search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-rpc_server: Free unused memory.
[Samba.git] / source3 / rpc_server / srv_pipe.c
blobf941f33ddffcb7f47118d8d438d7f1298e302e4a
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "dcesrv_ntlmssp.h"
36 #include "dcesrv_gssapi.h"
37 #include "dcesrv_spnego.h"
38 #include "rpc_server.h"
39 #include "rpc_dce.h"
40
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_RPC_SRV
43
44 /**
45 * Dump everything from the start of the end up of the provided data
46 * into a file, but only at debug level >= 50
47 **/
48 static void dump_pdu_region(const char *name, int v,
49 DATA_BLOB *data, size_t start, size_t end)
50 {
51 int fd, i;
52 char *fname = NULL;
53 ssize_t sz;
54
55 if (DEBUGLEVEL < 50) return;
56
57 if (start > data->length || end > data->length || start > end) return;
58
59 for (i = 1; i < 100; i++) {
60 if (v != -1) {
61 fname = talloc_asprintf(talloc_tos(),
62 "/tmp/%s_%d.%d.prs",
63 name, v, i);
64 } else {
65 fname = talloc_asprintf(talloc_tos(),
66 "/tmp/%s_%d.prs",
67 name, i);
68 }
69 if (!fname) {
70 return;
71 }
72 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
73 if (fd != -1 || errno != EEXIST) break;
74 }
75 if (fd != -1) {
76 sz = write(fd, data->data + start, end - start);
77 i = close(fd);
78 if ((sz != end - start) || (i != 0) ) {
79 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
80 fname, (unsigned long)sz,
81 (unsigned long)end - start, i));
82 } else {
83 DEBUG(0,("created %s\n", fname));
84 }
85 }
86 TALLOC_FREE(fname);
87 }
88
89 static DATA_BLOB generic_session_key(void)
90 {
91 return data_blob_const("SystemLibraryDTC", 16);
92 }
93
94 /*******************************************************************
95 Generate the next PDU to be returned from the data.
96 ********************************************************************/
97
98 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
99 struct pipe_auth_data *auth,
100 uint32_t call_id,
101 DATA_BLOB *rdata,
102 size_t data_sent_length,
103 DATA_BLOB *frag,
104 size_t *pdu_size)
105 {
106 union dcerpc_payload u;
107 uint8_t pfc_flags;
108 size_t data_left;
109 size_t data_to_send;
110 size_t frag_len;
111 size_t pad_len = 0;
112 size_t auth_len = 0;
113 NTSTATUS status;
114
115 ZERO_STRUCT(u.response);
116
117 /* Set up rpc packet pfc flags. */
118 if (data_sent_length == 0) {
119 pfc_flags = DCERPC_PFC_FLAG_FIRST;
120 } else {
121 pfc_flags = 0;
122 }
123
124 /* Work out how much we can fit in a single PDU. */
125 data_left = rdata->length - data_sent_length;
126
127 /* Ensure there really is data left to send. */
128 if (!data_left) {
129 DEBUG(0, ("No data left to send !\n"));
130 return NT_STATUS_BUFFER_TOO_SMALL;
131 }
132
133 status = dcerpc_guess_sizes(auth,
134 DCERPC_RESPONSE_LENGTH,
135 data_left,
136 RPC_MAX_PDU_FRAG_LEN,
137 SERVER_NDR_PADDING_SIZE,
138 &data_to_send, &frag_len,
139 &auth_len, &pad_len);
140 if (!NT_STATUS_IS_OK(status)) {
141 return status;
142 }
143
144 /* Set up the alloc hint. This should be the data left to send. */
145 u.response.alloc_hint = data_left;
146
147 /* Work out if this PDU will be the last. */
148 if (data_sent_length + data_to_send >= rdata->length) {
149 pfc_flags |= DCERPC_PFC_FLAG_LAST;
150 }
151
152 /* Prepare data to be NDR encoded. */
153 u.response.stub_and_verifier =
154 data_blob_const(rdata->data + data_sent_length, data_to_send);
155
156 /* Store the packet in the data stream. */
157 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
158 pfc_flags, auth_len, call_id,
159 &u, frag);
160 if (!NT_STATUS_IS_OK(status)) {
161 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
162 return status;
163 }
164
165 if (auth_len) {
166 /* Set the proper length on the pdu, including padding.
167 * Only needed if an auth trailer will be appended. */
168 dcerpc_set_frag_length(frag, frag->length
169 + pad_len
170 + DCERPC_AUTH_TRAILER_LENGTH
171 + auth_len);
172 }
173
174 if (auth_len) {
175 status = dcerpc_add_auth_footer(auth, pad_len, frag);
176 if (!NT_STATUS_IS_OK(status)) {
177 data_blob_free(frag);
178 return status;
179 }
180 }
181
182 *pdu_size = data_to_send;
183 return NT_STATUS_OK;
184 }
185
186 /*******************************************************************
187 Generate the next PDU to be returned from the data in p->rdata.
188 ********************************************************************/
189
190 bool create_next_pdu(struct pipes_struct *p)
191 {
192 size_t pdu_size = 0;
193 NTSTATUS status;
194
195 /*
196 * If we're in the fault state, keep returning fault PDU's until
197 * the pipe gets closed. JRA.
198 */
199 if (p->fault_state) {
200 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
201 return true;
202 }
203
204 status = create_next_packet(p->mem_ctx, &p->auth,
205 p->call_id, &p->out_data.rdata,
206 p->out_data.data_sent_length,
207 &p->out_data.frag, &pdu_size);
208 if (!NT_STATUS_IS_OK(status)) {
209 DEBUG(0, ("Failed to create packet with error %s, "
210 "(auth level %u / type %u)\n",
211 nt_errstr(status),
212 (unsigned int)p->auth.auth_level,
213 (unsigned int)p->auth.auth_type));
214 return false;
215 }
216
217 /* Setup the counts for this PDU. */
218 p->out_data.data_sent_length += pdu_size;
219 p->out_data.current_pdu_sent = 0;
220 return true;
221 }
222
223
224 static bool pipe_init_outgoing_data(struct pipes_struct *p);
225
226 /*******************************************************************
227 Marshall a bind_nak pdu.
228 *******************************************************************/
229
230 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
231 {
232 NTSTATUS status;
233 union dcerpc_payload u;
234
235 /* Free any memory in the current return data buffer. */
236 pipe_init_outgoing_data(p);
237
238 /*
239 * Initialize a bind_nak header.
240 */
241
242 ZERO_STRUCT(u);
243
244 u.bind_nak.reject_reason = 0;
245
246 /*
247 * Marshall directly into the outgoing PDU space. We
248 * must do this as we need to set to the bind response
249 * header and are never sending more than one PDU here.
250 */
251
252 status = dcerpc_push_ncacn_packet(p->mem_ctx,
253 DCERPC_PKT_BIND_NAK,
254 DCERPC_PFC_FLAG_FIRST |
255 DCERPC_PFC_FLAG_LAST,
256 0,
257 pkt->call_id,
258 &u,
259 &p->out_data.frag);
260 if (!NT_STATUS_IS_OK(status)) {
261 return False;
262 }
263
264 p->out_data.data_sent_length = 0;
265 p->out_data.current_pdu_sent = 0;
266
267 TALLOC_FREE(p->auth.auth_ctx);
268 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
269 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
270 p->pipe_bound = False;
271
272 return True;
273 }
274
275 /*******************************************************************
276 Marshall a fault pdu.
277 *******************************************************************/
278
279 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
280 {
281 NTSTATUS status;
282 union dcerpc_payload u;
283
284 /* Free any memory in the current return data buffer. */
285 pipe_init_outgoing_data(p);
286
287 /*
288 * Initialize a fault header.
289 */
290
291 ZERO_STRUCT(u);
292
293 u.fault.status = NT_STATUS_V(fault_status);
294 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
295
296 /*
297 * Marshall directly into the outgoing PDU space. We
298 * must do this as we need to set to the bind response
299 * header and are never sending more than one PDU here.
300 */
301
302 status = dcerpc_push_ncacn_packet(p->mem_ctx,
303 DCERPC_PKT_FAULT,
304 DCERPC_PFC_FLAG_FIRST |
305 DCERPC_PFC_FLAG_LAST |
306 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
307 0,
308 p->call_id,
309 &u,
310 &p->out_data.frag);
311 if (!NT_STATUS_IS_OK(status)) {
312 return False;
313 }
314
315 p->out_data.data_sent_length = 0;
316 p->out_data.current_pdu_sent = 0;
317
318 return True;
319 }
320
321 /*******************************************************************
322 Ensure a bind request has the correct abstract & transfer interface.
323 Used to reject unknown binds from Win2k.
324 *******************************************************************/
325
326 static bool check_bind_req(struct pipes_struct *p,
327 struct ndr_syntax_id* abstract,
328 struct ndr_syntax_id* transfer,
329 uint32 context_id)
330 {
331 struct pipe_rpc_fns *context_fns;
332
333 DEBUG(3,("check_bind_req for %s\n",
334 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
335
336 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
337 if (rpc_srv_pipe_exists_by_id(abstract) &&
338 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
339 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
340 rpc_srv_get_pipe_cli_name(abstract),
341 rpc_srv_get_pipe_srv_name(abstract)));
342 } else {
343 return false;
344 }
345
346 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
347 if (context_fns == NULL) {
348 DEBUG(0,("check_bind_req: malloc() failed!\n"));
349 return False;
350 }
351
352 context_fns->next = context_fns->prev = NULL;
353 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
354 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
355 context_fns->context_id = context_id;
356
357 /* add to the list of open contexts */
358
359 DLIST_ADD( p->contexts, context_fns );
360
361 return True;
362 }
363
364 /**
365 * Is a named pipe known?
366 * @param[in] cli_filename The pipe name requested by the client
367 * @result Do we want to serve this?
368 */
369 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
370 {
371 const char *pipename = cli_filename;
372 NTSTATUS status;
373
374 if (strnequal(pipename, "\\PIPE\\", 6)) {
375 pipename += 5;
376 }
377
378 if (*pipename == '\\') {
379 pipename += 1;
380 }
381
382 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
383 DEBUG(10, ("refusing spoolss access\n"));
384 return false;
385 }
386
387 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
388 return true;
389 }
390
391 status = smb_probe_module("rpc", pipename);
392 if (!NT_STATUS_IS_OK(status)) {
393 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
394 return false;
395 }
396 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
397
398 /*
399 * Scan the list again for the interface id
400 */
401 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
402 return true;
403 }
404
405 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
406 pipename));
407
408 return false;
409 }
410
411 /*******************************************************************
412 Handle the first part of a SPNEGO bind auth.
413 *******************************************************************/
414
415 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
416 TALLOC_CTX *mem_ctx,
417 struct dcerpc_auth *auth_info,
418 DATA_BLOB *response)
419 {
420 struct spnego_context *spnego_ctx;
421 NTSTATUS status;
422
423 status = spnego_server_auth_start(p,
424 (auth_info->auth_level ==
425 DCERPC_AUTH_LEVEL_INTEGRITY),
426 (auth_info->auth_level ==
427 DCERPC_AUTH_LEVEL_PRIVACY),
428 true,
429 &auth_info->credentials,
430 response,
431 &spnego_ctx);
432 if (!NT_STATUS_IS_OK(status)) {
433 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
434 nt_errstr(status)));
435 return false;
436 }
437
438 /* Make sure data is bound to the memctx, to be freed the caller */
439 talloc_steal(mem_ctx, response->data);
440
441 p->auth.auth_ctx = spnego_ctx;
442 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
443
444 DEBUG(10, ("SPNEGO auth started\n"));
445
446 return true;
447 }
448
449 /*******************************************************************
450 Handle an schannel bind auth.
451 *******************************************************************/
452
453 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
454 TALLOC_CTX *mem_ctx,
455 struct dcerpc_auth *auth_info,
456 DATA_BLOB *response)
457 {
458 struct NL_AUTH_MESSAGE neg;
459 struct NL_AUTH_MESSAGE reply;
460 bool ret;
461 NTSTATUS status;
462 struct netlogon_creds_CredentialState *creds;
463 enum ndr_err_code ndr_err;
464 struct schannel_state *schannel_auth;
465
466 ndr_err = ndr_pull_struct_blob(
467 &auth_info->credentials, mem_ctx, &neg,
468 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
469 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
470 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
471 return false;
472 }
473
474 if (DEBUGLEVEL >= 10) {
475 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
476 }
477
478 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
479 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
480 return false;
481 }
482
483 /*
484 * The neg.oem_netbios_computer.a key here must match the remote computer name
485 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
486 * operations that use credentials.
487 */
488
489 become_root();
490 status = schannel_get_creds_state(p, lp_private_dir(),
491 neg.oem_netbios_computer.a, &creds);
492 unbecome_root();
493
494 if (!NT_STATUS_IS_OK(status)) {
495 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
496 return False;
497 }
498
499 schannel_auth = talloc(p, struct schannel_state);
500 if (!schannel_auth) {
501 TALLOC_FREE(creds);
502 return False;
503 }
504
505 schannel_auth->state = SCHANNEL_STATE_START;
506 schannel_auth->seq_num = 0;
507 schannel_auth->initiator = false;
508 schannel_auth->creds = creds;
509
510 /*
511 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
512 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
513 * struct of the person who opened the pipe. I need to test this further. JRA.
514 *
515 * VL. As we are mapping this to guest set the generic key
516 * "SystemLibraryDTC" key here. It's a bit difficult to test against
517 * W2k3, as it does not allow schannel binds against SAMR and LSA
518 * anymore.
519 */
520
521 ret = session_info_set_session_key(p->session_info, generic_session_key());
522
523 if (!ret) {
524 DEBUG(0, ("session_info_set_session_key failed\n"));
525 return false;
526 }
527
528 /*** SCHANNEL verifier ***/
529
530 reply.MessageType = NL_NEGOTIATE_RESPONSE;
531 reply.Flags = 0;
532 reply.Buffer.dummy = 5; /* ??? actually I don't think
533 * this has any meaning
534 * here - gd */
535
536 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
537 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
538 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
539 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
540 return false;
541 }
542
543 if (DEBUGLEVEL >= 10) {
544 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
545 }
546
547 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
548 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
549
550 /* We're finished with this bind - no more packets. */
551 p->auth.auth_ctx = schannel_auth;
552 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
553
554 p->pipe_bound = True;
555
556 return True;
557 }
558
559 /*******************************************************************
560 Handle an NTLMSSP bind auth.
561 *******************************************************************/
562
563 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
564 TALLOC_CTX *mem_ctx,
565 struct dcerpc_auth *auth_info,
566 DATA_BLOB *response)
567 {
568 struct auth_ntlmssp_state *ntlmssp_state = NULL;
569 NTSTATUS status;
570
571 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
572 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
573 return false;
574 }
575
576 /* We have an NTLMSSP blob. */
577 status = ntlmssp_server_auth_start(p,
578 (auth_info->auth_level ==
579 DCERPC_AUTH_LEVEL_INTEGRITY),
580 (auth_info->auth_level ==
581 DCERPC_AUTH_LEVEL_PRIVACY),
582 true,
583 &auth_info->credentials,
584 response,
585 &ntlmssp_state);
586 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
587 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
588 nt_errstr(status)));
589 return false;
590 }
591
592 /* Make sure data is bound to the memctx, to be freed the caller */
593 talloc_steal(mem_ctx, response->data);
594
595 p->auth.auth_ctx = ntlmssp_state;
596 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
597
598 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
599
600 return true;
601 }
602
603 /*******************************************************************
604 Process an NTLMSSP authentication response.
605 If this function succeeds, the user has been authenticated
606 and their domain, name and calling workstation stored in
607 the pipe struct.
608 *******************************************************************/
609
610 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
611 struct auth_ntlmssp_state *ntlmssp_ctx,
612 enum dcerpc_AuthLevel auth_level,
613 struct client_address *client_id,
614 struct ndr_syntax_id *syntax,
615 struct auth_serversupplied_info **session_info)
616 {
617 NTSTATUS status;
618 bool ret;
619
620 DEBUG(5, (__location__ ": pipe %s checking user details\n",
621 get_pipe_name_from_syntax(talloc_tos(), syntax)));
622
623 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
624 ensure the underlying NTLMSSP flags are also set. If not we should
625 refuse the bind. */
626
627 status = ntlmssp_server_check_flags(ntlmssp_ctx,
628 (auth_level ==
629 DCERPC_AUTH_LEVEL_INTEGRITY),
630 (auth_level ==
631 DCERPC_AUTH_LEVEL_PRIVACY));
632 if (!NT_STATUS_IS_OK(status)) {
633 DEBUG(0, (__location__ ": Client failed to negotatie proper "
634 "security for pipe %s\n",
635 get_pipe_name_from_syntax(talloc_tos(), syntax)));
636 return false;
637 }
638
639 TALLOC_FREE(*session_info);
640
641 status = ntlmssp_server_get_user_info(ntlmssp_ctx,
642 mem_ctx, session_info);
643 if (!NT_STATUS_IS_OK(status)) {
644 DEBUG(0, (__location__ ": failed to obtain the server info "
645 "for authenticated user: %s\n", nt_errstr(status)));
646 return false;
647 }
648
649 if ((*session_info)->security_token == NULL) {
650 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
651 return false;
652 }
653
654 /*
655 * We're an authenticated bind over smb, so the session key needs to
656 * be set to "SystemLibraryDTC". Weird, but this is what Windows
657 * does. See the RPC-SAMBA3SESSIONKEY.
658 */
659
660 ret = session_info_set_session_key((*session_info), generic_session_key());
661 if (!ret) {
662 DEBUG(0, ("Failed to set session key!\n"));
663 return false;
664 }
665
666 return true;
667 }
668
669 /*******************************************************************
670 Handle a GSSAPI bind auth.
671 *******************************************************************/
672
673 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
674 TALLOC_CTX *mem_ctx,
675 struct dcerpc_auth *auth_info,
676 DATA_BLOB *response)
677 {
678 NTSTATUS status;
679 struct gse_context *gse_ctx = NULL;
680
681 status = gssapi_server_auth_start(p,
682 (auth_info->auth_level ==
683 DCERPC_AUTH_LEVEL_INTEGRITY),
684 (auth_info->auth_level ==
685 DCERPC_AUTH_LEVEL_PRIVACY),
686 true,
687 &auth_info->credentials,
688 response,
689 &gse_ctx);
690 if (!NT_STATUS_IS_OK(status)) {
691 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
692 nt_errstr(status)));
693 goto err;
694 }
695
696 /* Make sure data is bound to the memctx, to be freed the caller */
697 talloc_steal(mem_ctx, response->data);
698
699 p->auth.auth_ctx = gse_ctx;
700 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
701
702 DEBUG(10, ("KRB5 auth started\n"));
703
704 return true;
705
706 err:
707 TALLOC_FREE(gse_ctx);
708 return false;
709 }
710
711 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
712 struct gse_context *gse_ctx,
713 struct client_address *client_id,
714 struct auth_serversupplied_info **session_info)
715 {
716 NTSTATUS status;
717 bool bret;
718
719 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
720 ensure the underlying flags are also set. If not we should
721 refuse the bind. */
722
723 status = gssapi_server_check_flags(gse_ctx);
724 if (!NT_STATUS_IS_OK(status)) {
725 DEBUG(0, ("Requested Security Layers not honored!\n"));
726 return status;
727 }
728
729 status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
730 client_id, session_info);
731 if (!NT_STATUS_IS_OK(status)) {
732 DEBUG(0, (__location__ ": failed to obtain the server info "
733 "for authenticated user: %s\n", nt_errstr(status)));
734 return status;
735 }
736
737 if ((*session_info)->security_token == NULL) {
738 status = create_local_token(*session_info);
739 if (!NT_STATUS_IS_OK(status)) {
740 DEBUG(1, ("Failed to create local user token (%s)\n",
741 nt_errstr(status)));
742 status = NT_STATUS_ACCESS_DENIED;
743 return status;
744 }
745 }
746
747 /* TODO: this is what the ntlmssp code does with the session_key, check
748 * it is ok with gssapi too */
749 /*
750 * We're an authenticated bind over smb, so the session key needs to
751 * be set to "SystemLibraryDTC". Weird, but this is what Windows
752 * does. See the RPC-SAMBA3SESSIONKEY.
753 */
754
755 bret = session_info_set_session_key((*session_info), generic_session_key());
756 if (!bret) {
757 return NT_STATUS_ACCESS_DENIED;
758 }
759
760 return NT_STATUS_OK;
761 }
762
763 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
764 {
765 enum spnego_mech auth_type;
766 struct auth_ntlmssp_state *ntlmssp_ctx;
767 struct spnego_context *spnego_ctx;
768 struct gse_context *gse_ctx;
769 void *mech_ctx;
770 NTSTATUS status;
771
772 switch (p->auth.auth_type) {
773 case DCERPC_AUTH_TYPE_NTLMSSP:
774 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
775 struct auth_ntlmssp_state);
776 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
777 p->auth.auth_level,
778 p->client_id, &p->syntax,
779 &p->session_info)) {
780 return NT_STATUS_ACCESS_DENIED;
781 }
782 break;
783 case DCERPC_AUTH_TYPE_KRB5:
784 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
785 struct gse_context);
786 status = pipe_gssapi_verify_final(p, gse_ctx,
787 p->client_id,
788 &p->session_info);
789 if (!NT_STATUS_IS_OK(status)) {
790 DEBUG(1, ("gssapi bind failed with: %s",
791 nt_errstr(status)));
792 return status;
793 }
794 break;
795 case DCERPC_AUTH_TYPE_SPNEGO:
796 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
797 struct spnego_context);
798 status = spnego_get_negotiated_mech(spnego_ctx,
799 &auth_type, &mech_ctx);
800 if (!NT_STATUS_IS_OK(status)) {
801 DEBUG(0, ("Bad SPNEGO state (%s)\n",
802 nt_errstr(status)));
803 return status;
804 }
805 switch(auth_type) {
806 case SPNEGO_KRB5:
807 gse_ctx = talloc_get_type_abort(mech_ctx,
808 struct gse_context);
809 status = pipe_gssapi_verify_final(p, gse_ctx,
810 p->client_id,
811 &p->session_info);
812 if (!NT_STATUS_IS_OK(status)) {
813 DEBUG(1, ("gssapi bind failed with: %s",
814 nt_errstr(status)));
815 return status;
816 }
817 break;
818 case SPNEGO_NTLMSSP:
819 ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
820 struct auth_ntlmssp_state);
821 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
822 p->auth.auth_level,
823 p->client_id,
824 &p->syntax,
825 &p->session_info)) {
826 return NT_STATUS_ACCESS_DENIED;
827 }
828 break;
829 default:
830 DEBUG(0, (__location__ ": incorrect spnego type "
831 "(%d).\n", auth_type));
832 return NT_STATUS_ACCESS_DENIED;
833 }
834 break;
835 default:
836 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
837 (unsigned int)p->auth.auth_type));
838 return NT_STATUS_ACCESS_DENIED;
839 }
840
841 p->pipe_bound = true;
842
843 return NT_STATUS_OK;
844 }
845
846 /*******************************************************************
847 Respond to a pipe bind request.
848 *******************************************************************/
849
850 static bool api_pipe_bind_req(struct pipes_struct *p,
851 struct ncacn_packet *pkt)
852 {
853 struct dcerpc_auth auth_info;
854 uint16 assoc_gid;
855 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
856 NTSTATUS status;
857 struct ndr_syntax_id id;
858 union dcerpc_payload u;
859 struct dcerpc_ack_ctx bind_ack_ctx;
860 DATA_BLOB auth_resp = data_blob_null;
861 DATA_BLOB auth_blob = data_blob_null;
862
863 /* No rebinds on a bound pipe - use alter context. */
864 if (p->pipe_bound) {
865 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
866 "pipe %s.\n",
867 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
868 return setup_bind_nak(p, pkt);
869 }
870
871 if (pkt->u.bind.num_contexts == 0) {
872 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
873 goto err_exit;
874 }
875
876 /*
877 * Try and find the correct pipe name to ensure
878 * that this is a pipe name we support.
879 */
880 id = pkt->u.bind.ctx_list[0].abstract_syntax;
881 if (rpc_srv_pipe_exists_by_id(&id)) {
882 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
883 rpc_srv_get_pipe_cli_name(&id),
884 rpc_srv_get_pipe_srv_name(&id)));
885 } else {
886 status = smb_probe_module(
887 "rpc", get_pipe_name_from_syntax(
888 talloc_tos(),
889 &pkt->u.bind.ctx_list[0].abstract_syntax));
890
891 if (NT_STATUS_IS_ERR(status)) {
892 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
893 get_pipe_name_from_syntax(
894 talloc_tos(),
895 &pkt->u.bind.ctx_list[0].abstract_syntax)));
896
897 return setup_bind_nak(p, pkt);
898 }
899
900 if (rpc_srv_get_pipe_interface_by_cli_name(
901 get_pipe_name_from_syntax(talloc_tos(),
902 &p->syntax),
903 &id)) {
904 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
905 rpc_srv_get_pipe_cli_name(&id),
906 rpc_srv_get_pipe_srv_name(&id)));
907 } else {
908 DEBUG(0, ("module %s doesn't provide functions for "
909 "pipe %s!\n",
910 get_pipe_name_from_syntax(talloc_tos(),
911 &p->syntax),
912 get_pipe_name_from_syntax(talloc_tos(),
913 &p->syntax)));
914 return setup_bind_nak(p, pkt);
915 }
916 }
917
918 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
919
920 if (pkt->u.bind.assoc_group_id != 0) {
921 assoc_gid = pkt->u.bind.assoc_group_id;
922 } else {
923 assoc_gid = 0x53f0;
924 }
925
926 /*
927 * Create the bind response struct.
928 */
929
930 /* If the requested abstract synt uuid doesn't match our client pipe,
931 reject the bind_ack & set the transfer interface synt to all 0's,
932 ver 0 (observed when NT5 attempts to bind to abstract interfaces
933 unknown to NT4)
934 Needed when adding entries to a DACL from NT5 - SK */
935
936 if (check_bind_req(p,
937 &pkt->u.bind.ctx_list[0].abstract_syntax,
938 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
939 pkt->u.bind.ctx_list[0].context_id)) {
940
941 bind_ack_ctx.result = 0;
942 bind_ack_ctx.reason = 0;
943 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
944 } else {
945 p->pipe_bound = False;
946 /* Rejection reason: abstract syntax not supported */
947 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
948 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
949 bind_ack_ctx.syntax = null_ndr_syntax_id;
950 }
951
952 /*
953 * Check if this is an authenticated bind request.
954 */
955 if (pkt->auth_length) {
956 /* Quick length check. Won't catch a bad auth footer,
957 * prevents overrun. */
958
959 if (pkt->frag_length < RPC_HEADER_LEN +
960 DCERPC_AUTH_TRAILER_LENGTH +
961 pkt->auth_length) {
962 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
963 "too long for fragment %u.\n",
964 (unsigned int)pkt->auth_length,
965 (unsigned int)pkt->frag_length));
966 goto err_exit;
967 }
968
969 /*
970 * Decode the authentication verifier.
971 */
972 status = dcerpc_pull_dcerpc_auth(pkt,
973 &pkt->u.bind.auth_info,
974 &auth_info, p->endian);
975 if (!NT_STATUS_IS_OK(status)) {
976 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
977 goto err_exit;
978 }
979
980 auth_type = auth_info.auth_type;
981
982 /* Work out if we have to sign or seal etc. */
983 switch (auth_info.auth_level) {
984 case DCERPC_AUTH_LEVEL_INTEGRITY:
985 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
986 break;
987 case DCERPC_AUTH_LEVEL_PRIVACY:
988 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
989 break;
990 case DCERPC_AUTH_LEVEL_NONE:
991 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
992 break;
993 default:
994 DEBUG(0, ("Unexpected auth level (%u).\n",
995 (unsigned int)auth_info.auth_level ));
996 goto err_exit;
997 }
998
999 switch (auth_type) {
1000 case DCERPC_AUTH_TYPE_NTLMSSP:
1001 if (!pipe_ntlmssp_auth_bind(p, pkt,
1002 &auth_info, &auth_resp)) {
1003 goto err_exit;
1004 }
1005 assoc_gid = 0x7a77;
1006 break;
1007
1008 case DCERPC_AUTH_TYPE_SCHANNEL:
1009 if (!pipe_schannel_auth_bind(p, pkt,
1010 &auth_info, &auth_resp)) {
1011 goto err_exit;
1012 }
1013 break;
1014
1015 case DCERPC_AUTH_TYPE_SPNEGO:
1016 if (!pipe_spnego_auth_bind(p, pkt,
1017 &auth_info, &auth_resp)) {
1018 goto err_exit;
1019 }
1020 break;
1021
1022 case DCERPC_AUTH_TYPE_KRB5:
1023 if (!pipe_gssapi_auth_bind(p, pkt,
1024 &auth_info, &auth_resp)) {
1025 goto err_exit;
1026 }
1027 break;
1028
1029 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1030 if (p->transport == NCALRPC && p->system_user) {
1031 TALLOC_FREE(p->session_info);
1032
1033 status = make_session_info_system(p,
1034 &p->session_info);
1035 if (!NT_STATUS_IS_OK(status)) {
1036 goto err_exit;
1037 }
1038
1039 auth_resp = data_blob_talloc(pkt,
1040 "NCALRPC_AUTH_OK",
1041 15);
1042
1043 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1044 p->pipe_bound = true;
1045 } else {
1046 goto err_exit;
1047 }
1048 break;
1049
1050 case DCERPC_AUTH_TYPE_NONE:
1051 break;
1052
1053 default:
1054 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1055 goto err_exit;
1056 }
1057 }
1058
1059 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1060 /* Unauthenticated bind request. */
1061 /* We're finished - no more packets. */
1062 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1063 /* We must set the pipe auth_level here also. */
1064 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1065 p->pipe_bound = True;
1066 /* The session key was initialized from the SMB
1067 * session in make_internal_rpc_pipe_p */
1068 }
1069
1070 ZERO_STRUCT(u.bind_ack);
1071 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1072 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1073 u.bind_ack.assoc_group_id = assoc_gid;
1074
1075 /* name has to be \PIPE\xxxxx */
1076 u.bind_ack.secondary_address =
1077 talloc_asprintf(pkt, "\\PIPE\\%s",
1078 rpc_srv_get_pipe_srv_name(&id));
1079 if (!u.bind_ack.secondary_address) {
1080 DEBUG(0, ("Out of memory!\n"));
1081 goto err_exit;
1082 }
1083 u.bind_ack.secondary_address_size =
1084 strlen(u.bind_ack.secondary_address) + 1;
1085
1086 u.bind_ack.num_results = 1;
1087 u.bind_ack.ctx_list = &bind_ack_ctx;
1088
1089 /* NOTE: We leave the auth_info empty so we can calculate the padding
1090 * later and then append the auth_info --simo */
1091
1092 /*
1093 * Marshall directly into the outgoing PDU space. We
1094 * must do this as we need to set to the bind response
1095 * header and are never sending more than one PDU here.
1096 */
1097
1098 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1099 DCERPC_PKT_BIND_ACK,
1100 DCERPC_PFC_FLAG_FIRST |
1101 DCERPC_PFC_FLAG_LAST,
1102 auth_resp.length,
1103 pkt->call_id,
1104 &u,
1105 &p->out_data.frag);
1106 if (!NT_STATUS_IS_OK(status)) {
1107 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1108 nt_errstr(status)));
1109 }
1110
1111 if (auth_resp.length) {
1112
1113 status = dcerpc_push_dcerpc_auth(pkt,
1114 auth_type,
1115 auth_info.auth_level,
1116 0,
1117 1, /* auth_context_id */
1118 &auth_resp,
1119 &auth_blob);
1120 if (!NT_STATUS_IS_OK(status)) {
1121 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1122 goto err_exit;
1123 }
1124 }
1125
1126 /* Now that we have the auth len store it into the right place in
1127 * the dcerpc header */
1128 dcerpc_set_frag_length(&p->out_data.frag,
1129 p->out_data.frag.length + auth_blob.length);
1130
1131 if (auth_blob.length) {
1132
1133 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1134 auth_blob.data, auth_blob.length)) {
1135 DEBUG(0, ("Append of auth info failed.\n"));
1136 goto err_exit;
1137 }
1138 }
1139
1140 /*
1141 * Setup the lengths for the initial reply.
1142 */
1143
1144 p->out_data.data_sent_length = 0;
1145 p->out_data.current_pdu_sent = 0;
1146
1147 TALLOC_FREE(auth_blob.data);
1148 return True;
1149
1150 err_exit:
1151
1152 data_blob_free(&p->out_data.frag);
1153 TALLOC_FREE(auth_blob.data);
1154 return setup_bind_nak(p, pkt);
1155 }
1156
1157 /*******************************************************************
1158 This is the "stage3" response after a bind request and reply.
1159 *******************************************************************/
1160
1161 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1162 {
1163 struct dcerpc_auth auth_info;
1164 DATA_BLOB response = data_blob_null;
1165 struct auth_ntlmssp_state *ntlmssp_ctx;
1166 struct spnego_context *spnego_ctx;
1167 struct gse_context *gse_ctx;
1168 NTSTATUS status;
1169
1170 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1171
1172 if (pkt->auth_length == 0) {
1173 DEBUG(0, ("No auth field sent for bind request!\n"));
1174 goto err;
1175 }
1176
1177 /* Ensure there's enough data for an authenticated request. */
1178 if (pkt->frag_length < RPC_HEADER_LEN
1179 + DCERPC_AUTH_TRAILER_LENGTH
1180 + pkt->auth_length) {
1181 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1182 "%u is too large.\n",
1183 (unsigned int)pkt->auth_length));
1184 goto err;
1185 }
1186
1187 /*
1188 * Decode the authentication verifier response.
1189 */
1190
1191 status = dcerpc_pull_dcerpc_auth(pkt,
1192 &pkt->u.auth3.auth_info,
1193 &auth_info, p->endian);
1194 if (!NT_STATUS_IS_OK(status)) {
1195 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1196 goto err;
1197 }
1198
1199 /* We must NEVER look at auth_info->auth_pad_len here,
1200 * as old Samba client code gets it wrong and sends it
1201 * as zero. JRA.
1202 */
1203
1204 if (auth_info.auth_type != p->auth.auth_type) {
1205 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1206 "but auth was started as type %d!\n",
1207 auth_info.auth_type, p->auth.auth_type));
1208 goto err;
1209 }
1210
1211 switch (auth_info.auth_type) {
1212 case DCERPC_AUTH_TYPE_NTLMSSP:
1213 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1214 struct auth_ntlmssp_state);
1215 status = ntlmssp_server_step(ntlmssp_ctx,
1216 pkt, &auth_info.credentials,
1217 &response);
1218 break;
1219 case DCERPC_AUTH_TYPE_KRB5:
1220 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1221 struct gse_context);
1222 status = gssapi_server_step(gse_ctx,
1223 pkt, &auth_info.credentials,
1224 &response);
1225 break;
1226 case DCERPC_AUTH_TYPE_SPNEGO:
1227 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1228 struct spnego_context);
1229 status = spnego_server_step(spnego_ctx,
1230 pkt, &auth_info.credentials,
1231 &response);
1232 break;
1233 default:
1234 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1235 (unsigned int)auth_info.auth_type));
1236 return false;
1237 }
1238
1239 if (NT_STATUS_EQUAL(status,
1240 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1241 response.length) {
1242 DEBUG(0, (__location__ ": This was supposed to be the final "
1243 "leg, but crypto machinery claims a response is "
1244 "needed, aborting auth!\n"));
1245 data_blob_free(&response);
1246 goto err;
1247 }
1248 if (!NT_STATUS_IS_OK(status)) {
1249 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1250 goto err;
1251 }
1252
1253 /* Now verify auth was indeed successful and extract server info */
1254 status = pipe_auth_verify_final(p);
1255 if (!NT_STATUS_IS_OK(status)) {
1256 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1257 goto err;
1258 }
1259
1260 return true;
1261
1262 err:
1263
1264 TALLOC_FREE(p->auth.auth_ctx);
1265 return false;
1266 }
1267
1268 /****************************************************************************
1269 Deal with an alter context call. Can be third part of 3 leg auth request for
1270 SPNEGO calls.
1271 ****************************************************************************/
1272
1273 static bool api_pipe_alter_context(struct pipes_struct *p,
1274 struct ncacn_packet *pkt)
1275 {
1276 struct dcerpc_auth auth_info;
1277 uint16 assoc_gid;
1278 NTSTATUS status;
1279 union dcerpc_payload u;
1280 struct dcerpc_ack_ctx bind_ack_ctx;
1281 DATA_BLOB auth_resp = data_blob_null;
1282 DATA_BLOB auth_blob = data_blob_null;
1283 int pad_len = 0;
1284 struct auth_ntlmssp_state *ntlmssp_ctx;
1285 struct spnego_context *spnego_ctx;
1286 struct gse_context *gse_ctx;
1287
1288 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1289
1290 if (pkt->u.bind.assoc_group_id != 0) {
1291 assoc_gid = pkt->u.bind.assoc_group_id;
1292 } else {
1293 assoc_gid = 0x53f0;
1294 }
1295
1296 /*
1297 * Create the bind response struct.
1298 */
1299
1300 /* If the requested abstract synt uuid doesn't match our client pipe,
1301 reject the bind_ack & set the transfer interface synt to all 0's,
1302 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1303 unknown to NT4)
1304 Needed when adding entries to a DACL from NT5 - SK */
1305
1306 if (check_bind_req(p,
1307 &pkt->u.bind.ctx_list[0].abstract_syntax,
1308 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1309 pkt->u.bind.ctx_list[0].context_id)) {
1310
1311 bind_ack_ctx.result = 0;
1312 bind_ack_ctx.reason = 0;
1313 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1314 } else {
1315 p->pipe_bound = False;
1316 /* Rejection reason: abstract syntax not supported */
1317 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1318 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1319 bind_ack_ctx.syntax = null_ndr_syntax_id;
1320 }
1321
1322 /*
1323 * Check if this is an authenticated alter context request.
1324 */
1325 if (pkt->auth_length) {
1326 /* Quick length check. Won't catch a bad auth footer,
1327 * prevents overrun. */
1328
1329 if (pkt->frag_length < RPC_HEADER_LEN +
1330 DCERPC_AUTH_TRAILER_LENGTH +
1331 pkt->auth_length) {
1332 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1333 "too long for fragment %u.\n",
1334 (unsigned int)pkt->auth_length,
1335 (unsigned int)pkt->frag_length ));
1336 goto err_exit;
1337 }
1338
1339 status = dcerpc_pull_dcerpc_auth(pkt,
1340 &pkt->u.bind.auth_info,
1341 &auth_info, p->endian);
1342 if (!NT_STATUS_IS_OK(status)) {
1343 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1344 goto err_exit;
1345 }
1346
1347 /* We can only finish if the pipe is unbound for now */
1348 if (p->pipe_bound) {
1349 DEBUG(0, (__location__ ": Pipe already bound, "
1350 "Altering Context not yet supported!\n"));
1351 goto err_exit;
1352 }
1353
1354 if (auth_info.auth_type != p->auth.auth_type) {
1355 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1356 "but auth was started as type %d!\n",
1357 auth_info.auth_type, p->auth.auth_type));
1358 goto err_exit;
1359 }
1360
1361
1362 switch (auth_info.auth_type) {
1363 case DCERPC_AUTH_TYPE_SPNEGO:
1364 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1365 struct spnego_context);
1366 status = spnego_server_step(spnego_ctx,
1367 pkt,
1368 &auth_info.credentials,
1369 &auth_resp);
1370 break;
1371
1372 case DCERPC_AUTH_TYPE_KRB5:
1373 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1374 struct gse_context);
1375 status = gssapi_server_step(gse_ctx,
1376 pkt,
1377 &auth_info.credentials,
1378 &auth_resp);
1379 break;
1380 case DCERPC_AUTH_TYPE_NTLMSSP:
1381 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1382 struct auth_ntlmssp_state);
1383 status = ntlmssp_server_step(ntlmssp_ctx,
1384 pkt,
1385 &auth_info.credentials,
1386 &auth_resp);
1387 break;
1388
1389 default:
1390 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1391 "in alter-context call\n",
1392 auth_info.auth_type));
1393 goto err_exit;
1394 }
1395
1396 if (NT_STATUS_IS_OK(status)) {
1397 /* third leg of auth, verify auth info */
1398 status = pipe_auth_verify_final(p);
1399 if (!NT_STATUS_IS_OK(status)) {
1400 DEBUG(0, ("Auth Verify failed (%s)\n",
1401 nt_errstr(status)));
1402 goto err_exit;
1403 }
1404 } else if (NT_STATUS_EQUAL(status,
1405 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1406 DEBUG(10, ("More auth legs required.\n"));
1407 } else {
1408 DEBUG(0, ("Auth step returned an error (%s)\n",
1409 nt_errstr(status)));
1410 goto err_exit;
1411 }
1412 }
1413
1414 ZERO_STRUCT(u.alter_resp);
1415 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1416 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1417 u.alter_resp.assoc_group_id = assoc_gid;
1418
1419 /* secondary address CAN be NULL
1420 * as the specs say it's ignored.
1421 * It MUST be NULL to have the spoolss working.
1422 */
1423 u.alter_resp.secondary_address = "";
1424 u.alter_resp.secondary_address_size = 1;
1425
1426 u.alter_resp.num_results = 1;
1427 u.alter_resp.ctx_list = &bind_ack_ctx;
1428
1429 /* NOTE: We leave the auth_info empty so we can calculate the padding
1430 * later and then append the auth_info --simo */
1431
1432 /*
1433 * Marshall directly into the outgoing PDU space. We
1434 * must do this as we need to set to the bind response
1435 * header and are never sending more than one PDU here.
1436 */
1437
1438 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1439 DCERPC_PKT_ALTER_RESP,
1440 DCERPC_PFC_FLAG_FIRST |
1441 DCERPC_PFC_FLAG_LAST,
1442 auth_resp.length,
1443 pkt->call_id,
1444 &u,
1445 &p->out_data.frag);
1446 if (!NT_STATUS_IS_OK(status)) {
1447 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1448 nt_errstr(status)));
1449 }
1450
1451 if (auth_resp.length) {
1452
1453 /* Work out any padding needed before the auth footer. */
1454 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1455 if (pad_len) {
1456 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1457 DEBUG(10, ("auth pad_len = %u\n",
1458 (unsigned int)pad_len));
1459 }
1460
1461 status = dcerpc_push_dcerpc_auth(pkt,
1462 auth_info.auth_type,
1463 auth_info.auth_level,
1464 pad_len,
1465 1, /* auth_context_id */
1466 &auth_resp,
1467 &auth_blob);
1468 if (!NT_STATUS_IS_OK(status)) {
1469 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1470 goto err_exit;
1471 }
1472 }
1473
1474 /* Now that we have the auth len store it into the right place in
1475 * the dcerpc header */
1476 dcerpc_set_frag_length(&p->out_data.frag,
1477 p->out_data.frag.length +
1478 pad_len + auth_blob.length);
1479
1480 if (auth_resp.length) {
1481 if (pad_len) {
1482 char pad[SERVER_NDR_PADDING_SIZE];
1483 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1484 if (!data_blob_append(p->mem_ctx,
1485 &p->out_data.frag,
1486 pad, pad_len)) {
1487 DEBUG(0, ("api_pipe_bind_req: failed to add "
1488 "%u bytes of pad data.\n",
1489 (unsigned int)pad_len));
1490 goto err_exit;
1491 }
1492 }
1493
1494 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1495 auth_blob.data, auth_blob.length)) {
1496 DEBUG(0, ("Append of auth info failed.\n"));
1497 goto err_exit;
1498 }
1499 }
1500
1501 /*
1502 * Setup the lengths for the initial reply.
1503 */
1504
1505 p->out_data.data_sent_length = 0;
1506 p->out_data.current_pdu_sent = 0;
1507
1508 TALLOC_FREE(auth_blob.data);
1509 return True;
1510
1511 err_exit:
1512
1513 data_blob_free(&p->out_data.frag);
1514 TALLOC_FREE(auth_blob.data);
1515 return setup_bind_nak(p, pkt);
1516 }
1517
1518 /****************************************************************************
1519 Find the set of RPC functions associated with this context_id
1520 ****************************************************************************/
1521
1522 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1523 {
1524 PIPE_RPC_FNS *fns = NULL;
1525
1526 if ( !list ) {
1527 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1528 return NULL;
1529 }
1530
1531 for (fns=list; fns; fns=fns->next ) {
1532 if ( fns->context_id == context_id )
1533 return fns;
1534 }
1535 return NULL;
1536 }
1537
1538 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1539 const struct api_struct *api_rpc_cmds, int n_cmds);
1540
1541 /****************************************************************************
1542 Find the correct RPC function to call for this request.
1543 If the pipe is authenticated then become the correct UNIX user
1544 before doing the call.
1545 ****************************************************************************/
1546
1547 static bool api_pipe_request(struct pipes_struct *p,
1548 struct ncacn_packet *pkt)
1549 {
1550 bool ret = False;
1551 bool changed_user = False;
1552 PIPE_RPC_FNS *pipe_fns;
1553
1554 if (p->pipe_bound &&
1555 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1556 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1557 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1558 if(!become_authenticated_pipe_user(p)) {
1559 data_blob_free(&p->out_data.rdata);
1560 return False;
1561 }
1562 changed_user = True;
1563 }
1564
1565 DEBUG(5, ("Requested \\PIPE\\%s\n",
1566 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1567
1568 /* get the set of RPC functions for this context */
1569
1570 pipe_fns = find_pipe_fns_by_context(p->contexts,
1571 pkt->u.request.context_id);
1572
1573 if ( pipe_fns ) {
1574 TALLOC_CTX *frame = talloc_stackframe();
1575 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds);
1576 TALLOC_FREE(frame);
1577 }
1578 else {
1579 DEBUG(0, ("No rpc function table associated with context "
1580 "[%d] on pipe [%s]\n",
1581 pkt->u.request.context_id,
1582 get_pipe_name_from_syntax(talloc_tos(),
1583 &p->syntax)));
1584 }
1585
1586 if (changed_user) {
1587 unbecome_authenticated_pipe_user();
1588 }
1589
1590 return ret;
1591 }
1592
1593 /*******************************************************************
1594 Calls the underlying RPC function for a named pipe.
1595 ********************************************************************/
1596
1597 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1598 const struct api_struct *api_rpc_cmds, int n_cmds)
1599 {
1600 int fn_num;
1601 uint32_t offset1;
1602
1603 /* interpret the command */
1604 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1605 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1606 pkt->u.request.opnum));
1607
1608 if (DEBUGLEVEL >= 50) {
1609 fstring name;
1610 slprintf(name, sizeof(name)-1, "in_%s",
1611 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1612 dump_pdu_region(name, pkt->u.request.opnum,
1613 &p->in_data.data, 0,
1614 p->in_data.data.length);
1615 }
1616
1617 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1618 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1619 api_rpc_cmds[fn_num].fn != NULL) {
1620 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1621 api_rpc_cmds[fn_num].name));
1622 break;
1623 }
1624 }
1625
1626 if (fn_num == n_cmds) {
1627 /*
1628 * For an unknown RPC just return a fault PDU but
1629 * return True to allow RPC's on the pipe to continue
1630 * and not put the pipe into fault state. JRA.
1631 */
1632 DEBUG(4, ("unknown\n"));
1633 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1634 return True;
1635 }
1636
1637 offset1 = p->out_data.rdata.length;
1638
1639 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1640 fn_num, api_rpc_cmds[fn_num].fn));
1641 /* do the actual command */
1642 if(!api_rpc_cmds[fn_num].fn(p)) {
1643 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1644 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1645 api_rpc_cmds[fn_num].name));
1646 data_blob_free(&p->out_data.rdata);
1647 return False;
1648 }
1649
1650 if (p->bad_handle_fault_state) {
1651 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1652 p->bad_handle_fault_state = False;
1653 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1654 return True;
1655 }
1656
1657 if (p->rng_fault_state) {
1658 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1659 p->rng_fault_state = False;
1660 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1661 return True;
1662 }
1663
1664 if (DEBUGLEVEL >= 50) {
1665 fstring name;
1666 slprintf(name, sizeof(name)-1, "out_%s",
1667 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1668 dump_pdu_region(name, pkt->u.request.opnum,
1669 &p->out_data.rdata, offset1,
1670 p->out_data.rdata.length);
1671 }
1672
1673 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1674 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1675
1676 /* Check for buffer underflow in rpc parsing */
1677 if ((DEBUGLEVEL >= 10) &&
1678 (pkt->frag_length < p->in_data.data.length)) {
1679 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1680 dump_data(10, p->in_data.data.data + pkt->frag_length,
1681 p->in_data.data.length - pkt->frag_length);
1682 }
1683
1684 return True;
1685 }
1686
1687 /****************************************************************************
1688 Initialise an outgoing packet.
1689 ****************************************************************************/
1690
1691 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1692 {
1693 output_data *o_data = &p->out_data;
1694
1695 /* Reset the offset counters. */
1696 o_data->data_sent_length = 0;
1697 o_data->current_pdu_sent = 0;
1698
1699 data_blob_free(&o_data->frag);
1700
1701 /* Free any memory in the current return data buffer. */
1702 data_blob_free(&o_data->rdata);
1703
1704 return True;
1705 }
1706
1707 /****************************************************************************
1708 Sets the fault state on incoming packets.
1709 ****************************************************************************/
1710
1711 void set_incoming_fault(struct pipes_struct *p)
1712 {
1713 data_blob_free(&p->in_data.data);
1714 p->in_data.pdu_needed_len = 0;
1715 p->in_data.pdu.length = 0;
1716 p->fault_state = True;
1717 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1718 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1719 }
1720
1721 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1722 struct ncacn_packet *pkt,
1723 DATA_BLOB *raw_pkt)
1724 {
1725 NTSTATUS status;
1726 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1727 size_t pad_len;
1728
1729 DEBUG(10, ("Checking request auth.\n"));
1730
1731 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1732 hdr_size += 16;
1733 }
1734
1735 /* in case of sealing this function will unseal the data in place */
1736 status = dcerpc_check_auth(auth, pkt,
1737 &pkt->u.request.stub_and_verifier,
1738 hdr_size, raw_pkt,
1739 &pad_len);
1740 if (!NT_STATUS_IS_OK(status)) {
1741 return status;
1742 }
1743
1744
1745 /* remove padding and auth trailer,
1746 * this way the caller will get just the data */
1747 if (pkt->auth_length) {
1748 size_t trail_len = pad_len
1749 + DCERPC_AUTH_TRAILER_LENGTH
1750 + pkt->auth_length;
1751 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1752 return NT_STATUS_INFO_LENGTH_MISMATCH;
1753 }
1754 pkt->u.request.stub_and_verifier.length -= trail_len;
1755 }
1756
1757 return NT_STATUS_OK;
1758 }
1759
1760 /****************************************************************************
1761 Processes a request pdu. This will do auth processing if needed, and
1762 appends the data into the complete stream if the LAST flag is not set.
1763 ****************************************************************************/
1764
1765 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1766 {
1767 NTSTATUS status;
1768 DATA_BLOB data;
1769
1770 if (!p->pipe_bound) {
1771 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1772 set_incoming_fault(p);
1773 return False;
1774 }
1775
1776 /* Store the opnum */
1777 p->opnum = pkt->u.request.opnum;
1778
1779 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1780 if (!NT_STATUS_IS_OK(status)) {
1781 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1782 nt_errstr(status)));
1783 set_incoming_fault(p);
1784 return false;
1785 }
1786
1787 data = pkt->u.request.stub_and_verifier;
1788
1789 /*
1790 * Check the data length doesn't go over the 15Mb limit.
1791 * increased after observing a bug in the Windows NT 4.0 SP6a
1792 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1793 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1794 */
1795
1796 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1797 DEBUG(0, ("process_request_pdu: "
1798 "rpc data buffer too large (%u) + (%u)\n",
1799 (unsigned int)p->in_data.data.length,
1800 (unsigned int)data.length));
1801 set_incoming_fault(p);
1802 return False;
1803 }
1804
1805 /*
1806 * Append the data portion into the buffer and return.
1807 */
1808
1809 if (data.length) {
1810 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1811 data.data, data.length)) {
1812 DEBUG(0, ("Unable to append data size %u "
1813 "to parse buffer of size %u.\n",
1814 (unsigned int)data.length,
1815 (unsigned int)p->in_data.data.length));
1816 set_incoming_fault(p);
1817 return False;
1818 }
1819 }
1820
1821 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1822 bool ret = False;
1823 /*
1824 * Ok - we finally have a complete RPC stream.
1825 * Call the rpc command to process it.
1826 */
1827
1828 /*
1829 * Process the complete data stream here.
1830 */
1831 if (pipe_init_outgoing_data(p)) {
1832 ret = api_pipe_request(p, pkt);
1833 }
1834
1835 return ret;
1836 }
1837
1838 return True;
1839 }
1840
1841 /****************************************************************************
1842 Processes a finished PDU stored in p->in_data.pdu.
1843 ****************************************************************************/
1844
1845 void process_complete_pdu(struct pipes_struct *p)
1846 {
1847 struct ncacn_packet *pkt = NULL;
1848 NTSTATUS status;
1849 bool reply = False;
1850
1851 if(p->fault_state) {
1852 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1853 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1854 goto done;
1855 }
1856
1857 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1858 if (!pkt) {
1859 DEBUG(0, ("Out of memory!\n"));
1860 goto done;
1861 }
1862
1863 /*
1864 * Ensure we're using the corrent endianness for both the
1865 * RPC header flags and the raw data we will be reading from.
1866 */
1867 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1868 p->endian = RPC_LITTLE_ENDIAN;
1869 } else {
1870 p->endian = RPC_BIG_ENDIAN;
1871 }
1872 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1873
1874 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1875 pkt, p->endian);
1876 if (!NT_STATUS_IS_OK(status)) {
1877 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1878 nt_errstr(status)));
1879 goto done;
1880 }
1881
1882 /* Store the call_id */
1883 p->call_id = pkt->call_id;
1884
1885 DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
1886
1887 switch (pkt->ptype) {
1888 case DCERPC_PKT_REQUEST:
1889 reply = process_request_pdu(p, pkt);
1890 break;
1891
1892 case DCERPC_PKT_PING: /* CL request - ignore... */
1893 DEBUG(0, ("process_complete_pdu: Error. "
1894 "Connectionless packet type %d received on "
1895 "pipe %s.\n", (int)pkt->ptype,
1896 get_pipe_name_from_syntax(talloc_tos(),
1897 &p->syntax)));
1898 break;
1899
1900 case DCERPC_PKT_RESPONSE: /* No responses here. */
1901 DEBUG(0, ("process_complete_pdu: Error. "
1902 "DCERPC_PKT_RESPONSE received from client "
1903 "on pipe %s.\n",
1904 get_pipe_name_from_syntax(talloc_tos(),
1905 &p->syntax)));
1906 break;
1907
1908 case DCERPC_PKT_FAULT:
1909 case DCERPC_PKT_WORKING:
1910 /* CL request - reply to a ping when a call in process. */
1911 case DCERPC_PKT_NOCALL:
1912 /* CL - server reply to a ping call. */
1913 case DCERPC_PKT_REJECT:
1914 case DCERPC_PKT_ACK:
1915 case DCERPC_PKT_CL_CANCEL:
1916 case DCERPC_PKT_FACK:
1917 case DCERPC_PKT_CANCEL_ACK:
1918 DEBUG(0, ("process_complete_pdu: Error. "
1919 "Connectionless packet type %u received on "
1920 "pipe %s.\n", (unsigned int)pkt->ptype,
1921 get_pipe_name_from_syntax(talloc_tos(),
1922 &p->syntax)));
1923 break;
1924
1925 case DCERPC_PKT_BIND:
1926 /*
1927 * We assume that a pipe bind is only in one pdu.
1928 */
1929 if (pipe_init_outgoing_data(p)) {
1930 reply = api_pipe_bind_req(p, pkt);
1931 }
1932 break;
1933
1934 case DCERPC_PKT_BIND_ACK:
1935 case DCERPC_PKT_BIND_NAK:
1936 DEBUG(0, ("process_complete_pdu: Error. "
1937 "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1938 "packet type %u received on pipe %s.\n",
1939 (unsigned int)pkt->ptype,
1940 get_pipe_name_from_syntax(talloc_tos(),
1941 &p->syntax)));
1942 break;
1943
1944
1945 case DCERPC_PKT_ALTER:
1946 /*
1947 * We assume that a pipe bind is only in one pdu.
1948 */
1949 if (pipe_init_outgoing_data(p)) {
1950 reply = api_pipe_alter_context(p, pkt);
1951 }
1952 break;
1953
1954 case DCERPC_PKT_ALTER_RESP:
1955 DEBUG(0, ("process_complete_pdu: Error. "
1956 "DCERPC_PKT_ALTER_RESP on pipe %s: "
1957 "Should only be server -> client.\n",
1958 get_pipe_name_from_syntax(talloc_tos(),
1959 &p->syntax)));
1960 break;
1961
1962 case DCERPC_PKT_AUTH3:
1963 /*
1964 * The third packet in an auth exchange.
1965 */
1966 if (pipe_init_outgoing_data(p)) {
1967 reply = api_pipe_bind_auth3(p, pkt);
1968 }
1969 break;
1970
1971 case DCERPC_PKT_SHUTDOWN:
1972 DEBUG(0, ("process_complete_pdu: Error. "
1973 "DCERPC_PKT_SHUTDOWN on pipe %s: "
1974 "Should only be server -> client.\n",
1975 get_pipe_name_from_syntax(talloc_tos(),
1976 &p->syntax)));
1977 break;
1978
1979 case DCERPC_PKT_CO_CANCEL:
1980 /* For now just free all client data and continue
1981 * processing. */
1982 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1983 " Abandoning rpc call.\n"));
1984 /* As we never do asynchronous RPC serving, we can
1985 * never cancel a call (as far as I know).
1986 * If we ever did we'd have to send a cancel_ack reply.
1987 * For now, just free all client data and continue
1988 * processing. */
1989 reply = True;
1990 break;
1991
1992 #if 0
1993 /* Enable this if we're doing async rpc. */
1994 /* We must check the outstanding callid matches. */
1995 if (pipe_init_outgoing_data(p)) {
1996 /* Send a cancel_ack PDU reply. */
1997 /* We should probably check the auth-verifier here. */
1998 reply = setup_cancel_ack_reply(p, pkt);
1999 }
2000 break;
2001 #endif
2002
2003 case DCERPC_PKT_ORPHANED:
2004 /* We should probably check the auth-verifier here.
2005 * For now just free all client data and continue
2006 * processing. */
2007 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
2008 " Abandoning rpc call.\n"));
2009 reply = True;
2010 break;
2011
2012 default:
2013 DEBUG(0, ("process_complete_pdu: "
2014 "Unknown rpc type = %u received.\n",
2015 (unsigned int)pkt->ptype));
2016 break;
2017 }
2018
2019 done:
2020 if (!reply) {
2021 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2022 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2023 &p->syntax)));
2024 set_incoming_fault(p);
2025 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2026 TALLOC_FREE(pkt);
2027 } else {
2028 /*
2029 * Reset the lengths. We're ready for a new pdu.
2030 */
2031 TALLOC_FREE(p->in_data.pdu.data);
2032 p->in_data.pdu_needed_len = 0;
2033 p->in_data.pdu.length = 0;
2034 }
2035
2036 TALLOC_FREE(pkt);
2037 }
2038
Samba GIT mirror