search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r25055: Add file_id_string_tos
[Samba.git] / source / rpc_server / srv_pipe.c
blobfefdb529b2cc1647d09a50de8f696d1e2f929916
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct pipe_id_info pipe_names[];
33 extern struct current_user current_user;
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
37
38 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39 {
40 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41
42 if (a) {
43 auth_ntlmssp_end(&a);
44 }
45 auth->a_u.auth_ntlmssp_state = NULL;
46 }
47
48 static DATA_BLOB generic_session_key(void)
49 {
50 return data_blob("SystemLibraryDTC", 16);
51 }
52
53 /*******************************************************************
54 Generate the next PDU to be returned from the data in p->rdata.
55 Handle NTLMSSP.
56 ********************************************************************/
57
58 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
59 {
60 RPC_HDR_RESP hdr_resp;
61 uint32 ss_padding_len = 0;
62 uint32 data_space_available;
63 uint32 data_len_left;
64 uint32 data_len;
65 prs_struct outgoing_pdu;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72 /*
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
75 */
76
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
80 }
81
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = RPC_RESPONSE;
86
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = RPC_FLG_FIRST;
90 } else {
91 p->hdr.flags = 0;
92 }
93
94 /*
95 * Work out how much we can fit in a single PDU.
96 */
97
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100 /*
101 * Ensure there really is data left to send.
102 */
103
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
107 }
108
109 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
110 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112 /*
113 * The amount we send is the minimum of the available
114 * space and the amount left to send.
115 */
116
117 data_len = MIN(data_len_left, data_space_available);
118
119 /*
120 * Set up the alloc hint. This should be the data left to
121 * send.
122 */
123
124 hdr_resp.alloc_hint = data_len_left;
125
126 /*
127 * Work out if this PDU will be the last.
128 */
129
130 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131 p->hdr.flags |= RPC_FLG_LAST;
132 if (data_len_left % 8) {
133 ss_padding_len = 8 - (data_len_left % 8);
134 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135 ss_padding_len ));
136 }
137 }
138
139 /*
140 * Set up the header lengths.
141 */
142
143 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144 data_len + ss_padding_len +
145 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149 /*
150 * Init the parse struct to point at the outgoing
151 * data.
152 */
153
154 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
155 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
156
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&outgoing_pdu);
161 return False;
162 }
163
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&outgoing_pdu);
167 return False;
168 }
169
170 /* Copy the data into the PDU. */
171
172 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174 prs_mem_free(&outgoing_pdu);
175 return False;
176 }
177
178 /* Copy the sign/seal padding data. */
179 if (ss_padding_len) {
180 char pad[8];
181
182 memset(pad, '\0', 8);
183 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
185 (unsigned int)ss_padding_len));
186 prs_mem_free(&outgoing_pdu);
187 return False;
188 }
189 }
190
191
192 /* Now write out the auth header and null blob. */
193 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
194 auth_type = RPC_NTLMSSP_AUTH_TYPE;
195 } else {
196 auth_type = RPC_SPNEGO_AUTH_TYPE;
197 }
198 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
199 auth_level = RPC_AUTH_LEVEL_PRIVACY;
200 } else {
201 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
202 }
203
204 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
205 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
206 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207 prs_mem_free(&outgoing_pdu);
208 return False;
209 }
210
211 /* Generate the sign blob. */
212
213 switch (p->auth.auth_level) {
214 case PIPE_AUTH_LEVEL_PRIVACY:
215 /* Data portion is encrypted. */
216 status = ntlmssp_seal_packet(a->ntlmssp_state,
217 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
218 data_len + ss_padding_len,
219 (unsigned char *)prs_data_p(&outgoing_pdu),
220 (size_t)prs_offset(&outgoing_pdu),
221 &auth_blob);
222 if (!NT_STATUS_IS_OK(status)) {
223 data_blob_free(&auth_blob);
224 prs_mem_free(&outgoing_pdu);
225 return False;
226 }
227 break;
228 case PIPE_AUTH_LEVEL_INTEGRITY:
229 /* Data is signed. */
230 status = ntlmssp_sign_packet(a->ntlmssp_state,
231 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232 data_len + ss_padding_len,
233 (unsigned char *)prs_data_p(&outgoing_pdu),
234 (size_t)prs_offset(&outgoing_pdu),
235 &auth_blob);
236 if (!NT_STATUS_IS_OK(status)) {
237 data_blob_free(&auth_blob);
238 prs_mem_free(&outgoing_pdu);
239 return False;
240 }
241 break;
242 default:
243 prs_mem_free(&outgoing_pdu);
244 return False;
245 }
246
247 /* Append the auth blob. */
248 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
249 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
250 (unsigned int)NTLMSSP_SIG_SIZE));
251 data_blob_free(&auth_blob);
252 prs_mem_free(&outgoing_pdu);
253 return False;
254 }
255
256 data_blob_free(&auth_blob);
257
258 /*
259 * Setup the counts for this PDU.
260 */
261
262 p->out_data.data_sent_length += data_len;
263 p->out_data.current_pdu_len = p->hdr.frag_len;
264 p->out_data.current_pdu_sent = 0;
265
266 prs_mem_free(&outgoing_pdu);
267 return True;
268 }
269
270 /*******************************************************************
271 Generate the next PDU to be returned from the data in p->rdata.
272 Return an schannel authenticated fragment.
273 ********************************************************************/
274
275 static BOOL create_next_pdu_schannel(pipes_struct *p)
276 {
277 RPC_HDR_RESP hdr_resp;
278 uint32 ss_padding_len = 0;
279 uint32 data_len;
280 uint32 data_space_available;
281 uint32 data_len_left;
282 prs_struct outgoing_pdu;
283 uint32 data_pos;
284
285 /*
286 * If we're in the fault state, keep returning fault PDU's until
287 * the pipe gets closed. JRA.
288 */
289
290 if(p->fault_state) {
291 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
292 return True;
293 }
294
295 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
296
297 /* Change the incoming request header to a response. */
298 p->hdr.pkt_type = RPC_RESPONSE;
299
300 /* Set up rpc header flags. */
301 if (p->out_data.data_sent_length == 0) {
302 p->hdr.flags = RPC_FLG_FIRST;
303 } else {
304 p->hdr.flags = 0;
305 }
306
307 /*
308 * Work out how much we can fit in a single PDU.
309 */
310
311 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
312
313 /*
314 * Ensure there really is data left to send.
315 */
316
317 if(!data_len_left) {
318 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
319 return False;
320 }
321
322 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
323 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
324
325 /*
326 * The amount we send is the minimum of the available
327 * space and the amount left to send.
328 */
329
330 data_len = MIN(data_len_left, data_space_available);
331
332 /*
333 * Set up the alloc hint. This should be the data left to
334 * send.
335 */
336
337 hdr_resp.alloc_hint = data_len_left;
338
339 /*
340 * Work out if this PDU will be the last.
341 */
342
343 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
344 p->hdr.flags |= RPC_FLG_LAST;
345 if (data_len_left % 8) {
346 ss_padding_len = 8 - (data_len_left % 8);
347 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
348 ss_padding_len ));
349 }
350 }
351
352 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
353 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
355
356 /*
357 * Init the parse struct to point at the outgoing
358 * data.
359 */
360
361 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
362 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
363
364 /* Store the header in the data stream. */
365 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
366 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
367 prs_mem_free(&outgoing_pdu);
368 return False;
369 }
370
371 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
373 prs_mem_free(&outgoing_pdu);
374 return False;
375 }
376
377 /* Store the current offset. */
378 data_pos = prs_offset(&outgoing_pdu);
379
380 /* Copy the data into the PDU. */
381
382 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
383 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
384 prs_mem_free(&outgoing_pdu);
385 return False;
386 }
387
388 /* Copy the sign/seal padding data. */
389 if (ss_padding_len) {
390 char pad[8];
391 memset(pad, '\0', 8);
392 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
394 prs_mem_free(&outgoing_pdu);
395 return False;
396 }
397 }
398
399 {
400 /*
401 * Schannel processing.
402 */
403 char *data;
404 RPC_HDR_AUTH auth_info;
405 RPC_AUTH_SCHANNEL_CHK verf;
406
407 data = prs_data_p(&outgoing_pdu) + data_pos;
408 /* Check it's the type of reply we were expecting to decode */
409
410 init_rpc_hdr_auth(&auth_info,
411 RPC_SCHANNEL_AUTH_TYPE,
412 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
413 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
414 ss_padding_len, 1);
415
416 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
417 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
418 prs_mem_free(&outgoing_pdu);
419 return False;
420 }
421
422 schannel_encode(p->auth.a_u.schannel_auth,
423 p->auth.auth_level,
424 SENDER_IS_ACCEPTOR,
425 &verf, data, data_len + ss_padding_len);
426
427 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
428 &verf, &outgoing_pdu, 0)) {
429 prs_mem_free(&outgoing_pdu);
430 return False;
431 }
432
433 p->auth.a_u.schannel_auth->seq_num++;
434 }
435
436 /*
437 * Setup the counts for this PDU.
438 */
439
440 p->out_data.data_sent_length += data_len;
441 p->out_data.current_pdu_len = p->hdr.frag_len;
442 p->out_data.current_pdu_sent = 0;
443
444 prs_mem_free(&outgoing_pdu);
445 return True;
446 }
447
448 /*******************************************************************
449 Generate the next PDU to be returned from the data in p->rdata.
450 No authentication done.
451 ********************************************************************/
452
453 static BOOL create_next_pdu_noauth(pipes_struct *p)
454 {
455 RPC_HDR_RESP hdr_resp;
456 uint32 data_len;
457 uint32 data_space_available;
458 uint32 data_len_left;
459 prs_struct outgoing_pdu;
460
461 /*
462 * If we're in the fault state, keep returning fault PDU's until
463 * the pipe gets closed. JRA.
464 */
465
466 if(p->fault_state) {
467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468 return True;
469 }
470
471 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472
473 /* Change the incoming request header to a response. */
474 p->hdr.pkt_type = RPC_RESPONSE;
475
476 /* Set up rpc header flags. */
477 if (p->out_data.data_sent_length == 0) {
478 p->hdr.flags = RPC_FLG_FIRST;
479 } else {
480 p->hdr.flags = 0;
481 }
482
483 /*
484 * Work out how much we can fit in a single PDU.
485 */
486
487 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
488
489 /*
490 * Ensure there really is data left to send.
491 */
492
493 if(!data_len_left) {
494 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495 return False;
496 }
497
498 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
499
500 /*
501 * The amount we send is the minimum of the available
502 * space and the amount left to send.
503 */
504
505 data_len = MIN(data_len_left, data_space_available);
506
507 /*
508 * Set up the alloc hint. This should be the data left to
509 * send.
510 */
511
512 hdr_resp.alloc_hint = data_len_left;
513
514 /*
515 * Work out if this PDU will be the last.
516 */
517
518 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
519 p->hdr.flags |= RPC_FLG_LAST;
520 }
521
522 /*
523 * Set up the header lengths.
524 */
525
526 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
527 p->hdr.auth_len = 0;
528
529 /*
530 * Init the parse struct to point at the outgoing
531 * data.
532 */
533
534 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
535 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
536
537 /* Store the header in the data stream. */
538 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
539 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540 prs_mem_free(&outgoing_pdu);
541 return False;
542 }
543
544 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
545 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546 prs_mem_free(&outgoing_pdu);
547 return False;
548 }
549
550 /* Copy the data into the PDU. */
551
552 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
553 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
554 prs_mem_free(&outgoing_pdu);
555 return False;
556 }
557
558 /*
559 * Setup the counts for this PDU.
560 */
561
562 p->out_data.data_sent_length += data_len;
563 p->out_data.current_pdu_len = p->hdr.frag_len;
564 p->out_data.current_pdu_sent = 0;
565
566 prs_mem_free(&outgoing_pdu);
567 return True;
568 }
569
570 /*******************************************************************
571 Generate the next PDU to be returned from the data in p->rdata.
572 ********************************************************************/
573
574 BOOL create_next_pdu(pipes_struct *p)
575 {
576 switch(p->auth.auth_level) {
577 case PIPE_AUTH_LEVEL_NONE:
578 case PIPE_AUTH_LEVEL_CONNECT:
579 /* This is incorrect for auth level connect. Fixme. JRA */
580 return create_next_pdu_noauth(p);
581
582 default:
583 switch(p->auth.auth_type) {
584 case PIPE_AUTH_TYPE_NTLMSSP:
585 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
586 return create_next_pdu_ntlmssp(p);
587 case PIPE_AUTH_TYPE_SCHANNEL:
588 return create_next_pdu_schannel(p);
589 default:
590 break;
591 }
592 }
593
594 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
595 (unsigned int)p->auth.auth_level,
596 (unsigned int)p->auth.auth_type));
597 return False;
598 }
599
600 /*******************************************************************
601 Process an NTLMSSP authentication response.
602 If this function succeeds, the user has been authenticated
603 and their domain, name and calling workstation stored in
604 the pipe struct.
605 *******************************************************************/
606
607 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
608 {
609 DATA_BLOB reply;
610 NTSTATUS status;
611 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* this has to be done as root in order to verify the password */
618 become_root();
619 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
620 unbecome_root();
621
622 /* Don't generate a reply. */
623 data_blob_free(&reply);
624
625 if (!NT_STATUS_IS_OK(status)) {
626 return False;
627 }
628
629 if (a->server_info->ptok == NULL) {
630 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
631 p->pipe_user.nt_user_token = NULL;
632 return False;
633 }
634
635 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
636 ensure the underlying NTLMSSP flags are also set. If not we should
637 refuse the bind. */
638
639 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
640 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
641 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
642 "but client declined signing.\n",
643 p->name ));
644 return False;
645 }
646 }
647 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
648 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
649 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
650 "but client declined sealing.\n",
651 p->name ));
652 return False;
653 }
654 }
655
656 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
657 a->ntlmssp_state->user, a->ntlmssp_state->domain,
658 a->ntlmssp_state->workstation));
659
660 /*
661 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
662 */
663
664 p->pipe_user.ut.uid = a->server_info->uid;
665 p->pipe_user.ut.gid = a->server_info->gid;
666
667 /*
668 * We're an authenticated bind over smb, so the session key needs to
669 * be set to "SystemLibraryDTC". Weird, but this is what Windows
670 * does. See the RPC-SAMBA3SESSIONKEY.
671 */
672
673 data_blob_free(&p->session_key);
674 p->session_key = generic_session_key();
675 if (!p->session_key.data) {
676 return False;
677 }
678
679 p->pipe_user.ut.ngroups = a->server_info->n_groups;
680 if (p->pipe_user.ut.ngroups) {
681 if (!(p->pipe_user.ut.groups = (gid_t *)
682 memdup(a->server_info->groups,
683 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
684 DEBUG(0,("pipe_ntlmssp_verify_final: failed to memdup group list to p->pipe_user.groups\n"));
685 data_blob_free(&p->session_key);
686 return False;
687 }
688 }
689
690 if (!a->server_info->ptok) {
691 DEBUG(1,("pipe_ntlmssp_verify_final: Error: Authmodule failed to provide nt_user_token\n"));
692 data_blob_free(&p->session_key);
693 SAFE_FREE(p->pipe_user.ut.groups);
694 return False;
695 }
696
697 p->pipe_user.nt_user_token = dup_nt_token(NULL, a->server_info->ptok);
698 if (!p->pipe_user.nt_user_token) {
699 DEBUG(1,("pipe_ntlmssp_verify_final: dup_nt_token failed.\n"));
700 data_blob_free(&p->session_key);
701 SAFE_FREE(p->pipe_user.ut.groups);
702 return False;
703 }
704
705 return True;
706 }
707
708 /*******************************************************************
709 The switch table for the pipe names and the functions to handle them.
710 *******************************************************************/
711
712 struct rpc_table {
713 struct {
714 const char *clnt;
715 const char *srv;
716 } pipe;
717 struct api_struct *cmds;
718 int n_cmds;
719 };
720
721 static struct rpc_table *rpc_lookup;
722 static int rpc_lookup_size;
723
724 /*******************************************************************
725 This is the "stage3" NTLMSSP response after a bind request and reply.
726 *******************************************************************/
727
728 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
729 {
730 RPC_HDR_AUTH auth_info;
731 uint32 pad;
732 DATA_BLOB blob;
733
734 ZERO_STRUCT(blob);
735
736 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
737
738 if (p->hdr.auth_len == 0) {
739 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
740 goto err;
741 }
742
743 /* 4 bytes padding. */
744 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
745 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
746 goto err;
747 }
748
749 /*
750 * Decode the authentication verifier response.
751 */
752
753 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
754 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
755 goto err;
756 }
757
758 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
759 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
760 (unsigned int)auth_info.auth_type ));
761 return False;
762 }
763
764 blob = data_blob(NULL,p->hdr.auth_len);
765
766 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
767 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
768 (unsigned int)p->hdr.auth_len ));
769 goto err;
770 }
771
772 /*
773 * The following call actually checks the challenge/response data.
774 * for correctness against the given DOMAIN\user name.
775 */
776
777 if (!pipe_ntlmssp_verify_final(p, &blob)) {
778 goto err;
779 }
780
781 data_blob_free(&blob);
782
783 p->pipe_bound = True;
784
785 return True;
786
787 err:
788
789 data_blob_free(&blob);
790 free_pipe_ntlmssp_auth_data(&p->auth);
791 p->auth.a_u.auth_ntlmssp_state = NULL;
792
793 return False;
794 }
795
796 /*******************************************************************
797 Marshall a bind_nak pdu.
798 *******************************************************************/
799
800 static BOOL setup_bind_nak(pipes_struct *p)
801 {
802 prs_struct outgoing_rpc;
803 RPC_HDR nak_hdr;
804 uint16 zero = 0;
805
806 /* Free any memory in the current return data buffer. */
807 prs_mem_free(&p->out_data.rdata);
808
809 /*
810 * Marshall directly into the outgoing PDU space. We
811 * must do this as we need to set to the bind response
812 * header and are never sending more than one PDU here.
813 */
814
815 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
816 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
817
818 /*
819 * Initialize a bind_nak header.
820 */
821
822 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
823 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
824
825 /*
826 * Marshall the header into the outgoing PDU.
827 */
828
829 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
830 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
831 prs_mem_free(&outgoing_rpc);
832 return False;
833 }
834
835 /*
836 * Now add the reject reason.
837 */
838
839 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
840 prs_mem_free(&outgoing_rpc);
841 return False;
842 }
843
844 p->out_data.data_sent_length = 0;
845 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
846 p->out_data.current_pdu_sent = 0;
847
848 if (p->auth.auth_data_free_func) {
849 (*p->auth.auth_data_free_func)(&p->auth);
850 }
851 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
852 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
853 p->pipe_bound = False;
854
855 return True;
856 }
857
858 /*******************************************************************
859 Marshall a fault pdu.
860 *******************************************************************/
861
862 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
863 {
864 prs_struct outgoing_pdu;
865 RPC_HDR fault_hdr;
866 RPC_HDR_RESP hdr_resp;
867 RPC_HDR_FAULT fault_resp;
868
869 /* Free any memory in the current return data buffer. */
870 prs_mem_free(&p->out_data.rdata);
871
872 /*
873 * Marshall directly into the outgoing PDU space. We
874 * must do this as we need to set to the bind response
875 * header and are never sending more than one PDU here.
876 */
877
878 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
879 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
880
881 /*
882 * Initialize a fault header.
883 */
884
885 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
886 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
887
888 /*
889 * Initialize the HDR_RESP and FAULT parts of the PDU.
890 */
891
892 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
893
894 fault_resp.status = status;
895 fault_resp.reserved = 0;
896
897 /*
898 * Marshall the header into the outgoing PDU.
899 */
900
901 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
902 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
903 prs_mem_free(&outgoing_pdu);
904 return False;
905 }
906
907 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
908 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
909 prs_mem_free(&outgoing_pdu);
910 return False;
911 }
912
913 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
914 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
915 prs_mem_free(&outgoing_pdu);
916 return False;
917 }
918
919 p->out_data.data_sent_length = 0;
920 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
921 p->out_data.current_pdu_sent = 0;
922
923 prs_mem_free(&outgoing_pdu);
924 return True;
925 }
926
927 #if 0
928 /*******************************************************************
929 Marshall a cancel_ack pdu.
930 We should probably check the auth-verifier here.
931 *******************************************************************/
932
933 BOOL setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
934 {
935 prs_struct outgoing_pdu;
936 RPC_HDR ack_reply_hdr;
937
938 /* Free any memory in the current return data buffer. */
939 prs_mem_free(&p->out_data.rdata);
940
941 /*
942 * Marshall directly into the outgoing PDU space. We
943 * must do this as we need to set to the bind response
944 * header and are never sending more than one PDU here.
945 */
946
947 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
948 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
949
950 /*
951 * Initialize a cancel_ack header.
952 */
953
954 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
955 p->hdr.call_id, RPC_HEADER_LEN, 0);
956
957 /*
958 * Marshall the header into the outgoing PDU.
959 */
960
961 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
962 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
963 prs_mem_free(&outgoing_pdu);
964 return False;
965 }
966
967 p->out_data.data_sent_length = 0;
968 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
969 p->out_data.current_pdu_sent = 0;
970
971 prs_mem_free(&outgoing_pdu);
972 return True;
973 }
974 #endif
975
976 /*******************************************************************
977 Ensure a bind request has the correct abstract & transfer interface.
978 Used to reject unknown binds from Win2k.
979 *******************************************************************/
980
981 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
982 RPC_IFACE* transfer, uint32 context_id)
983 {
984 char *pipe_name = p->name;
985 int i=0;
986 fstring pname;
987
988 fstrcpy(pname,"\\PIPE\\");
989 fstrcat(pname,pipe_name);
990
991 DEBUG(3,("check_bind_req for %s\n", pname));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for ( i=0; pipe_names[i].client_pipe; i++ ) {
996 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
997 if ( strequal(pipe_names[i].client_pipe, pname)
998 && (abstract->version == pipe_names[i].abstr_syntax.version)
999 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
1000 && (transfer->version == pipe_names[i].trans_syntax.version)
1001 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
1002 struct api_struct *fns = NULL;
1003 int n_fns = 0;
1004 PIPE_RPC_FNS *context_fns;
1005
1006 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1007 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1008 return False;
1009 }
1010
1011 /* save the RPC function table associated with this bind */
1012
1013 get_pipe_fns(i, &fns, &n_fns);
1014
1015 context_fns->cmds = fns;
1016 context_fns->n_cmds = n_fns;
1017 context_fns->context_id = context_id;
1018
1019 /* add to the list of open contexts */
1020
1021 DLIST_ADD( p->contexts, context_fns );
1022
1023 break;
1024 }
1025 }
1026
1027 if(pipe_names[i].client_pipe == NULL) {
1028 return False;
1029 }
1030
1031 return True;
1032 }
1033
1034 /*******************************************************************
1035 Register commands to an RPC pipe
1036 *******************************************************************/
1037
1038 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1039 {
1040 struct rpc_table *rpc_entry;
1041
1042 if (!clnt || !srv || !cmds) {
1043 return NT_STATUS_INVALID_PARAMETER;
1044 }
1045
1046 if (version != SMB_RPC_INTERFACE_VERSION) {
1047 DEBUG(0,("Can't register rpc commands!\n"
1048 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1049 ", while this version of samba uses version %d!\n",
1050 version,SMB_RPC_INTERFACE_VERSION));
1051 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1052 }
1053
1054 /* TODO:
1055 *
1056 * we still need to make sure that don't register the same commands twice!!!
1057 *
1058 * --metze
1059 */
1060
1061 /* We use a temporary variable because this call can fail and
1062 rpc_lookup will still be valid afterwards. It could then succeed if
1063 called again later */
1064 rpc_lookup_size++;
1065 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1066 if (NULL == rpc_entry) {
1067 rpc_lookup_size--;
1068 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1069 return NT_STATUS_NO_MEMORY;
1070 } else {
1071 rpc_lookup = rpc_entry;
1072 }
1073
1074 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1075 ZERO_STRUCTP(rpc_entry);
1076 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1077 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1078 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1079 if (!rpc_entry->cmds) {
1080 return NT_STATUS_NO_MEMORY;
1081 }
1082 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1083 rpc_entry->n_cmds += size;
1084
1085 return NT_STATUS_OK;
1086 }
1087
1088 /*******************************************************************
1089 Handle a SPNEGO krb5 bind auth.
1090 *******************************************************************/
1091
1092 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1093 DATA_BLOB *psecblob, prs_struct *pout_auth)
1094 {
1095 return False;
1096 }
1097
1098 /*******************************************************************
1099 Handle the first part of a SPNEGO bind auth.
1100 *******************************************************************/
1101
1102 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1103 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1104 {
1105 DATA_BLOB blob;
1106 DATA_BLOB secblob;
1107 DATA_BLOB response;
1108 DATA_BLOB chal;
1109 char *OIDs[ASN1_MAX_OIDS];
1110 int i;
1111 NTSTATUS status;
1112 BOOL got_kerberos_mechanism = False;
1113 AUTH_NTLMSSP_STATE *a = NULL;
1114 RPC_HDR_AUTH auth_info;
1115
1116 ZERO_STRUCT(secblob);
1117 ZERO_STRUCT(chal);
1118 ZERO_STRUCT(response);
1119
1120 /* Grab the SPNEGO blob. */
1121 blob = data_blob(NULL,p->hdr.auth_len);
1122
1123 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1124 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1125 (unsigned int)p->hdr.auth_len ));
1126 goto err;
1127 }
1128
1129 if (blob.data[0] != ASN1_APPLICATION(0)) {
1130 goto err;
1131 }
1132
1133 /* parse out the OIDs and the first sec blob */
1134 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1135 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1136 goto err;
1137 }
1138
1139 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1140 got_kerberos_mechanism = True;
1141 }
1142
1143 for (i=0;OIDs[i];i++) {
1144 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1145 SAFE_FREE(OIDs[i]);
1146 }
1147 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1148
1149 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1150 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1151 data_blob_free(&secblob);
1152 data_blob_free(&blob);
1153 return ret;
1154 }
1155
1156 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1157 /* Free any previous auth type. */
1158 free_pipe_ntlmssp_auth_data(&p->auth);
1159 }
1160
1161 /* Initialize the NTLM engine. */
1162 status = auth_ntlmssp_start(&a);
1163 if (!NT_STATUS_IS_OK(status)) {
1164 goto err;
1165 }
1166
1167 /*
1168 * Pass the first security blob of data to it.
1169 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1170 * which means we need another packet to complete the bind.
1171 */
1172
1173 status = auth_ntlmssp_update(a, secblob, &chal);
1174
1175 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1176 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1177 goto err;
1178 }
1179
1180 /* Generate the response blob we need for step 2 of the bind. */
1181 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1182
1183 /* Copy the blob into the pout_auth parse struct */
1184 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1185 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1186 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1187 goto err;
1188 }
1189
1190 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1191 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1192 goto err;
1193 }
1194
1195 p->auth.a_u.auth_ntlmssp_state = a;
1196 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1197 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1198
1199 data_blob_free(&blob);
1200 data_blob_free(&secblob);
1201 data_blob_free(&chal);
1202 data_blob_free(&response);
1203
1204 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1205 return True;
1206
1207 err:
1208
1209 data_blob_free(&blob);
1210 data_blob_free(&secblob);
1211 data_blob_free(&chal);
1212 data_blob_free(&response);
1213
1214 p->auth.a_u.auth_ntlmssp_state = NULL;
1215
1216 return False;
1217 }
1218
1219 /*******************************************************************
1220 Handle the second part of a SPNEGO bind auth.
1221 *******************************************************************/
1222
1223 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1224 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1225 {
1226 RPC_HDR_AUTH auth_info;
1227 DATA_BLOB spnego_blob;
1228 DATA_BLOB auth_blob;
1229 DATA_BLOB auth_reply;
1230 DATA_BLOB response;
1231 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1232
1233 ZERO_STRUCT(spnego_blob);
1234 ZERO_STRUCT(auth_blob);
1235 ZERO_STRUCT(auth_reply);
1236 ZERO_STRUCT(response);
1237
1238 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1239 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1240 goto err;
1241 }
1242
1243 /* Grab the SPNEGO blob. */
1244 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1245
1246 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1247 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1248 (unsigned int)p->hdr.auth_len ));
1249 goto err;
1250 }
1251
1252 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1253 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1254 goto err;
1255 }
1256
1257 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1258 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1259 goto err;
1260 }
1261
1262 /*
1263 * The following call actually checks the challenge/response data.
1264 * for correctness against the given DOMAIN\user name.
1265 */
1266
1267 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1268 goto err;
1269 }
1270
1271 data_blob_free(&spnego_blob);
1272 data_blob_free(&auth_blob);
1273
1274 /* Generate the spnego "accept completed" blob - no incoming data. */
1275 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1276
1277 /* Copy the blob into the pout_auth parse struct */
1278 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1279 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1280 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1281 goto err;
1282 }
1283
1284 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1285 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1286 goto err;
1287 }
1288
1289 data_blob_free(&auth_reply);
1290 data_blob_free(&response);
1291
1292 p->pipe_bound = True;
1293
1294 return True;
1295
1296 err:
1297
1298 data_blob_free(&spnego_blob);
1299 data_blob_free(&auth_blob);
1300 data_blob_free(&auth_reply);
1301 data_blob_free(&response);
1302
1303 free_pipe_ntlmssp_auth_data(&p->auth);
1304 p->auth.a_u.auth_ntlmssp_state = NULL;
1305
1306 return False;
1307 }
1308
1309 /*******************************************************************
1310 Handle an schannel bind auth.
1311 *******************************************************************/
1312
1313 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1314 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1315 {
1316 RPC_HDR_AUTH auth_info;
1317 RPC_AUTH_SCHANNEL_NEG neg;
1318 RPC_AUTH_VERIFIER auth_verifier;
1319 BOOL ret;
1320 struct dcinfo *pdcinfo;
1321 uint32 flags;
1322
1323 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1324 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1325 return False;
1326 }
1327
1328 /*
1329 * The neg.myname key here must match the remote computer name
1330 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1331 * operations that use credentials.
1332 */
1333
1334 become_root();
1335 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1336 unbecome_root();
1337
1338 if (!ret) {
1339 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1340 return False;
1341 }
1342
1343 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1344 if (!p->auth.a_u.schannel_auth) {
1345 TALLOC_FREE(pdcinfo);
1346 return False;
1347 }
1348
1349 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1350 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1351 sizeof(pdcinfo->sess_key));
1352
1353 TALLOC_FREE(pdcinfo);
1354
1355 p->auth.a_u.schannel_auth->seq_num = 0;
1356
1357 /*
1358 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1359 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1360 * struct of the person who opened the pipe. I need to test this further. JRA.
1361 *
1362 * VL. As we are mapping this to guest set the generic key
1363 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1364 * W2k3, as it does not allow schannel binds against SAMR and LSA
1365 * anymore.
1366 */
1367
1368 data_blob_free(&p->session_key);
1369 p->session_key = generic_session_key();
1370 if (p->session_key.data == NULL) {
1371 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1372 " key\n"));
1373 return False;
1374 }
1375
1376 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1377 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1378 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1379 return False;
1380 }
1381
1382 /*** SCHANNEL verifier ***/
1383
1384 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1385 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1386 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1387 return False;
1388 }
1389
1390 prs_align(pout_auth);
1391
1392 flags = 5;
1393 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1394 return False;
1395 }
1396
1397 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1398 neg.domain, neg.myname));
1399
1400 /* We're finished with this bind - no more packets. */
1401 p->auth.auth_data_free_func = NULL;
1402 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1403
1404 if (!set_current_user_guest(&p->pipe_user)) {
1405 DEBUG(1, ("pipe_schannel_auth_bind: Could not set guest "
1406 "token\n"));
1407 return False;
1408 }
1409
1410 p->pipe_bound = True;
1411
1412 return True;
1413 }
1414
1415 /*******************************************************************
1416 Handle an NTLMSSP bind auth.
1417 *******************************************************************/
1418
1419 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1420 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1421 {
1422 RPC_HDR_AUTH auth_info;
1423 DATA_BLOB blob;
1424 DATA_BLOB response;
1425 NTSTATUS status;
1426 AUTH_NTLMSSP_STATE *a = NULL;
1427
1428 ZERO_STRUCT(blob);
1429 ZERO_STRUCT(response);
1430
1431 /* Grab the NTLMSSP blob. */
1432 blob = data_blob(NULL,p->hdr.auth_len);
1433
1434 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1435 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1436 (unsigned int)p->hdr.auth_len ));
1437 goto err;
1438 }
1439
1440 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1441 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1442 goto err;
1443 }
1444
1445 /* We have an NTLMSSP blob. */
1446 status = auth_ntlmssp_start(&a);
1447 if (!NT_STATUS_IS_OK(status)) {
1448 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1449 nt_errstr(status) ));
1450 goto err;
1451 }
1452
1453 status = auth_ntlmssp_update(a, blob, &response);
1454 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1455 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1456 nt_errstr(status) ));
1457 goto err;
1458 }
1459
1460 data_blob_free(&blob);
1461
1462 /* Copy the blob into the pout_auth parse struct */
1463 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1464 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1465 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1466 goto err;
1467 }
1468
1469 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1470 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1471 goto err;
1472 }
1473
1474 p->auth.a_u.auth_ntlmssp_state = a;
1475 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1476 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1477
1478 data_blob_free(&blob);
1479 data_blob_free(&response);
1480
1481 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1482
1483 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1484 return True;
1485
1486 err:
1487
1488 data_blob_free(&blob);
1489 data_blob_free(&response);
1490
1491 free_pipe_ntlmssp_auth_data(&p->auth);
1492 p->auth.a_u.auth_ntlmssp_state = NULL;
1493 return False;
1494 }
1495
1496 /*******************************************************************
1497 Respond to a pipe bind request.
1498 *******************************************************************/
1499
1500 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1501 {
1502 RPC_HDR_BA hdr_ba;
1503 RPC_HDR_RB hdr_rb;
1504 RPC_HDR_AUTH auth_info;
1505 uint16 assoc_gid;
1506 fstring ack_pipe_name;
1507 prs_struct out_hdr_ba;
1508 prs_struct out_auth;
1509 prs_struct outgoing_rpc;
1510 int i = 0;
1511 int auth_len = 0;
1512 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1513
1514 /* No rebinds on a bound pipe - use alter context. */
1515 if (p->pipe_bound) {
1516 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1517 return setup_bind_nak(p);
1518 }
1519
1520 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1521
1522 /*
1523 * Marshall directly into the outgoing PDU space. We
1524 * must do this as we need to set to the bind response
1525 * header and are never sending more than one PDU here.
1526 */
1527
1528 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1529
1530 /*
1531 * Setup the memory to marshall the ba header, and the
1532 * auth footers.
1533 */
1534
1535 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1536 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1537 prs_mem_free(&outgoing_rpc);
1538 return False;
1539 }
1540
1541 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1542 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1543 prs_mem_free(&outgoing_rpc);
1544 prs_mem_free(&out_hdr_ba);
1545 return False;
1546 }
1547
1548 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1549
1550 /*
1551 * Try and find the correct pipe name to ensure
1552 * that this is a pipe name we support.
1553 */
1554
1555
1556 for (i = 0; i < rpc_lookup_size; i++) {
1557 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1558 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1559 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1560 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1561 break;
1562 }
1563 }
1564
1565 if (i == rpc_lookup_size) {
1566 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1567 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1568 p->name ));
1569 prs_mem_free(&outgoing_rpc);
1570 prs_mem_free(&out_hdr_ba);
1571 prs_mem_free(&out_auth);
1572
1573 return setup_bind_nak(p);
1574 }
1575
1576 for (i = 0; i < rpc_lookup_size; i++) {
1577 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1578 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1579 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1580 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1581 break;
1582 }
1583 }
1584
1585 if (i == rpc_lookup_size) {
1586 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1587 goto err_exit;
1588 }
1589 }
1590
1591 /* decode the bind request */
1592 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1593 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1594 goto err_exit;
1595 }
1596
1597 /* name has to be \PIPE\xxxxx */
1598 fstrcpy(ack_pipe_name, "\\PIPE\\");
1599 fstrcat(ack_pipe_name, p->pipe_srv_name);
1600
1601 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1602
1603 /*
1604 * Check if this is an authenticated bind request.
1605 */
1606
1607 if (p->hdr.auth_len) {
1608 /*
1609 * Decode the authentication verifier.
1610 */
1611
1612 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1613 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1614 goto err_exit;
1615 }
1616
1617 auth_type = auth_info.auth_type;
1618
1619 /* Work out if we have to sign or seal etc. */
1620 switch (auth_info.auth_level) {
1621 case RPC_AUTH_LEVEL_INTEGRITY:
1622 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1623 break;
1624 case RPC_AUTH_LEVEL_PRIVACY:
1625 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1626 break;
1627 default:
1628 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1629 (unsigned int)auth_info.auth_level ));
1630 goto err_exit;
1631 }
1632 } else {
1633 ZERO_STRUCT(auth_info);
1634 }
1635
1636 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1637
1638 switch(auth_type) {
1639 case RPC_NTLMSSP_AUTH_TYPE:
1640 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1641 goto err_exit;
1642 }
1643 assoc_gid = 0x7a77;
1644 break;
1645
1646 case RPC_SCHANNEL_AUTH_TYPE:
1647 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1648 goto err_exit;
1649 }
1650 break;
1651
1652 case RPC_SPNEGO_AUTH_TYPE:
1653 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1654 goto err_exit;
1655 }
1656 break;
1657
1658 case RPC_ANONYMOUS_AUTH_TYPE:
1659 /* Unauthenticated bind request. */
1660 /* Get the authenticated pipe user from current_user */
1661 if (!copy_current_user(&p->pipe_user, &current_user)) {
1662 DEBUG(10, ("Could not copy current user\n"));
1663 goto err_exit;
1664 }
1665 /* We're finished - no more packets. */
1666 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1667 /* We must set the pipe auth_level here also. */
1668 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1669 p->pipe_bound = True;
1670 /* The session key was initialized from the SMB
1671 * session in make_internal_rpc_pipe_p */
1672 break;
1673
1674 default:
1675 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1676 goto err_exit;
1677 }
1678
1679 /*
1680 * Create the bind response struct.
1681 */
1682
1683 /* If the requested abstract synt uuid doesn't match our client pipe,
1684 reject the bind_ack & set the transfer interface synt to all 0's,
1685 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1686 unknown to NT4)
1687 Needed when adding entries to a DACL from NT5 - SK */
1688
1689 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1690 hdr_rb.rpc_context[0].context_id )) {
1691 init_rpc_hdr_ba(&hdr_ba,
1692 RPC_MAX_PDU_FRAG_LEN,
1693 RPC_MAX_PDU_FRAG_LEN,
1694 assoc_gid,
1695 ack_pipe_name,
1696 0x1, 0x0, 0x0,
1697 &hdr_rb.rpc_context[0].transfer[0]);
1698 } else {
1699 RPC_IFACE null_interface;
1700 ZERO_STRUCT(null_interface);
1701 /* Rejection reason: abstract syntax not supported */
1702 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1703 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1704 ack_pipe_name, 0x1, 0x2, 0x1,
1705 &null_interface);
1706 p->pipe_bound = False;
1707 }
1708
1709 /*
1710 * and marshall it.
1711 */
1712
1713 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1714 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1715 goto err_exit;
1716 }
1717
1718 /*
1719 * Create the header, now we know the length.
1720 */
1721
1722 if (prs_offset(&out_auth)) {
1723 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1724 }
1725
1726 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1727 p->hdr.call_id,
1728 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1729 auth_len);
1730
1731 /*
1732 * Marshall the header into the outgoing PDU.
1733 */
1734
1735 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1736 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1737 goto err_exit;
1738 }
1739
1740 /*
1741 * Now add the RPC_HDR_BA and any auth needed.
1742 */
1743
1744 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1745 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1746 goto err_exit;
1747 }
1748
1749 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1750 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1751 goto err_exit;
1752 }
1753
1754 /*
1755 * Setup the lengths for the initial reply.
1756 */
1757
1758 p->out_data.data_sent_length = 0;
1759 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1760 p->out_data.current_pdu_sent = 0;
1761
1762 prs_mem_free(&out_hdr_ba);
1763 prs_mem_free(&out_auth);
1764
1765 return True;
1766
1767 err_exit:
1768
1769 prs_mem_free(&outgoing_rpc);
1770 prs_mem_free(&out_hdr_ba);
1771 prs_mem_free(&out_auth);
1772 return setup_bind_nak(p);
1773 }
1774
1775 /****************************************************************************
1776 Deal with an alter context call. Can be third part of 3 leg auth request for
1777 SPNEGO calls.
1778 ****************************************************************************/
1779
1780 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1781 {
1782 RPC_HDR_BA hdr_ba;
1783 RPC_HDR_RB hdr_rb;
1784 RPC_HDR_AUTH auth_info;
1785 uint16 assoc_gid;
1786 fstring ack_pipe_name;
1787 prs_struct out_hdr_ba;
1788 prs_struct out_auth;
1789 prs_struct outgoing_rpc;
1790 int auth_len = 0;
1791
1792 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1793
1794 /*
1795 * Marshall directly into the outgoing PDU space. We
1796 * must do this as we need to set to the bind response
1797 * header and are never sending more than one PDU here.
1798 */
1799
1800 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1801
1802 /*
1803 * Setup the memory to marshall the ba header, and the
1804 * auth footers.
1805 */
1806
1807 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1808 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1809 prs_mem_free(&outgoing_rpc);
1810 return False;
1811 }
1812
1813 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1814 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1815 prs_mem_free(&outgoing_rpc);
1816 prs_mem_free(&out_hdr_ba);
1817 return False;
1818 }
1819
1820 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1821
1822 /* decode the alter context request */
1823 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1824 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1825 goto err_exit;
1826 }
1827
1828 /* secondary address CAN be NULL
1829 * as the specs say it's ignored.
1830 * It MUST be NULL to have the spoolss working.
1831 */
1832 fstrcpy(ack_pipe_name,"");
1833
1834 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1835
1836 /*
1837 * Check if this is an authenticated alter context request.
1838 */
1839
1840 if (p->hdr.auth_len != 0) {
1841 /*
1842 * Decode the authentication verifier.
1843 */
1844
1845 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1846 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1847 goto err_exit;
1848 }
1849
1850 /*
1851 * Currently only the SPNEGO auth type uses the alter ctx
1852 * response in place of the NTLMSSP auth3 type.
1853 */
1854
1855 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1856 /* We can only finish if the pipe is unbound. */
1857 if (!p->pipe_bound) {
1858 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1859 goto err_exit;
1860 }
1861 } else {
1862 goto err_exit;
1863 }
1864 }
1865 } else {
1866 ZERO_STRUCT(auth_info);
1867 }
1868
1869 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1870
1871 /*
1872 * Create the bind response struct.
1873 */
1874
1875 /* If the requested abstract synt uuid doesn't match our client pipe,
1876 reject the bind_ack & set the transfer interface synt to all 0's,
1877 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1878 unknown to NT4)
1879 Needed when adding entries to a DACL from NT5 - SK */
1880
1881 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1882 hdr_rb.rpc_context[0].context_id )) {
1883 init_rpc_hdr_ba(&hdr_ba,
1884 RPC_MAX_PDU_FRAG_LEN,
1885 RPC_MAX_PDU_FRAG_LEN,
1886 assoc_gid,
1887 ack_pipe_name,
1888 0x1, 0x0, 0x0,
1889 &hdr_rb.rpc_context[0].transfer[0]);
1890 } else {
1891 RPC_IFACE null_interface;
1892 ZERO_STRUCT(null_interface);
1893 /* Rejection reason: abstract syntax not supported */
1894 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1895 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1896 ack_pipe_name, 0x1, 0x2, 0x1,
1897 &null_interface);
1898 p->pipe_bound = False;
1899 }
1900
1901 /*
1902 * and marshall it.
1903 */
1904
1905 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1906 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1907 goto err_exit;
1908 }
1909
1910 /*
1911 * Create the header, now we know the length.
1912 */
1913
1914 if (prs_offset(&out_auth)) {
1915 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1916 }
1917
1918 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1919 p->hdr.call_id,
1920 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1921 auth_len);
1922
1923 /*
1924 * Marshall the header into the outgoing PDU.
1925 */
1926
1927 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1928 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1929 goto err_exit;
1930 }
1931
1932 /*
1933 * Now add the RPC_HDR_BA and any auth needed.
1934 */
1935
1936 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1937 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1938 goto err_exit;
1939 }
1940
1941 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1942 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1943 goto err_exit;
1944 }
1945
1946 /*
1947 * Setup the lengths for the initial reply.
1948 */
1949
1950 p->out_data.data_sent_length = 0;
1951 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1952 p->out_data.current_pdu_sent = 0;
1953
1954 prs_mem_free(&out_hdr_ba);
1955 prs_mem_free(&out_auth);
1956
1957 return True;
1958
1959 err_exit:
1960
1961 prs_mem_free(&outgoing_rpc);
1962 prs_mem_free(&out_hdr_ba);
1963 prs_mem_free(&out_auth);
1964 return setup_bind_nak(p);
1965 }
1966
1967 /****************************************************************************
1968 Deal with NTLMSSP sign & seal processing on an RPC request.
1969 ****************************************************************************/
1970
1971 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1972 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1973 {
1974 RPC_HDR_AUTH auth_info;
1975 uint32 auth_len = p->hdr.auth_len;
1976 uint32 save_offset = prs_offset(rpc_in);
1977 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1978 unsigned char *data = NULL;
1979 size_t data_len;
1980 unsigned char *full_packet_data = NULL;
1981 size_t full_packet_data_len;
1982 DATA_BLOB auth_blob;
1983
1984 *pstatus = NT_STATUS_OK;
1985
1986 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1987 return True;
1988 }
1989
1990 if (!a) {
1991 *pstatus = NT_STATUS_INVALID_PARAMETER;
1992 return False;
1993 }
1994
1995 /* Ensure there's enough data for an authenticated request. */
1996 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1997 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1998 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1999 (unsigned int)auth_len ));
2000 *pstatus = NT_STATUS_INVALID_PARAMETER;
2001 return False;
2002 }
2003
2004 /*
2005 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2006 * after the RPC header.
2007 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2008 * functions as NTLMv2 checks the rpc headers also.
2009 */
2010
2011 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2012 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2013
2014 full_packet_data = p->in_data.current_in_pdu;
2015 full_packet_data_len = p->hdr.frag_len - auth_len;
2016
2017 /* Pull the auth header and the following data into a blob. */
2018 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2019 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2020 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2021 *pstatus = NT_STATUS_INVALID_PARAMETER;
2022 return False;
2023 }
2024
2025 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2026 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2027 *pstatus = NT_STATUS_INVALID_PARAMETER;
2028 return False;
2029 }
2030
2031 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2032 auth_blob.length = auth_len;
2033
2034 switch (p->auth.auth_level) {
2035 case PIPE_AUTH_LEVEL_PRIVACY:
2036 /* Data is encrypted. */
2037 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2038 data, data_len,
2039 full_packet_data,
2040 full_packet_data_len,
2041 &auth_blob);
2042 if (!NT_STATUS_IS_OK(*pstatus)) {
2043 return False;
2044 }
2045 break;
2046 case PIPE_AUTH_LEVEL_INTEGRITY:
2047 /* Data is signed. */
2048 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2049 data, data_len,
2050 full_packet_data,
2051 full_packet_data_len,
2052 &auth_blob);
2053 if (!NT_STATUS_IS_OK(*pstatus)) {
2054 return False;
2055 }
2056 break;
2057 default:
2058 *pstatus = NT_STATUS_INVALID_PARAMETER;
2059 return False;
2060 }
2061
2062 /*
2063 * Return the current pointer to the data offset.
2064 */
2065
2066 if(!prs_set_offset(rpc_in, save_offset)) {
2067 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2068 (unsigned int)save_offset ));
2069 *pstatus = NT_STATUS_INVALID_PARAMETER;
2070 return False;
2071 }
2072
2073 /*
2074 * Remember the padding length. We must remove it from the real data
2075 * stream once the sign/seal is done.
2076 */
2077
2078 *p_ss_padding_len = auth_info.auth_pad_len;
2079
2080 return True;
2081 }
2082
2083 /****************************************************************************
2084 Deal with schannel processing on an RPC request.
2085 ****************************************************************************/
2086
2087 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2088 {
2089 uint32 data_len;
2090 uint32 auth_len;
2091 uint32 save_offset = prs_offset(rpc_in);
2092 RPC_HDR_AUTH auth_info;
2093 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2094
2095 auth_len = p->hdr.auth_len;
2096
2097 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2098 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2099 return False;
2100 }
2101
2102 /*
2103 * The following is that length of the data we must verify or unseal.
2104 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2105 * preceeding the auth_data.
2106 */
2107
2108 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2109 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2110 (unsigned int)p->hdr.frag_len,
2111 (unsigned int)auth_len ));
2112 return False;
2113 }
2114
2115 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2116 RPC_HDR_AUTH_LEN - auth_len;
2117
2118 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2119
2120 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2121 DEBUG(0,("cannot move offset to %u.\n",
2122 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2123 return False;
2124 }
2125
2126 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2127 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2128 return False;
2129 }
2130
2131 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2132 DEBUG(0,("Invalid auth info %d on schannel\n",
2133 auth_info.auth_type));
2134 return False;
2135 }
2136
2137 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2138 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2139 return False;
2140 }
2141
2142 if (!schannel_decode(p->auth.a_u.schannel_auth,
2143 p->auth.auth_level,
2144 SENDER_IS_INITIATOR,
2145 &schannel_chk,
2146 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2147 DEBUG(3,("failed to decode PDU\n"));
2148 return False;
2149 }
2150
2151 /*
2152 * Return the current pointer to the data offset.
2153 */
2154
2155 if(!prs_set_offset(rpc_in, save_offset)) {
2156 DEBUG(0,("failed to set offset back to %u\n",
2157 (unsigned int)save_offset ));
2158 return False;
2159 }
2160
2161 /* The sequence number gets incremented on both send and receive. */
2162 p->auth.a_u.schannel_auth->seq_num++;
2163
2164 /*
2165 * Remember the padding length. We must remove it from the real data
2166 * stream once the sign/seal is done.
2167 */
2168
2169 *p_ss_padding_len = auth_info.auth_pad_len;
2170
2171 return True;
2172 }
2173
2174 /****************************************************************************
2175 Find the set of RPC functions associated with this context_id
2176 ****************************************************************************/
2177
2178 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2179 {
2180 PIPE_RPC_FNS *fns = NULL;
2181 PIPE_RPC_FNS *tmp = NULL;
2182
2183 if ( !list ) {
2184 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2185 return NULL;
2186 }
2187
2188 for (tmp=list; tmp; tmp=tmp->next ) {
2189 if ( tmp->context_id == context_id )
2190 break;
2191 }
2192
2193 fns = tmp;
2194
2195 return fns;
2196 }
2197
2198 /****************************************************************************
2199 Memory cleanup.
2200 ****************************************************************************/
2201
2202 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2203 {
2204 PIPE_RPC_FNS *tmp = list;
2205 PIPE_RPC_FNS *tmp2;
2206
2207 while (tmp) {
2208 tmp2 = tmp->next;
2209 SAFE_FREE(tmp);
2210 tmp = tmp2;
2211 }
2212
2213 return;
2214 }
2215
2216 /****************************************************************************
2217 Find the correct RPC function to call for this request.
2218 If the pipe is authenticated then become the correct UNIX user
2219 before doing the call.
2220 ****************************************************************************/
2221
2222 BOOL api_pipe_request(pipes_struct *p)
2223 {
2224 BOOL ret = False;
2225 BOOL changed_user = False;
2226 PIPE_RPC_FNS *pipe_fns;
2227
2228 if (p->pipe_bound) {
2229 if(!become_authenticated_pipe_user(p)) {
2230 prs_mem_free(&p->out_data.rdata);
2231 return False;
2232 }
2233 changed_user = True;
2234 }
2235
2236 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2237
2238 /* get the set of RPC functions for this context */
2239
2240 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2241
2242 if ( pipe_fns ) {
2243 TALLOC_CTX *frame = talloc_stackframe();
2244 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2245 TALLOC_FREE(frame);
2246 }
2247 else {
2248 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2249 p->hdr_req.context_id, p->name));
2250 }
2251
2252 if (changed_user) {
2253 unbecome_authenticated_pipe_user();
2254 }
2255
2256 return ret;
2257 }
2258
2259 /*******************************************************************
2260 Calls the underlying RPC function for a named pipe.
2261 ********************************************************************/
2262
2263 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2264 const struct api_struct *api_rpc_cmds, int n_cmds)
2265 {
2266 int fn_num;
2267 fstring name;
2268 uint32 offset1, offset2;
2269
2270 /* interpret the command */
2271 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2272
2273 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2274 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2275
2276 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2277 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2278 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2279 break;
2280 }
2281 }
2282
2283 if (fn_num == n_cmds) {
2284 /*
2285 * For an unknown RPC just return a fault PDU but
2286 * return True to allow RPC's on the pipe to continue
2287 * and not put the pipe into fault state. JRA.
2288 */
2289 DEBUG(4, ("unknown\n"));
2290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2291 return True;
2292 }
2293
2294 offset1 = prs_offset(&p->out_data.rdata);
2295
2296 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2297 fn_num, api_rpc_cmds[fn_num].fn));
2298 /* do the actual command */
2299 if(!api_rpc_cmds[fn_num].fn(p)) {
2300 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2301 prs_mem_free(&p->out_data.rdata);
2302 return False;
2303 }
2304
2305 if (p->bad_handle_fault_state) {
2306 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2307 p->bad_handle_fault_state = False;
2308 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2309 return True;
2310 }
2311
2312 if (p->rng_fault_state) {
2313 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2314 p->rng_fault_state = False;
2315 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2316 return True;
2317 }
2318
2319 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2320 offset2 = prs_offset(&p->out_data.rdata);
2321 prs_set_offset(&p->out_data.rdata, offset1);
2322 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2323 prs_set_offset(&p->out_data.rdata, offset2);
2324
2325 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2326
2327 /* Check for buffer underflow in rpc parsing */
2328
2329 if ((DEBUGLEVEL >= 10) &&
2330 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2331 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2332 char *data = (char *)SMB_MALLOC(data_len);
2333
2334 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2335 if (data) {
2336 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2337 SAFE_FREE(data);
2338 }
2339
2340 }
2341
2342 return True;
2343 }
2344
2345 /*******************************************************************
2346 *******************************************************************/
2347
2348 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2349 {
2350 struct api_struct *cmds = NULL;
2351 int n_cmds = 0;
2352
2353 switch ( idx ) {
2354 case PI_LSARPC:
2355 lsa_get_pipe_fns( &cmds, &n_cmds );
2356 break;
2357 case PI_LSARPC_DS:
2358 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2359 break;
2360 case PI_SAMR:
2361 samr_get_pipe_fns( &cmds, &n_cmds );
2362 break;
2363 case PI_NETLOGON:
2364 netlog_get_pipe_fns( &cmds, &n_cmds );
2365 break;
2366 case PI_SRVSVC:
2367 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2368 break;
2369 case PI_WKSSVC:
2370 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2371 break;
2372 case PI_WINREG:
2373 winreg_get_pipe_fns( &cmds, &n_cmds );
2374 break;
2375 case PI_SPOOLSS:
2376 spoolss_get_pipe_fns( &cmds, &n_cmds );
2377 break;
2378 case PI_NETDFS:
2379 netdfs_get_pipe_fns( &cmds, &n_cmds );
2380 break;
2381 case PI_SVCCTL:
2382 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2383 break;
2384 case PI_EVENTLOG:
2385 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2386 break;
2387 case PI_UNIXINFO:
2388 unixinfo_get_pipe_fns( &cmds, &n_cmds );
2389 break;
2390 case PI_NTSVCS:
2391 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2392 break;
2393 #ifdef DEVELOPER
2394 case PI_RPCECHO:
2395 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2396 break;
2397 #endif
2398 case PI_EPMAPPER:
2399 epmapper_get_pipe_fns( &cmds, &n_cmds );
2400 break;
2401 default:
2402 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2403 }
2404
2405 *fns = cmds;
2406 *n_fns = n_cmds;
2407
2408 return;
2409 }
Samba GIT mirror