search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix a bug that prevent core files from being created
[Samba.git] / source / rpc_server / srv_pipe.c
blob705add6f7b3b81339ea342bee463bfd9d073e3a4
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267 }
268
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445 }
446
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
621
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
626
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
632 }
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
644 }
645 }
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
652 }
653 }
654
655 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
656 "workstation: %s\n", a->ntlmssp_state->user,
657 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
658
659 /*
660 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
661 */
662
663 p->pipe_user.ut.uid = a->server_info->utok.uid;
664 p->pipe_user.ut.gid = a->server_info->utok.gid;
665
666 p->pipe_user.ut.ngroups = a->server_info->utok.ngroups;
667 if (p->pipe_user.ut.ngroups) {
668 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(
669 a->server_info->utok.groups,
670 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
671 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
672 return False;
673 }
674 }
675
676 if (a->server_info->ptok) {
677 p->pipe_user.nt_user_token =
678 dup_nt_token(NULL, a->server_info->ptok);
679 } else {
680 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
681 p->pipe_user.nt_user_token = NULL;
682 return False;
683 }
684
685 TALLOC_FREE(p->server_info);
686
687 p->server_info = copy_serverinfo(p, a->server_info);
688 if (p->server_info == NULL) {
689 DEBUG(0, ("copy_serverinfo failed\n"));
690 return false;
691 }
692
693 /*
694 * We're an authenticated bind over smb, so the session key needs to
695 * be set to "SystemLibraryDTC". Weird, but this is what Windows
696 * does. See the RPC-SAMBA3SESSIONKEY.
697 */
698
699 session_key = generic_session_key();
700 if (session_key.data == NULL) {
701 return False;
702 }
703
704 ret = server_info_set_session_key(p->server_info, session_key);
705
706 data_blob_free(&session_key);
707
708 return True;
709 }
710
711 /*******************************************************************
712 The switch table for the pipe names and the functions to handle them.
713 *******************************************************************/
714
715 struct rpc_table {
716 struct {
717 const char *clnt;
718 const char *srv;
719 } pipe;
720 struct ndr_syntax_id rpc_interface;
721 const struct api_struct *cmds;
722 int n_cmds;
723 };
724
725 static struct rpc_table *rpc_lookup;
726 static int rpc_lookup_size;
727
728 /*******************************************************************
729 This is the "stage3" NTLMSSP response after a bind request and reply.
730 *******************************************************************/
731
732 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
733 {
734 RPC_HDR_AUTH auth_info;
735 uint32 pad = 0;
736 DATA_BLOB blob;
737
738 ZERO_STRUCT(blob);
739
740 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
741
742 if (p->hdr.auth_len == 0) {
743 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
744 goto err;
745 }
746
747 /* 4 bytes padding. */
748 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
749 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
750 goto err;
751 }
752
753 /*
754 * Decode the authentication verifier response.
755 */
756
757 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
758 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
759 goto err;
760 }
761
762 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
763 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
764 (unsigned int)auth_info.auth_type ));
765 return False;
766 }
767
768 blob = data_blob(NULL,p->hdr.auth_len);
769
770 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
771 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
772 (unsigned int)p->hdr.auth_len ));
773 goto err;
774 }
775
776 /*
777 * The following call actually checks the challenge/response data.
778 * for correctness against the given DOMAIN\user name.
779 */
780
781 if (!pipe_ntlmssp_verify_final(p, &blob)) {
782 goto err;
783 }
784
785 data_blob_free(&blob);
786
787 p->pipe_bound = True;
788
789 return True;
790
791 err:
792
793 data_blob_free(&blob);
794 free_pipe_ntlmssp_auth_data(&p->auth);
795 p->auth.a_u.auth_ntlmssp_state = NULL;
796
797 return False;
798 }
799
800 /*******************************************************************
801 Marshall a bind_nak pdu.
802 *******************************************************************/
803
804 static bool setup_bind_nak(pipes_struct *p)
805 {
806 prs_struct outgoing_rpc;
807 RPC_HDR nak_hdr;
808 uint16 zero = 0;
809
810 /* Free any memory in the current return data buffer. */
811 prs_mem_free(&p->out_data.rdata);
812
813 /*
814 * Marshall directly into the outgoing PDU space. We
815 * must do this as we need to set to the bind response
816 * header and are never sending more than one PDU here.
817 */
818
819 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
820 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
821
822 /*
823 * Initialize a bind_nak header.
824 */
825
826 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
827 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
828
829 /*
830 * Marshall the header into the outgoing PDU.
831 */
832
833 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
834 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
835 prs_mem_free(&outgoing_rpc);
836 return False;
837 }
838
839 /*
840 * Now add the reject reason.
841 */
842
843 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
844 prs_mem_free(&outgoing_rpc);
845 return False;
846 }
847
848 p->out_data.data_sent_length = 0;
849 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
850 p->out_data.current_pdu_sent = 0;
851
852 if (p->auth.auth_data_free_func) {
853 (*p->auth.auth_data_free_func)(&p->auth);
854 }
855 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
856 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
857 p->pipe_bound = False;
858
859 return True;
860 }
861
862 /*******************************************************************
863 Marshall a fault pdu.
864 *******************************************************************/
865
866 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
867 {
868 prs_struct outgoing_pdu;
869 RPC_HDR fault_hdr;
870 RPC_HDR_RESP hdr_resp;
871 RPC_HDR_FAULT fault_resp;
872
873 /* Free any memory in the current return data buffer. */
874 prs_mem_free(&p->out_data.rdata);
875
876 /*
877 * Marshall directly into the outgoing PDU space. We
878 * must do this as we need to set to the bind response
879 * header and are never sending more than one PDU here.
880 */
881
882 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
883 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
884
885 /*
886 * Initialize a fault header.
887 */
888
889 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
890 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
891
892 /*
893 * Initialize the HDR_RESP and FAULT parts of the PDU.
894 */
895
896 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
897
898 fault_resp.status = status;
899 fault_resp.reserved = 0;
900
901 /*
902 * Marshall the header into the outgoing PDU.
903 */
904
905 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
906 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
907 prs_mem_free(&outgoing_pdu);
908 return False;
909 }
910
911 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
912 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
913 prs_mem_free(&outgoing_pdu);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
919 prs_mem_free(&outgoing_pdu);
920 return False;
921 }
922
923 p->out_data.data_sent_length = 0;
924 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
925 p->out_data.current_pdu_sent = 0;
926
927 prs_mem_free(&outgoing_pdu);
928 return True;
929 }
930
931 #if 0
932 /*******************************************************************
933 Marshall a cancel_ack pdu.
934 We should probably check the auth-verifier here.
935 *******************************************************************/
936
937 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
938 {
939 prs_struct outgoing_pdu;
940 RPC_HDR ack_reply_hdr;
941
942 /* Free any memory in the current return data buffer. */
943 prs_mem_free(&p->out_data.rdata);
944
945 /*
946 * Marshall directly into the outgoing PDU space. We
947 * must do this as we need to set to the bind response
948 * header and are never sending more than one PDU here.
949 */
950
951 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
952 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
953
954 /*
955 * Initialize a cancel_ack header.
956 */
957
958 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
959 p->hdr.call_id, RPC_HEADER_LEN, 0);
960
961 /*
962 * Marshall the header into the outgoing PDU.
963 */
964
965 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
966 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
967 prs_mem_free(&outgoing_pdu);
968 return False;
969 }
970
971 p->out_data.data_sent_length = 0;
972 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
973 p->out_data.current_pdu_sent = 0;
974
975 prs_mem_free(&outgoing_pdu);
976 return True;
977 }
978 #endif
979
980 /*******************************************************************
981 Ensure a bind request has the correct abstract & transfer interface.
982 Used to reject unknown binds from Win2k.
983 *******************************************************************/
984
985 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
986 RPC_IFACE* transfer, uint32 context_id)
987 {
988 int i=0;
989 struct pipe_rpc_fns *context_fns;
990
991 DEBUG(3,("check_bind_req for %s\n", p->name));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for (i=0; i<rpc_lookup_size; i++) {
996 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
997 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
998 && ndr_syntax_id_equal(
999 abstract, &rpc_lookup[i].rpc_interface)
1000 && ndr_syntax_id_equal(
1001 transfer, &ndr_transfer_syntax)) {
1002 break;
1003 }
1004 }
1005
1006 if (i == rpc_lookup_size) {
1007 return false;
1008 }
1009
1010 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1011 if (context_fns == NULL) {
1012 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1013 return False;
1014 }
1015
1016 context_fns->cmds = rpc_lookup[i].cmds;
1017 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1018 context_fns->context_id = context_id;
1019
1020 /* add to the list of open contexts */
1021
1022 DLIST_ADD( p->contexts, context_fns );
1023
1024 return True;
1025 }
1026
1027 /*******************************************************************
1028 Register commands to an RPC pipe
1029 *******************************************************************/
1030
1031 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt,
1032 const char *srv,
1033 const struct ndr_syntax_id *interface,
1034 const struct api_struct *cmds, int size)
1035 {
1036 struct rpc_table *rpc_entry;
1037
1038 if (!clnt || !srv || !cmds) {
1039 return NT_STATUS_INVALID_PARAMETER;
1040 }
1041
1042 if (version != SMB_RPC_INTERFACE_VERSION) {
1043 DEBUG(0,("Can't register rpc commands!\n"
1044 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1045 ", while this version of samba uses version %d!\n",
1046 version,SMB_RPC_INTERFACE_VERSION));
1047 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1048 }
1049
1050 /* TODO:
1051 *
1052 * we still need to make sure that don't register the same commands twice!!!
1053 *
1054 * --metze
1055 */
1056
1057 /* We use a temporary variable because this call can fail and
1058 rpc_lookup will still be valid afterwards. It could then succeed if
1059 called again later */
1060 rpc_lookup_size++;
1061 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1062 if (NULL == rpc_entry) {
1063 rpc_lookup_size--;
1064 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1065 return NT_STATUS_NO_MEMORY;
1066 } else {
1067 rpc_lookup = rpc_entry;
1068 }
1069
1070 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1071 ZERO_STRUCTP(rpc_entry);
1072 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1073 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1074 rpc_entry->rpc_interface = *interface;
1075 rpc_entry->cmds = cmds;
1076 rpc_entry->n_cmds = size;
1077
1078 return NT_STATUS_OK;
1079 }
1080
1081 /**
1082 * Is a named pipe known?
1083 * @param[in] cli_filename The pipe name requested by the client
1084 * @result Do we want to serve this?
1085 */
1086 bool is_known_pipename(const char *cli_filename)
1087 {
1088 const char *pipename = cli_filename;
1089 int i;
1090
1091 if (strnequal(pipename, "\\PIPE\\", 6)) {
1092 pipename += 5;
1093 }
1094
1095 if (*pipename == '\\') {
1096 pipename += 1;
1097 }
1098
1099 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1100 DEBUG(10, ("refusing spoolss access\n"));
1101 return false;
1102 }
1103
1104 for (i=0; i<rpc_lookup_size; i++) {
1105 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1106 return true;
1107 }
1108 }
1109
1110 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1111 return false;
1112 }
1113
1114 /*******************************************************************
1115 Handle a SPNEGO krb5 bind auth.
1116 *******************************************************************/
1117
1118 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1119 DATA_BLOB *psecblob, prs_struct *pout_auth)
1120 {
1121 return False;
1122 }
1123
1124 /*******************************************************************
1125 Handle the first part of a SPNEGO bind auth.
1126 *******************************************************************/
1127
1128 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1129 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1130 {
1131 DATA_BLOB blob;
1132 DATA_BLOB secblob;
1133 DATA_BLOB response;
1134 DATA_BLOB chal;
1135 char *OIDs[ASN1_MAX_OIDS];
1136 int i;
1137 NTSTATUS status;
1138 bool got_kerberos_mechanism = false;
1139 AUTH_NTLMSSP_STATE *a = NULL;
1140 RPC_HDR_AUTH auth_info;
1141
1142 ZERO_STRUCT(secblob);
1143 ZERO_STRUCT(chal);
1144 ZERO_STRUCT(response);
1145
1146 /* Grab the SPNEGO blob. */
1147 blob = data_blob(NULL,p->hdr.auth_len);
1148
1149 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1150 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1151 (unsigned int)p->hdr.auth_len ));
1152 goto err;
1153 }
1154
1155 if (blob.data[0] != ASN1_APPLICATION(0)) {
1156 goto err;
1157 }
1158
1159 /* parse out the OIDs and the first sec blob */
1160 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1161 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1162 goto err;
1163 }
1164
1165 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1166 got_kerberos_mechanism = true;
1167 }
1168
1169 for (i=0;OIDs[i];i++) {
1170 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1171 SAFE_FREE(OIDs[i]);
1172 }
1173 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1174
1175 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1176 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1177 data_blob_free(&secblob);
1178 data_blob_free(&blob);
1179 return ret;
1180 }
1181
1182 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1183 /* Free any previous auth type. */
1184 free_pipe_ntlmssp_auth_data(&p->auth);
1185 }
1186
1187 if (!got_kerberos_mechanism) {
1188 /* Initialize the NTLM engine. */
1189 status = auth_ntlmssp_start(&a);
1190 if (!NT_STATUS_IS_OK(status)) {
1191 goto err;
1192 }
1193
1194 /*
1195 * Pass the first security blob of data to it.
1196 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1197 * which means we need another packet to complete the bind.
1198 */
1199
1200 status = auth_ntlmssp_update(a, secblob, &chal);
1201
1202 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1203 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1204 goto err;
1205 }
1206
1207 /* Generate the response blob we need for step 2 of the bind. */
1208 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1209 } else {
1210 /*
1211 * SPNEGO negotiate down to NTLMSSP. The subsequent
1212 * code to process follow-up packets is not complete
1213 * yet. JRA.
1214 */
1215 response = spnego_gen_auth_response(NULL,
1216 NT_STATUS_MORE_PROCESSING_REQUIRED,
1217 OID_NTLMSSP);
1218 }
1219
1220 /* Copy the blob into the pout_auth parse struct */
1221 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1222 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1223 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1224 goto err;
1225 }
1226
1227 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1228 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1229 goto err;
1230 }
1231
1232 p->auth.a_u.auth_ntlmssp_state = a;
1233 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1234 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1235
1236 data_blob_free(&blob);
1237 data_blob_free(&secblob);
1238 data_blob_free(&chal);
1239 data_blob_free(&response);
1240
1241 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1242 return True;
1243
1244 err:
1245
1246 data_blob_free(&blob);
1247 data_blob_free(&secblob);
1248 data_blob_free(&chal);
1249 data_blob_free(&response);
1250
1251 p->auth.a_u.auth_ntlmssp_state = NULL;
1252
1253 return False;
1254 }
1255
1256 /*******************************************************************
1257 Handle the second part of a SPNEGO bind auth.
1258 *******************************************************************/
1259
1260 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1261 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1262 {
1263 RPC_HDR_AUTH auth_info;
1264 DATA_BLOB spnego_blob;
1265 DATA_BLOB auth_blob;
1266 DATA_BLOB auth_reply;
1267 DATA_BLOB response;
1268 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1269
1270 ZERO_STRUCT(spnego_blob);
1271 ZERO_STRUCT(auth_blob);
1272 ZERO_STRUCT(auth_reply);
1273 ZERO_STRUCT(response);
1274
1275 /*
1276 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1277 * fail here as 'a' == NULL.
1278 */
1279 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1280 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1281 goto err;
1282 }
1283
1284 /* Grab the SPNEGO blob. */
1285 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1286
1287 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1288 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1289 (unsigned int)p->hdr.auth_len ));
1290 goto err;
1291 }
1292
1293 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1294 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1295 goto err;
1296 }
1297
1298 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1299 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1300 goto err;
1301 }
1302
1303 /*
1304 * The following call actually checks the challenge/response data.
1305 * for correctness against the given DOMAIN\user name.
1306 */
1307
1308 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1309 goto err;
1310 }
1311
1312 data_blob_free(&spnego_blob);
1313 data_blob_free(&auth_blob);
1314
1315 /* Generate the spnego "accept completed" blob - no incoming data. */
1316 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1317
1318 /* Copy the blob into the pout_auth parse struct */
1319 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1320 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1321 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1322 goto err;
1323 }
1324
1325 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1326 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1327 goto err;
1328 }
1329
1330 data_blob_free(&auth_reply);
1331 data_blob_free(&response);
1332
1333 p->pipe_bound = True;
1334
1335 return True;
1336
1337 err:
1338
1339 data_blob_free(&spnego_blob);
1340 data_blob_free(&auth_blob);
1341 data_blob_free(&auth_reply);
1342 data_blob_free(&response);
1343
1344 free_pipe_ntlmssp_auth_data(&p->auth);
1345 p->auth.a_u.auth_ntlmssp_state = NULL;
1346
1347 return False;
1348 }
1349
1350 /*******************************************************************
1351 Handle an schannel bind auth.
1352 *******************************************************************/
1353
1354 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1355 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1356 {
1357 RPC_HDR_AUTH auth_info;
1358 RPC_AUTH_SCHANNEL_NEG neg;
1359 RPC_AUTH_VERIFIER auth_verifier;
1360 bool ret;
1361 struct dcinfo *pdcinfo;
1362 uint32 flags;
1363 DATA_BLOB session_key;
1364
1365 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1366 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1367 return False;
1368 }
1369
1370 /*
1371 * The neg.myname key here must match the remote computer name
1372 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1373 * operations that use credentials.
1374 */
1375
1376 become_root();
1377 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1378 unbecome_root();
1379
1380 if (!ret) {
1381 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1382 return False;
1383 }
1384
1385 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1386 if (!p->auth.a_u.schannel_auth) {
1387 TALLOC_FREE(pdcinfo);
1388 return False;
1389 }
1390
1391 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1392 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1393 sizeof(pdcinfo->sess_key));
1394
1395 TALLOC_FREE(pdcinfo);
1396
1397 p->auth.a_u.schannel_auth->seq_num = 0;
1398
1399 /*
1400 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1401 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1402 * struct of the person who opened the pipe. I need to test this further. JRA.
1403 *
1404 * VL. As we are mapping this to guest set the generic key
1405 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1406 * W2k3, as it does not allow schannel binds against SAMR and LSA
1407 * anymore.
1408 */
1409
1410 session_key = generic_session_key();
1411 if (session_key.data == NULL) {
1412 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1413 " key\n"));
1414 return false;
1415 }
1416
1417 ret = server_info_set_session_key(p->server_info, session_key);
1418
1419 data_blob_free(&session_key);
1420
1421 if (!ret) {
1422 DEBUG(0, ("server_info_set_session_key failed\n"));
1423 return false;
1424 }
1425
1426 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1427 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1428 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1429 return False;
1430 }
1431
1432 /*** SCHANNEL verifier ***/
1433
1434 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1435 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1436 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1437 return False;
1438 }
1439
1440 prs_align(pout_auth);
1441
1442 flags = 5;
1443 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1444 return False;
1445 }
1446
1447 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1448 neg.domain, neg.myname));
1449
1450 /* We're finished with this bind - no more packets. */
1451 p->auth.auth_data_free_func = NULL;
1452 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1453
1454 p->pipe_bound = True;
1455
1456 return True;
1457 }
1458
1459 /*******************************************************************
1460 Handle an NTLMSSP bind auth.
1461 *******************************************************************/
1462
1463 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1464 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1465 {
1466 RPC_HDR_AUTH auth_info;
1467 DATA_BLOB blob;
1468 DATA_BLOB response;
1469 NTSTATUS status;
1470 AUTH_NTLMSSP_STATE *a = NULL;
1471
1472 ZERO_STRUCT(blob);
1473 ZERO_STRUCT(response);
1474
1475 /* Grab the NTLMSSP blob. */
1476 blob = data_blob(NULL,p->hdr.auth_len);
1477
1478 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1479 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1480 (unsigned int)p->hdr.auth_len ));
1481 goto err;
1482 }
1483
1484 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1485 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1486 goto err;
1487 }
1488
1489 /* We have an NTLMSSP blob. */
1490 status = auth_ntlmssp_start(&a);
1491 if (!NT_STATUS_IS_OK(status)) {
1492 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1493 nt_errstr(status) ));
1494 goto err;
1495 }
1496
1497 status = auth_ntlmssp_update(a, blob, &response);
1498 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1499 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1500 nt_errstr(status) ));
1501 goto err;
1502 }
1503
1504 data_blob_free(&blob);
1505
1506 /* Copy the blob into the pout_auth parse struct */
1507 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1508 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1509 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1510 goto err;
1511 }
1512
1513 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1514 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1515 goto err;
1516 }
1517
1518 p->auth.a_u.auth_ntlmssp_state = a;
1519 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1520 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1521
1522 data_blob_free(&blob);
1523 data_blob_free(&response);
1524
1525 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1526
1527 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1528 return True;
1529
1530 err:
1531
1532 data_blob_free(&blob);
1533 data_blob_free(&response);
1534
1535 free_pipe_ntlmssp_auth_data(&p->auth);
1536 p->auth.a_u.auth_ntlmssp_state = NULL;
1537 return False;
1538 }
1539
1540 /*******************************************************************
1541 Respond to a pipe bind request.
1542 *******************************************************************/
1543
1544 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1545 {
1546 RPC_HDR_BA hdr_ba;
1547 RPC_HDR_RB hdr_rb;
1548 RPC_HDR_AUTH auth_info;
1549 uint16 assoc_gid;
1550 fstring ack_pipe_name;
1551 prs_struct out_hdr_ba;
1552 prs_struct out_auth;
1553 prs_struct outgoing_rpc;
1554 int i = 0;
1555 int auth_len = 0;
1556 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1557
1558 /* No rebinds on a bound pipe - use alter context. */
1559 if (p->pipe_bound) {
1560 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1561 return setup_bind_nak(p);
1562 }
1563
1564 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1565
1566 /*
1567 * Marshall directly into the outgoing PDU space. We
1568 * must do this as we need to set to the bind response
1569 * header and are never sending more than one PDU here.
1570 */
1571
1572 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1573
1574 /*
1575 * Setup the memory to marshall the ba header, and the
1576 * auth footers.
1577 */
1578
1579 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1580 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1581 prs_mem_free(&outgoing_rpc);
1582 return False;
1583 }
1584
1585 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1586 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1587 prs_mem_free(&outgoing_rpc);
1588 prs_mem_free(&out_hdr_ba);
1589 return False;
1590 }
1591
1592 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1593
1594 ZERO_STRUCT(hdr_rb);
1595
1596 /* decode the bind request */
1597
1598 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1599 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1600 "struct.\n"));
1601 goto err_exit;
1602 }
1603
1604 if (hdr_rb.num_contexts == 0) {
1605 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1606 goto err_exit;
1607 }
1608
1609 /*
1610 * Try and find the correct pipe name to ensure
1611 * that this is a pipe name we support.
1612 */
1613
1614 for (i = 0; i < rpc_lookup_size; i++) {
1615 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1616 &hdr_rb.rpc_context[0].abstract)) {
1617 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1618 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1619 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1620 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1621 break;
1622 }
1623 }
1624
1625 if (i == rpc_lookup_size) {
1626 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1627 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1628 p->name ));
1629 prs_mem_free(&outgoing_rpc);
1630 prs_mem_free(&out_hdr_ba);
1631 prs_mem_free(&out_auth);
1632
1633 return setup_bind_nak(p);
1634 }
1635
1636 for (i = 0; i < rpc_lookup_size; i++) {
1637 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1638 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1639 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1640 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1641 break;
1642 }
1643 }
1644
1645 if (i == rpc_lookup_size) {
1646 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1647 goto err_exit;
1648 }
1649 }
1650
1651 /* name has to be \PIPE\xxxxx */
1652 fstrcpy(ack_pipe_name, "\\PIPE\\");
1653 fstrcat(ack_pipe_name, p->pipe_srv_name);
1654
1655 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1656
1657 /*
1658 * Check if this is an authenticated bind request.
1659 */
1660
1661 if (p->hdr.auth_len) {
1662 /*
1663 * Decode the authentication verifier.
1664 */
1665
1666 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1667 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1668 goto err_exit;
1669 }
1670
1671 auth_type = auth_info.auth_type;
1672
1673 /* Work out if we have to sign or seal etc. */
1674 switch (auth_info.auth_level) {
1675 case RPC_AUTH_LEVEL_INTEGRITY:
1676 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1677 break;
1678 case RPC_AUTH_LEVEL_PRIVACY:
1679 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1680 break;
1681 default:
1682 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1683 (unsigned int)auth_info.auth_level ));
1684 goto err_exit;
1685 }
1686 } else {
1687 ZERO_STRUCT(auth_info);
1688 }
1689
1690 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1691
1692 switch(auth_type) {
1693 case RPC_NTLMSSP_AUTH_TYPE:
1694 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1695 goto err_exit;
1696 }
1697 assoc_gid = 0x7a77;
1698 break;
1699
1700 case RPC_SCHANNEL_AUTH_TYPE:
1701 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1702 goto err_exit;
1703 }
1704 break;
1705
1706 case RPC_SPNEGO_AUTH_TYPE:
1707 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1708 goto err_exit;
1709 }
1710 break;
1711
1712 case RPC_ANONYMOUS_AUTH_TYPE:
1713 /* Unauthenticated bind request. */
1714 /* Get the authenticated pipe user from current_user */
1715 if (!copy_current_user(&p->pipe_user, &current_user)) {
1716 DEBUG(10, ("Could not copy current user\n"));
1717 goto err_exit;
1718 }
1719 /* We're finished - no more packets. */
1720 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1721 /* We must set the pipe auth_level here also. */
1722 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1723 p->pipe_bound = True;
1724 /* The session key was initialized from the SMB
1725 * session in make_internal_rpc_pipe_p */
1726 break;
1727
1728 default:
1729 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1730 goto err_exit;
1731 }
1732
1733 /*
1734 * Create the bind response struct.
1735 */
1736
1737 /* If the requested abstract synt uuid doesn't match our client pipe,
1738 reject the bind_ack & set the transfer interface synt to all 0's,
1739 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1740 unknown to NT4)
1741 Needed when adding entries to a DACL from NT5 - SK */
1742
1743 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1744 hdr_rb.rpc_context[0].context_id )) {
1745 init_rpc_hdr_ba(&hdr_ba,
1746 RPC_MAX_PDU_FRAG_LEN,
1747 RPC_MAX_PDU_FRAG_LEN,
1748 assoc_gid,
1749 ack_pipe_name,
1750 0x1, 0x0, 0x0,
1751 &hdr_rb.rpc_context[0].transfer[0]);
1752 } else {
1753 RPC_IFACE null_interface;
1754 ZERO_STRUCT(null_interface);
1755 /* Rejection reason: abstract syntax not supported */
1756 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1757 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1758 ack_pipe_name, 0x1, 0x2, 0x1,
1759 &null_interface);
1760 p->pipe_bound = False;
1761 }
1762
1763 /*
1764 * and marshall it.
1765 */
1766
1767 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1768 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1769 goto err_exit;
1770 }
1771
1772 /*
1773 * Create the header, now we know the length.
1774 */
1775
1776 if (prs_offset(&out_auth)) {
1777 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1778 }
1779
1780 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1781 p->hdr.call_id,
1782 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1783 auth_len);
1784
1785 /*
1786 * Marshall the header into the outgoing PDU.
1787 */
1788
1789 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1790 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1791 goto err_exit;
1792 }
1793
1794 /*
1795 * Now add the RPC_HDR_BA and any auth needed.
1796 */
1797
1798 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1799 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1800 goto err_exit;
1801 }
1802
1803 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1804 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1805 goto err_exit;
1806 }
1807
1808 /*
1809 * Setup the lengths for the initial reply.
1810 */
1811
1812 p->out_data.data_sent_length = 0;
1813 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1814 p->out_data.current_pdu_sent = 0;
1815
1816 prs_mem_free(&out_hdr_ba);
1817 prs_mem_free(&out_auth);
1818
1819 return True;
1820
1821 err_exit:
1822
1823 prs_mem_free(&outgoing_rpc);
1824 prs_mem_free(&out_hdr_ba);
1825 prs_mem_free(&out_auth);
1826 return setup_bind_nak(p);
1827 }
1828
1829 /****************************************************************************
1830 Deal with an alter context call. Can be third part of 3 leg auth request for
1831 SPNEGO calls.
1832 ****************************************************************************/
1833
1834 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1835 {
1836 RPC_HDR_BA hdr_ba;
1837 RPC_HDR_RB hdr_rb;
1838 RPC_HDR_AUTH auth_info;
1839 uint16 assoc_gid;
1840 fstring ack_pipe_name;
1841 prs_struct out_hdr_ba;
1842 prs_struct out_auth;
1843 prs_struct outgoing_rpc;
1844 int auth_len = 0;
1845
1846 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1847
1848 /*
1849 * Marshall directly into the outgoing PDU space. We
1850 * must do this as we need to set to the bind response
1851 * header and are never sending more than one PDU here.
1852 */
1853
1854 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1855
1856 /*
1857 * Setup the memory to marshall the ba header, and the
1858 * auth footers.
1859 */
1860
1861 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1862 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1863 prs_mem_free(&outgoing_rpc);
1864 return False;
1865 }
1866
1867 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1868 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1869 prs_mem_free(&outgoing_rpc);
1870 prs_mem_free(&out_hdr_ba);
1871 return False;
1872 }
1873
1874 ZERO_STRUCT(hdr_rb);
1875
1876 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1877
1878 /* decode the alter context request */
1879 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1880 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1881 goto err_exit;
1882 }
1883
1884 /* secondary address CAN be NULL
1885 * as the specs say it's ignored.
1886 * It MUST be NULL to have the spoolss working.
1887 */
1888 fstrcpy(ack_pipe_name,"");
1889
1890 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1891
1892 /*
1893 * Check if this is an authenticated alter context request.
1894 */
1895
1896 if (p->hdr.auth_len != 0) {
1897 /*
1898 * Decode the authentication verifier.
1899 */
1900
1901 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1902 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1903 goto err_exit;
1904 }
1905
1906 /*
1907 * Currently only the SPNEGO auth type uses the alter ctx
1908 * response in place of the NTLMSSP auth3 type.
1909 */
1910
1911 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1912 /* We can only finish if the pipe is unbound. */
1913 if (!p->pipe_bound) {
1914 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1915 goto err_exit;
1916 }
1917 } else {
1918 goto err_exit;
1919 }
1920 }
1921 } else {
1922 ZERO_STRUCT(auth_info);
1923 }
1924
1925 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1926
1927 /*
1928 * Create the bind response struct.
1929 */
1930
1931 /* If the requested abstract synt uuid doesn't match our client pipe,
1932 reject the bind_ack & set the transfer interface synt to all 0's,
1933 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1934 unknown to NT4)
1935 Needed when adding entries to a DACL from NT5 - SK */
1936
1937 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1938 hdr_rb.rpc_context[0].context_id )) {
1939 init_rpc_hdr_ba(&hdr_ba,
1940 RPC_MAX_PDU_FRAG_LEN,
1941 RPC_MAX_PDU_FRAG_LEN,
1942 assoc_gid,
1943 ack_pipe_name,
1944 0x1, 0x0, 0x0,
1945 &hdr_rb.rpc_context[0].transfer[0]);
1946 } else {
1947 RPC_IFACE null_interface;
1948 ZERO_STRUCT(null_interface);
1949 /* Rejection reason: abstract syntax not supported */
1950 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1951 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1952 ack_pipe_name, 0x1, 0x2, 0x1,
1953 &null_interface);
1954 p->pipe_bound = False;
1955 }
1956
1957 /*
1958 * and marshall it.
1959 */
1960
1961 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1962 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1963 goto err_exit;
1964 }
1965
1966 /*
1967 * Create the header, now we know the length.
1968 */
1969
1970 if (prs_offset(&out_auth)) {
1971 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1972 }
1973
1974 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1975 p->hdr.call_id,
1976 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1977 auth_len);
1978
1979 /*
1980 * Marshall the header into the outgoing PDU.
1981 */
1982
1983 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1984 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1985 goto err_exit;
1986 }
1987
1988 /*
1989 * Now add the RPC_HDR_BA and any auth needed.
1990 */
1991
1992 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1993 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1994 goto err_exit;
1995 }
1996
1997 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1998 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1999 goto err_exit;
2000 }
2001
2002 /*
2003 * Setup the lengths for the initial reply.
2004 */
2005
2006 p->out_data.data_sent_length = 0;
2007 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
2008 p->out_data.current_pdu_sent = 0;
2009
2010 prs_mem_free(&out_hdr_ba);
2011 prs_mem_free(&out_auth);
2012
2013 return True;
2014
2015 err_exit:
2016
2017 prs_mem_free(&outgoing_rpc);
2018 prs_mem_free(&out_hdr_ba);
2019 prs_mem_free(&out_auth);
2020 return setup_bind_nak(p);
2021 }
2022
2023 /****************************************************************************
2024 Deal with NTLMSSP sign & seal processing on an RPC request.
2025 ****************************************************************************/
2026
2027 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2028 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2029 {
2030 RPC_HDR_AUTH auth_info;
2031 uint32 auth_len = p->hdr.auth_len;
2032 uint32 save_offset = prs_offset(rpc_in);
2033 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2034 unsigned char *data = NULL;
2035 size_t data_len;
2036 unsigned char *full_packet_data = NULL;
2037 size_t full_packet_data_len;
2038 DATA_BLOB auth_blob;
2039
2040 *pstatus = NT_STATUS_OK;
2041
2042 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2043 return True;
2044 }
2045
2046 if (!a) {
2047 *pstatus = NT_STATUS_INVALID_PARAMETER;
2048 return False;
2049 }
2050
2051 /* Ensure there's enough data for an authenticated request. */
2052 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2053 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2054 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2055 (unsigned int)auth_len ));
2056 *pstatus = NT_STATUS_INVALID_PARAMETER;
2057 return False;
2058 }
2059
2060 /*
2061 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2062 * after the RPC header.
2063 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2064 * functions as NTLMv2 checks the rpc headers also.
2065 */
2066
2067 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2068 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2069
2070 full_packet_data = p->in_data.current_in_pdu;
2071 full_packet_data_len = p->hdr.frag_len - auth_len;
2072
2073 /* Pull the auth header and the following data into a blob. */
2074 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2075 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2076 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2077 *pstatus = NT_STATUS_INVALID_PARAMETER;
2078 return False;
2079 }
2080
2081 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2082 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2083 *pstatus = NT_STATUS_INVALID_PARAMETER;
2084 return False;
2085 }
2086
2087 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2088 auth_blob.length = auth_len;
2089
2090 switch (p->auth.auth_level) {
2091 case PIPE_AUTH_LEVEL_PRIVACY:
2092 /* Data is encrypted. */
2093 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2094 data, data_len,
2095 full_packet_data,
2096 full_packet_data_len,
2097 &auth_blob);
2098 if (!NT_STATUS_IS_OK(*pstatus)) {
2099 return False;
2100 }
2101 break;
2102 case PIPE_AUTH_LEVEL_INTEGRITY:
2103 /* Data is signed. */
2104 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2105 data, data_len,
2106 full_packet_data,
2107 full_packet_data_len,
2108 &auth_blob);
2109 if (!NT_STATUS_IS_OK(*pstatus)) {
2110 return False;
2111 }
2112 break;
2113 default:
2114 *pstatus = NT_STATUS_INVALID_PARAMETER;
2115 return False;
2116 }
2117
2118 /*
2119 * Return the current pointer to the data offset.
2120 */
2121
2122 if(!prs_set_offset(rpc_in, save_offset)) {
2123 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2124 (unsigned int)save_offset ));
2125 *pstatus = NT_STATUS_INVALID_PARAMETER;
2126 return False;
2127 }
2128
2129 /*
2130 * Remember the padding length. We must remove it from the real data
2131 * stream once the sign/seal is done.
2132 */
2133
2134 *p_ss_padding_len = auth_info.auth_pad_len;
2135
2136 return True;
2137 }
2138
2139 /****************************************************************************
2140 Deal with schannel processing on an RPC request.
2141 ****************************************************************************/
2142
2143 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2144 {
2145 uint32 data_len;
2146 uint32 auth_len;
2147 uint32 save_offset = prs_offset(rpc_in);
2148 RPC_HDR_AUTH auth_info;
2149 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2150
2151 auth_len = p->hdr.auth_len;
2152
2153 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2154 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2155 return False;
2156 }
2157
2158 /*
2159 * The following is that length of the data we must verify or unseal.
2160 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2161 * preceeding the auth_data.
2162 */
2163
2164 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2165 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2166 (unsigned int)p->hdr.frag_len,
2167 (unsigned int)auth_len ));
2168 return False;
2169 }
2170
2171 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2172 RPC_HDR_AUTH_LEN - auth_len;
2173
2174 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2175
2176 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2177 DEBUG(0,("cannot move offset to %u.\n",
2178 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2179 return False;
2180 }
2181
2182 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2183 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2184 return False;
2185 }
2186
2187 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2188 DEBUG(0,("Invalid auth info %d on schannel\n",
2189 auth_info.auth_type));
2190 return False;
2191 }
2192
2193 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2194 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2195 return False;
2196 }
2197
2198 if (!schannel_decode(p->auth.a_u.schannel_auth,
2199 p->auth.auth_level,
2200 SENDER_IS_INITIATOR,
2201 &schannel_chk,
2202 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2203 DEBUG(3,("failed to decode PDU\n"));
2204 return False;
2205 }
2206
2207 /*
2208 * Return the current pointer to the data offset.
2209 */
2210
2211 if(!prs_set_offset(rpc_in, save_offset)) {
2212 DEBUG(0,("failed to set offset back to %u\n",
2213 (unsigned int)save_offset ));
2214 return False;
2215 }
2216
2217 /* The sequence number gets incremented on both send and receive. */
2218 p->auth.a_u.schannel_auth->seq_num++;
2219
2220 /*
2221 * Remember the padding length. We must remove it from the real data
2222 * stream once the sign/seal is done.
2223 */
2224
2225 *p_ss_padding_len = auth_info.auth_pad_len;
2226
2227 return True;
2228 }
2229
2230 /****************************************************************************
2231 Return a user struct for a pipe user.
2232 ****************************************************************************/
2233
2234 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2235 {
2236 if (p->pipe_bound &&
2237 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2238 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2239 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2240 } else {
2241 memcpy(user, &current_user, sizeof(struct current_user));
2242 }
2243
2244 return user;
2245 }
2246
2247 /****************************************************************************
2248 Find the set of RPC functions associated with this context_id
2249 ****************************************************************************/
2250
2251 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2252 {
2253 PIPE_RPC_FNS *fns = NULL;
2254 PIPE_RPC_FNS *tmp = NULL;
2255
2256 if ( !list ) {
2257 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2258 return NULL;
2259 }
2260
2261 for (tmp=list; tmp; tmp=tmp->next ) {
2262 if ( tmp->context_id == context_id )
2263 break;
2264 }
2265
2266 fns = tmp;
2267
2268 return fns;
2269 }
2270
2271 /****************************************************************************
2272 Memory cleanup.
2273 ****************************************************************************/
2274
2275 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2276 {
2277 PIPE_RPC_FNS *tmp = list;
2278 PIPE_RPC_FNS *tmp2;
2279
2280 while (tmp) {
2281 tmp2 = tmp->next;
2282 SAFE_FREE(tmp);
2283 tmp = tmp2;
2284 }
2285
2286 return;
2287 }
2288
2289 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2290 const struct api_struct *api_rpc_cmds, int n_cmds);
2291
2292 /****************************************************************************
2293 Find the correct RPC function to call for this request.
2294 If the pipe is authenticated then become the correct UNIX user
2295 before doing the call.
2296 ****************************************************************************/
2297
2298 bool api_pipe_request(pipes_struct *p)
2299 {
2300 bool ret = False;
2301 bool changed_user = False;
2302 PIPE_RPC_FNS *pipe_fns;
2303
2304 if (p->pipe_bound &&
2305 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2306 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2307 if(!become_authenticated_pipe_user(p)) {
2308 prs_mem_free(&p->out_data.rdata);
2309 return False;
2310 }
2311 changed_user = True;
2312 }
2313
2314 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2315
2316 /* get the set of RPC functions for this context */
2317
2318 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2319
2320 if ( pipe_fns ) {
2321 TALLOC_CTX *frame = talloc_stackframe();
2322 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2323 TALLOC_FREE(frame);
2324 }
2325 else {
2326 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2327 p->hdr_req.context_id, p->name));
2328 }
2329
2330 if (changed_user) {
2331 unbecome_authenticated_pipe_user();
2332 }
2333
2334 return ret;
2335 }
2336
2337 /*******************************************************************
2338 Calls the underlying RPC function for a named pipe.
2339 ********************************************************************/
2340
2341 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2342 const struct api_struct *api_rpc_cmds, int n_cmds)
2343 {
2344 int fn_num;
2345 fstring name;
2346 uint32 offset1, offset2;
2347
2348 /* interpret the command */
2349 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2350
2351 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2352 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2353
2354 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2355 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2356 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2357 break;
2358 }
2359 }
2360
2361 if (fn_num == n_cmds) {
2362 /*
2363 * For an unknown RPC just return a fault PDU but
2364 * return True to allow RPC's on the pipe to continue
2365 * and not put the pipe into fault state. JRA.
2366 */
2367 DEBUG(4, ("unknown\n"));
2368 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2369 return True;
2370 }
2371
2372 offset1 = prs_offset(&p->out_data.rdata);
2373
2374 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2375 fn_num, api_rpc_cmds[fn_num].fn));
2376 /* do the actual command */
2377 if(!api_rpc_cmds[fn_num].fn(p)) {
2378 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2379 prs_mem_free(&p->out_data.rdata);
2380 return False;
2381 }
2382
2383 if (p->bad_handle_fault_state) {
2384 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2385 p->bad_handle_fault_state = False;
2386 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2387 return True;
2388 }
2389
2390 if (p->rng_fault_state) {
2391 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2392 p->rng_fault_state = False;
2393 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2394 return True;
2395 }
2396
2397 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2398 offset2 = prs_offset(&p->out_data.rdata);
2399 prs_set_offset(&p->out_data.rdata, offset1);
2400 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2401 prs_set_offset(&p->out_data.rdata, offset2);
2402
2403 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2404
2405 /* Check for buffer underflow in rpc parsing */
2406
2407 if ((DEBUGLEVEL >= 10) &&
2408 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2409 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2410 char *data = (char *)SMB_MALLOC(data_len);
2411
2412 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2413 if (data) {
2414 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2415 SAFE_FREE(data);
2416 }
2417
2418 }
2419
2420 return True;
2421 }
Samba GIT mirror