The third packet in an auth exchange.
1930 */
1931 if (pipe_init_outgoing_data(p)) {
1932 reply = api_pipe_bind_auth3(p, pkt);
1933 }
1934 break;
1935
1936 case DCERPC_PKT_SHUTDOWN:
1937 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1938 "Should only be server -> client.\n"));
1939 break;
1940
1941 case DCERPC_PKT_CO_CANCEL:
1942 /* For now just free all client data and continue
1943 * processing. */
1944 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1945 " Abandoning rpc call.\n"));
1946 /* As we never do asynchronous RPC serving, we can
1947 * never cancel a call (as far as I know).
1948 * If we ever did we'd have to send a cancel_ack reply.
1949 * For now, just free all client data and continue
1950 * processing. */
1951 reply = True;
1952 break;
1953
1954 #if 0
1955 /* Enable this if we're doing async rpc. */
1956 /* We must check the outstanding callid matches. */
1957 if (pipe_init_outgoing_data(p)) {
1958 /* Send a cancel_ack PDU reply. */
1959 /* We should probably check the auth-verifier here. */
1960 reply = setup_cancel_ack_reply(p, pkt);
1961 }
1962 break;
1963 #endif
1964
1965 case DCERPC_PKT_ORPHANED:
1966 /* We should probably check the auth-verifier here.
1967 * For now just free all client data and continue
1968 * processing. */
1969 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1970 " Abandoning rpc call.\n"));
1971 reply = True;
1972 break;
1973
1974 default:
1975 DEBUG(0, ("process_complete_pdu: "
1976 "Unknown rpc type = %u received.\n",
1977 (unsigned int)pkt->ptype));
1978 break;
1979 }
1980
1981 done:
1982 if (!reply) {
1983 DEBUG(3,("DCE/RPC fault sent!"));
1984 set_incoming_fault(p);
1985 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1986 TALLOC_FREE(pkt);
1987 } else {
1988 /*
1989 * Reset the lengths. We're ready for a new pdu.
1990 */
1991 TALLOC_FREE(p->in_data.pdu.data);
1992 p->in_data.pdu_needed_len = 0;
1993 p->in_data.pdu.length = 0;
1994 }
1995
1996 TALLOC_FREE(pkt);
1997 }
1998
Samba GIT mirror