Make use of ZERO_STRUCT instead of memset in namequery.c
[Samba.git] / source / rpc_server / srv_pipe.c
blob05cdb65a8317cba332852a8f91218bfd3bdf4f80
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
30 #include "includes.h"
32 extern struct pipe_id_info pipe_names[];
33 extern struct current_user current_user;
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
38 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42 if (a) {
43 auth_ntlmssp_end(&a);
45 auth->a_u.auth_ntlmssp_state = NULL;
48 static DATA_BLOB generic_session_key(void)
50 return data_blob("SystemLibraryDTC", 16);
53 /*******************************************************************
54 Generate the next PDU to be returned from the data in p->rdata.
55 Handle NTLMSSP.
56 ********************************************************************/
58 static bool create_next_pdu_ntlmssp(pipes_struct *p)
60 RPC_HDR_RESP hdr_resp;
61 uint32 ss_padding_len = 0;
62 uint32 data_space_available;
63 uint32 data_len_left;
64 uint32 data_len;
65 prs_struct outgoing_pdu;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = RPC_RESPONSE;
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = RPC_FLG_FIRST;
90 } else {
91 p->hdr.flags = 0;
95 * Work out how much we can fit in a single PDU.
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101 * Ensure there really is data left to send.
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
109 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
110 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
113 * The amount we send is the minimum of the available
114 * space and the amount left to send.
117 data_len = MIN(data_len_left, data_space_available);
120 * Set up the alloc hint. This should be the data left to
121 * send.
124 hdr_resp.alloc_hint = data_len_left;
127 * Work out if this PDU will be the last.
130 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131 p->hdr.flags |= RPC_FLG_LAST;
132 if (data_len_left % 8) {
133 ss_padding_len = 8 - (data_len_left % 8);
134 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135 ss_padding_len ));
140 * Set up the header lengths.
143 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144 data_len + ss_padding_len +
145 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150 * Init the parse struct to point at the outgoing
151 * data.
154 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
155 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&outgoing_pdu);
161 return False;
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&outgoing_pdu);
167 return False;
170 /* Copy the data into the PDU. */
172 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174 prs_mem_free(&outgoing_pdu);
175 return False;
178 /* Copy the sign/seal padding data. */
179 if (ss_padding_len) {
180 char pad[8];
182 memset(pad, '\0', 8);
183 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
185 (unsigned int)ss_padding_len));
186 prs_mem_free(&outgoing_pdu);
187 return False;
192 /* Now write out the auth header and null blob. */
193 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
194 auth_type = RPC_NTLMSSP_AUTH_TYPE;
195 } else {
196 auth_type = RPC_SPNEGO_AUTH_TYPE;
198 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
199 auth_level = RPC_AUTH_LEVEL_PRIVACY;
200 } else {
201 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
204 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
205 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
206 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207 prs_mem_free(&outgoing_pdu);
208 return False;
211 /* Generate the sign blob. */
213 switch (p->auth.auth_level) {
214 case PIPE_AUTH_LEVEL_PRIVACY:
215 /* Data portion is encrypted. */
216 status = ntlmssp_seal_packet(a->ntlmssp_state,
217 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
218 data_len + ss_padding_len,
219 (unsigned char *)prs_data_p(&outgoing_pdu),
220 (size_t)prs_offset(&outgoing_pdu),
221 &auth_blob);
222 if (!NT_STATUS_IS_OK(status)) {
223 data_blob_free(&auth_blob);
224 prs_mem_free(&outgoing_pdu);
225 return False;
227 break;
228 case PIPE_AUTH_LEVEL_INTEGRITY:
229 /* Data is signed. */
230 status = ntlmssp_sign_packet(a->ntlmssp_state,
231 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232 data_len + ss_padding_len,
233 (unsigned char *)prs_data_p(&outgoing_pdu),
234 (size_t)prs_offset(&outgoing_pdu),
235 &auth_blob);
236 if (!NT_STATUS_IS_OK(status)) {
237 data_blob_free(&auth_blob);
238 prs_mem_free(&outgoing_pdu);
239 return False;
241 break;
242 default:
243 prs_mem_free(&outgoing_pdu);
244 return False;
247 /* Append the auth blob. */
248 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
249 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
250 (unsigned int)NTLMSSP_SIG_SIZE));
251 data_blob_free(&auth_blob);
252 prs_mem_free(&outgoing_pdu);
253 return False;
256 data_blob_free(&auth_blob);
259 * Setup the counts for this PDU.
262 p->out_data.data_sent_length += data_len;
263 p->out_data.current_pdu_len = p->hdr.frag_len;
264 p->out_data.current_pdu_sent = 0;
266 prs_mem_free(&outgoing_pdu);
267 return True;
270 /*******************************************************************
271 Generate the next PDU to be returned from the data in p->rdata.
272 Return an schannel authenticated fragment.
273 ********************************************************************/
275 static bool create_next_pdu_schannel(pipes_struct *p)
277 RPC_HDR_RESP hdr_resp;
278 uint32 ss_padding_len = 0;
279 uint32 data_len;
280 uint32 data_space_available;
281 uint32 data_len_left;
282 prs_struct outgoing_pdu;
283 uint32 data_pos;
286 * If we're in the fault state, keep returning fault PDU's until
287 * the pipe gets closed. JRA.
290 if(p->fault_state) {
291 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
292 return True;
295 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
297 /* Change the incoming request header to a response. */
298 p->hdr.pkt_type = RPC_RESPONSE;
300 /* Set up rpc header flags. */
301 if (p->out_data.data_sent_length == 0) {
302 p->hdr.flags = RPC_FLG_FIRST;
303 } else {
304 p->hdr.flags = 0;
308 * Work out how much we can fit in a single PDU.
311 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
314 * Ensure there really is data left to send.
317 if(!data_len_left) {
318 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
319 return False;
322 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
323 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
326 * The amount we send is the minimum of the available
327 * space and the amount left to send.
330 data_len = MIN(data_len_left, data_space_available);
333 * Set up the alloc hint. This should be the data left to
334 * send.
337 hdr_resp.alloc_hint = data_len_left;
340 * Work out if this PDU will be the last.
343 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
344 p->hdr.flags |= RPC_FLG_LAST;
345 if (data_len_left % 8) {
346 ss_padding_len = 8 - (data_len_left % 8);
347 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
348 ss_padding_len ));
352 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
353 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
357 * Init the parse struct to point at the outgoing
358 * data.
361 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
362 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
364 /* Store the header in the data stream. */
365 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
366 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
367 prs_mem_free(&outgoing_pdu);
368 return False;
371 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
373 prs_mem_free(&outgoing_pdu);
374 return False;
377 /* Store the current offset. */
378 data_pos = prs_offset(&outgoing_pdu);
380 /* Copy the data into the PDU. */
382 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
383 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
384 prs_mem_free(&outgoing_pdu);
385 return False;
388 /* Copy the sign/seal padding data. */
389 if (ss_padding_len) {
390 char pad[8];
391 memset(pad, '\0', 8);
392 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
394 prs_mem_free(&outgoing_pdu);
395 return False;
401 * Schannel processing.
403 char *data;
404 RPC_HDR_AUTH auth_info;
405 RPC_AUTH_SCHANNEL_CHK verf;
407 data = prs_data_p(&outgoing_pdu) + data_pos;
408 /* Check it's the type of reply we were expecting to decode */
410 init_rpc_hdr_auth(&auth_info,
411 RPC_SCHANNEL_AUTH_TYPE,
412 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
413 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
414 ss_padding_len, 1);
416 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
417 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
418 prs_mem_free(&outgoing_pdu);
419 return False;
422 schannel_encode(p->auth.a_u.schannel_auth,
423 p->auth.auth_level,
424 SENDER_IS_ACCEPTOR,
425 &verf, data, data_len + ss_padding_len);
427 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
428 &verf, &outgoing_pdu, 0)) {
429 prs_mem_free(&outgoing_pdu);
430 return False;
433 p->auth.a_u.schannel_auth->seq_num++;
437 * Setup the counts for this PDU.
440 p->out_data.data_sent_length += data_len;
441 p->out_data.current_pdu_len = p->hdr.frag_len;
442 p->out_data.current_pdu_sent = 0;
444 prs_mem_free(&outgoing_pdu);
445 return True;
448 /*******************************************************************
449 Generate the next PDU to be returned from the data in p->rdata.
450 No authentication done.
451 ********************************************************************/
453 static bool create_next_pdu_noauth(pipes_struct *p)
455 RPC_HDR_RESP hdr_resp;
456 uint32 data_len;
457 uint32 data_space_available;
458 uint32 data_len_left;
459 prs_struct outgoing_pdu;
462 * If we're in the fault state, keep returning fault PDU's until
463 * the pipe gets closed. JRA.
466 if(p->fault_state) {
467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468 return True;
471 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
473 /* Change the incoming request header to a response. */
474 p->hdr.pkt_type = RPC_RESPONSE;
476 /* Set up rpc header flags. */
477 if (p->out_data.data_sent_length == 0) {
478 p->hdr.flags = RPC_FLG_FIRST;
479 } else {
480 p->hdr.flags = 0;
484 * Work out how much we can fit in a single PDU.
487 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
490 * Ensure there really is data left to send.
493 if(!data_len_left) {
494 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495 return False;
498 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
501 * The amount we send is the minimum of the available
502 * space and the amount left to send.
505 data_len = MIN(data_len_left, data_space_available);
508 * Set up the alloc hint. This should be the data left to
509 * send.
512 hdr_resp.alloc_hint = data_len_left;
515 * Work out if this PDU will be the last.
518 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
519 p->hdr.flags |= RPC_FLG_LAST;
523 * Set up the header lengths.
526 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
527 p->hdr.auth_len = 0;
530 * Init the parse struct to point at the outgoing
531 * data.
534 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
535 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
537 /* Store the header in the data stream. */
538 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
539 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540 prs_mem_free(&outgoing_pdu);
541 return False;
544 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
545 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546 prs_mem_free(&outgoing_pdu);
547 return False;
550 /* Copy the data into the PDU. */
552 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
553 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
554 prs_mem_free(&outgoing_pdu);
555 return False;
559 * Setup the counts for this PDU.
562 p->out_data.data_sent_length += data_len;
563 p->out_data.current_pdu_len = p->hdr.frag_len;
564 p->out_data.current_pdu_sent = 0;
566 prs_mem_free(&outgoing_pdu);
567 return True;
570 /*******************************************************************
571 Generate the next PDU to be returned from the data in p->rdata.
572 ********************************************************************/
574 bool create_next_pdu(pipes_struct *p)
576 switch(p->auth.auth_level) {
577 case PIPE_AUTH_LEVEL_NONE:
578 case PIPE_AUTH_LEVEL_CONNECT:
579 /* This is incorrect for auth level connect. Fixme. JRA */
580 return create_next_pdu_noauth(p);
582 default:
583 switch(p->auth.auth_type) {
584 case PIPE_AUTH_TYPE_NTLMSSP:
585 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
586 return create_next_pdu_ntlmssp(p);
587 case PIPE_AUTH_TYPE_SCHANNEL:
588 return create_next_pdu_schannel(p);
589 default:
590 break;
594 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
595 (unsigned int)p->auth.auth_level,
596 (unsigned int)p->auth.auth_type));
597 return False;
600 /*******************************************************************
601 Process an NTLMSSP authentication response.
602 If this function succeeds, the user has been authenticated
603 and their domain, name and calling workstation stored in
604 the pipe struct.
605 *******************************************************************/
607 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
609 DATA_BLOB reply;
610 NTSTATUS status;
611 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
615 ZERO_STRUCT(reply);
617 memset(p->user_name, '\0', sizeof(p->user_name));
618 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
619 memset(p->domain, '\0', sizeof(p->domain));
620 memset(p->wks, '\0', sizeof(p->wks));
622 /* Set up for non-authenticated user. */
623 TALLOC_FREE(p->pipe_user.nt_user_token);
624 p->pipe_user.ut.ngroups = 0;
625 SAFE_FREE( p->pipe_user.ut.groups);
627 /* this has to be done as root in order to verify the password */
628 become_root();
629 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
630 unbecome_root();
632 /* Don't generate a reply. */
633 data_blob_free(&reply);
635 if (!NT_STATUS_IS_OK(status)) {
636 return False;
639 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
640 ensure the underlying NTLMSSP flags are also set. If not we should
641 refuse the bind. */
643 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
644 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
645 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
646 "but client declined signing.\n",
647 p->name ));
648 return False;
651 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
652 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
653 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
654 "but client declined sealing.\n",
655 p->name ));
656 return False;
660 fstrcpy(p->user_name, a->ntlmssp_state->user);
661 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
662 fstrcpy(p->domain, a->ntlmssp_state->domain);
663 fstrcpy(p->wks, a->ntlmssp_state->workstation);
665 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
666 p->user_name, p->domain, p->wks));
669 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
672 p->pipe_user.ut.uid = a->server_info->uid;
673 p->pipe_user.ut.gid = a->server_info->gid;
676 * We're an authenticated bind over smbd, so the session key needs to
677 * be set to "SystemLibraryDTC". Weird, but this is what Windows
678 * does. See the RPC-SAMBA3SESSIONKEY.
681 data_blob_free(&p->session_key);
682 p->session_key = generic_session_key();
683 if (!p->session_key.data) {
684 return False;
687 p->pipe_user.ut.ngroups = a->server_info->n_groups;
688 if (p->pipe_user.ut.ngroups) {
689 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(a->server_info->groups,
690 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
691 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
692 return False;
696 if (a->server_info->ptok) {
697 p->pipe_user.nt_user_token =
698 dup_nt_token(NULL, a->server_info->ptok);
699 } else {
700 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
701 p->pipe_user.nt_user_token = NULL;
702 return False;
705 return True;
708 /*******************************************************************
709 The switch table for the pipe names and the functions to handle them.
710 *******************************************************************/
712 struct rpc_table {
713 struct {
714 const char *clnt;
715 const char *srv;
716 } pipe;
717 const struct api_struct *cmds;
718 int n_cmds;
721 static struct rpc_table *rpc_lookup;
722 static int rpc_lookup_size;
724 /*******************************************************************
725 This is the "stage3" NTLMSSP response after a bind request and reply.
726 *******************************************************************/
728 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
730 RPC_HDR_AUTH auth_info;
731 uint32 pad;
732 DATA_BLOB blob;
734 ZERO_STRUCT(blob);
736 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
738 if (p->hdr.auth_len == 0) {
739 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
740 goto err;
743 /* 4 bytes padding. */
744 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
745 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
746 goto err;
750 * Decode the authentication verifier response.
753 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
754 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
755 goto err;
758 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
759 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
760 (unsigned int)auth_info.auth_type ));
761 return False;
764 blob = data_blob(NULL,p->hdr.auth_len);
766 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
767 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
768 (unsigned int)p->hdr.auth_len ));
769 goto err;
773 * The following call actually checks the challenge/response data.
774 * for correctness against the given DOMAIN\user name.
777 if (!pipe_ntlmssp_verify_final(p, &blob)) {
778 goto err;
781 data_blob_free(&blob);
783 p->pipe_bound = True;
785 return True;
787 err:
789 data_blob_free(&blob);
790 free_pipe_ntlmssp_auth_data(&p->auth);
791 p->auth.a_u.auth_ntlmssp_state = NULL;
793 return False;
796 /*******************************************************************
797 Marshall a bind_nak pdu.
798 *******************************************************************/
800 static bool setup_bind_nak(pipes_struct *p)
802 prs_struct outgoing_rpc;
803 RPC_HDR nak_hdr;
804 uint16 zero = 0;
806 /* Free any memory in the current return data buffer. */
807 prs_mem_free(&p->out_data.rdata);
810 * Marshall directly into the outgoing PDU space. We
811 * must do this as we need to set to the bind response
812 * header and are never sending more than one PDU here.
815 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
816 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
819 * Initialize a bind_nak header.
822 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
823 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
826 * Marshall the header into the outgoing PDU.
829 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
830 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
831 prs_mem_free(&outgoing_rpc);
832 return False;
836 * Now add the reject reason.
839 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
840 prs_mem_free(&outgoing_rpc);
841 return False;
844 p->out_data.data_sent_length = 0;
845 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
846 p->out_data.current_pdu_sent = 0;
848 if (p->auth.auth_data_free_func) {
849 (*p->auth.auth_data_free_func)(&p->auth);
851 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
852 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
853 p->pipe_bound = False;
855 return True;
858 /*******************************************************************
859 Marshall a fault pdu.
860 *******************************************************************/
862 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
864 prs_struct outgoing_pdu;
865 RPC_HDR fault_hdr;
866 RPC_HDR_RESP hdr_resp;
867 RPC_HDR_FAULT fault_resp;
869 /* Free any memory in the current return data buffer. */
870 prs_mem_free(&p->out_data.rdata);
873 * Marshall directly into the outgoing PDU space. We
874 * must do this as we need to set to the bind response
875 * header and are never sending more than one PDU here.
878 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
879 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
882 * Initialize a fault header.
885 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
886 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
889 * Initialize the HDR_RESP and FAULT parts of the PDU.
892 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
894 fault_resp.status = status;
895 fault_resp.reserved = 0;
898 * Marshall the header into the outgoing PDU.
901 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
902 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
903 prs_mem_free(&outgoing_pdu);
904 return False;
907 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
908 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
909 prs_mem_free(&outgoing_pdu);
910 return False;
913 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
914 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
915 prs_mem_free(&outgoing_pdu);
916 return False;
919 p->out_data.data_sent_length = 0;
920 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
921 p->out_data.current_pdu_sent = 0;
923 prs_mem_free(&outgoing_pdu);
924 return True;
927 #if 0
928 /*******************************************************************
929 Marshall a cancel_ack pdu.
930 We should probably check the auth-verifier here.
931 *******************************************************************/
933 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
935 prs_struct outgoing_pdu;
936 RPC_HDR ack_reply_hdr;
938 /* Free any memory in the current return data buffer. */
939 prs_mem_free(&p->out_data.rdata);
942 * Marshall directly into the outgoing PDU space. We
943 * must do this as we need to set to the bind response
944 * header and are never sending more than one PDU here.
947 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
948 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
951 * Initialize a cancel_ack header.
954 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
955 p->hdr.call_id, RPC_HEADER_LEN, 0);
958 * Marshall the header into the outgoing PDU.
961 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
962 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
963 prs_mem_free(&outgoing_pdu);
964 return False;
967 p->out_data.data_sent_length = 0;
968 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
969 p->out_data.current_pdu_sent = 0;
971 prs_mem_free(&outgoing_pdu);
972 return True;
974 #endif
976 /*******************************************************************
977 Ensure a bind request has the correct abstract & transfer interface.
978 Used to reject unknown binds from Win2k.
979 *******************************************************************/
981 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
982 RPC_IFACE* transfer, uint32 context_id)
984 char *pipe_name = p->name;
985 int i=0;
986 fstring pname;
988 fstrcpy(pname,"\\PIPE\\");
989 fstrcat(pname,pipe_name);
991 DEBUG(3,("check_bind_req for %s\n", pname));
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
995 for ( i=0; pipe_names[i].client_pipe; i++ ) {
996 DEBUGADD(10,("checking %s\n", pipe_names[i].client_pipe));
997 if ( strequal(pipe_names[i].client_pipe, pname)
998 && (abstract->version == pipe_names[i].abstr_syntax.version)
999 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
1000 && (transfer->version == pipe_names[i].trans_syntax.version)
1001 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
1002 struct api_struct *fns = NULL;
1003 int n_fns = 0;
1004 PIPE_RPC_FNS *context_fns;
1006 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1007 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1008 return False;
1011 /* save the RPC function table associated with this bind */
1013 get_pipe_fns(i, &fns, &n_fns);
1015 context_fns->cmds = fns;
1016 context_fns->n_cmds = n_fns;
1017 context_fns->context_id = context_id;
1019 /* add to the list of open contexts */
1021 DLIST_ADD( p->contexts, context_fns );
1023 break;
1027 if(pipe_names[i].client_pipe == NULL) {
1028 return False;
1031 return True;
1034 /*******************************************************************
1035 Register commands to an RPC pipe
1036 *******************************************************************/
1038 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1040 struct rpc_table *rpc_entry;
1042 if (!clnt || !srv || !cmds) {
1043 return NT_STATUS_INVALID_PARAMETER;
1046 if (version != SMB_RPC_INTERFACE_VERSION) {
1047 DEBUG(0,("Can't register rpc commands!\n"
1048 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1049 ", while this version of samba uses version %d!\n",
1050 version,SMB_RPC_INTERFACE_VERSION));
1051 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1054 /* TODO:
1056 * we still need to make sure that don't register the same commands twice!!!
1058 * --metze
1061 /* We use a temporary variable because this call can fail and
1062 rpc_lookup will still be valid afterwards. It could then succeed if
1063 called again later */
1064 rpc_lookup_size++;
1065 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1066 if (NULL == rpc_entry) {
1067 rpc_lookup_size--;
1068 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1069 return NT_STATUS_NO_MEMORY;
1070 } else {
1071 rpc_lookup = rpc_entry;
1074 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1075 ZERO_STRUCTP(rpc_entry);
1076 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1077 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1078 rpc_entry->cmds = cmds;
1079 rpc_entry->n_cmds = size;
1081 return NT_STATUS_OK;
1084 /*******************************************************************
1085 Handle a SPNEGO krb5 bind auth.
1086 *******************************************************************/
1088 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1089 DATA_BLOB *psecblob, prs_struct *pout_auth)
1091 return False;
1094 /*******************************************************************
1095 Handle the first part of a SPNEGO bind auth.
1096 *******************************************************************/
1098 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1099 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1101 DATA_BLOB blob;
1102 DATA_BLOB secblob;
1103 DATA_BLOB response;
1104 DATA_BLOB chal;
1105 char *OIDs[ASN1_MAX_OIDS];
1106 int i;
1107 NTSTATUS status;
1108 bool got_kerberos_mechanism = false;
1109 AUTH_NTLMSSP_STATE *a = NULL;
1110 RPC_HDR_AUTH auth_info;
1112 ZERO_STRUCT(secblob);
1113 ZERO_STRUCT(chal);
1114 ZERO_STRUCT(response);
1116 /* Grab the SPNEGO blob. */
1117 blob = data_blob(NULL,p->hdr.auth_len);
1119 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1120 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1121 (unsigned int)p->hdr.auth_len ));
1122 goto err;
1125 if (blob.data[0] != ASN1_APPLICATION(0)) {
1126 goto err;
1129 /* parse out the OIDs and the first sec blob */
1130 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1131 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1132 goto err;
1135 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1136 got_kerberos_mechanism = true;
1139 for (i=0;OIDs[i];i++) {
1140 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1141 SAFE_FREE(OIDs[i]);
1143 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1145 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1146 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1147 data_blob_free(&secblob);
1148 data_blob_free(&blob);
1149 return ret;
1152 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1153 /* Free any previous auth type. */
1154 free_pipe_ntlmssp_auth_data(&p->auth);
1157 if (!got_kerberos_mechanism) {
1158 /* Initialize the NTLM engine. */
1159 status = auth_ntlmssp_start(&a);
1160 if (!NT_STATUS_IS_OK(status)) {
1161 goto err;
1165 * Pass the first security blob of data to it.
1166 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1167 * which means we need another packet to complete the bind.
1170 status = auth_ntlmssp_update(a, secblob, &chal);
1172 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1173 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1174 goto err;
1177 /* Generate the response blob we need for step 2 of the bind. */
1178 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1179 } else {
1181 * SPNEGO negotiate down to NTLMSSP. The subsequent
1182 * code to process follow-up packets is not complete
1183 * yet. JRA.
1185 response = spnego_gen_auth_response(NULL,
1186 NT_STATUS_MORE_PROCESSING_REQUIRED,
1187 OID_NTLMSSP);
1190 /* Copy the blob into the pout_auth parse struct */
1191 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1192 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1193 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1194 goto err;
1197 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1198 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1199 goto err;
1202 p->auth.a_u.auth_ntlmssp_state = a;
1203 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1204 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1206 data_blob_free(&blob);
1207 data_blob_free(&secblob);
1208 data_blob_free(&chal);
1209 data_blob_free(&response);
1211 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1212 return True;
1214 err:
1216 data_blob_free(&blob);
1217 data_blob_free(&secblob);
1218 data_blob_free(&chal);
1219 data_blob_free(&response);
1221 p->auth.a_u.auth_ntlmssp_state = NULL;
1223 return False;
1226 /*******************************************************************
1227 Handle the second part of a SPNEGO bind auth.
1228 *******************************************************************/
1230 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1231 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1233 RPC_HDR_AUTH auth_info;
1234 DATA_BLOB spnego_blob;
1235 DATA_BLOB auth_blob;
1236 DATA_BLOB auth_reply;
1237 DATA_BLOB response;
1238 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1240 ZERO_STRUCT(spnego_blob);
1241 ZERO_STRUCT(auth_blob);
1242 ZERO_STRUCT(auth_reply);
1243 ZERO_STRUCT(response);
1246 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1247 * fail here as 'a' == NULL.
1249 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1250 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1251 goto err;
1254 /* Grab the SPNEGO blob. */
1255 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1257 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1258 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1259 (unsigned int)p->hdr.auth_len ));
1260 goto err;
1263 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1264 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1265 goto err;
1268 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1269 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1270 goto err;
1274 * The following call actually checks the challenge/response data.
1275 * for correctness against the given DOMAIN\user name.
1278 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1279 goto err;
1282 data_blob_free(&spnego_blob);
1283 data_blob_free(&auth_blob);
1285 /* Generate the spnego "accept completed" blob - no incoming data. */
1286 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1288 /* Copy the blob into the pout_auth parse struct */
1289 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1290 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1291 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1292 goto err;
1295 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1296 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1297 goto err;
1300 data_blob_free(&auth_reply);
1301 data_blob_free(&response);
1303 p->pipe_bound = True;
1305 return True;
1307 err:
1309 data_blob_free(&spnego_blob);
1310 data_blob_free(&auth_blob);
1311 data_blob_free(&auth_reply);
1312 data_blob_free(&response);
1314 free_pipe_ntlmssp_auth_data(&p->auth);
1315 p->auth.a_u.auth_ntlmssp_state = NULL;
1317 return False;
1320 /*******************************************************************
1321 Handle an schannel bind auth.
1322 *******************************************************************/
1324 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1325 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1327 RPC_HDR_AUTH auth_info;
1328 RPC_AUTH_SCHANNEL_NEG neg;
1329 RPC_AUTH_VERIFIER auth_verifier;
1330 bool ret;
1331 struct dcinfo *pdcinfo;
1332 uint32 flags;
1334 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1335 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1336 return False;
1340 * The neg.myname key here must match the remote computer name
1341 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1342 * operations that use credentials.
1345 become_root();
1346 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1347 unbecome_root();
1349 if (!ret) {
1350 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1351 return False;
1354 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1355 if (!p->auth.a_u.schannel_auth) {
1356 TALLOC_FREE(pdcinfo);
1357 return False;
1360 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1361 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1362 sizeof(pdcinfo->sess_key));
1364 TALLOC_FREE(pdcinfo);
1366 p->auth.a_u.schannel_auth->seq_num = 0;
1369 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1370 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1371 * struct of the person who opened the pipe. I need to test this further. JRA.
1373 * VL. As we are mapping this to guest set the generic key
1374 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1375 * W2k3, as it does not allow schannel binds against SAMR and LSA
1376 * anymore.
1379 data_blob_free(&p->session_key);
1380 p->session_key = generic_session_key();
1381 if (p->session_key.data == NULL) {
1382 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1383 " key\n"));
1384 return False;
1387 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1388 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1389 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1390 return False;
1393 /*** SCHANNEL verifier ***/
1395 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1396 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1397 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1398 return False;
1401 prs_align(pout_auth);
1403 flags = 5;
1404 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1405 return False;
1408 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1409 neg.domain, neg.myname));
1411 /* We're finished with this bind - no more packets. */
1412 p->auth.auth_data_free_func = NULL;
1413 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1415 p->pipe_bound = True;
1417 return True;
1420 /*******************************************************************
1421 Handle an NTLMSSP bind auth.
1422 *******************************************************************/
1424 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1425 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1427 RPC_HDR_AUTH auth_info;
1428 DATA_BLOB blob;
1429 DATA_BLOB response;
1430 NTSTATUS status;
1431 AUTH_NTLMSSP_STATE *a = NULL;
1433 ZERO_STRUCT(blob);
1434 ZERO_STRUCT(response);
1436 /* Grab the NTLMSSP blob. */
1437 blob = data_blob(NULL,p->hdr.auth_len);
1439 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1440 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1441 (unsigned int)p->hdr.auth_len ));
1442 goto err;
1445 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1446 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1447 goto err;
1450 /* We have an NTLMSSP blob. */
1451 status = auth_ntlmssp_start(&a);
1452 if (!NT_STATUS_IS_OK(status)) {
1453 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1454 nt_errstr(status) ));
1455 goto err;
1458 status = auth_ntlmssp_update(a, blob, &response);
1459 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1460 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1461 nt_errstr(status) ));
1462 goto err;
1465 data_blob_free(&blob);
1467 /* Copy the blob into the pout_auth parse struct */
1468 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1469 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1470 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1471 goto err;
1474 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1475 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1476 goto err;
1479 p->auth.a_u.auth_ntlmssp_state = a;
1480 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1481 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1483 data_blob_free(&blob);
1484 data_blob_free(&response);
1486 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1488 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1489 return True;
1491 err:
1493 data_blob_free(&blob);
1494 data_blob_free(&response);
1496 free_pipe_ntlmssp_auth_data(&p->auth);
1497 p->auth.a_u.auth_ntlmssp_state = NULL;
1498 return False;
1501 /*******************************************************************
1502 Respond to a pipe bind request.
1503 *******************************************************************/
1505 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1507 RPC_HDR_BA hdr_ba;
1508 RPC_HDR_RB hdr_rb;
1509 RPC_HDR_AUTH auth_info;
1510 uint16 assoc_gid;
1511 fstring ack_pipe_name;
1512 prs_struct out_hdr_ba;
1513 prs_struct out_auth;
1514 prs_struct outgoing_rpc;
1515 int i = 0;
1516 int auth_len = 0;
1517 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1519 /* No rebinds on a bound pipe - use alter context. */
1520 if (p->pipe_bound) {
1521 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1522 return setup_bind_nak(p);
1525 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1528 * Marshall directly into the outgoing PDU space. We
1529 * must do this as we need to set to the bind response
1530 * header and are never sending more than one PDU here.
1533 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1536 * Setup the memory to marshall the ba header, and the
1537 * auth footers.
1540 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1541 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1542 prs_mem_free(&outgoing_rpc);
1543 return False;
1546 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1547 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1548 prs_mem_free(&outgoing_rpc);
1549 prs_mem_free(&out_hdr_ba);
1550 return False;
1553 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1556 * Try and find the correct pipe name to ensure
1557 * that this is a pipe name we support.
1561 for (i = 0; i < rpc_lookup_size; i++) {
1562 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1563 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1564 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1565 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1566 break;
1570 if (i == rpc_lookup_size) {
1571 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1572 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1573 p->name ));
1574 prs_mem_free(&outgoing_rpc);
1575 prs_mem_free(&out_hdr_ba);
1576 prs_mem_free(&out_auth);
1578 return setup_bind_nak(p);
1581 for (i = 0; i < rpc_lookup_size; i++) {
1582 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1583 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1584 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1585 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1586 break;
1590 if (i == rpc_lookup_size) {
1591 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1592 goto err_exit;
1596 ZERO_STRUCT(hdr_rb);
1598 /* decode the bind request */
1599 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1600 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1601 goto err_exit;
1604 /* name has to be \PIPE\xxxxx */
1605 fstrcpy(ack_pipe_name, "\\PIPE\\");
1606 fstrcat(ack_pipe_name, p->pipe_srv_name);
1608 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1611 * Check if this is an authenticated bind request.
1614 if (p->hdr.auth_len) {
1616 * Decode the authentication verifier.
1619 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1620 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1621 goto err_exit;
1624 auth_type = auth_info.auth_type;
1626 /* Work out if we have to sign or seal etc. */
1627 switch (auth_info.auth_level) {
1628 case RPC_AUTH_LEVEL_INTEGRITY:
1629 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1630 break;
1631 case RPC_AUTH_LEVEL_PRIVACY:
1632 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1633 break;
1634 default:
1635 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1636 (unsigned int)auth_info.auth_level ));
1637 goto err_exit;
1639 } else {
1640 ZERO_STRUCT(auth_info);
1643 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1645 switch(auth_type) {
1646 case RPC_NTLMSSP_AUTH_TYPE:
1647 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1648 goto err_exit;
1650 assoc_gid = 0x7a77;
1651 break;
1653 case RPC_SCHANNEL_AUTH_TYPE:
1654 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1655 goto err_exit;
1657 break;
1659 case RPC_SPNEGO_AUTH_TYPE:
1660 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1661 goto err_exit;
1663 break;
1665 case RPC_ANONYMOUS_AUTH_TYPE:
1666 /* Unauthenticated bind request. */
1667 /* Get the authenticated pipe user from current_user */
1668 if (!copy_current_user(&p->pipe_user, &current_user)) {
1669 DEBUG(10, ("Could not copy current user\n"));
1670 goto err_exit;
1672 /* We're finished - no more packets. */
1673 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1674 /* We must set the pipe auth_level here also. */
1675 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1676 p->pipe_bound = True;
1677 /* The session key was initialized from the SMB
1678 * session in make_internal_rpc_pipe_p */
1679 break;
1681 default:
1682 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1683 goto err_exit;
1687 * Create the bind response struct.
1690 /* If the requested abstract synt uuid doesn't match our client pipe,
1691 reject the bind_ack & set the transfer interface synt to all 0's,
1692 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1693 unknown to NT4)
1694 Needed when adding entries to a DACL from NT5 - SK */
1696 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1697 hdr_rb.rpc_context[0].context_id )) {
1698 init_rpc_hdr_ba(&hdr_ba,
1699 RPC_MAX_PDU_FRAG_LEN,
1700 RPC_MAX_PDU_FRAG_LEN,
1701 assoc_gid,
1702 ack_pipe_name,
1703 0x1, 0x0, 0x0,
1704 &hdr_rb.rpc_context[0].transfer[0]);
1705 } else {
1706 RPC_IFACE null_interface;
1707 ZERO_STRUCT(null_interface);
1708 /* Rejection reason: abstract syntax not supported */
1709 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1710 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1711 ack_pipe_name, 0x1, 0x2, 0x1,
1712 &null_interface);
1713 p->pipe_bound = False;
1717 * and marshall it.
1720 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1721 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1722 goto err_exit;
1726 * Create the header, now we know the length.
1729 if (prs_offset(&out_auth)) {
1730 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1733 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1734 p->hdr.call_id,
1735 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1736 auth_len);
1739 * Marshall the header into the outgoing PDU.
1742 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1743 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1744 goto err_exit;
1748 * Now add the RPC_HDR_BA and any auth needed.
1751 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1752 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1753 goto err_exit;
1756 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1757 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1758 goto err_exit;
1762 * Setup the lengths for the initial reply.
1765 p->out_data.data_sent_length = 0;
1766 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1767 p->out_data.current_pdu_sent = 0;
1769 prs_mem_free(&out_hdr_ba);
1770 prs_mem_free(&out_auth);
1772 return True;
1774 err_exit:
1776 prs_mem_free(&outgoing_rpc);
1777 prs_mem_free(&out_hdr_ba);
1778 prs_mem_free(&out_auth);
1779 return setup_bind_nak(p);
1782 /****************************************************************************
1783 Deal with an alter context call. Can be third part of 3 leg auth request for
1784 SPNEGO calls.
1785 ****************************************************************************/
1787 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1789 RPC_HDR_BA hdr_ba;
1790 RPC_HDR_RB hdr_rb;
1791 RPC_HDR_AUTH auth_info;
1792 uint16 assoc_gid;
1793 fstring ack_pipe_name;
1794 prs_struct out_hdr_ba;
1795 prs_struct out_auth;
1796 prs_struct outgoing_rpc;
1797 int auth_len = 0;
1799 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1802 * Marshall directly into the outgoing PDU space. We
1803 * must do this as we need to set to the bind response
1804 * header and are never sending more than one PDU here.
1807 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1810 * Setup the memory to marshall the ba header, and the
1811 * auth footers.
1814 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1815 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1816 prs_mem_free(&outgoing_rpc);
1817 return False;
1820 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1821 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1822 prs_mem_free(&outgoing_rpc);
1823 prs_mem_free(&out_hdr_ba);
1824 return False;
1827 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1829 /* decode the alter context request */
1830 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1831 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1832 goto err_exit;
1835 /* secondary address CAN be NULL
1836 * as the specs say it's ignored.
1837 * It MUST be NULL to have the spoolss working.
1839 fstrcpy(ack_pipe_name,"");
1841 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1844 * Check if this is an authenticated alter context request.
1847 if (p->hdr.auth_len != 0) {
1849 * Decode the authentication verifier.
1852 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1853 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1854 goto err_exit;
1858 * Currently only the SPNEGO auth type uses the alter ctx
1859 * response in place of the NTLMSSP auth3 type.
1862 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1863 /* We can only finish if the pipe is unbound. */
1864 if (!p->pipe_bound) {
1865 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1866 goto err_exit;
1868 } else {
1869 goto err_exit;
1872 } else {
1873 ZERO_STRUCT(auth_info);
1876 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1879 * Create the bind response struct.
1882 /* If the requested abstract synt uuid doesn't match our client pipe,
1883 reject the bind_ack & set the transfer interface synt to all 0's,
1884 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1885 unknown to NT4)
1886 Needed when adding entries to a DACL from NT5 - SK */
1888 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1889 hdr_rb.rpc_context[0].context_id )) {
1890 init_rpc_hdr_ba(&hdr_ba,
1891 RPC_MAX_PDU_FRAG_LEN,
1892 RPC_MAX_PDU_FRAG_LEN,
1893 assoc_gid,
1894 ack_pipe_name,
1895 0x1, 0x0, 0x0,
1896 &hdr_rb.rpc_context[0].transfer[0]);
1897 } else {
1898 RPC_IFACE null_interface;
1899 ZERO_STRUCT(null_interface);
1900 /* Rejection reason: abstract syntax not supported */
1901 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1902 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1903 ack_pipe_name, 0x1, 0x2, 0x1,
1904 &null_interface);
1905 p->pipe_bound = False;
1909 * and marshall it.
1912 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1913 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1914 goto err_exit;
1918 * Create the header, now we know the length.
1921 if (prs_offset(&out_auth)) {
1922 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1925 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1926 p->hdr.call_id,
1927 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1928 auth_len);
1931 * Marshall the header into the outgoing PDU.
1934 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1935 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1936 goto err_exit;
1940 * Now add the RPC_HDR_BA and any auth needed.
1943 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1944 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1945 goto err_exit;
1948 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1949 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1950 goto err_exit;
1954 * Setup the lengths for the initial reply.
1957 p->out_data.data_sent_length = 0;
1958 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1959 p->out_data.current_pdu_sent = 0;
1961 prs_mem_free(&out_hdr_ba);
1962 prs_mem_free(&out_auth);
1964 return True;
1966 err_exit:
1968 prs_mem_free(&outgoing_rpc);
1969 prs_mem_free(&out_hdr_ba);
1970 prs_mem_free(&out_auth);
1971 return setup_bind_nak(p);
1974 /****************************************************************************
1975 Deal with NTLMSSP sign & seal processing on an RPC request.
1976 ****************************************************************************/
1978 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1979 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1981 RPC_HDR_AUTH auth_info;
1982 uint32 auth_len = p->hdr.auth_len;
1983 uint32 save_offset = prs_offset(rpc_in);
1984 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1985 unsigned char *data = NULL;
1986 size_t data_len;
1987 unsigned char *full_packet_data = NULL;
1988 size_t full_packet_data_len;
1989 DATA_BLOB auth_blob;
1991 *pstatus = NT_STATUS_OK;
1993 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1994 return True;
1997 if (!a) {
1998 *pstatus = NT_STATUS_INVALID_PARAMETER;
1999 return False;
2002 /* Ensure there's enough data for an authenticated request. */
2003 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2004 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2005 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2006 (unsigned int)auth_len ));
2007 *pstatus = NT_STATUS_INVALID_PARAMETER;
2008 return False;
2012 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2013 * after the RPC header.
2014 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2015 * functions as NTLMv2 checks the rpc headers also.
2018 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2019 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2021 full_packet_data = p->in_data.current_in_pdu;
2022 full_packet_data_len = p->hdr.frag_len - auth_len;
2024 /* Pull the auth header and the following data into a blob. */
2025 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2026 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2027 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2028 *pstatus = NT_STATUS_INVALID_PARAMETER;
2029 return False;
2032 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2033 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2034 *pstatus = NT_STATUS_INVALID_PARAMETER;
2035 return False;
2038 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2039 auth_blob.length = auth_len;
2041 switch (p->auth.auth_level) {
2042 case PIPE_AUTH_LEVEL_PRIVACY:
2043 /* Data is encrypted. */
2044 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2045 data, data_len,
2046 full_packet_data,
2047 full_packet_data_len,
2048 &auth_blob);
2049 if (!NT_STATUS_IS_OK(*pstatus)) {
2050 return False;
2052 break;
2053 case PIPE_AUTH_LEVEL_INTEGRITY:
2054 /* Data is signed. */
2055 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2056 data, data_len,
2057 full_packet_data,
2058 full_packet_data_len,
2059 &auth_blob);
2060 if (!NT_STATUS_IS_OK(*pstatus)) {
2061 return False;
2063 break;
2064 default:
2065 *pstatus = NT_STATUS_INVALID_PARAMETER;
2066 return False;
2070 * Return the current pointer to the data offset.
2073 if(!prs_set_offset(rpc_in, save_offset)) {
2074 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2075 (unsigned int)save_offset ));
2076 *pstatus = NT_STATUS_INVALID_PARAMETER;
2077 return False;
2081 * Remember the padding length. We must remove it from the real data
2082 * stream once the sign/seal is done.
2085 *p_ss_padding_len = auth_info.auth_pad_len;
2087 return True;
2090 /****************************************************************************
2091 Deal with schannel processing on an RPC request.
2092 ****************************************************************************/
2094 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2096 uint32 data_len;
2097 uint32 auth_len;
2098 uint32 save_offset = prs_offset(rpc_in);
2099 RPC_HDR_AUTH auth_info;
2100 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2102 auth_len = p->hdr.auth_len;
2104 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2105 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2106 return False;
2110 * The following is that length of the data we must verify or unseal.
2111 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2112 * preceeding the auth_data.
2115 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2116 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2117 (unsigned int)p->hdr.frag_len,
2118 (unsigned int)auth_len ));
2119 return False;
2122 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2123 RPC_HDR_AUTH_LEN - auth_len;
2125 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2127 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2128 DEBUG(0,("cannot move offset to %u.\n",
2129 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2130 return False;
2133 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2134 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2135 return False;
2138 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2139 DEBUG(0,("Invalid auth info %d on schannel\n",
2140 auth_info.auth_type));
2141 return False;
2144 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2145 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2146 return False;
2149 if (!schannel_decode(p->auth.a_u.schannel_auth,
2150 p->auth.auth_level,
2151 SENDER_IS_INITIATOR,
2152 &schannel_chk,
2153 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2154 DEBUG(3,("failed to decode PDU\n"));
2155 return False;
2159 * Return the current pointer to the data offset.
2162 if(!prs_set_offset(rpc_in, save_offset)) {
2163 DEBUG(0,("failed to set offset back to %u\n",
2164 (unsigned int)save_offset ));
2165 return False;
2168 /* The sequence number gets incremented on both send and receive. */
2169 p->auth.a_u.schannel_auth->seq_num++;
2172 * Remember the padding length. We must remove it from the real data
2173 * stream once the sign/seal is done.
2176 *p_ss_padding_len = auth_info.auth_pad_len;
2178 return True;
2181 /****************************************************************************
2182 Return a user struct for a pipe user.
2183 ****************************************************************************/
2185 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2187 if (p->pipe_bound &&
2188 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2189 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2190 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2191 } else {
2192 memcpy(user, &current_user, sizeof(struct current_user));
2195 return user;
2198 /****************************************************************************
2199 Find the set of RPC functions associated with this context_id
2200 ****************************************************************************/
2202 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2204 PIPE_RPC_FNS *fns = NULL;
2205 PIPE_RPC_FNS *tmp = NULL;
2207 if ( !list ) {
2208 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2209 return NULL;
2212 for (tmp=list; tmp; tmp=tmp->next ) {
2213 if ( tmp->context_id == context_id )
2214 break;
2217 fns = tmp;
2219 return fns;
2222 /****************************************************************************
2223 Memory cleanup.
2224 ****************************************************************************/
2226 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2228 PIPE_RPC_FNS *tmp = list;
2229 PIPE_RPC_FNS *tmp2;
2231 while (tmp) {
2232 tmp2 = tmp->next;
2233 SAFE_FREE(tmp);
2234 tmp = tmp2;
2237 return;
2240 /****************************************************************************
2241 Find the correct RPC function to call for this request.
2242 If the pipe is authenticated then become the correct UNIX user
2243 before doing the call.
2244 ****************************************************************************/
2246 bool api_pipe_request(pipes_struct *p)
2248 bool ret = False;
2249 bool changed_user = False;
2250 PIPE_RPC_FNS *pipe_fns;
2252 if (p->pipe_bound &&
2253 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2254 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2255 if(!become_authenticated_pipe_user(p)) {
2256 prs_mem_free(&p->out_data.rdata);
2257 return False;
2259 changed_user = True;
2262 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2264 /* get the set of RPC functions for this context */
2266 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2268 if ( pipe_fns ) {
2269 TALLOC_CTX *frame = talloc_stackframe();
2270 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2271 TALLOC_FREE(frame);
2273 else {
2274 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2275 p->hdr_req.context_id, p->name));
2278 if (changed_user) {
2279 unbecome_authenticated_pipe_user();
2282 return ret;
2285 /*******************************************************************
2286 Calls the underlying RPC function for a named pipe.
2287 ********************************************************************/
2289 bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2290 const struct api_struct *api_rpc_cmds, int n_cmds)
2292 int fn_num;
2293 fstring name;
2294 uint32 offset1, offset2;
2296 /* interpret the command */
2297 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2299 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2300 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2302 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2303 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2304 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2305 break;
2309 if (fn_num == n_cmds) {
2311 * For an unknown RPC just return a fault PDU but
2312 * return True to allow RPC's on the pipe to continue
2313 * and not put the pipe into fault state. JRA.
2315 DEBUG(4, ("unknown\n"));
2316 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2317 return True;
2320 offset1 = prs_offset(&p->out_data.rdata);
2322 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2323 fn_num, api_rpc_cmds[fn_num].fn));
2324 /* do the actual command */
2325 if(!api_rpc_cmds[fn_num].fn(p)) {
2326 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2327 prs_mem_free(&p->out_data.rdata);
2328 return False;
2331 if (p->bad_handle_fault_state) {
2332 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2333 p->bad_handle_fault_state = False;
2334 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2335 return True;
2338 if (p->rng_fault_state) {
2339 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2340 p->rng_fault_state = False;
2341 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2342 return True;
2345 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2346 offset2 = prs_offset(&p->out_data.rdata);
2347 prs_set_offset(&p->out_data.rdata, offset1);
2348 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2349 prs_set_offset(&p->out_data.rdata, offset2);
2351 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2353 /* Check for buffer underflow in rpc parsing */
2355 if ((DEBUGLEVEL >= 10) &&
2356 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2357 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2358 char *data = (char *)SMB_MALLOC(data_len);
2360 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2361 if (data) {
2362 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2363 SAFE_FREE(data);
2368 return True;
2371 /*******************************************************************
2372 *******************************************************************/
2374 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2376 struct api_struct *cmds = NULL;
2377 int n_cmds = 0;
2379 switch ( idx ) {
2380 case PI_LSARPC:
2381 lsarpc_get_pipe_fns( &cmds, &n_cmds );
2382 break;
2383 case PI_DSSETUP:
2384 dssetup_get_pipe_fns( &cmds, &n_cmds );
2385 break;
2386 case PI_SAMR:
2387 samr_get_pipe_fns( &cmds, &n_cmds );
2388 break;
2389 case PI_NETLOGON:
2390 netlogon_get_pipe_fns( &cmds, &n_cmds );
2391 break;
2392 case PI_SRVSVC:
2393 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2394 break;
2395 case PI_WKSSVC:
2396 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2397 break;
2398 case PI_WINREG:
2399 winreg_get_pipe_fns( &cmds, &n_cmds );
2400 break;
2401 case PI_SPOOLSS:
2402 spoolss_get_pipe_fns( &cmds, &n_cmds );
2403 break;
2404 case PI_NETDFS:
2405 netdfs_get_pipe_fns( &cmds, &n_cmds );
2406 break;
2407 case PI_SVCCTL:
2408 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2409 break;
2410 case PI_EVENTLOG:
2411 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2412 break;
2413 case PI_NTSVCS:
2414 ntsvcs2_get_pipe_fns( &cmds, &n_cmds );
2415 break;
2416 #ifdef DEVELOPER
2417 case PI_RPCECHO:
2418 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2419 break;
2420 #endif
2421 default:
2422 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2425 *fns = cmds;
2426 *n_fns = n_cmds;
2428 return;