search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move the "rid_name" typedef to the only place where it might be used
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob5610e0bf71f9437c7a880e66886d7407689990e2
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267 }
268
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445 }
446
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* this has to be done as root in order to verify the password */
618 become_root();
619 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
620 unbecome_root();
621
622 /* Don't generate a reply. */
623 data_blob_free(&reply);
624
625 if (!NT_STATUS_IS_OK(status)) {
626 return False;
627 }
628
629 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
630 ensure the underlying NTLMSSP flags are also set. If not we should
631 refuse the bind. */
632
633 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
634 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
635 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
636 "but client declined signing.\n",
637 p->name ));
638 return False;
639 }
640 }
641 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
642 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
643 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
644 "but client declined sealing.\n",
645 p->name ));
646 return False;
647 }
648 }
649
650 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
651 "workstation: %s\n", a->ntlmssp_state->user,
652 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
653
654 if (a->server_info->ptok == NULL) {
655 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
656 return False;
657 }
658
659 TALLOC_FREE(p->server_info);
660
661 p->server_info = copy_serverinfo(p, a->server_info);
662 if (p->server_info == NULL) {
663 DEBUG(0, ("copy_serverinfo failed\n"));
664 return false;
665 }
666
667 /*
668 * We're an authenticated bind over smb, so the session key needs to
669 * be set to "SystemLibraryDTC". Weird, but this is what Windows
670 * does. See the RPC-SAMBA3SESSIONKEY.
671 */
672
673 session_key = generic_session_key();
674 if (session_key.data == NULL) {
675 return False;
676 }
677
678 ret = server_info_set_session_key(p->server_info, session_key);
679
680 data_blob_free(&session_key);
681
682 return True;
683 }
684
685 /*******************************************************************
686 The switch table for the pipe names and the functions to handle them.
687 *******************************************************************/
688
689 struct rpc_table {
690 struct {
691 const char *clnt;
692 const char *srv;
693 } pipe;
694 struct ndr_syntax_id rpc_interface;
695 const struct api_struct *cmds;
696 int n_cmds;
697 };
698
699 static struct rpc_table *rpc_lookup;
700 static int rpc_lookup_size;
701
702 /*******************************************************************
703 This is the "stage3" NTLMSSP response after a bind request and reply.
704 *******************************************************************/
705
706 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
707 {
708 RPC_HDR_AUTH auth_info;
709 uint32 pad;
710 DATA_BLOB blob;
711
712 ZERO_STRUCT(blob);
713
714 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
715
716 if (p->hdr.auth_len == 0) {
717 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
718 goto err;
719 }
720
721 /* 4 bytes padding. */
722 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
723 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
724 goto err;
725 }
726
727 /*
728 * Decode the authentication verifier response.
729 */
730
731 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
732 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
733 goto err;
734 }
735
736 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
737 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
738 (unsigned int)auth_info.auth_type ));
739 return False;
740 }
741
742 blob = data_blob(NULL,p->hdr.auth_len);
743
744 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
745 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
746 (unsigned int)p->hdr.auth_len ));
747 goto err;
748 }
749
750 /*
751 * The following call actually checks the challenge/response data.
752 * for correctness against the given DOMAIN\user name.
753 */
754
755 if (!pipe_ntlmssp_verify_final(p, &blob)) {
756 goto err;
757 }
758
759 data_blob_free(&blob);
760
761 p->pipe_bound = True;
762
763 return True;
764
765 err:
766
767 data_blob_free(&blob);
768 free_pipe_ntlmssp_auth_data(&p->auth);
769 p->auth.a_u.auth_ntlmssp_state = NULL;
770
771 return False;
772 }
773
774 /*******************************************************************
775 Marshall a bind_nak pdu.
776 *******************************************************************/
777
778 static bool setup_bind_nak(pipes_struct *p)
779 {
780 prs_struct outgoing_rpc;
781 RPC_HDR nak_hdr;
782 uint16 zero = 0;
783
784 /* Free any memory in the current return data buffer. */
785 prs_mem_free(&p->out_data.rdata);
786
787 /*
788 * Marshall directly into the outgoing PDU space. We
789 * must do this as we need to set to the bind response
790 * header and are never sending more than one PDU here.
791 */
792
793 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
794 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
795
796 /*
797 * Initialize a bind_nak header.
798 */
799
800 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
801 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
802
803 /*
804 * Marshall the header into the outgoing PDU.
805 */
806
807 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
808 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
809 prs_mem_free(&outgoing_rpc);
810 return False;
811 }
812
813 /*
814 * Now add the reject reason.
815 */
816
817 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
818 prs_mem_free(&outgoing_rpc);
819 return False;
820 }
821
822 p->out_data.data_sent_length = 0;
823 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
824 p->out_data.current_pdu_sent = 0;
825
826 if (p->auth.auth_data_free_func) {
827 (*p->auth.auth_data_free_func)(&p->auth);
828 }
829 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
830 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
831 p->pipe_bound = False;
832
833 return True;
834 }
835
836 /*******************************************************************
837 Marshall a fault pdu.
838 *******************************************************************/
839
840 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
841 {
842 prs_struct outgoing_pdu;
843 RPC_HDR fault_hdr;
844 RPC_HDR_RESP hdr_resp;
845 RPC_HDR_FAULT fault_resp;
846
847 /* Free any memory in the current return data buffer. */
848 prs_mem_free(&p->out_data.rdata);
849
850 /*
851 * Marshall directly into the outgoing PDU space. We
852 * must do this as we need to set to the bind response
853 * header and are never sending more than one PDU here.
854 */
855
856 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
857 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
858
859 /*
860 * Initialize a fault header.
861 */
862
863 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
864 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
865
866 /*
867 * Initialize the HDR_RESP and FAULT parts of the PDU.
868 */
869
870 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
871
872 fault_resp.status = status;
873 fault_resp.reserved = 0;
874
875 /*
876 * Marshall the header into the outgoing PDU.
877 */
878
879 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
880 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
881 prs_mem_free(&outgoing_pdu);
882 return False;
883 }
884
885 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
886 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
887 prs_mem_free(&outgoing_pdu);
888 return False;
889 }
890
891 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
892 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
893 prs_mem_free(&outgoing_pdu);
894 return False;
895 }
896
897 p->out_data.data_sent_length = 0;
898 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
899 p->out_data.current_pdu_sent = 0;
900
901 prs_mem_free(&outgoing_pdu);
902 return True;
903 }
904
905 #if 0
906 /*******************************************************************
907 Marshall a cancel_ack pdu.
908 We should probably check the auth-verifier here.
909 *******************************************************************/
910
911 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
912 {
913 prs_struct outgoing_pdu;
914 RPC_HDR ack_reply_hdr;
915
916 /* Free any memory in the current return data buffer. */
917 prs_mem_free(&p->out_data.rdata);
918
919 /*
920 * Marshall directly into the outgoing PDU space. We
921 * must do this as we need to set to the bind response
922 * header and are never sending more than one PDU here.
923 */
924
925 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
926 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
927
928 /*
929 * Initialize a cancel_ack header.
930 */
931
932 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
933 p->hdr.call_id, RPC_HEADER_LEN, 0);
934
935 /*
936 * Marshall the header into the outgoing PDU.
937 */
938
939 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
940 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
941 prs_mem_free(&outgoing_pdu);
942 return False;
943 }
944
945 p->out_data.data_sent_length = 0;
946 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
947 p->out_data.current_pdu_sent = 0;
948
949 prs_mem_free(&outgoing_pdu);
950 return True;
951 }
952 #endif
953
954 /*******************************************************************
955 Ensure a bind request has the correct abstract & transfer interface.
956 Used to reject unknown binds from Win2k.
957 *******************************************************************/
958
959 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
960 RPC_IFACE* transfer, uint32 context_id)
961 {
962 int i=0;
963 struct pipe_rpc_fns *context_fns;
964
965 DEBUG(3,("check_bind_req for %s\n", p->name));
966
967 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
968
969 for (i=0; i<rpc_lookup_size; i++) {
970 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
971 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
972 && ndr_syntax_id_equal(
973 abstract, &rpc_lookup[i].rpc_interface)
974 && ndr_syntax_id_equal(
975 transfer, &ndr_transfer_syntax)) {
976 break;
977 }
978 }
979
980 if (i == rpc_lookup_size) {
981 return false;
982 }
983
984 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
985 if (context_fns == NULL) {
986 DEBUG(0,("check_bind_req: malloc() failed!\n"));
987 return False;
988 }
989
990 context_fns->cmds = rpc_lookup[i].cmds;
991 context_fns->n_cmds = rpc_lookup[i].n_cmds;
992 context_fns->context_id = context_id;
993
994 /* add to the list of open contexts */
995
996 DLIST_ADD( p->contexts, context_fns );
997
998 return True;
999 }
1000
1001 /*******************************************************************
1002 Register commands to an RPC pipe
1003 *******************************************************************/
1004
1005 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt,
1006 const char *srv,
1007 const struct ndr_syntax_id *interface,
1008 const struct api_struct *cmds, int size)
1009 {
1010 struct rpc_table *rpc_entry;
1011
1012 if (!clnt || !srv || !cmds) {
1013 return NT_STATUS_INVALID_PARAMETER;
1014 }
1015
1016 if (version != SMB_RPC_INTERFACE_VERSION) {
1017 DEBUG(0,("Can't register rpc commands!\n"
1018 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1019 ", while this version of samba uses version %d!\n",
1020 version,SMB_RPC_INTERFACE_VERSION));
1021 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1022 }
1023
1024 /* TODO:
1025 *
1026 * we still need to make sure that don't register the same commands twice!!!
1027 *
1028 * --metze
1029 */
1030
1031 /* We use a temporary variable because this call can fail and
1032 rpc_lookup will still be valid afterwards. It could then succeed if
1033 called again later */
1034 rpc_lookup_size++;
1035 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1036 if (NULL == rpc_entry) {
1037 rpc_lookup_size--;
1038 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1039 return NT_STATUS_NO_MEMORY;
1040 } else {
1041 rpc_lookup = rpc_entry;
1042 }
1043
1044 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1045 ZERO_STRUCTP(rpc_entry);
1046 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1047 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1048 rpc_entry->rpc_interface = *interface;
1049 rpc_entry->cmds = cmds;
1050 rpc_entry->n_cmds = size;
1051
1052 return NT_STATUS_OK;
1053 }
1054
1055 /**
1056 * Is a named pipe known?
1057 * @param[in] cli_filename The pipe name requested by the client
1058 * @result Do we want to serve this?
1059 */
1060 bool is_known_pipename(const char *cli_filename)
1061 {
1062 const char *pipename = cli_filename;
1063 int i;
1064
1065 if (strnequal(pipename, "\\PIPE\\", 6)) {
1066 pipename += 5;
1067 }
1068
1069 if (*pipename == '\\') {
1070 pipename += 1;
1071 }
1072
1073 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1074 DEBUG(10, ("refusing spoolss access\n"));
1075 return false;
1076 }
1077
1078 for (i=0; i<rpc_lookup_size; i++) {
1079 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1080 return true;
1081 }
1082 }
1083
1084 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1085 return false;
1086 }
1087
1088 /*******************************************************************
1089 Handle a SPNEGO krb5 bind auth.
1090 *******************************************************************/
1091
1092 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1093 DATA_BLOB *psecblob, prs_struct *pout_auth)
1094 {
1095 return False;
1096 }
1097
1098 /*******************************************************************
1099 Handle the first part of a SPNEGO bind auth.
1100 *******************************************************************/
1101
1102 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1103 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1104 {
1105 DATA_BLOB blob;
1106 DATA_BLOB secblob;
1107 DATA_BLOB response;
1108 DATA_BLOB chal;
1109 char *OIDs[ASN1_MAX_OIDS];
1110 int i;
1111 NTSTATUS status;
1112 bool got_kerberos_mechanism = false;
1113 AUTH_NTLMSSP_STATE *a = NULL;
1114 RPC_HDR_AUTH auth_info;
1115
1116 ZERO_STRUCT(secblob);
1117 ZERO_STRUCT(chal);
1118 ZERO_STRUCT(response);
1119
1120 /* Grab the SPNEGO blob. */
1121 blob = data_blob(NULL,p->hdr.auth_len);
1122
1123 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1124 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1125 (unsigned int)p->hdr.auth_len ));
1126 goto err;
1127 }
1128
1129 if (blob.data[0] != ASN1_APPLICATION(0)) {
1130 goto err;
1131 }
1132
1133 /* parse out the OIDs and the first sec blob */
1134 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1135 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1136 goto err;
1137 }
1138
1139 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1140 got_kerberos_mechanism = true;
1141 }
1142
1143 for (i=0;OIDs[i];i++) {
1144 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1145 TALLOC_FREE(OIDs[i]);
1146 }
1147 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1148
1149 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1150 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1151 data_blob_free(&secblob);
1152 data_blob_free(&blob);
1153 return ret;
1154 }
1155
1156 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1157 /* Free any previous auth type. */
1158 free_pipe_ntlmssp_auth_data(&p->auth);
1159 }
1160
1161 if (!got_kerberos_mechanism) {
1162 /* Initialize the NTLM engine. */
1163 status = auth_ntlmssp_start(&a);
1164 if (!NT_STATUS_IS_OK(status)) {
1165 goto err;
1166 }
1167
1168 /*
1169 * Pass the first security blob of data to it.
1170 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1171 * which means we need another packet to complete the bind.
1172 */
1173
1174 status = auth_ntlmssp_update(a, secblob, &chal);
1175
1176 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1177 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1178 goto err;
1179 }
1180
1181 /* Generate the response blob we need for step 2 of the bind. */
1182 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1183 } else {
1184 /*
1185 * SPNEGO negotiate down to NTLMSSP. The subsequent
1186 * code to process follow-up packets is not complete
1187 * yet. JRA.
1188 */
1189 response = spnego_gen_auth_response(NULL,
1190 NT_STATUS_MORE_PROCESSING_REQUIRED,
1191 OID_NTLMSSP);
1192 }
1193
1194 /* Copy the blob into the pout_auth parse struct */
1195 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1196 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1197 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1198 goto err;
1199 }
1200
1201 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1202 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1203 goto err;
1204 }
1205
1206 p->auth.a_u.auth_ntlmssp_state = a;
1207 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1208 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1209
1210 data_blob_free(&blob);
1211 data_blob_free(&secblob);
1212 data_blob_free(&chal);
1213 data_blob_free(&response);
1214
1215 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1216 return True;
1217
1218 err:
1219
1220 data_blob_free(&blob);
1221 data_blob_free(&secblob);
1222 data_blob_free(&chal);
1223 data_blob_free(&response);
1224
1225 p->auth.a_u.auth_ntlmssp_state = NULL;
1226
1227 return False;
1228 }
1229
1230 /*******************************************************************
1231 Handle the second part of a SPNEGO bind auth.
1232 *******************************************************************/
1233
1234 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1235 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1236 {
1237 RPC_HDR_AUTH auth_info;
1238 DATA_BLOB spnego_blob;
1239 DATA_BLOB auth_blob;
1240 DATA_BLOB auth_reply;
1241 DATA_BLOB response;
1242 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1243
1244 ZERO_STRUCT(spnego_blob);
1245 ZERO_STRUCT(auth_blob);
1246 ZERO_STRUCT(auth_reply);
1247 ZERO_STRUCT(response);
1248
1249 /*
1250 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1251 * fail here as 'a' == NULL.
1252 */
1253 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1254 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1255 goto err;
1256 }
1257
1258 /* Grab the SPNEGO blob. */
1259 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1260
1261 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1262 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1263 (unsigned int)p->hdr.auth_len ));
1264 goto err;
1265 }
1266
1267 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1268 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1269 goto err;
1270 }
1271
1272 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1273 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1274 goto err;
1275 }
1276
1277 /*
1278 * The following call actually checks the challenge/response data.
1279 * for correctness against the given DOMAIN\user name.
1280 */
1281
1282 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1283 goto err;
1284 }
1285
1286 data_blob_free(&spnego_blob);
1287 data_blob_free(&auth_blob);
1288
1289 /* Generate the spnego "accept completed" blob - no incoming data. */
1290 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1291
1292 /* Copy the blob into the pout_auth parse struct */
1293 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1294 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1295 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1296 goto err;
1297 }
1298
1299 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1300 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1301 goto err;
1302 }
1303
1304 data_blob_free(&auth_reply);
1305 data_blob_free(&response);
1306
1307 p->pipe_bound = True;
1308
1309 return True;
1310
1311 err:
1312
1313 data_blob_free(&spnego_blob);
1314 data_blob_free(&auth_blob);
1315 data_blob_free(&auth_reply);
1316 data_blob_free(&response);
1317
1318 free_pipe_ntlmssp_auth_data(&p->auth);
1319 p->auth.a_u.auth_ntlmssp_state = NULL;
1320
1321 return False;
1322 }
1323
1324 /*******************************************************************
1325 Handle an schannel bind auth.
1326 *******************************************************************/
1327
1328 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1329 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1330 {
1331 RPC_HDR_AUTH auth_info;
1332 RPC_AUTH_SCHANNEL_NEG neg;
1333 RPC_AUTH_VERIFIER auth_verifier;
1334 bool ret;
1335 struct dcinfo *pdcinfo;
1336 uint32 flags;
1337 DATA_BLOB session_key;
1338
1339 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1340 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1341 return False;
1342 }
1343
1344 /*
1345 * The neg.myname key here must match the remote computer name
1346 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1347 * operations that use credentials.
1348 */
1349
1350 become_root();
1351 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1352 unbecome_root();
1353
1354 if (!ret) {
1355 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1356 return False;
1357 }
1358
1359 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1360 if (!p->auth.a_u.schannel_auth) {
1361 TALLOC_FREE(pdcinfo);
1362 return False;
1363 }
1364
1365 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1366 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1367 sizeof(pdcinfo->sess_key));
1368
1369 TALLOC_FREE(pdcinfo);
1370
1371 p->auth.a_u.schannel_auth->seq_num = 0;
1372
1373 /*
1374 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1375 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1376 * struct of the person who opened the pipe. I need to test this further. JRA.
1377 *
1378 * VL. As we are mapping this to guest set the generic key
1379 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1380 * W2k3, as it does not allow schannel binds against SAMR and LSA
1381 * anymore.
1382 */
1383
1384 session_key = generic_session_key();
1385 if (session_key.data == NULL) {
1386 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1387 " key\n"));
1388 return false;
1389 }
1390
1391 ret = server_info_set_session_key(p->server_info, session_key);
1392
1393 data_blob_free(&session_key);
1394
1395 if (!ret) {
1396 DEBUG(0, ("server_info_set_session_key failed\n"));
1397 return false;
1398 }
1399
1400 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1401 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1402 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1403 return False;
1404 }
1405
1406 /*** SCHANNEL verifier ***/
1407
1408 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1409 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1410 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1411 return False;
1412 }
1413
1414 prs_align(pout_auth);
1415
1416 flags = 5;
1417 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1418 return False;
1419 }
1420
1421 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1422 neg.domain, neg.myname));
1423
1424 /* We're finished with this bind - no more packets. */
1425 p->auth.auth_data_free_func = NULL;
1426 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1427
1428 p->pipe_bound = True;
1429
1430 return True;
1431 }
1432
1433 /*******************************************************************
1434 Handle an NTLMSSP bind auth.
1435 *******************************************************************/
1436
1437 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1438 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1439 {
1440 RPC_HDR_AUTH auth_info;
1441 DATA_BLOB blob;
1442 DATA_BLOB response;
1443 NTSTATUS status;
1444 AUTH_NTLMSSP_STATE *a = NULL;
1445
1446 ZERO_STRUCT(blob);
1447 ZERO_STRUCT(response);
1448
1449 /* Grab the NTLMSSP blob. */
1450 blob = data_blob(NULL,p->hdr.auth_len);
1451
1452 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1453 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1454 (unsigned int)p->hdr.auth_len ));
1455 goto err;
1456 }
1457
1458 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1459 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1460 goto err;
1461 }
1462
1463 /* We have an NTLMSSP blob. */
1464 status = auth_ntlmssp_start(&a);
1465 if (!NT_STATUS_IS_OK(status)) {
1466 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1467 nt_errstr(status) ));
1468 goto err;
1469 }
1470
1471 status = auth_ntlmssp_update(a, blob, &response);
1472 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1473 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1474 nt_errstr(status) ));
1475 goto err;
1476 }
1477
1478 data_blob_free(&blob);
1479
1480 /* Copy the blob into the pout_auth parse struct */
1481 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1482 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1483 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1484 goto err;
1485 }
1486
1487 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1488 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1489 goto err;
1490 }
1491
1492 p->auth.a_u.auth_ntlmssp_state = a;
1493 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1494 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1495
1496 data_blob_free(&blob);
1497 data_blob_free(&response);
1498
1499 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1500
1501 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1502 return True;
1503
1504 err:
1505
1506 data_blob_free(&blob);
1507 data_blob_free(&response);
1508
1509 free_pipe_ntlmssp_auth_data(&p->auth);
1510 p->auth.a_u.auth_ntlmssp_state = NULL;
1511 return False;
1512 }
1513
1514 /*******************************************************************
1515 Respond to a pipe bind request.
1516 *******************************************************************/
1517
1518 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1519 {
1520 RPC_HDR_BA hdr_ba;
1521 RPC_HDR_RB hdr_rb;
1522 RPC_HDR_AUTH auth_info;
1523 uint16 assoc_gid;
1524 fstring ack_pipe_name;
1525 prs_struct out_hdr_ba;
1526 prs_struct out_auth;
1527 prs_struct outgoing_rpc;
1528 int i = 0;
1529 int auth_len = 0;
1530 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1531
1532 /* No rebinds on a bound pipe - use alter context. */
1533 if (p->pipe_bound) {
1534 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1535 return setup_bind_nak(p);
1536 }
1537
1538 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1539
1540 /*
1541 * Marshall directly into the outgoing PDU space. We
1542 * must do this as we need to set to the bind response
1543 * header and are never sending more than one PDU here.
1544 */
1545
1546 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1547
1548 /*
1549 * Setup the memory to marshall the ba header, and the
1550 * auth footers.
1551 */
1552
1553 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1554 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1555 prs_mem_free(&outgoing_rpc);
1556 return False;
1557 }
1558
1559 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1560 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1561 prs_mem_free(&outgoing_rpc);
1562 prs_mem_free(&out_hdr_ba);
1563 return False;
1564 }
1565
1566 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1567
1568 ZERO_STRUCT(hdr_rb);
1569
1570 /* decode the bind request */
1571
1572 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1573 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1574 "struct.\n"));
1575 goto err_exit;
1576 }
1577
1578 if (hdr_rb.num_contexts == 0) {
1579 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1580 goto err_exit;
1581 }
1582
1583 /*
1584 * Try and find the correct pipe name to ensure
1585 * that this is a pipe name we support.
1586 */
1587
1588 for (i = 0; i < rpc_lookup_size; i++) {
1589 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1590 &hdr_rb.rpc_context[0].abstract)) {
1591 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1592 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1593 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1594 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1595 break;
1596 }
1597 }
1598
1599 if (i == rpc_lookup_size) {
1600 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1601 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1602 p->name ));
1603 prs_mem_free(&outgoing_rpc);
1604 prs_mem_free(&out_hdr_ba);
1605 prs_mem_free(&out_auth);
1606
1607 return setup_bind_nak(p);
1608 }
1609
1610 for (i = 0; i < rpc_lookup_size; i++) {
1611 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1612 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1613 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1614 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1615 break;
1616 }
1617 }
1618
1619 if (i == rpc_lookup_size) {
1620 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1621 goto err_exit;
1622 }
1623 }
1624
1625 /* name has to be \PIPE\xxxxx */
1626 fstrcpy(ack_pipe_name, "\\PIPE\\");
1627 fstrcat(ack_pipe_name, p->pipe_srv_name);
1628
1629 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1630
1631 /*
1632 * Check if this is an authenticated bind request.
1633 */
1634
1635 if (p->hdr.auth_len) {
1636 /*
1637 * Decode the authentication verifier.
1638 */
1639
1640 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1641 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1642 goto err_exit;
1643 }
1644
1645 auth_type = auth_info.auth_type;
1646
1647 /* Work out if we have to sign or seal etc. */
1648 switch (auth_info.auth_level) {
1649 case RPC_AUTH_LEVEL_INTEGRITY:
1650 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1651 break;
1652 case RPC_AUTH_LEVEL_PRIVACY:
1653 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1654 break;
1655 default:
1656 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1657 (unsigned int)auth_info.auth_level ));
1658 goto err_exit;
1659 }
1660 } else {
1661 ZERO_STRUCT(auth_info);
1662 }
1663
1664 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1665
1666 switch(auth_type) {
1667 case RPC_NTLMSSP_AUTH_TYPE:
1668 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1669 goto err_exit;
1670 }
1671 assoc_gid = 0x7a77;
1672 break;
1673
1674 case RPC_SCHANNEL_AUTH_TYPE:
1675 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1676 goto err_exit;
1677 }
1678 break;
1679
1680 case RPC_SPNEGO_AUTH_TYPE:
1681 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1682 goto err_exit;
1683 }
1684 break;
1685
1686 case RPC_ANONYMOUS_AUTH_TYPE:
1687 /* Unauthenticated bind request. */
1688 /* We're finished - no more packets. */
1689 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1690 /* We must set the pipe auth_level here also. */
1691 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1692 p->pipe_bound = True;
1693 /* The session key was initialized from the SMB
1694 * session in make_internal_rpc_pipe_p */
1695 break;
1696
1697 default:
1698 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1699 goto err_exit;
1700 }
1701
1702 /*
1703 * Create the bind response struct.
1704 */
1705
1706 /* If the requested abstract synt uuid doesn't match our client pipe,
1707 reject the bind_ack & set the transfer interface synt to all 0's,
1708 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1709 unknown to NT4)
1710 Needed when adding entries to a DACL from NT5 - SK */
1711
1712 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1713 hdr_rb.rpc_context[0].context_id )) {
1714 init_rpc_hdr_ba(&hdr_ba,
1715 RPC_MAX_PDU_FRAG_LEN,
1716 RPC_MAX_PDU_FRAG_LEN,
1717 assoc_gid,
1718 ack_pipe_name,
1719 0x1, 0x0, 0x0,
1720 &hdr_rb.rpc_context[0].transfer[0]);
1721 } else {
1722 RPC_IFACE null_interface;
1723 ZERO_STRUCT(null_interface);
1724 /* Rejection reason: abstract syntax not supported */
1725 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1726 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1727 ack_pipe_name, 0x1, 0x2, 0x1,
1728 &null_interface);
1729 p->pipe_bound = False;
1730 }
1731
1732 /*
1733 * and marshall it.
1734 */
1735
1736 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1737 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1738 goto err_exit;
1739 }
1740
1741 /*
1742 * Create the header, now we know the length.
1743 */
1744
1745 if (prs_offset(&out_auth)) {
1746 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1747 }
1748
1749 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1750 p->hdr.call_id,
1751 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1752 auth_len);
1753
1754 /*
1755 * Marshall the header into the outgoing PDU.
1756 */
1757
1758 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1759 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1760 goto err_exit;
1761 }
1762
1763 /*
1764 * Now add the RPC_HDR_BA and any auth needed.
1765 */
1766
1767 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1768 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1769 goto err_exit;
1770 }
1771
1772 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1773 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1774 goto err_exit;
1775 }
1776
1777 /*
1778 * Setup the lengths for the initial reply.
1779 */
1780
1781 p->out_data.data_sent_length = 0;
1782 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1783 p->out_data.current_pdu_sent = 0;
1784
1785 prs_mem_free(&out_hdr_ba);
1786 prs_mem_free(&out_auth);
1787
1788 return True;
1789
1790 err_exit:
1791
1792 prs_mem_free(&outgoing_rpc);
1793 prs_mem_free(&out_hdr_ba);
1794 prs_mem_free(&out_auth);
1795 return setup_bind_nak(p);
1796 }
1797
1798 /****************************************************************************
1799 Deal with an alter context call. Can be third part of 3 leg auth request for
1800 SPNEGO calls.
1801 ****************************************************************************/
1802
1803 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1804 {
1805 RPC_HDR_BA hdr_ba;
1806 RPC_HDR_RB hdr_rb;
1807 RPC_HDR_AUTH auth_info;
1808 uint16 assoc_gid;
1809 fstring ack_pipe_name;
1810 prs_struct out_hdr_ba;
1811 prs_struct out_auth;
1812 prs_struct outgoing_rpc;
1813 int auth_len = 0;
1814
1815 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1816
1817 /*
1818 * Marshall directly into the outgoing PDU space. We
1819 * must do this as we need to set to the bind response
1820 * header and are never sending more than one PDU here.
1821 */
1822
1823 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1824
1825 /*
1826 * Setup the memory to marshall the ba header, and the
1827 * auth footers.
1828 */
1829
1830 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1831 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1832 prs_mem_free(&outgoing_rpc);
1833 return False;
1834 }
1835
1836 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1837 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1838 prs_mem_free(&outgoing_rpc);
1839 prs_mem_free(&out_hdr_ba);
1840 return False;
1841 }
1842
1843 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1844
1845 /* decode the alter context request */
1846 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1847 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1848 goto err_exit;
1849 }
1850
1851 /* secondary address CAN be NULL
1852 * as the specs say it's ignored.
1853 * It MUST be NULL to have the spoolss working.
1854 */
1855 fstrcpy(ack_pipe_name,"");
1856
1857 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1858
1859 /*
1860 * Check if this is an authenticated alter context request.
1861 */
1862
1863 if (p->hdr.auth_len != 0) {
1864 /*
1865 * Decode the authentication verifier.
1866 */
1867
1868 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1869 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1870 goto err_exit;
1871 }
1872
1873 /*
1874 * Currently only the SPNEGO auth type uses the alter ctx
1875 * response in place of the NTLMSSP auth3 type.
1876 */
1877
1878 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1879 /* We can only finish if the pipe is unbound. */
1880 if (!p->pipe_bound) {
1881 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1882 goto err_exit;
1883 }
1884 } else {
1885 goto err_exit;
1886 }
1887 }
1888 } else {
1889 ZERO_STRUCT(auth_info);
1890 }
1891
1892 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1893
1894 /*
1895 * Create the bind response struct.
1896 */
1897
1898 /* If the requested abstract synt uuid doesn't match our client pipe,
1899 reject the bind_ack & set the transfer interface synt to all 0's,
1900 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1901 unknown to NT4)
1902 Needed when adding entries to a DACL from NT5 - SK */
1903
1904 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1905 hdr_rb.rpc_context[0].context_id )) {
1906 init_rpc_hdr_ba(&hdr_ba,
1907 RPC_MAX_PDU_FRAG_LEN,
1908 RPC_MAX_PDU_FRAG_LEN,
1909 assoc_gid,
1910 ack_pipe_name,
1911 0x1, 0x0, 0x0,
1912 &hdr_rb.rpc_context[0].transfer[0]);
1913 } else {
1914 RPC_IFACE null_interface;
1915 ZERO_STRUCT(null_interface);
1916 /* Rejection reason: abstract syntax not supported */
1917 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1918 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1919 ack_pipe_name, 0x1, 0x2, 0x1,
1920 &null_interface);
1921 p->pipe_bound = False;
1922 }
1923
1924 /*
1925 * and marshall it.
1926 */
1927
1928 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1929 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1930 goto err_exit;
1931 }
1932
1933 /*
1934 * Create the header, now we know the length.
1935 */
1936
1937 if (prs_offset(&out_auth)) {
1938 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1939 }
1940
1941 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1942 p->hdr.call_id,
1943 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1944 auth_len);
1945
1946 /*
1947 * Marshall the header into the outgoing PDU.
1948 */
1949
1950 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1951 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1952 goto err_exit;
1953 }
1954
1955 /*
1956 * Now add the RPC_HDR_BA and any auth needed.
1957 */
1958
1959 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1960 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1961 goto err_exit;
1962 }
1963
1964 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1965 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1966 goto err_exit;
1967 }
1968
1969 /*
1970 * Setup the lengths for the initial reply.
1971 */
1972
1973 p->out_data.data_sent_length = 0;
1974 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1975 p->out_data.current_pdu_sent = 0;
1976
1977 prs_mem_free(&out_hdr_ba);
1978 prs_mem_free(&out_auth);
1979
1980 return True;
1981
1982 err_exit:
1983
1984 prs_mem_free(&outgoing_rpc);
1985 prs_mem_free(&out_hdr_ba);
1986 prs_mem_free(&out_auth);
1987 return setup_bind_nak(p);
1988 }
1989
1990 /****************************************************************************
1991 Deal with NTLMSSP sign & seal processing on an RPC request.
1992 ****************************************************************************/
1993
1994 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1995 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1996 {
1997 RPC_HDR_AUTH auth_info;
1998 uint32 auth_len = p->hdr.auth_len;
1999 uint32 save_offset = prs_offset(rpc_in);
2000 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2001 unsigned char *data = NULL;
2002 size_t data_len;
2003 unsigned char *full_packet_data = NULL;
2004 size_t full_packet_data_len;
2005 DATA_BLOB auth_blob;
2006
2007 *pstatus = NT_STATUS_OK;
2008
2009 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2010 return True;
2011 }
2012
2013 if (!a) {
2014 *pstatus = NT_STATUS_INVALID_PARAMETER;
2015 return False;
2016 }
2017
2018 /* Ensure there's enough data for an authenticated request. */
2019 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2020 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2021 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2022 (unsigned int)auth_len ));
2023 *pstatus = NT_STATUS_INVALID_PARAMETER;
2024 return False;
2025 }
2026
2027 /*
2028 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2029 * after the RPC header.
2030 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2031 * functions as NTLMv2 checks the rpc headers also.
2032 */
2033
2034 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2035 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2036
2037 full_packet_data = p->in_data.current_in_pdu;
2038 full_packet_data_len = p->hdr.frag_len - auth_len;
2039
2040 /* Pull the auth header and the following data into a blob. */
2041 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2042 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2043 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2044 *pstatus = NT_STATUS_INVALID_PARAMETER;
2045 return False;
2046 }
2047
2048 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2049 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2050 *pstatus = NT_STATUS_INVALID_PARAMETER;
2051 return False;
2052 }
2053
2054 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2055 auth_blob.length = auth_len;
2056
2057 switch (p->auth.auth_level) {
2058 case PIPE_AUTH_LEVEL_PRIVACY:
2059 /* Data is encrypted. */
2060 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2061 data, data_len,
2062 full_packet_data,
2063 full_packet_data_len,
2064 &auth_blob);
2065 if (!NT_STATUS_IS_OK(*pstatus)) {
2066 return False;
2067 }
2068 break;
2069 case PIPE_AUTH_LEVEL_INTEGRITY:
2070 /* Data is signed. */
2071 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2072 data, data_len,
2073 full_packet_data,
2074 full_packet_data_len,
2075 &auth_blob);
2076 if (!NT_STATUS_IS_OK(*pstatus)) {
2077 return False;
2078 }
2079 break;
2080 default:
2081 *pstatus = NT_STATUS_INVALID_PARAMETER;
2082 return False;
2083 }
2084
2085 /*
2086 * Return the current pointer to the data offset.
2087 */
2088
2089 if(!prs_set_offset(rpc_in, save_offset)) {
2090 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2091 (unsigned int)save_offset ));
2092 *pstatus = NT_STATUS_INVALID_PARAMETER;
2093 return False;
2094 }
2095
2096 /*
2097 * Remember the padding length. We must remove it from the real data
2098 * stream once the sign/seal is done.
2099 */
2100
2101 *p_ss_padding_len = auth_info.auth_pad_len;
2102
2103 return True;
2104 }
2105
2106 /****************************************************************************
2107 Deal with schannel processing on an RPC request.
2108 ****************************************************************************/
2109
2110 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2111 {
2112 uint32 data_len;
2113 uint32 auth_len;
2114 uint32 save_offset = prs_offset(rpc_in);
2115 RPC_HDR_AUTH auth_info;
2116 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2117
2118 auth_len = p->hdr.auth_len;
2119
2120 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2121 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2122 return False;
2123 }
2124
2125 /*
2126 * The following is that length of the data we must verify or unseal.
2127 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2128 * preceeding the auth_data.
2129 */
2130
2131 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2132 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2133 (unsigned int)p->hdr.frag_len,
2134 (unsigned int)auth_len ));
2135 return False;
2136 }
2137
2138 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2139 RPC_HDR_AUTH_LEN - auth_len;
2140
2141 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2142
2143 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2144 DEBUG(0,("cannot move offset to %u.\n",
2145 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2146 return False;
2147 }
2148
2149 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2150 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2151 return False;
2152 }
2153
2154 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2155 DEBUG(0,("Invalid auth info %d on schannel\n",
2156 auth_info.auth_type));
2157 return False;
2158 }
2159
2160 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2161 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2162 return False;
2163 }
2164
2165 if (!schannel_decode(p->auth.a_u.schannel_auth,
2166 p->auth.auth_level,
2167 SENDER_IS_INITIATOR,
2168 &schannel_chk,
2169 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2170 DEBUG(3,("failed to decode PDU\n"));
2171 return False;
2172 }
2173
2174 /*
2175 * Return the current pointer to the data offset.
2176 */
2177
2178 if(!prs_set_offset(rpc_in, save_offset)) {
2179 DEBUG(0,("failed to set offset back to %u\n",
2180 (unsigned int)save_offset ));
2181 return False;
2182 }
2183
2184 /* The sequence number gets incremented on both send and receive. */
2185 p->auth.a_u.schannel_auth->seq_num++;
2186
2187 /*
2188 * Remember the padding length. We must remove it from the real data
2189 * stream once the sign/seal is done.
2190 */
2191
2192 *p_ss_padding_len = auth_info.auth_pad_len;
2193
2194 return True;
2195 }
2196
2197 /****************************************************************************
2198 Find the set of RPC functions associated with this context_id
2199 ****************************************************************************/
2200
2201 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2202 {
2203 PIPE_RPC_FNS *fns = NULL;
2204 PIPE_RPC_FNS *tmp = NULL;
2205
2206 if ( !list ) {
2207 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2208 return NULL;
2209 }
2210
2211 for (tmp=list; tmp; tmp=tmp->next ) {
2212 if ( tmp->context_id == context_id )
2213 break;
2214 }
2215
2216 fns = tmp;
2217
2218 return fns;
2219 }
2220
2221 /****************************************************************************
2222 Memory cleanup.
2223 ****************************************************************************/
2224
2225 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2226 {
2227 PIPE_RPC_FNS *tmp = list;
2228 PIPE_RPC_FNS *tmp2;
2229
2230 while (tmp) {
2231 tmp2 = tmp->next;
2232 SAFE_FREE(tmp);
2233 tmp = tmp2;
2234 }
2235
2236 return;
2237 }
2238
2239 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2240 const struct api_struct *api_rpc_cmds, int n_cmds);
2241
2242 /****************************************************************************
2243 Find the correct RPC function to call for this request.
2244 If the pipe is authenticated then become the correct UNIX user
2245 before doing the call.
2246 ****************************************************************************/
2247
2248 bool api_pipe_request(pipes_struct *p)
2249 {
2250 bool ret = False;
2251 bool changed_user = False;
2252 PIPE_RPC_FNS *pipe_fns;
2253
2254 if (p->pipe_bound &&
2255 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2256 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2257 if(!become_authenticated_pipe_user(p)) {
2258 prs_mem_free(&p->out_data.rdata);
2259 return False;
2260 }
2261 changed_user = True;
2262 }
2263
2264 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2265
2266 /* get the set of RPC functions for this context */
2267
2268 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2269
2270 if ( pipe_fns ) {
2271 TALLOC_CTX *frame = talloc_stackframe();
2272 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2273 TALLOC_FREE(frame);
2274 }
2275 else {
2276 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2277 p->hdr_req.context_id, p->name));
2278 }
2279
2280 if (changed_user) {
2281 unbecome_authenticated_pipe_user();
2282 }
2283
2284 return ret;
2285 }
2286
2287 /*******************************************************************
2288 Calls the underlying RPC function for a named pipe.
2289 ********************************************************************/
2290
2291 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2292 const struct api_struct *api_rpc_cmds, int n_cmds)
2293 {
2294 int fn_num;
2295 fstring name;
2296 uint32 offset1, offset2;
2297
2298 /* interpret the command */
2299 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2300
2301 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2302 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2303
2304 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2305 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2306 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2307 break;
2308 }
2309 }
2310
2311 if (fn_num == n_cmds) {
2312 /*
2313 * For an unknown RPC just return a fault PDU but
2314 * return True to allow RPC's on the pipe to continue
2315 * and not put the pipe into fault state. JRA.
2316 */
2317 DEBUG(4, ("unknown\n"));
2318 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2319 return True;
2320 }
2321
2322 offset1 = prs_offset(&p->out_data.rdata);
2323
2324 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2325 fn_num, api_rpc_cmds[fn_num].fn));
2326 /* do the actual command */
2327 if(!api_rpc_cmds[fn_num].fn(p)) {
2328 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2329 prs_mem_free(&p->out_data.rdata);
2330 return False;
2331 }
2332
2333 if (p->bad_handle_fault_state) {
2334 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2335 p->bad_handle_fault_state = False;
2336 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2337 return True;
2338 }
2339
2340 if (p->rng_fault_state) {
2341 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2342 p->rng_fault_state = False;
2343 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2344 return True;
2345 }
2346
2347 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2348 offset2 = prs_offset(&p->out_data.rdata);
2349 prs_set_offset(&p->out_data.rdata, offset1);
2350 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2351 prs_set_offset(&p->out_data.rdata, offset2);
2352
2353 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2354
2355 /* Check for buffer underflow in rpc parsing */
2356
2357 if ((DEBUGLEVEL >= 10) &&
2358 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2359 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2360 char *data = (char *)SMB_MALLOC(data_len);
2361
2362 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2363 if (data) {
2364 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2365 SAFE_FREE(data);
2366 }
2367
2368 }
2369
2370 return True;
2371 }
Samba GIT mirror