search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tdb: raise version to 1.2.1
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob46f67f499b100fc6a2163015ac20486adb4c0c09
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "../librpc/gen_ndr/ndr_schannel.h"
32 #include "../libcli/auth/schannel.h"
33 #include "../libcli/auth/spnego.h"
34
35 extern struct current_user current_user;
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
41 {
42 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
43
44 if (a) {
45 auth_ntlmssp_end(&a);
46 }
47 auth->a_u.auth_ntlmssp_state = NULL;
48 }
49
50 static DATA_BLOB generic_session_key(void)
51 {
52 return data_blob("SystemLibraryDTC", 16);
53 }
54
55 /*******************************************************************
56 Generate the next PDU to be returned from the data in p->rdata.
57 Handle NTLMSSP.
58 ********************************************************************/
59
60 static bool create_next_pdu_ntlmssp(pipes_struct *p)
61 {
62 RPC_HDR_RESP hdr_resp;
63 uint32 ss_padding_len = 0;
64 uint32 data_space_available;
65 uint32 data_len_left;
66 uint32 data_len;
67 NTSTATUS status;
68 DATA_BLOB auth_blob;
69 RPC_HDR_AUTH auth_info;
70 uint8 auth_type, auth_level;
71 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
72
73 /*
74 * If we're in the fault state, keep returning fault PDU's until
75 * the pipe gets closed. JRA.
76 */
77
78 if(p->fault_state) {
79 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
80 return True;
81 }
82
83 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
84
85 /* Change the incoming request header to a response. */
86 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
87
88 /* Set up rpc header flags. */
89 if (p->out_data.data_sent_length == 0) {
90 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
91 } else {
92 p->hdr.flags = 0;
93 }
94
95 /*
96 * Work out how much we can fit in a single PDU.
97 */
98
99 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
100
101 /*
102 * Ensure there really is data left to send.
103 */
104
105 if(!data_len_left) {
106 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
107 return False;
108 }
109
110 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
111 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
112
113 /*
114 * The amount we send is the minimum of the available
115 * space and the amount left to send.
116 */
117
118 data_len = MIN(data_len_left, data_space_available);
119
120 /*
121 * Set up the alloc hint. This should be the data left to
122 * send.
123 */
124
125 hdr_resp.alloc_hint = data_len_left;
126
127 /*
128 * Work out if this PDU will be the last.
129 */
130
131 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
132 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
133 if (data_len_left % 8) {
134 ss_padding_len = 8 - (data_len_left % 8);
135 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
136 ss_padding_len ));
137 }
138 }
139
140 /*
141 * Set up the header lengths.
142 */
143
144 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
145 data_len + ss_padding_len +
146 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
147 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
148
149
150 /*
151 * Init the parse struct to point at the outgoing
152 * data.
153 */
154
155 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
156
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&p->out_data.frag);
161 return False;
162 }
163
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&p->out_data.frag);
167 return False;
168 }
169
170 /* Copy the data into the PDU. */
171
172 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
173 p->out_data.data_sent_length, data_len)) {
174 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
175 prs_mem_free(&p->out_data.frag);
176 return False;
177 }
178
179 /* Copy the sign/seal padding data. */
180 if (ss_padding_len) {
181 char pad[8];
182
183 memset(pad, '\0', 8);
184 if (!prs_copy_data_in(&p->out_data.frag, pad,
185 ss_padding_len)) {
186 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
187 (unsigned int)ss_padding_len));
188 prs_mem_free(&p->out_data.frag);
189 return False;
190 }
191 }
192
193
194 /* Now write out the auth header and null blob. */
195 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
196 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
197 } else {
198 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
199 }
200 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
201 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
202 } else {
203 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
204 }
205
206 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
207 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
208 0)) {
209 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
210 prs_mem_free(&p->out_data.frag);
211 return False;
212 }
213
214 /* Generate the sign blob. */
215
216 switch (p->auth.auth_level) {
217 case DCERPC_AUTH_LEVEL_PRIVACY:
218 /* Data portion is encrypted. */
219 status = ntlmssp_seal_packet(
220 a->ntlmssp_state,
221 (uint8_t *)prs_data_p(&p->out_data.frag)
222 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
223 data_len + ss_padding_len,
224 (unsigned char *)prs_data_p(&p->out_data.frag),
225 (size_t)prs_offset(&p->out_data.frag),
226 &auth_blob);
227 if (!NT_STATUS_IS_OK(status)) {
228 data_blob_free(&auth_blob);
229 prs_mem_free(&p->out_data.frag);
230 return False;
231 }
232 break;
233 case DCERPC_AUTH_LEVEL_INTEGRITY:
234 /* Data is signed. */
235 status = ntlmssp_sign_packet(
236 a->ntlmssp_state,
237 (unsigned char *)prs_data_p(&p->out_data.frag)
238 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
239 data_len + ss_padding_len,
240 (unsigned char *)prs_data_p(&p->out_data.frag),
241 (size_t)prs_offset(&p->out_data.frag),
242 &auth_blob);
243 if (!NT_STATUS_IS_OK(status)) {
244 data_blob_free(&auth_blob);
245 prs_mem_free(&p->out_data.frag);
246 return False;
247 }
248 break;
249 default:
250 prs_mem_free(&p->out_data.frag);
251 return False;
252 }
253
254 /* Append the auth blob. */
255 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
256 NTLMSSP_SIG_SIZE)) {
257 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
258 (unsigned int)NTLMSSP_SIG_SIZE));
259 data_blob_free(&auth_blob);
260 prs_mem_free(&p->out_data.frag);
261 return False;
262 }
263
264 data_blob_free(&auth_blob);
265
266 /*
267 * Setup the counts for this PDU.
268 */
269
270 p->out_data.data_sent_length += data_len;
271 p->out_data.current_pdu_sent = 0;
272
273 return True;
274 }
275
276 /*******************************************************************
277 Generate the next PDU to be returned from the data in p->rdata.
278 Return an schannel authenticated fragment.
279 ********************************************************************/
280
281 static bool create_next_pdu_schannel(pipes_struct *p)
282 {
283 RPC_HDR_RESP hdr_resp;
284 uint32 ss_padding_len = 0;
285 uint32 data_len;
286 uint32 data_space_available;
287 uint32 data_len_left;
288 uint32 data_pos;
289 NTSTATUS status;
290
291 /*
292 * If we're in the fault state, keep returning fault PDU's until
293 * the pipe gets closed. JRA.
294 */
295
296 if(p->fault_state) {
297 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
298 return True;
299 }
300
301 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
302
303 /* Change the incoming request header to a response. */
304 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
305
306 /* Set up rpc header flags. */
307 if (p->out_data.data_sent_length == 0) {
308 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
309 } else {
310 p->hdr.flags = 0;
311 }
312
313 /*
314 * Work out how much we can fit in a single PDU.
315 */
316
317 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
318
319 /*
320 * Ensure there really is data left to send.
321 */
322
323 if(!data_len_left) {
324 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
325 return False;
326 }
327
328 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
329 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
330 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
331
332 /*
333 * The amount we send is the minimum of the available
334 * space and the amount left to send.
335 */
336
337 data_len = MIN(data_len_left, data_space_available);
338
339 /*
340 * Set up the alloc hint. This should be the data left to
341 * send.
342 */
343
344 hdr_resp.alloc_hint = data_len_left;
345
346 /*
347 * Work out if this PDU will be the last.
348 */
349
350 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
351 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
352 if (data_len_left % 8) {
353 ss_padding_len = 8 - (data_len_left % 8);
354 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
355 ss_padding_len ));
356 }
357 }
358
359 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
360 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
361 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
362
363 /*
364 * Init the parse struct to point at the outgoing
365 * data.
366 */
367
368 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
369
370 /* Store the header in the data stream. */
371 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
373 prs_mem_free(&p->out_data.frag);
374 return False;
375 }
376
377 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
378 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
379 prs_mem_free(&p->out_data.frag);
380 return False;
381 }
382
383 /* Store the current offset. */
384 data_pos = prs_offset(&p->out_data.frag);
385
386 /* Copy the data into the PDU. */
387
388 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
389 p->out_data.data_sent_length, data_len)) {
390 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
391 prs_mem_free(&p->out_data.frag);
392 return False;
393 }
394
395 /* Copy the sign/seal padding data. */
396 if (ss_padding_len) {
397 char pad[8];
398 memset(pad, '\0', 8);
399 if (!prs_copy_data_in(&p->out_data.frag, pad,
400 ss_padding_len)) {
401 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
402 prs_mem_free(&p->out_data.frag);
403 return False;
404 }
405 }
406
407 {
408 /*
409 * Schannel processing.
410 */
411 RPC_HDR_AUTH auth_info;
412 DATA_BLOB blob;
413 uint8_t *data;
414
415 /* Check it's the type of reply we were expecting to decode */
416
417 init_rpc_hdr_auth(&auth_info,
418 DCERPC_AUTH_TYPE_SCHANNEL,
419 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
420 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
421 ss_padding_len, 1);
422
423 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
424 &p->out_data.frag, 0)) {
425 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
426 prs_mem_free(&p->out_data.frag);
427 return False;
428 }
429
430 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
431
432 switch (p->auth.auth_level) {
433 case DCERPC_AUTH_LEVEL_PRIVACY:
434 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
435 talloc_tos(),
436 true,
437 data,
438 data_len + ss_padding_len,
439 &blob);
440 break;
441 case DCERPC_AUTH_LEVEL_INTEGRITY:
442 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
443 talloc_tos(),
444 false,
445 data,
446 data_len + ss_padding_len,
447 &blob);
448 break;
449 default:
450 status = NT_STATUS_INTERNAL_ERROR;
451 break;
452 }
453
454 if (!NT_STATUS_IS_OK(status)) {
455 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
456 nt_errstr(status)));
457 prs_mem_free(&p->out_data.frag);
458 return false;
459 }
460
461 /* Finally marshall the blob. */
462
463 if (DEBUGLEVEL >= 10) {
464 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
465 }
466
467 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
468 prs_mem_free(&p->out_data.frag);
469 return false;
470 }
471 }
472
473 /*
474 * Setup the counts for this PDU.
475 */
476
477 p->out_data.data_sent_length += data_len;
478 p->out_data.current_pdu_sent = 0;
479
480 return True;
481 }
482
483 /*******************************************************************
484 Generate the next PDU to be returned from the data in p->rdata.
485 No authentication done.
486 ********************************************************************/
487
488 static bool create_next_pdu_noauth(pipes_struct *p)
489 {
490 RPC_HDR_RESP hdr_resp;
491 uint32 data_len;
492 uint32 data_space_available;
493 uint32 data_len_left;
494
495 /*
496 * If we're in the fault state, keep returning fault PDU's until
497 * the pipe gets closed. JRA.
498 */
499
500 if(p->fault_state) {
501 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
502 return True;
503 }
504
505 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
506
507 /* Change the incoming request header to a response. */
508 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
509
510 /* Set up rpc header flags. */
511 if (p->out_data.data_sent_length == 0) {
512 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
513 } else {
514 p->hdr.flags = 0;
515 }
516
517 /*
518 * Work out how much we can fit in a single PDU.
519 */
520
521 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
522
523 /*
524 * Ensure there really is data left to send.
525 */
526
527 if(!data_len_left) {
528 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
529 return False;
530 }
531
532 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
533 - RPC_HDR_RESP_LEN;
534
535 /*
536 * The amount we send is the minimum of the available
537 * space and the amount left to send.
538 */
539
540 data_len = MIN(data_len_left, data_space_available);
541
542 /*
543 * Set up the alloc hint. This should be the data left to
544 * send.
545 */
546
547 hdr_resp.alloc_hint = data_len_left;
548
549 /*
550 * Work out if this PDU will be the last.
551 */
552
553 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
554 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
555 }
556
557 /*
558 * Set up the header lengths.
559 */
560
561 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
562 p->hdr.auth_len = 0;
563
564 /*
565 * Init the parse struct to point at the outgoing
566 * data.
567 */
568
569 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
570
571 /* Store the header in the data stream. */
572 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
573 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
574 prs_mem_free(&p->out_data.frag);
575 return False;
576 }
577
578 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
579 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
580 prs_mem_free(&p->out_data.frag);
581 return False;
582 }
583
584 /* Copy the data into the PDU. */
585
586 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
587 p->out_data.data_sent_length, data_len)) {
588 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
589 prs_mem_free(&p->out_data.frag);
590 return False;
591 }
592
593 /*
594 * Setup the counts for this PDU.
595 */
596
597 p->out_data.data_sent_length += data_len;
598 p->out_data.current_pdu_sent = 0;
599
600 return True;
601 }
602
603 /*******************************************************************
604 Generate the next PDU to be returned from the data in p->rdata.
605 ********************************************************************/
606
607 bool create_next_pdu(pipes_struct *p)
608 {
609 switch(p->auth.auth_level) {
610 case DCERPC_AUTH_LEVEL_NONE:
611 case DCERPC_AUTH_LEVEL_CONNECT:
612 /* This is incorrect for auth level connect. Fixme. JRA */
613 return create_next_pdu_noauth(p);
614
615 default:
616 switch(p->auth.auth_type) {
617 case PIPE_AUTH_TYPE_NTLMSSP:
618 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
619 return create_next_pdu_ntlmssp(p);
620 case PIPE_AUTH_TYPE_SCHANNEL:
621 return create_next_pdu_schannel(p);
622 default:
623 break;
624 }
625 }
626
627 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
628 (unsigned int)p->auth.auth_level,
629 (unsigned int)p->auth.auth_type));
630 return False;
631 }
632
633 /*******************************************************************
634 Process an NTLMSSP authentication response.
635 If this function succeeds, the user has been authenticated
636 and their domain, name and calling workstation stored in
637 the pipe struct.
638 *******************************************************************/
639
640 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
641 {
642 DATA_BLOB session_key, reply;
643 NTSTATUS status;
644 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
645 bool ret;
646
647 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
648 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
649
650 ZERO_STRUCT(reply);
651
652 /* this has to be done as root in order to verify the password */
653 become_root();
654 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
655 unbecome_root();
656
657 /* Don't generate a reply. */
658 data_blob_free(&reply);
659
660 if (!NT_STATUS_IS_OK(status)) {
661 return False;
662 }
663
664 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
665 ensure the underlying NTLMSSP flags are also set. If not we should
666 refuse the bind. */
667
668 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
669 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
670 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
671 "but client declined signing.\n",
672 get_pipe_name_from_syntax(talloc_tos(),
673 &p->syntax)));
674 return False;
675 }
676 }
677 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
678 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
679 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
680 "but client declined sealing.\n",
681 get_pipe_name_from_syntax(talloc_tos(),
682 &p->syntax)));
683 return False;
684 }
685 }
686
687 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688 "workstation: %s\n", a->ntlmssp_state->user,
689 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691 if (a->server_info->ptok == NULL) {
692 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693 return False;
694 }
695
696 TALLOC_FREE(p->server_info);
697
698 p->server_info = copy_serverinfo(p, a->server_info);
699 if (p->server_info == NULL) {
700 DEBUG(0, ("copy_serverinfo failed\n"));
701 return false;
702 }
703
704 /*
705 * We're an authenticated bind over smb, so the session key needs to
706 * be set to "SystemLibraryDTC". Weird, but this is what Windows
707 * does. See the RPC-SAMBA3SESSIONKEY.
708 */
709
710 session_key = generic_session_key();
711 if (session_key.data == NULL) {
712 return False;
713 }
714
715 ret = server_info_set_session_key(p->server_info, session_key);
716
717 data_blob_free(&session_key);
718
719 return True;
720 }
721
722 /*******************************************************************
723 The switch table for the pipe names and the functions to handle them.
724 *******************************************************************/
725
726 struct rpc_table {
727 struct {
728 const char *clnt;
729 const char *srv;
730 } pipe;
731 struct ndr_syntax_id rpc_interface;
732 const struct api_struct *cmds;
733 int n_cmds;
734 };
735
736 static struct rpc_table *rpc_lookup;
737 static int rpc_lookup_size;
738
739 /*******************************************************************
740 This is the "stage3" NTLMSSP response after a bind request and reply.
741 *******************************************************************/
742
743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744 {
745 RPC_HDR_AUTH auth_info;
746 uint32 pad = 0;
747 DATA_BLOB blob;
748
749 ZERO_STRUCT(blob);
750
751 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753 if (p->hdr.auth_len == 0) {
754 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755 goto err;
756 }
757
758 /* 4 bytes padding. */
759 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761 goto err;
762 }
763
764 /*
765 * Decode the authentication verifier response.
766 */
767
768 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770 goto err;
771 }
772
773 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775 (unsigned int)auth_info.auth_type ));
776 return False;
777 }
778
779 blob = data_blob(NULL,p->hdr.auth_len);
780
781 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783 (unsigned int)p->hdr.auth_len ));
784 goto err;
785 }
786
787 /*
788 * The following call actually checks the challenge/response data.
789 * for correctness against the given DOMAIN\user name.
790 */
791
792 if (!pipe_ntlmssp_verify_final(p, &blob)) {
793 goto err;
794 }
795
796 data_blob_free(&blob);
797
798 p->pipe_bound = True;
799
800 return True;
801
802 err:
803
804 data_blob_free(&blob);
805 free_pipe_ntlmssp_auth_data(&p->auth);
806 p->auth.a_u.auth_ntlmssp_state = NULL;
807
808 return False;
809 }
810
811 /*******************************************************************
812 Marshall a bind_nak pdu.
813 *******************************************************************/
814
815 static bool setup_bind_nak(pipes_struct *p)
816 {
817 RPC_HDR nak_hdr;
818 uint16 zero = 0;
819
820 /* Free any memory in the current return data buffer. */
821 prs_mem_free(&p->out_data.rdata);
822
823 /*
824 * Marshall directly into the outgoing PDU space. We
825 * must do this as we need to set to the bind response
826 * header and are never sending more than one PDU here.
827 */
828
829 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831 /*
832 * Initialize a bind_nak header.
833 */
834
835 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838 /*
839 * Marshall the header into the outgoing PDU.
840 */
841
842 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844 prs_mem_free(&p->out_data.frag);
845 return False;
846 }
847
848 /*
849 * Now add the reject reason.
850 */
851
852 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853 prs_mem_free(&p->out_data.frag);
854 return False;
855 }
856
857 p->out_data.data_sent_length = 0;
858 p->out_data.current_pdu_sent = 0;
859
860 if (p->auth.auth_data_free_func) {
861 (*p->auth.auth_data_free_func)(&p->auth);
862 }
863 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865 p->pipe_bound = False;
866
867 return True;
868 }
869
870 /*******************************************************************
871 Marshall a fault pdu.
872 *******************************************************************/
873
874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875 {
876 RPC_HDR fault_hdr;
877 RPC_HDR_RESP hdr_resp;
878 RPC_HDR_FAULT fault_resp;
879
880 /* Free any memory in the current return data buffer. */
881 prs_mem_free(&p->out_data.rdata);
882
883 /*
884 * Marshall directly into the outgoing PDU space. We
885 * must do this as we need to set to the bind response
886 * header and are never sending more than one PDU here.
887 */
888
889 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891 /*
892 * Initialize a fault header.
893 */
894
895 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898 /*
899 * Initialize the HDR_RESP and FAULT parts of the PDU.
900 */
901
902 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904 fault_resp.status = status;
905 fault_resp.reserved = 0;
906
907 /*
908 * Marshall the header into the outgoing PDU.
909 */
910
911 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913 prs_mem_free(&p->out_data.frag);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919 prs_mem_free(&p->out_data.frag);
920 return False;
921 }
922
923 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925 prs_mem_free(&p->out_data.frag);
926 return False;
927 }
928
929 p->out_data.data_sent_length = 0;
930 p->out_data.current_pdu_sent = 0;
931
932 return True;
933 }
934
935 #if 0
936 /*******************************************************************
937 Marshall a cancel_ack pdu.
938 We should probably check the auth-verifier here.
939 *******************************************************************/
940
941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942 {
943 prs_struct outgoing_pdu;
944 RPC_HDR ack_reply_hdr;
945
946 /* Free any memory in the current return data buffer. */
947 prs_mem_free(&p->out_data.rdata);
948
949 /*
950 * Marshall directly into the outgoing PDU space. We
951 * must do this as we need to set to the bind response
952 * header and are never sending more than one PDU here.
953 */
954
955 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958 /*
959 * Initialize a cancel_ack header.
960 */
961
962 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963 p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965 /*
966 * Marshall the header into the outgoing PDU.
967 */
968
969 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971 prs_mem_free(&outgoing_pdu);
972 return False;
973 }
974
975 p->out_data.data_sent_length = 0;
976 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977 p->out_data.current_pdu_sent = 0;
978
979 prs_mem_free(&outgoing_pdu);
980 return True;
981 }
982 #endif
983
984 /*******************************************************************
985 Ensure a bind request has the correct abstract & transfer interface.
986 Used to reject unknown binds from Win2k.
987 *******************************************************************/
988
989 static bool check_bind_req(struct pipes_struct *p,
990 struct ndr_syntax_id* abstract,
991 struct ndr_syntax_id* transfer,
992 uint32 context_id)
993 {
994 int i=0;
995 struct pipe_rpc_fns *context_fns;
996
997 DEBUG(3,("check_bind_req for %s\n",
998 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
999
1000 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1001
1002 for (i=0; i<rpc_lookup_size; i++) {
1003 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1004 if (ndr_syntax_id_equal(
1005 abstract, &rpc_lookup[i].rpc_interface)
1006 && ndr_syntax_id_equal(
1007 transfer, &ndr_transfer_syntax)) {
1008 break;
1009 }
1010 }
1011
1012 if (i == rpc_lookup_size) {
1013 return false;
1014 }
1015
1016 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1017 if (context_fns == NULL) {
1018 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1019 return False;
1020 }
1021
1022 context_fns->cmds = rpc_lookup[i].cmds;
1023 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1024 context_fns->context_id = context_id;
1025
1026 /* add to the list of open contexts */
1027
1028 DLIST_ADD( p->contexts, context_fns );
1029
1030 return True;
1031 }
1032
1033 /*******************************************************************
1034 Register commands to an RPC pipe
1035 *******************************************************************/
1036
1037 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1038 const struct ndr_interface_table *iface,
1039 const struct api_struct *cmds, int size)
1040 {
1041 struct rpc_table *rpc_entry;
1042
1043 if (!clnt || !srv || !cmds) {
1044 return NT_STATUS_INVALID_PARAMETER;
1045 }
1046
1047 if (version != SMB_RPC_INTERFACE_VERSION) {
1048 DEBUG(0,("Can't register rpc commands!\n"
1049 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1050 ", while this version of samba uses version %d!\n",
1051 version,SMB_RPC_INTERFACE_VERSION));
1052 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1053 }
1054
1055 /* TODO:
1056 *
1057 * we still need to make sure that don't register the same commands twice!!!
1058 *
1059 * --metze
1060 */
1061
1062 /* We use a temporary variable because this call can fail and
1063 rpc_lookup will still be valid afterwards. It could then succeed if
1064 called again later */
1065 rpc_lookup_size++;
1066 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1067 if (NULL == rpc_entry) {
1068 rpc_lookup_size--;
1069 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1070 return NT_STATUS_NO_MEMORY;
1071 } else {
1072 rpc_lookup = rpc_entry;
1073 }
1074
1075 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1076 ZERO_STRUCTP(rpc_entry);
1077 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1078 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1079 rpc_entry->rpc_interface = iface->syntax_id;
1080 rpc_entry->cmds = cmds;
1081 rpc_entry->n_cmds = size;
1082
1083 return NT_STATUS_OK;
1084 }
1085
1086 /**
1087 * Is a named pipe known?
1088 * @param[in] cli_filename The pipe name requested by the client
1089 * @result Do we want to serve this?
1090 */
1091 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1092 {
1093 const char *pipename = cli_filename;
1094 int i;
1095 NTSTATUS status;
1096
1097 if (strnequal(pipename, "\\PIPE\\", 6)) {
1098 pipename += 5;
1099 }
1100
1101 if (*pipename == '\\') {
1102 pipename += 1;
1103 }
1104
1105 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1106 DEBUG(10, ("refusing spoolss access\n"));
1107 return false;
1108 }
1109
1110 for (i=0; i<rpc_lookup_size; i++) {
1111 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1112 *syntax = rpc_lookup[i].rpc_interface;
1113 return true;
1114 }
1115 }
1116
1117 status = smb_probe_module("rpc", pipename);
1118 if (!NT_STATUS_IS_OK(status)) {
1119 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1120 return false;
1121 }
1122 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1123
1124 /*
1125 * Scan the list again for the interface id
1126 */
1127
1128 for (i=0; i<rpc_lookup_size; i++) {
1129 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1130 *syntax = rpc_lookup[i].rpc_interface;
1131 return true;
1132 }
1133 }
1134
1135 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1136 pipename));
1137
1138 return false;
1139 }
1140
1141 /*******************************************************************
1142 Handle a SPNEGO krb5 bind auth.
1143 *******************************************************************/
1144
1145 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1146 DATA_BLOB *psecblob, prs_struct *pout_auth)
1147 {
1148 return False;
1149 }
1150
1151 /*******************************************************************
1152 Handle the first part of a SPNEGO bind auth.
1153 *******************************************************************/
1154
1155 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1156 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1157 {
1158 DATA_BLOB blob;
1159 DATA_BLOB secblob;
1160 DATA_BLOB response;
1161 DATA_BLOB chal;
1162 char *OIDs[ASN1_MAX_OIDS];
1163 int i;
1164 NTSTATUS status;
1165 bool got_kerberos_mechanism = false;
1166 AUTH_NTLMSSP_STATE *a = NULL;
1167 RPC_HDR_AUTH auth_info;
1168
1169 ZERO_STRUCT(secblob);
1170 ZERO_STRUCT(chal);
1171 ZERO_STRUCT(response);
1172
1173 /* Grab the SPNEGO blob. */
1174 blob = data_blob(NULL,p->hdr.auth_len);
1175
1176 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1177 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1178 (unsigned int)p->hdr.auth_len ));
1179 goto err;
1180 }
1181
1182 if (blob.data[0] != ASN1_APPLICATION(0)) {
1183 goto err;
1184 }
1185
1186 /* parse out the OIDs and the first sec blob */
1187 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1188 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1189 goto err;
1190 }
1191
1192 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1193 got_kerberos_mechanism = true;
1194 }
1195
1196 for (i=0;OIDs[i];i++) {
1197 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1198 TALLOC_FREE(OIDs[i]);
1199 }
1200 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1201
1202 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1203 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1204 data_blob_free(&secblob);
1205 data_blob_free(&blob);
1206 return ret;
1207 }
1208
1209 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1210 /* Free any previous auth type. */
1211 free_pipe_ntlmssp_auth_data(&p->auth);
1212 }
1213
1214 if (!got_kerberos_mechanism) {
1215 /* Initialize the NTLM engine. */
1216 status = auth_ntlmssp_start(&a);
1217 if (!NT_STATUS_IS_OK(status)) {
1218 goto err;
1219 }
1220
1221 /*
1222 * Pass the first security blob of data to it.
1223 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1224 * which means we need another packet to complete the bind.
1225 */
1226
1227 status = auth_ntlmssp_update(a, secblob, &chal);
1228
1229 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1230 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1231 goto err;
1232 }
1233
1234 /* Generate the response blob we need for step 2 of the bind. */
1235 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1236 } else {
1237 /*
1238 * SPNEGO negotiate down to NTLMSSP. The subsequent
1239 * code to process follow-up packets is not complete
1240 * yet. JRA.
1241 */
1242 response = spnego_gen_auth_response(NULL,
1243 NT_STATUS_MORE_PROCESSING_REQUIRED,
1244 OID_NTLMSSP);
1245 }
1246
1247 /* Copy the blob into the pout_auth parse struct */
1248 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1249 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1250 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1251 goto err;
1252 }
1253
1254 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1255 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1256 goto err;
1257 }
1258
1259 p->auth.a_u.auth_ntlmssp_state = a;
1260 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1261 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1262
1263 data_blob_free(&blob);
1264 data_blob_free(&secblob);
1265 data_blob_free(&chal);
1266 data_blob_free(&response);
1267
1268 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1269 return True;
1270
1271 err:
1272
1273 data_blob_free(&blob);
1274 data_blob_free(&secblob);
1275 data_blob_free(&chal);
1276 data_blob_free(&response);
1277
1278 p->auth.a_u.auth_ntlmssp_state = NULL;
1279
1280 return False;
1281 }
1282
1283 /*******************************************************************
1284 Handle the second part of a SPNEGO bind auth.
1285 *******************************************************************/
1286
1287 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1288 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1289 {
1290 RPC_HDR_AUTH auth_info;
1291 DATA_BLOB spnego_blob;
1292 DATA_BLOB auth_blob;
1293 DATA_BLOB auth_reply;
1294 DATA_BLOB response;
1295 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1296
1297 ZERO_STRUCT(spnego_blob);
1298 ZERO_STRUCT(auth_blob);
1299 ZERO_STRUCT(auth_reply);
1300 ZERO_STRUCT(response);
1301
1302 /*
1303 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1304 * fail here as 'a' == NULL.
1305 */
1306 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1307 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1308 goto err;
1309 }
1310
1311 /* Grab the SPNEGO blob. */
1312 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1313
1314 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1315 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1316 (unsigned int)p->hdr.auth_len ));
1317 goto err;
1318 }
1319
1320 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1321 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1322 goto err;
1323 }
1324
1325 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1326 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1327 goto err;
1328 }
1329
1330 /*
1331 * The following call actually checks the challenge/response data.
1332 * for correctness against the given DOMAIN\user name.
1333 */
1334
1335 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1336 goto err;
1337 }
1338
1339 data_blob_free(&spnego_blob);
1340 data_blob_free(&auth_blob);
1341
1342 /* Generate the spnego "accept completed" blob - no incoming data. */
1343 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1344
1345 /* Copy the blob into the pout_auth parse struct */
1346 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1347 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1348 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1349 goto err;
1350 }
1351
1352 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1353 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1354 goto err;
1355 }
1356
1357 data_blob_free(&auth_reply);
1358 data_blob_free(&response);
1359
1360 p->pipe_bound = True;
1361
1362 return True;
1363
1364 err:
1365
1366 data_blob_free(&spnego_blob);
1367 data_blob_free(&auth_blob);
1368 data_blob_free(&auth_reply);
1369 data_blob_free(&response);
1370
1371 free_pipe_ntlmssp_auth_data(&p->auth);
1372 p->auth.a_u.auth_ntlmssp_state = NULL;
1373
1374 return False;
1375 }
1376
1377 /*******************************************************************
1378 Handle an schannel bind auth.
1379 *******************************************************************/
1380
1381 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1382 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1383 {
1384 RPC_HDR_AUTH auth_info;
1385 struct NL_AUTH_MESSAGE neg;
1386 struct NL_AUTH_MESSAGE reply;
1387 bool ret;
1388 NTSTATUS status;
1389 struct netlogon_creds_CredentialState *creds;
1390 DATA_BLOB session_key;
1391 enum ndr_err_code ndr_err;
1392 DATA_BLOB blob;
1393
1394 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1395 prs_data_size(rpc_in_p));
1396
1397 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1398 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1399 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1400 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1401 return false;
1402 }
1403
1404 if (DEBUGLEVEL >= 10) {
1405 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1406 }
1407
1408 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1409 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1410 return false;
1411 }
1412
1413 /*
1414 * The neg.oem_netbios_computer.a key here must match the remote computer name
1415 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1416 * operations that use credentials.
1417 */
1418
1419 become_root();
1420 status = schannel_fetch_session_key(p,
1421 neg.oem_netbios_computer.a,
1422 &creds);
1423 unbecome_root();
1424
1425 if (!NT_STATUS_IS_OK(status)) {
1426 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1427 return False;
1428 }
1429
1430 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1431 if (!p->auth.a_u.schannel_auth) {
1432 TALLOC_FREE(creds);
1433 return False;
1434 }
1435
1436 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1437 p->auth.a_u.schannel_auth->seq_num = 0;
1438 p->auth.a_u.schannel_auth->initiator = false;
1439 p->auth.a_u.schannel_auth->creds = creds;
1440
1441 /*
1442 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1443 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1444 * struct of the person who opened the pipe. I need to test this further. JRA.
1445 *
1446 * VL. As we are mapping this to guest set the generic key
1447 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1448 * W2k3, as it does not allow schannel binds against SAMR and LSA
1449 * anymore.
1450 */
1451
1452 session_key = generic_session_key();
1453 if (session_key.data == NULL) {
1454 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1455 " key\n"));
1456 return false;
1457 }
1458
1459 ret = server_info_set_session_key(p->server_info, session_key);
1460
1461 data_blob_free(&session_key);
1462
1463 if (!ret) {
1464 DEBUG(0, ("server_info_set_session_key failed\n"));
1465 return false;
1466 }
1467
1468 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1469 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1470 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1471 return False;
1472 }
1473
1474 /*** SCHANNEL verifier ***/
1475
1476 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1477 reply.Flags = 0;
1478 reply.Buffer.dummy = 5; /* ??? actually I don't think
1479 * this has any meaning
1480 * here - gd */
1481
1482 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1483 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1484 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1485 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1486 return false;
1487 }
1488
1489 if (DEBUGLEVEL >= 10) {
1490 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1491 }
1492
1493 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1494 return false;
1495 }
1496
1497 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1498 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1499
1500 /* We're finished with this bind - no more packets. */
1501 p->auth.auth_data_free_func = NULL;
1502 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1503
1504 p->pipe_bound = True;
1505
1506 return True;
1507 }
1508
1509 /*******************************************************************
1510 Handle an NTLMSSP bind auth.
1511 *******************************************************************/
1512
1513 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1514 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1515 {
1516 RPC_HDR_AUTH auth_info;
1517 DATA_BLOB blob;
1518 DATA_BLOB response;
1519 NTSTATUS status;
1520 AUTH_NTLMSSP_STATE *a = NULL;
1521
1522 ZERO_STRUCT(blob);
1523 ZERO_STRUCT(response);
1524
1525 /* Grab the NTLMSSP blob. */
1526 blob = data_blob(NULL,p->hdr.auth_len);
1527
1528 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1529 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1530 (unsigned int)p->hdr.auth_len ));
1531 goto err;
1532 }
1533
1534 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1535 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1536 goto err;
1537 }
1538
1539 /* We have an NTLMSSP blob. */
1540 status = auth_ntlmssp_start(&a);
1541 if (!NT_STATUS_IS_OK(status)) {
1542 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1543 nt_errstr(status) ));
1544 goto err;
1545 }
1546
1547 status = auth_ntlmssp_update(a, blob, &response);
1548 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1549 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1550 nt_errstr(status) ));
1551 goto err;
1552 }
1553
1554 data_blob_free(&blob);
1555
1556 /* Copy the blob into the pout_auth parse struct */
1557 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1558 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1559 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1560 goto err;
1561 }
1562
1563 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1564 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1565 goto err;
1566 }
1567
1568 p->auth.a_u.auth_ntlmssp_state = a;
1569 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1570 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1571
1572 data_blob_free(&blob);
1573 data_blob_free(&response);
1574
1575 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1576
1577 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1578 return True;
1579
1580 err:
1581
1582 data_blob_free(&blob);
1583 data_blob_free(&response);
1584
1585 free_pipe_ntlmssp_auth_data(&p->auth);
1586 p->auth.a_u.auth_ntlmssp_state = NULL;
1587 return False;
1588 }
1589
1590 /*******************************************************************
1591 Respond to a pipe bind request.
1592 *******************************************************************/
1593
1594 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1595 {
1596 RPC_HDR_BA hdr_ba;
1597 RPC_HDR_RB hdr_rb;
1598 RPC_HDR_AUTH auth_info;
1599 uint16 assoc_gid;
1600 fstring ack_pipe_name;
1601 prs_struct out_hdr_ba;
1602 prs_struct out_auth;
1603 int i = 0;
1604 int auth_len = 0;
1605 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1606
1607 /* No rebinds on a bound pipe - use alter context. */
1608 if (p->pipe_bound) {
1609 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1610 "pipe %s.\n",
1611 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1612 return setup_bind_nak(p);
1613 }
1614
1615 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1616
1617 /*
1618 * Marshall directly into the outgoing PDU space. We
1619 * must do this as we need to set to the bind response
1620 * header and are never sending more than one PDU here.
1621 */
1622
1623 /*
1624 * Setup the memory to marshall the ba header, and the
1625 * auth footers.
1626 */
1627
1628 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1629 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1630 prs_mem_free(&p->out_data.frag);
1631 return False;
1632 }
1633
1634 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1635 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1636 prs_mem_free(&p->out_data.frag);
1637 prs_mem_free(&out_hdr_ba);
1638 return False;
1639 }
1640
1641 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1642
1643 ZERO_STRUCT(hdr_rb);
1644
1645 /* decode the bind request */
1646
1647 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1648 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1649 "struct.\n"));
1650 goto err_exit;
1651 }
1652
1653 if (hdr_rb.num_contexts == 0) {
1654 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1655 goto err_exit;
1656 }
1657
1658 /*
1659 * Try and find the correct pipe name to ensure
1660 * that this is a pipe name we support.
1661 */
1662
1663 for (i = 0; i < rpc_lookup_size; i++) {
1664 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1665 &hdr_rb.rpc_context[0].abstract)) {
1666 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1667 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1668 break;
1669 }
1670 }
1671
1672 if (i == rpc_lookup_size) {
1673 NTSTATUS status;
1674
1675 status = smb_probe_module(
1676 "rpc", get_pipe_name_from_syntax(
1677 talloc_tos(),
1678 &hdr_rb.rpc_context[0].abstract));
1679
1680 if (NT_STATUS_IS_ERR(status)) {
1681 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1682 get_pipe_name_from_syntax(
1683 talloc_tos(),
1684 &hdr_rb.rpc_context[0].abstract)));
1685 prs_mem_free(&p->out_data.frag);
1686 prs_mem_free(&out_hdr_ba);
1687 prs_mem_free(&out_auth);
1688
1689 return setup_bind_nak(p);
1690 }
1691
1692 for (i = 0; i < rpc_lookup_size; i++) {
1693 if (strequal(rpc_lookup[i].pipe.clnt,
1694 get_pipe_name_from_syntax(talloc_tos(),
1695 &p->syntax))) {
1696 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1697 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1698 break;
1699 }
1700 }
1701
1702 if (i == rpc_lookup_size) {
1703 DEBUG(0, ("module %s doesn't provide functions for "
1704 "pipe %s!\n",
1705 get_pipe_name_from_syntax(talloc_tos(),
1706 &p->syntax),
1707 get_pipe_name_from_syntax(talloc_tos(),
1708 &p->syntax)));
1709 goto err_exit;
1710 }
1711 }
1712
1713 /* name has to be \PIPE\xxxxx */
1714 fstrcpy(ack_pipe_name, "\\PIPE\\");
1715 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1716
1717 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1718
1719 /*
1720 * Check if this is an authenticated bind request.
1721 */
1722
1723 if (p->hdr.auth_len) {
1724 /*
1725 * Decode the authentication verifier.
1726 */
1727
1728 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1729 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1730 goto err_exit;
1731 }
1732
1733 auth_type = auth_info.auth_type;
1734
1735 /* Work out if we have to sign or seal etc. */
1736 switch (auth_info.auth_level) {
1737 case DCERPC_AUTH_LEVEL_INTEGRITY:
1738 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1739 break;
1740 case DCERPC_AUTH_LEVEL_PRIVACY:
1741 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1742 break;
1743 default:
1744 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1745 (unsigned int)auth_info.auth_level ));
1746 goto err_exit;
1747 }
1748 } else {
1749 ZERO_STRUCT(auth_info);
1750 }
1751
1752 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1753
1754 switch(auth_type) {
1755 case DCERPC_AUTH_TYPE_NTLMSSP:
1756 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1757 goto err_exit;
1758 }
1759 assoc_gid = 0x7a77;
1760 break;
1761
1762 case DCERPC_AUTH_TYPE_SCHANNEL:
1763 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1764 goto err_exit;
1765 }
1766 break;
1767
1768 case DCERPC_AUTH_TYPE_SPNEGO:
1769 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1770 goto err_exit;
1771 }
1772 break;
1773
1774 case DCERPC_AUTH_TYPE_NONE:
1775 /* Unauthenticated bind request. */
1776 /* We're finished - no more packets. */
1777 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1778 /* We must set the pipe auth_level here also. */
1779 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1780 p->pipe_bound = True;
1781 /* The session key was initialized from the SMB
1782 * session in make_internal_rpc_pipe_p */
1783 break;
1784
1785 default:
1786 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1787 goto err_exit;
1788 }
1789
1790 /*
1791 * Create the bind response struct.
1792 */
1793
1794 /* If the requested abstract synt uuid doesn't match our client pipe,
1795 reject the bind_ack & set the transfer interface synt to all 0's,
1796 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1797 unknown to NT4)
1798 Needed when adding entries to a DACL from NT5 - SK */
1799
1800 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1801 hdr_rb.rpc_context[0].context_id )) {
1802 init_rpc_hdr_ba(&hdr_ba,
1803 RPC_MAX_PDU_FRAG_LEN,
1804 RPC_MAX_PDU_FRAG_LEN,
1805 assoc_gid,
1806 ack_pipe_name,
1807 0x1, 0x0, 0x0,
1808 &hdr_rb.rpc_context[0].transfer[0]);
1809 } else {
1810 /* Rejection reason: abstract syntax not supported */
1811 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1812 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1813 ack_pipe_name, 0x1, 0x2, 0x1,
1814 &null_ndr_syntax_id);
1815 p->pipe_bound = False;
1816 }
1817
1818 /*
1819 * and marshall it.
1820 */
1821
1822 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1823 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1824 goto err_exit;
1825 }
1826
1827 /*
1828 * Create the header, now we know the length.
1829 */
1830
1831 if (prs_offset(&out_auth)) {
1832 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1833 }
1834
1835 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1836 p->hdr.call_id,
1837 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1838 auth_len);
1839
1840 /*
1841 * Marshall the header into the outgoing PDU.
1842 */
1843
1844 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1845 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1846 goto err_exit;
1847 }
1848
1849 /*
1850 * Now add the RPC_HDR_BA and any auth needed.
1851 */
1852
1853 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1854 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1855 goto err_exit;
1856 }
1857
1858 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1859 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1860 goto err_exit;
1861 }
1862
1863 /*
1864 * Setup the lengths for the initial reply.
1865 */
1866
1867 p->out_data.data_sent_length = 0;
1868 p->out_data.current_pdu_sent = 0;
1869
1870 prs_mem_free(&out_hdr_ba);
1871 prs_mem_free(&out_auth);
1872
1873 return True;
1874
1875 err_exit:
1876
1877 prs_mem_free(&p->out_data.frag);
1878 prs_mem_free(&out_hdr_ba);
1879 prs_mem_free(&out_auth);
1880 return setup_bind_nak(p);
1881 }
1882
1883 /****************************************************************************
1884 Deal with an alter context call. Can be third part of 3 leg auth request for
1885 SPNEGO calls.
1886 ****************************************************************************/
1887
1888 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1889 {
1890 RPC_HDR_BA hdr_ba;
1891 RPC_HDR_RB hdr_rb;
1892 RPC_HDR_AUTH auth_info;
1893 uint16 assoc_gid;
1894 fstring ack_pipe_name;
1895 prs_struct out_hdr_ba;
1896 prs_struct out_auth;
1897 int auth_len = 0;
1898
1899 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1900
1901 /*
1902 * Marshall directly into the outgoing PDU space. We
1903 * must do this as we need to set to the bind response
1904 * header and are never sending more than one PDU here.
1905 */
1906
1907 /*
1908 * Setup the memory to marshall the ba header, and the
1909 * auth footers.
1910 */
1911
1912 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1913 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1914 prs_mem_free(&p->out_data.frag);
1915 return False;
1916 }
1917
1918 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1919 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1920 prs_mem_free(&p->out_data.frag);
1921 prs_mem_free(&out_hdr_ba);
1922 return False;
1923 }
1924
1925 ZERO_STRUCT(hdr_rb);
1926
1927 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1928
1929 /* decode the alter context request */
1930 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1931 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1932 goto err_exit;
1933 }
1934
1935 /* secondary address CAN be NULL
1936 * as the specs say it's ignored.
1937 * It MUST be NULL to have the spoolss working.
1938 */
1939 fstrcpy(ack_pipe_name,"");
1940
1941 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1942
1943 /*
1944 * Check if this is an authenticated alter context request.
1945 */
1946
1947 if (p->hdr.auth_len != 0) {
1948 /*
1949 * Decode the authentication verifier.
1950 */
1951
1952 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1953 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1954 goto err_exit;
1955 }
1956
1957 /*
1958 * Currently only the SPNEGO auth type uses the alter ctx
1959 * response in place of the NTLMSSP auth3 type.
1960 */
1961
1962 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1963 /* We can only finish if the pipe is unbound. */
1964 if (!p->pipe_bound) {
1965 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1966 goto err_exit;
1967 }
1968 } else {
1969 goto err_exit;
1970 }
1971 }
1972 } else {
1973 ZERO_STRUCT(auth_info);
1974 }
1975
1976 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1977
1978 /*
1979 * Create the bind response struct.
1980 */
1981
1982 /* If the requested abstract synt uuid doesn't match our client pipe,
1983 reject the bind_ack & set the transfer interface synt to all 0's,
1984 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1985 unknown to NT4)
1986 Needed when adding entries to a DACL from NT5 - SK */
1987
1988 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1989 hdr_rb.rpc_context[0].context_id )) {
1990 init_rpc_hdr_ba(&hdr_ba,
1991 RPC_MAX_PDU_FRAG_LEN,
1992 RPC_MAX_PDU_FRAG_LEN,
1993 assoc_gid,
1994 ack_pipe_name,
1995 0x1, 0x0, 0x0,
1996 &hdr_rb.rpc_context[0].transfer[0]);
1997 } else {
1998 /* Rejection reason: abstract syntax not supported */
1999 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2000 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2001 ack_pipe_name, 0x1, 0x2, 0x1,
2002 &null_ndr_syntax_id);
2003 p->pipe_bound = False;
2004 }
2005
2006 /*
2007 * and marshall it.
2008 */
2009
2010 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2011 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2012 goto err_exit;
2013 }
2014
2015 /*
2016 * Create the header, now we know the length.
2017 */
2018
2019 if (prs_offset(&out_auth)) {
2020 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2021 }
2022
2023 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2024 p->hdr.call_id,
2025 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2026 auth_len);
2027
2028 /*
2029 * Marshall the header into the outgoing PDU.
2030 */
2031
2032 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2033 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2034 goto err_exit;
2035 }
2036
2037 /*
2038 * Now add the RPC_HDR_BA and any auth needed.
2039 */
2040
2041 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2042 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2043 goto err_exit;
2044 }
2045
2046 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2047 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2048 goto err_exit;
2049 }
2050
2051 /*
2052 * Setup the lengths for the initial reply.
2053 */
2054
2055 p->out_data.data_sent_length = 0;
2056 p->out_data.current_pdu_sent = 0;
2057
2058 prs_mem_free(&out_hdr_ba);
2059 prs_mem_free(&out_auth);
2060
2061 return True;
2062
2063 err_exit:
2064
2065 prs_mem_free(&p->out_data.frag);
2066 prs_mem_free(&out_hdr_ba);
2067 prs_mem_free(&out_auth);
2068 return setup_bind_nak(p);
2069 }
2070
2071 /****************************************************************************
2072 Deal with NTLMSSP sign & seal processing on an RPC request.
2073 ****************************************************************************/
2074
2075 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2076 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2077 {
2078 RPC_HDR_AUTH auth_info;
2079 uint32 auth_len = p->hdr.auth_len;
2080 uint32 save_offset = prs_offset(rpc_in);
2081 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2082 unsigned char *data = NULL;
2083 size_t data_len;
2084 unsigned char *full_packet_data = NULL;
2085 size_t full_packet_data_len;
2086 DATA_BLOB auth_blob;
2087
2088 *pstatus = NT_STATUS_OK;
2089
2090 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2091 return True;
2092 }
2093
2094 if (!a) {
2095 *pstatus = NT_STATUS_INVALID_PARAMETER;
2096 return False;
2097 }
2098
2099 /* Ensure there's enough data for an authenticated request. */
2100 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2101 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2102 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2103 (unsigned int)auth_len ));
2104 *pstatus = NT_STATUS_INVALID_PARAMETER;
2105 return False;
2106 }
2107
2108 /*
2109 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2110 * after the RPC header.
2111 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2112 * functions as NTLMv2 checks the rpc headers also.
2113 */
2114
2115 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2116 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2117
2118 full_packet_data = p->in_data.current_in_pdu;
2119 full_packet_data_len = p->hdr.frag_len - auth_len;
2120
2121 /* Pull the auth header and the following data into a blob. */
2122 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2123 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2124 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2125 *pstatus = NT_STATUS_INVALID_PARAMETER;
2126 return False;
2127 }
2128
2129 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2130 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2131 *pstatus = NT_STATUS_INVALID_PARAMETER;
2132 return False;
2133 }
2134
2135 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2136 auth_blob.length = auth_len;
2137
2138 switch (p->auth.auth_level) {
2139 case DCERPC_AUTH_LEVEL_PRIVACY:
2140 /* Data is encrypted. */
2141 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2142 data, data_len,
2143 full_packet_data,
2144 full_packet_data_len,
2145 &auth_blob);
2146 if (!NT_STATUS_IS_OK(*pstatus)) {
2147 return False;
2148 }
2149 break;
2150 case DCERPC_AUTH_LEVEL_INTEGRITY:
2151 /* Data is signed. */
2152 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2153 data, data_len,
2154 full_packet_data,
2155 full_packet_data_len,
2156 &auth_blob);
2157 if (!NT_STATUS_IS_OK(*pstatus)) {
2158 return False;
2159 }
2160 break;
2161 default:
2162 *pstatus = NT_STATUS_INVALID_PARAMETER;
2163 return False;
2164 }
2165
2166 /*
2167 * Return the current pointer to the data offset.
2168 */
2169
2170 if(!prs_set_offset(rpc_in, save_offset)) {
2171 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2172 (unsigned int)save_offset ));
2173 *pstatus = NT_STATUS_INVALID_PARAMETER;
2174 return False;
2175 }
2176
2177 /*
2178 * Remember the padding length. We must remove it from the real data
2179 * stream once the sign/seal is done.
2180 */
2181
2182 *p_ss_padding_len = auth_info.auth_pad_len;
2183
2184 return True;
2185 }
2186
2187 /****************************************************************************
2188 Deal with schannel processing on an RPC request.
2189 ****************************************************************************/
2190
2191 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2192 {
2193 uint32 data_len;
2194 uint32 auth_len;
2195 uint32 save_offset = prs_offset(rpc_in);
2196 RPC_HDR_AUTH auth_info;
2197 DATA_BLOB blob;
2198 NTSTATUS status;
2199 uint8_t *data;
2200
2201 auth_len = p->hdr.auth_len;
2202
2203 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2204 auth_len > RPC_HEADER_LEN +
2205 RPC_HDR_REQ_LEN +
2206 RPC_HDR_AUTH_LEN +
2207 auth_len) {
2208 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2209 return False;
2210 }
2211
2212 /*
2213 * The following is that length of the data we must verify or unseal.
2214 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2215 * preceeding the auth_data.
2216 */
2217
2218 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2219 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2220 (unsigned int)p->hdr.frag_len,
2221 (unsigned int)auth_len ));
2222 return False;
2223 }
2224
2225 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2226 RPC_HDR_AUTH_LEN - auth_len;
2227
2228 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2229
2230 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2231 DEBUG(0,("cannot move offset to %u.\n",
2232 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2233 return False;
2234 }
2235
2236 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2237 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2238 return False;
2239 }
2240
2241 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2242 DEBUG(0,("Invalid auth info %d on schannel\n",
2243 auth_info.auth_type));
2244 return False;
2245 }
2246
2247 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2248
2249 if (DEBUGLEVEL >= 10) {
2250 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2251 }
2252
2253 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2254
2255 switch (auth_info.auth_level) {
2256 case DCERPC_AUTH_LEVEL_PRIVACY:
2257 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2258 talloc_tos(),
2259 true,
2260 data,
2261 data_len,
2262 &blob);
2263 break;
2264 case DCERPC_AUTH_LEVEL_INTEGRITY:
2265 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2266 talloc_tos(),
2267 false,
2268 data,
2269 data_len,
2270 &blob);
2271 break;
2272 default:
2273 status = NT_STATUS_INTERNAL_ERROR;
2274 break;
2275 }
2276
2277 if (!NT_STATUS_IS_OK(status)) {
2278 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2279 return false;
2280 }
2281
2282 /*
2283 * Return the current pointer to the data offset.
2284 */
2285
2286 if(!prs_set_offset(rpc_in, save_offset)) {
2287 DEBUG(0,("failed to set offset back to %u\n",
2288 (unsigned int)save_offset ));
2289 return False;
2290 }
2291
2292 /*
2293 * Remember the padding length. We must remove it from the real data
2294 * stream once the sign/seal is done.
2295 */
2296
2297 *p_ss_padding_len = auth_info.auth_pad_len;
2298
2299 return True;
2300 }
2301
2302 /****************************************************************************
2303 Find the set of RPC functions associated with this context_id
2304 ****************************************************************************/
2305
2306 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2307 {
2308 PIPE_RPC_FNS *fns = NULL;
2309
2310 if ( !list ) {
2311 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2312 return NULL;
2313 }
2314
2315 for (fns=list; fns; fns=fns->next ) {
2316 if ( fns->context_id == context_id )
2317 return fns;
2318 }
2319 return NULL;
2320 }
2321
2322 /****************************************************************************
2323 Memory cleanup.
2324 ****************************************************************************/
2325
2326 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2327 {
2328 PIPE_RPC_FNS *tmp = list;
2329 PIPE_RPC_FNS *tmp2;
2330
2331 while (tmp) {
2332 tmp2 = tmp->next;
2333 SAFE_FREE(tmp);
2334 tmp = tmp2;
2335 }
2336
2337 return;
2338 }
2339
2340 static bool api_rpcTNP(pipes_struct *p,
2341 const struct api_struct *api_rpc_cmds, int n_cmds);
2342
2343 /****************************************************************************
2344 Find the correct RPC function to call for this request.
2345 If the pipe is authenticated then become the correct UNIX user
2346 before doing the call.
2347 ****************************************************************************/
2348
2349 bool api_pipe_request(pipes_struct *p)
2350 {
2351 bool ret = False;
2352 bool changed_user = False;
2353 PIPE_RPC_FNS *pipe_fns;
2354
2355 if (p->pipe_bound &&
2356 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2357 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2358 if(!become_authenticated_pipe_user(p)) {
2359 prs_mem_free(&p->out_data.rdata);
2360 return False;
2361 }
2362 changed_user = True;
2363 }
2364
2365 DEBUG(5, ("Requested \\PIPE\\%s\n",
2366 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2367
2368 /* get the set of RPC functions for this context */
2369
2370 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2371
2372 if ( pipe_fns ) {
2373 TALLOC_CTX *frame = talloc_stackframe();
2374 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2375 TALLOC_FREE(frame);
2376 }
2377 else {
2378 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2379 p->hdr_req.context_id,
2380 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2381 }
2382
2383 if (changed_user) {
2384 unbecome_authenticated_pipe_user();
2385 }
2386
2387 return ret;
2388 }
2389
2390 /*******************************************************************
2391 Calls the underlying RPC function for a named pipe.
2392 ********************************************************************/
2393
2394 static bool api_rpcTNP(pipes_struct *p,
2395 const struct api_struct *api_rpc_cmds, int n_cmds)
2396 {
2397 int fn_num;
2398 uint32 offset1, offset2;
2399
2400 /* interpret the command */
2401 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2402 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2403 p->hdr_req.opnum));
2404
2405 if (DEBUGLEVEL >= 50) {
2406 fstring name;
2407 slprintf(name, sizeof(name)-1, "in_%s",
2408 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2409 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2410 }
2411
2412 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2413 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2414 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2415 break;
2416 }
2417 }
2418
2419 if (fn_num == n_cmds) {
2420 /*
2421 * For an unknown RPC just return a fault PDU but
2422 * return True to allow RPC's on the pipe to continue
2423 * and not put the pipe into fault state. JRA.
2424 */
2425 DEBUG(4, ("unknown\n"));
2426 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2427 return True;
2428 }
2429
2430 offset1 = prs_offset(&p->out_data.rdata);
2431
2432 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2433 fn_num, api_rpc_cmds[fn_num].fn));
2434 /* do the actual command */
2435 if(!api_rpc_cmds[fn_num].fn(p)) {
2436 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2437 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2438 api_rpc_cmds[fn_num].name));
2439 prs_mem_free(&p->out_data.rdata);
2440 return False;
2441 }
2442
2443 if (p->bad_handle_fault_state) {
2444 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2445 p->bad_handle_fault_state = False;
2446 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2447 return True;
2448 }
2449
2450 if (p->rng_fault_state) {
2451 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2452 p->rng_fault_state = False;
2453 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2454 return True;
2455 }
2456
2457 offset2 = prs_offset(&p->out_data.rdata);
2458 prs_set_offset(&p->out_data.rdata, offset1);
2459 if (DEBUGLEVEL >= 50) {
2460 fstring name;
2461 slprintf(name, sizeof(name)-1, "out_%s",
2462 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2463 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2464 }
2465 prs_set_offset(&p->out_data.rdata, offset2);
2466
2467 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2468 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2469
2470 /* Check for buffer underflow in rpc parsing */
2471
2472 if ((DEBUGLEVEL >= 10) &&
2473 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2474 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2475 char *data = (char *)SMB_MALLOC(data_len);
2476
2477 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2478 if (data) {
2479 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2480 SAFE_FREE(data);
2481 }
2482
2483 }
2484
2485 return True;
2486 }
Samba GIT mirror