search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
More fixups.
[Samba.git] / source / rpc_server / srv_pipe.c
blob52e4fdfd5ba6c871eccf8be6e67ea326ec050fd0
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct pipe_id_info pipe_names[];
33 extern struct current_user current_user;
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
37
38 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39 {
40 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41
42 if (a) {
43 auth_ntlmssp_end(&a);
44 }
45 auth->a_u.auth_ntlmssp_state = NULL;
46 }
47
48 static DATA_BLOB generic_session_key(void)
49 {
50 return data_blob("SystemLibraryDTC", 16);
51 }
52
53 /*******************************************************************
54 Generate the next PDU to be returned from the data in p->rdata.
55 Handle NTLMSSP.
56 ********************************************************************/
57
58 static bool create_next_pdu_ntlmssp(pipes_struct *p)
59 {
60 RPC_HDR_RESP hdr_resp;
61 uint32 ss_padding_len = 0;
62 uint32 data_space_available;
63 uint32 data_len_left;
64 uint32 data_len;
65 prs_struct outgoing_pdu;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72 /*
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
75 */
76
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
80 }
81
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = RPC_RESPONSE;
86
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = RPC_FLG_FIRST;
90 } else {
91 p->hdr.flags = 0;
92 }
93
94 /*
95 * Work out how much we can fit in a single PDU.
96 */
97
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100 /*
101 * Ensure there really is data left to send.
102 */
103
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
107 }
108
109 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
110 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112 /*
113 * The amount we send is the minimum of the available
114 * space and the amount left to send.
115 */
116
117 data_len = MIN(data_len_left, data_space_available);
118
119 /*
120 * Set up the alloc hint. This should be the data left to
121 * send.
122 */
123
124 hdr_resp.alloc_hint = data_len_left;
125
126 /*
127 * Work out if this PDU will be the last.
128 */
129
130 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131 p->hdr.flags |= RPC_FLG_LAST;
132 if (data_len_left % 8) {
133 ss_padding_len = 8 - (data_len_left % 8);
134 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135 ss_padding_len ));
136 }
137 }
138
139 /*
140 * Set up the header lengths.
141 */
142
143 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144 data_len + ss_padding_len +
145 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149 /*
150 * Init the parse struct to point at the outgoing
151 * data.
152 */
153
154 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
155 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
156
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&outgoing_pdu);
161 return False;
162 }
163
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&outgoing_pdu);
167 return False;
168 }
169
170 /* Copy the data into the PDU. */
171
172 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174 prs_mem_free(&outgoing_pdu);
175 return False;
176 }
177
178 /* Copy the sign/seal padding data. */
179 if (ss_padding_len) {
180 char pad[8];
181
182 memset(pad, '\0', 8);
183 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
185 (unsigned int)ss_padding_len));
186 prs_mem_free(&outgoing_pdu);
187 return False;
188 }
189 }
190
191
192 /* Now write out the auth header and null blob. */
193 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
194 auth_type = RPC_NTLMSSP_AUTH_TYPE;
195 } else {
196 auth_type = RPC_SPNEGO_AUTH_TYPE;
197 }
198 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
199 auth_level = RPC_AUTH_LEVEL_PRIVACY;
200 } else {
201 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
202 }
203
204 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
205 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
206 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207 prs_mem_free(&outgoing_pdu);
208 return False;
209 }
210
211 /* Generate the sign blob. */
212
213 switch (p->auth.auth_level) {
214 case PIPE_AUTH_LEVEL_PRIVACY:
215 /* Data portion is encrypted. */
216 status = ntlmssp_seal_packet(a->ntlmssp_state,
217 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
218 data_len + ss_padding_len,
219 (unsigned char *)prs_data_p(&outgoing_pdu),
220 (size_t)prs_offset(&outgoing_pdu),
221 &auth_blob);
222 if (!NT_STATUS_IS_OK(status)) {
223 data_blob_free(&auth_blob);
224 prs_mem_free(&outgoing_pdu);
225 return False;
226 }
227 break;
228 case PIPE_AUTH_LEVEL_INTEGRITY:
229 /* Data is signed. */
230 status = ntlmssp_sign_packet(a->ntlmssp_state,
231 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232 data_len + ss_padding_len,
233 (unsigned char *)prs_data_p(&outgoing_pdu),
234 (size_t)prs_offset(&outgoing_pdu),
235 &auth_blob);
236 if (!NT_STATUS_IS_OK(status)) {
237 data_blob_free(&auth_blob);
238 prs_mem_free(&outgoing_pdu);
239 return False;
240 }
241 break;
242 default:
243 prs_mem_free(&outgoing_pdu);
244 return False;
245 }
246
247 /* Append the auth blob. */
248 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
249 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
250 (unsigned int)NTLMSSP_SIG_SIZE));
251 data_blob_free(&auth_blob);
252 prs_mem_free(&outgoing_pdu);
253 return False;
254 }
255
256 data_blob_free(&auth_blob);
257
258 /*
259 * Setup the counts for this PDU.
260 */
261
262 p->out_data.data_sent_length += data_len;
263 p->out_data.current_pdu_len = p->hdr.frag_len;
264 p->out_data.current_pdu_sent = 0;
265
266 prs_mem_free(&outgoing_pdu);
267 return True;
268 }
269
270 /*******************************************************************
271 Generate the next PDU to be returned from the data in p->rdata.
272 Return an schannel authenticated fragment.
273 ********************************************************************/
274
275 static bool create_next_pdu_schannel(pipes_struct *p)
276 {
277 RPC_HDR_RESP hdr_resp;
278 uint32 ss_padding_len = 0;
279 uint32 data_len;
280 uint32 data_space_available;
281 uint32 data_len_left;
282 prs_struct outgoing_pdu;
283 uint32 data_pos;
284
285 /*
286 * If we're in the fault state, keep returning fault PDU's until
287 * the pipe gets closed. JRA.
288 */
289
290 if(p->fault_state) {
291 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
292 return True;
293 }
294
295 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
296
297 /* Change the incoming request header to a response. */
298 p->hdr.pkt_type = RPC_RESPONSE;
299
300 /* Set up rpc header flags. */
301 if (p->out_data.data_sent_length == 0) {
302 p->hdr.flags = RPC_FLG_FIRST;
303 } else {
304 p->hdr.flags = 0;
305 }
306
307 /*
308 * Work out how much we can fit in a single PDU.
309 */
310
311 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
312
313 /*
314 * Ensure there really is data left to send.
315 */
316
317 if(!data_len_left) {
318 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
319 return False;
320 }
321
322 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
323 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
324
325 /*
326 * The amount we send is the minimum of the available
327 * space and the amount left to send.
328 */
329
330 data_len = MIN(data_len_left, data_space_available);
331
332 /*
333 * Set up the alloc hint. This should be the data left to
334 * send.
335 */
336
337 hdr_resp.alloc_hint = data_len_left;
338
339 /*
340 * Work out if this PDU will be the last.
341 */
342
343 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
344 p->hdr.flags |= RPC_FLG_LAST;
345 if (data_len_left % 8) {
346 ss_padding_len = 8 - (data_len_left % 8);
347 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
348 ss_padding_len ));
349 }
350 }
351
352 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
353 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
355
356 /*
357 * Init the parse struct to point at the outgoing
358 * data.
359 */
360
361 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
362 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
363
364 /* Store the header in the data stream. */
365 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
366 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
367 prs_mem_free(&outgoing_pdu);
368 return False;
369 }
370
371 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
373 prs_mem_free(&outgoing_pdu);
374 return False;
375 }
376
377 /* Store the current offset. */
378 data_pos = prs_offset(&outgoing_pdu);
379
380 /* Copy the data into the PDU. */
381
382 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
383 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
384 prs_mem_free(&outgoing_pdu);
385 return False;
386 }
387
388 /* Copy the sign/seal padding data. */
389 if (ss_padding_len) {
390 char pad[8];
391 memset(pad, '\0', 8);
392 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
394 prs_mem_free(&outgoing_pdu);
395 return False;
396 }
397 }
398
399 {
400 /*
401 * Schannel processing.
402 */
403 char *data;
404 RPC_HDR_AUTH auth_info;
405 RPC_AUTH_SCHANNEL_CHK verf;
406
407 data = prs_data_p(&outgoing_pdu) + data_pos;
408 /* Check it's the type of reply we were expecting to decode */
409
410 init_rpc_hdr_auth(&auth_info,
411 RPC_SCHANNEL_AUTH_TYPE,
412 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
413 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
414 ss_padding_len, 1);
415
416 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
417 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
418 prs_mem_free(&outgoing_pdu);
419 return False;
420 }
421
422 schannel_encode(p->auth.a_u.schannel_auth,
423 p->auth.auth_level,
424 SENDER_IS_ACCEPTOR,
425 &verf, data, data_len + ss_padding_len);
426
427 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
428 &verf, &outgoing_pdu, 0)) {
429 prs_mem_free(&outgoing_pdu);
430 return False;
431 }
432
433 p->auth.a_u.schannel_auth->seq_num++;
434 }
435
436 /*
437 * Setup the counts for this PDU.
438 */
439
440 p->out_data.data_sent_length += data_len;
441 p->out_data.current_pdu_len = p->hdr.frag_len;
442 p->out_data.current_pdu_sent = 0;
443
444 prs_mem_free(&outgoing_pdu);
445 return True;
446 }
447
448 /*******************************************************************
449 Generate the next PDU to be returned from the data in p->rdata.
450 No authentication done.
451 ********************************************************************/
452
453 static bool create_next_pdu_noauth(pipes_struct *p)
454 {
455 RPC_HDR_RESP hdr_resp;
456 uint32 data_len;
457 uint32 data_space_available;
458 uint32 data_len_left;
459 prs_struct outgoing_pdu;
460
461 /*
462 * If we're in the fault state, keep returning fault PDU's until
463 * the pipe gets closed. JRA.
464 */
465
466 if(p->fault_state) {
467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468 return True;
469 }
470
471 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472
473 /* Change the incoming request header to a response. */
474 p->hdr.pkt_type = RPC_RESPONSE;
475
476 /* Set up rpc header flags. */
477 if (p->out_data.data_sent_length == 0) {
478 p->hdr.flags = RPC_FLG_FIRST;
479 } else {
480 p->hdr.flags = 0;
481 }
482
483 /*
484 * Work out how much we can fit in a single PDU.
485 */
486
487 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
488
489 /*
490 * Ensure there really is data left to send.
491 */
492
493 if(!data_len_left) {
494 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495 return False;
496 }
497
498 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
499
500 /*
501 * The amount we send is the minimum of the available
502 * space and the amount left to send.
503 */
504
505 data_len = MIN(data_len_left, data_space_available);
506
507 /*
508 * Set up the alloc hint. This should be the data left to
509 * send.
510 */
511
512 hdr_resp.alloc_hint = data_len_left;
513
514 /*
515 * Work out if this PDU will be the last.
516 */
517
518 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
519 p->hdr.flags |= RPC_FLG_LAST;
520 }
521
522 /*
523 * Set up the header lengths.
524 */
525
526 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
527 p->hdr.auth_len = 0;
528
529 /*
530 * Init the parse struct to point at the outgoing
531 * data.
532 */
533
534 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
535 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
536
537 /* Store the header in the data stream. */
538 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
539 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540 prs_mem_free(&outgoing_pdu);
541 return False;
542 }
543
544 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
545 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546 prs_mem_free(&outgoing_pdu);
547 return False;
548 }
549
550 /* Copy the data into the PDU. */
551
552 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
553 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
554 prs_mem_free(&outgoing_pdu);
555 return False;
556 }
557
558 /*
559 * Setup the counts for this PDU.
560 */
561
562 p->out_data.data_sent_length += data_len;
563 p->out_data.current_pdu_len = p->hdr.frag_len;
564 p->out_data.current_pdu_sent = 0;
565
566 prs_mem_free(&outgoing_pdu);
567 return True;
568 }
569
570 /*******************************************************************
571 Generate the next PDU to be returned from the data in p->rdata.
572 ********************************************************************/
573
574 bool create_next_pdu(pipes_struct *p)
575 {
576 switch(p->auth.auth_level) {
577 case PIPE_AUTH_LEVEL_NONE:
578 case PIPE_AUTH_LEVEL_CONNECT:
579 /* This is incorrect for auth level connect. Fixme. JRA */
580 return create_next_pdu_noauth(p);
581
582 default:
583 switch(p->auth.auth_type) {
584 case PIPE_AUTH_TYPE_NTLMSSP:
585 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
586 return create_next_pdu_ntlmssp(p);
587 case PIPE_AUTH_TYPE_SCHANNEL:
588 return create_next_pdu_schannel(p);
589 default:
590 break;
591 }
592 }
593
594 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
595 (unsigned int)p->auth.auth_level,
596 (unsigned int)p->auth.auth_type));
597 return False;
598 }
599
600 /*******************************************************************
601 Process an NTLMSSP authentication response.
602 If this function succeeds, the user has been authenticated
603 and their domain, name and calling workstation stored in
604 the pipe struct.
605 *******************************************************************/
606
607 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
608 {
609 DATA_BLOB reply;
610 NTSTATUS status;
611 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
621
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
626
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
632 }
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
644 }
645 }
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
652 }
653 }
654
655 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
656 "workstation: %s\n", a->ntlmssp_state->user,
657 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
658
659 /*
660 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
661 */
662
663 p->pipe_user.ut.uid = a->server_info->uid;
664 p->pipe_user.ut.gid = a->server_info->gid;
665
666 /*
667 * We're an authenticated bind over smbd, so the session key needs to
668 * be set to "SystemLibraryDTC". Weird, but this is what Windows
669 * does. See the RPC-SAMBA3SESSIONKEY.
670 */
671
672 data_blob_free(&p->session_key);
673 p->session_key = generic_session_key();
674 if (!p->session_key.data) {
675 return False;
676 }
677
678 p->pipe_user.ut.ngroups = a->server_info->n_groups;
679 if (p->pipe_user.ut.ngroups) {
680 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(a->server_info->groups,
681 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
682 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
683 return False;
684 }
685 }
686
687 if (a->server_info->ptok) {
688 p->pipe_user.nt_user_token =
689 dup_nt_token(NULL, a->server_info->ptok);
690 } else {
691 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
692 p->pipe_user.nt_user_token = NULL;
693 return False;
694 }
695
696 return True;
697 }
698
699 /*******************************************************************
700 The switch table for the pipe names and the functions to handle them.
701 *******************************************************************/
702
703 struct rpc_table {
704 struct {
705 const char *clnt;
706 const char *srv;
707 } pipe;
708 const struct api_struct *cmds;
709 int n_cmds;
710 };
711
712 static struct rpc_table *rpc_lookup;
713 static int rpc_lookup_size;
714
715 /*******************************************************************
716 This is the "stage3" NTLMSSP response after a bind request and reply.
717 *******************************************************************/
718
719 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
720 {
721 RPC_HDR_AUTH auth_info;
722 uint32 pad;
723 DATA_BLOB blob;
724
725 ZERO_STRUCT(blob);
726
727 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
728
729 if (p->hdr.auth_len == 0) {
730 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
731 goto err;
732 }
733
734 /* 4 bytes padding. */
735 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
736 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
737 goto err;
738 }
739
740 /*
741 * Decode the authentication verifier response.
742 */
743
744 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
745 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
746 goto err;
747 }
748
749 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
750 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
751 (unsigned int)auth_info.auth_type ));
752 return False;
753 }
754
755 blob = data_blob(NULL,p->hdr.auth_len);
756
757 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
758 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
759 (unsigned int)p->hdr.auth_len ));
760 goto err;
761 }
762
763 /*
764 * The following call actually checks the challenge/response data.
765 * for correctness against the given DOMAIN\user name.
766 */
767
768 if (!pipe_ntlmssp_verify_final(p, &blob)) {
769 goto err;
770 }
771
772 data_blob_free(&blob);
773
774 p->pipe_bound = True;
775
776 return True;
777
778 err:
779
780 data_blob_free(&blob);
781 free_pipe_ntlmssp_auth_data(&p->auth);
782 p->auth.a_u.auth_ntlmssp_state = NULL;
783
784 return False;
785 }
786
787 /*******************************************************************
788 Marshall a bind_nak pdu.
789 *******************************************************************/
790
791 static bool setup_bind_nak(pipes_struct *p)
792 {
793 prs_struct outgoing_rpc;
794 RPC_HDR nak_hdr;
795 uint16 zero = 0;
796
797 /* Free any memory in the current return data buffer. */
798 prs_mem_free(&p->out_data.rdata);
799
800 /*
801 * Marshall directly into the outgoing PDU space. We
802 * must do this as we need to set to the bind response
803 * header and are never sending more than one PDU here.
804 */
805
806 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
807 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
808
809 /*
810 * Initialize a bind_nak header.
811 */
812
813 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
814 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
815
816 /*
817 * Marshall the header into the outgoing PDU.
818 */
819
820 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
821 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
822 prs_mem_free(&outgoing_rpc);
823 return False;
824 }
825
826 /*
827 * Now add the reject reason.
828 */
829
830 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
831 prs_mem_free(&outgoing_rpc);
832 return False;
833 }
834
835 p->out_data.data_sent_length = 0;
836 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
837 p->out_data.current_pdu_sent = 0;
838
839 if (p->auth.auth_data_free_func) {
840 (*p->auth.auth_data_free_func)(&p->auth);
841 }
842 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
843 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
844 p->pipe_bound = False;
845
846 return True;
847 }
848
849 /*******************************************************************
850 Marshall a fault pdu.
851 *******************************************************************/
852
853 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
854 {
855 prs_struct outgoing_pdu;
856 RPC_HDR fault_hdr;
857 RPC_HDR_RESP hdr_resp;
858 RPC_HDR_FAULT fault_resp;
859
860 /* Free any memory in the current return data buffer. */
861 prs_mem_free(&p->out_data.rdata);
862
863 /*
864 * Marshall directly into the outgoing PDU space. We
865 * must do this as we need to set to the bind response
866 * header and are never sending more than one PDU here.
867 */
868
869 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
870 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
871
872 /*
873 * Initialize a fault header.
874 */
875
876 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
877 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
878
879 /*
880 * Initialize the HDR_RESP and FAULT parts of the PDU.
881 */
882
883 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
884
885 fault_resp.status = status;
886 fault_resp.reserved = 0;
887
888 /*
889 * Marshall the header into the outgoing PDU.
890 */
891
892 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
893 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
894 prs_mem_free(&outgoing_pdu);
895 return False;
896 }
897
898 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
899 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
900 prs_mem_free(&outgoing_pdu);
901 return False;
902 }
903
904 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
905 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
906 prs_mem_free(&outgoing_pdu);
907 return False;
908 }
909
910 p->out_data.data_sent_length = 0;
911 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
912 p->out_data.current_pdu_sent = 0;
913
914 prs_mem_free(&outgoing_pdu);
915 return True;
916 }
917
918 #if 0
919 /*******************************************************************
920 Marshall a cancel_ack pdu.
921 We should probably check the auth-verifier here.
922 *******************************************************************/
923
924 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
925 {
926 prs_struct outgoing_pdu;
927 RPC_HDR ack_reply_hdr;
928
929 /* Free any memory in the current return data buffer. */
930 prs_mem_free(&p->out_data.rdata);
931
932 /*
933 * Marshall directly into the outgoing PDU space. We
934 * must do this as we need to set to the bind response
935 * header and are never sending more than one PDU here.
936 */
937
938 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
939 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
940
941 /*
942 * Initialize a cancel_ack header.
943 */
944
945 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
946 p->hdr.call_id, RPC_HEADER_LEN, 0);
947
948 /*
949 * Marshall the header into the outgoing PDU.
950 */
951
952 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
953 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
954 prs_mem_free(&outgoing_pdu);
955 return False;
956 }
957
958 p->out_data.data_sent_length = 0;
959 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
960 p->out_data.current_pdu_sent = 0;
961
962 prs_mem_free(&outgoing_pdu);
963 return True;
964 }
965 #endif
966
967 /*******************************************************************
968 Ensure a bind request has the correct abstract & transfer interface.
969 Used to reject unknown binds from Win2k.
970 *******************************************************************/
971
972 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
973 RPC_IFACE* transfer, uint32 context_id)
974 {
975 char *pipe_name = p->name;
976 int i=0;
977 fstring pname;
978
979 fstrcpy(pname,"\\PIPE\\");
980 fstrcat(pname,pipe_name);
981
982 DEBUG(3,("check_bind_req for %s\n", pname));
983
984 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
985
986 for ( i=0; pipe_names[i].client_pipe; i++ ) {
987 DEBUGADD(10,("checking %s\n", pipe_names[i].client_pipe));
988 if ( strequal(pipe_names[i].client_pipe, pname)
989 && (abstract->if_version == pipe_names[i].abstr_syntax->if_version)
990 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax->uuid, sizeof(struct GUID)) == 0)
991 && (transfer->if_version == pipe_names[i].trans_syntax->if_version)
992 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax->uuid, sizeof(struct GUID)) == 0) ) {
993 struct api_struct *fns = NULL;
994 int n_fns = 0;
995 PIPE_RPC_FNS *context_fns;
996
997 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
998 DEBUG(0,("check_bind_req: malloc() failed!\n"));
999 return False;
1000 }
1001
1002 /* save the RPC function table associated with this bind */
1003
1004 get_pipe_fns(i, &fns, &n_fns);
1005
1006 context_fns->cmds = fns;
1007 context_fns->n_cmds = n_fns;
1008 context_fns->context_id = context_id;
1009
1010 /* add to the list of open contexts */
1011
1012 DLIST_ADD( p->contexts, context_fns );
1013
1014 break;
1015 }
1016 }
1017
1018 if(pipe_names[i].client_pipe == NULL) {
1019 return False;
1020 }
1021
1022 return True;
1023 }
1024
1025 /*******************************************************************
1026 Register commands to an RPC pipe
1027 *******************************************************************/
1028
1029 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1030 {
1031 struct rpc_table *rpc_entry;
1032
1033 if (!clnt || !srv || !cmds) {
1034 return NT_STATUS_INVALID_PARAMETER;
1035 }
1036
1037 if (version != SMB_RPC_INTERFACE_VERSION) {
1038 DEBUG(0,("Can't register rpc commands!\n"
1039 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1040 ", while this version of samba uses version %d!\n",
1041 version,SMB_RPC_INTERFACE_VERSION));
1042 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1043 }
1044
1045 /* TODO:
1046 *
1047 * we still need to make sure that don't register the same commands twice!!!
1048 *
1049 * --metze
1050 */
1051
1052 /* We use a temporary variable because this call can fail and
1053 rpc_lookup will still be valid afterwards. It could then succeed if
1054 called again later */
1055 rpc_lookup_size++;
1056 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1057 if (NULL == rpc_entry) {
1058 rpc_lookup_size--;
1059 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1060 return NT_STATUS_NO_MEMORY;
1061 } else {
1062 rpc_lookup = rpc_entry;
1063 }
1064
1065 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1066 ZERO_STRUCTP(rpc_entry);
1067 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1068 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1069 rpc_entry->cmds = cmds;
1070 rpc_entry->n_cmds = size;
1071
1072 return NT_STATUS_OK;
1073 }
1074
1075 /*******************************************************************
1076 Handle a SPNEGO krb5 bind auth.
1077 *******************************************************************/
1078
1079 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1080 DATA_BLOB *psecblob, prs_struct *pout_auth)
1081 {
1082 return False;
1083 }
1084
1085 /*******************************************************************
1086 Handle the first part of a SPNEGO bind auth.
1087 *******************************************************************/
1088
1089 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1090 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1091 {
1092 DATA_BLOB blob;
1093 DATA_BLOB secblob;
1094 DATA_BLOB response;
1095 DATA_BLOB chal;
1096 char *OIDs[ASN1_MAX_OIDS];
1097 int i;
1098 NTSTATUS status;
1099 bool got_kerberos_mechanism = false;
1100 AUTH_NTLMSSP_STATE *a = NULL;
1101 RPC_HDR_AUTH auth_info;
1102
1103 ZERO_STRUCT(secblob);
1104 ZERO_STRUCT(chal);
1105 ZERO_STRUCT(response);
1106
1107 /* Grab the SPNEGO blob. */
1108 blob = data_blob(NULL,p->hdr.auth_len);
1109
1110 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1111 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1112 (unsigned int)p->hdr.auth_len ));
1113 goto err;
1114 }
1115
1116 if (blob.data[0] != ASN1_APPLICATION(0)) {
1117 goto err;
1118 }
1119
1120 /* parse out the OIDs and the first sec blob */
1121 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1122 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1123 goto err;
1124 }
1125
1126 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1127 got_kerberos_mechanism = true;
1128 }
1129
1130 for (i=0;OIDs[i];i++) {
1131 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1132 SAFE_FREE(OIDs[i]);
1133 }
1134 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1135
1136 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1137 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1138 data_blob_free(&secblob);
1139 data_blob_free(&blob);
1140 return ret;
1141 }
1142
1143 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1144 /* Free any previous auth type. */
1145 free_pipe_ntlmssp_auth_data(&p->auth);
1146 }
1147
1148 if (!got_kerberos_mechanism) {
1149 /* Initialize the NTLM engine. */
1150 status = auth_ntlmssp_start(&a);
1151 if (!NT_STATUS_IS_OK(status)) {
1152 goto err;
1153 }
1154
1155 /*
1156 * Pass the first security blob of data to it.
1157 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1158 * which means we need another packet to complete the bind.
1159 */
1160
1161 status = auth_ntlmssp_update(a, secblob, &chal);
1162
1163 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1164 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1165 goto err;
1166 }
1167
1168 /* Generate the response blob we need for step 2 of the bind. */
1169 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1170 } else {
1171 /*
1172 * SPNEGO negotiate down to NTLMSSP. The subsequent
1173 * code to process follow-up packets is not complete
1174 * yet. JRA.
1175 */
1176 response = spnego_gen_auth_response(NULL,
1177 NT_STATUS_MORE_PROCESSING_REQUIRED,
1178 OID_NTLMSSP);
1179 }
1180
1181 /* Copy the blob into the pout_auth parse struct */
1182 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1183 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1184 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1185 goto err;
1186 }
1187
1188 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1189 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1190 goto err;
1191 }
1192
1193 p->auth.a_u.auth_ntlmssp_state = a;
1194 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1195 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1196
1197 data_blob_free(&blob);
1198 data_blob_free(&secblob);
1199 data_blob_free(&chal);
1200 data_blob_free(&response);
1201
1202 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1203 return True;
1204
1205 err:
1206
1207 data_blob_free(&blob);
1208 data_blob_free(&secblob);
1209 data_blob_free(&chal);
1210 data_blob_free(&response);
1211
1212 p->auth.a_u.auth_ntlmssp_state = NULL;
1213
1214 return False;
1215 }
1216
1217 /*******************************************************************
1218 Handle the second part of a SPNEGO bind auth.
1219 *******************************************************************/
1220
1221 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1222 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1223 {
1224 RPC_HDR_AUTH auth_info;
1225 DATA_BLOB spnego_blob;
1226 DATA_BLOB auth_blob;
1227 DATA_BLOB auth_reply;
1228 DATA_BLOB response;
1229 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1230
1231 ZERO_STRUCT(spnego_blob);
1232 ZERO_STRUCT(auth_blob);
1233 ZERO_STRUCT(auth_reply);
1234 ZERO_STRUCT(response);
1235
1236 /*
1237 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1238 * fail here as 'a' == NULL.
1239 */
1240 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1241 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1242 goto err;
1243 }
1244
1245 /* Grab the SPNEGO blob. */
1246 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1247
1248 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1249 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1250 (unsigned int)p->hdr.auth_len ));
1251 goto err;
1252 }
1253
1254 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1255 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1256 goto err;
1257 }
1258
1259 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1260 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1261 goto err;
1262 }
1263
1264 /*
1265 * The following call actually checks the challenge/response data.
1266 * for correctness against the given DOMAIN\user name.
1267 */
1268
1269 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1270 goto err;
1271 }
1272
1273 data_blob_free(&spnego_blob);
1274 data_blob_free(&auth_blob);
1275
1276 /* Generate the spnego "accept completed" blob - no incoming data. */
1277 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1278
1279 /* Copy the blob into the pout_auth parse struct */
1280 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1281 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1282 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1283 goto err;
1284 }
1285
1286 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1287 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1288 goto err;
1289 }
1290
1291 data_blob_free(&auth_reply);
1292 data_blob_free(&response);
1293
1294 p->pipe_bound = True;
1295
1296 return True;
1297
1298 err:
1299
1300 data_blob_free(&spnego_blob);
1301 data_blob_free(&auth_blob);
1302 data_blob_free(&auth_reply);
1303 data_blob_free(&response);
1304
1305 free_pipe_ntlmssp_auth_data(&p->auth);
1306 p->auth.a_u.auth_ntlmssp_state = NULL;
1307
1308 return False;
1309 }
1310
1311 /*******************************************************************
1312 Handle an schannel bind auth.
1313 *******************************************************************/
1314
1315 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1316 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1317 {
1318 RPC_HDR_AUTH auth_info;
1319 RPC_AUTH_SCHANNEL_NEG neg;
1320 RPC_AUTH_VERIFIER auth_verifier;
1321 bool ret;
1322 struct dcinfo *pdcinfo;
1323 uint32 flags;
1324
1325 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1326 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1327 return False;
1328 }
1329
1330 /*
1331 * The neg.myname key here must match the remote computer name
1332 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1333 * operations that use credentials.
1334 */
1335
1336 become_root();
1337 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1338 unbecome_root();
1339
1340 if (!ret) {
1341 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1342 return False;
1343 }
1344
1345 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1346 if (!p->auth.a_u.schannel_auth) {
1347 TALLOC_FREE(pdcinfo);
1348 return False;
1349 }
1350
1351 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1352 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1353 sizeof(pdcinfo->sess_key));
1354
1355 TALLOC_FREE(pdcinfo);
1356
1357 p->auth.a_u.schannel_auth->seq_num = 0;
1358
1359 /*
1360 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1361 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1362 * struct of the person who opened the pipe. I need to test this further. JRA.
1363 *
1364 * VL. As we are mapping this to guest set the generic key
1365 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1366 * W2k3, as it does not allow schannel binds against SAMR and LSA
1367 * anymore.
1368 */
1369
1370 data_blob_free(&p->session_key);
1371 p->session_key = generic_session_key();
1372 if (p->session_key.data == NULL) {
1373 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1374 " key\n"));
1375 return False;
1376 }
1377
1378 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1379 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1380 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1381 return False;
1382 }
1383
1384 /*** SCHANNEL verifier ***/
1385
1386 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1387 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1388 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1389 return False;
1390 }
1391
1392 prs_align(pout_auth);
1393
1394 flags = 5;
1395 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1396 return False;
1397 }
1398
1399 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1400 neg.domain, neg.myname));
1401
1402 /* We're finished with this bind - no more packets. */
1403 p->auth.auth_data_free_func = NULL;
1404 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1405
1406 p->pipe_bound = True;
1407
1408 return True;
1409 }
1410
1411 /*******************************************************************
1412 Handle an NTLMSSP bind auth.
1413 *******************************************************************/
1414
1415 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1416 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1417 {
1418 RPC_HDR_AUTH auth_info;
1419 DATA_BLOB blob;
1420 DATA_BLOB response;
1421 NTSTATUS status;
1422 AUTH_NTLMSSP_STATE *a = NULL;
1423
1424 ZERO_STRUCT(blob);
1425 ZERO_STRUCT(response);
1426
1427 /* Grab the NTLMSSP blob. */
1428 blob = data_blob(NULL,p->hdr.auth_len);
1429
1430 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1431 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1432 (unsigned int)p->hdr.auth_len ));
1433 goto err;
1434 }
1435
1436 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1437 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1438 goto err;
1439 }
1440
1441 /* We have an NTLMSSP blob. */
1442 status = auth_ntlmssp_start(&a);
1443 if (!NT_STATUS_IS_OK(status)) {
1444 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1445 nt_errstr(status) ));
1446 goto err;
1447 }
1448
1449 status = auth_ntlmssp_update(a, blob, &response);
1450 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1451 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1452 nt_errstr(status) ));
1453 goto err;
1454 }
1455
1456 data_blob_free(&blob);
1457
1458 /* Copy the blob into the pout_auth parse struct */
1459 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1460 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1461 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1462 goto err;
1463 }
1464
1465 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1466 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1467 goto err;
1468 }
1469
1470 p->auth.a_u.auth_ntlmssp_state = a;
1471 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1472 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1473
1474 data_blob_free(&blob);
1475 data_blob_free(&response);
1476
1477 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1478
1479 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1480 return True;
1481
1482 err:
1483
1484 data_blob_free(&blob);
1485 data_blob_free(&response);
1486
1487 free_pipe_ntlmssp_auth_data(&p->auth);
1488 p->auth.a_u.auth_ntlmssp_state = NULL;
1489 return False;
1490 }
1491
1492 /*******************************************************************
1493 Respond to a pipe bind request.
1494 *******************************************************************/
1495
1496 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1497 {
1498 RPC_HDR_BA hdr_ba;
1499 RPC_HDR_RB hdr_rb;
1500 RPC_HDR_AUTH auth_info;
1501 uint16 assoc_gid;
1502 fstring ack_pipe_name;
1503 prs_struct out_hdr_ba;
1504 prs_struct out_auth;
1505 prs_struct outgoing_rpc;
1506 int i = 0;
1507 int auth_len = 0;
1508 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1509
1510 /* No rebinds on a bound pipe - use alter context. */
1511 if (p->pipe_bound) {
1512 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1513 return setup_bind_nak(p);
1514 }
1515
1516 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1517
1518 /*
1519 * Marshall directly into the outgoing PDU space. We
1520 * must do this as we need to set to the bind response
1521 * header and are never sending more than one PDU here.
1522 */
1523
1524 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1525
1526 /*
1527 * Setup the memory to marshall the ba header, and the
1528 * auth footers.
1529 */
1530
1531 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1532 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1533 prs_mem_free(&outgoing_rpc);
1534 return False;
1535 }
1536
1537 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1538 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1539 prs_mem_free(&outgoing_rpc);
1540 prs_mem_free(&out_hdr_ba);
1541 return False;
1542 }
1543
1544 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1545
1546 /*
1547 * Try and find the correct pipe name to ensure
1548 * that this is a pipe name we support.
1549 */
1550
1551
1552 for (i = 0; i < rpc_lookup_size; i++) {
1553 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1554 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1555 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1556 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1557 break;
1558 }
1559 }
1560
1561 if (i == rpc_lookup_size) {
1562 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1563 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1564 p->name ));
1565 prs_mem_free(&outgoing_rpc);
1566 prs_mem_free(&out_hdr_ba);
1567 prs_mem_free(&out_auth);
1568
1569 return setup_bind_nak(p);
1570 }
1571
1572 for (i = 0; i < rpc_lookup_size; i++) {
1573 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1574 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1575 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1576 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1577 break;
1578 }
1579 }
1580
1581 if (i == rpc_lookup_size) {
1582 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1583 goto err_exit;
1584 }
1585 }
1586
1587 ZERO_STRUCT(hdr_rb);
1588
1589 /* decode the bind request */
1590 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1591 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1592 goto err_exit;
1593 }
1594
1595 /* name has to be \PIPE\xxxxx */
1596 fstrcpy(ack_pipe_name, "\\PIPE\\");
1597 fstrcat(ack_pipe_name, p->pipe_srv_name);
1598
1599 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1600
1601 /*
1602 * Check if this is an authenticated bind request.
1603 */
1604
1605 if (p->hdr.auth_len) {
1606 /*
1607 * Decode the authentication verifier.
1608 */
1609
1610 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1611 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1612 goto err_exit;
1613 }
1614
1615 auth_type = auth_info.auth_type;
1616
1617 /* Work out if we have to sign or seal etc. */
1618 switch (auth_info.auth_level) {
1619 case RPC_AUTH_LEVEL_INTEGRITY:
1620 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1621 break;
1622 case RPC_AUTH_LEVEL_PRIVACY:
1623 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1624 break;
1625 default:
1626 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1627 (unsigned int)auth_info.auth_level ));
1628 goto err_exit;
1629 }
1630 } else {
1631 ZERO_STRUCT(auth_info);
1632 }
1633
1634 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1635
1636 switch(auth_type) {
1637 case RPC_NTLMSSP_AUTH_TYPE:
1638 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1639 goto err_exit;
1640 }
1641 assoc_gid = 0x7a77;
1642 break;
1643
1644 case RPC_SCHANNEL_AUTH_TYPE:
1645 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1646 goto err_exit;
1647 }
1648 break;
1649
1650 case RPC_SPNEGO_AUTH_TYPE:
1651 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1652 goto err_exit;
1653 }
1654 break;
1655
1656 case RPC_ANONYMOUS_AUTH_TYPE:
1657 /* Unauthenticated bind request. */
1658 /* Get the authenticated pipe user from current_user */
1659 if (!copy_current_user(&p->pipe_user, &current_user)) {
1660 DEBUG(10, ("Could not copy current user\n"));
1661 goto err_exit;
1662 }
1663 /* We're finished - no more packets. */
1664 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1665 /* We must set the pipe auth_level here also. */
1666 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1667 p->pipe_bound = True;
1668 /* The session key was initialized from the SMB
1669 * session in make_internal_rpc_pipe_p */
1670 break;
1671
1672 default:
1673 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1674 goto err_exit;
1675 }
1676
1677 /*
1678 * Create the bind response struct.
1679 */
1680
1681 /* If the requested abstract synt uuid doesn't match our client pipe,
1682 reject the bind_ack & set the transfer interface synt to all 0's,
1683 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1684 unknown to NT4)
1685 Needed when adding entries to a DACL from NT5 - SK */
1686
1687 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1688 hdr_rb.rpc_context[0].context_id )) {
1689 init_rpc_hdr_ba(&hdr_ba,
1690 RPC_MAX_PDU_FRAG_LEN,
1691 RPC_MAX_PDU_FRAG_LEN,
1692 assoc_gid,
1693 ack_pipe_name,
1694 0x1, 0x0, 0x0,
1695 &hdr_rb.rpc_context[0].transfer[0]);
1696 } else {
1697 RPC_IFACE null_interface;
1698 ZERO_STRUCT(null_interface);
1699 /* Rejection reason: abstract syntax not supported */
1700 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1701 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1702 ack_pipe_name, 0x1, 0x2, 0x1,
1703 &null_interface);
1704 p->pipe_bound = False;
1705 }
1706
1707 /*
1708 * and marshall it.
1709 */
1710
1711 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1712 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1713 goto err_exit;
1714 }
1715
1716 /*
1717 * Create the header, now we know the length.
1718 */
1719
1720 if (prs_offset(&out_auth)) {
1721 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1722 }
1723
1724 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1725 p->hdr.call_id,
1726 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1727 auth_len);
1728
1729 /*
1730 * Marshall the header into the outgoing PDU.
1731 */
1732
1733 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1734 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1735 goto err_exit;
1736 }
1737
1738 /*
1739 * Now add the RPC_HDR_BA and any auth needed.
1740 */
1741
1742 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1743 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1744 goto err_exit;
1745 }
1746
1747 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1748 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1749 goto err_exit;
1750 }
1751
1752 /*
1753 * Setup the lengths for the initial reply.
1754 */
1755
1756 p->out_data.data_sent_length = 0;
1757 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1758 p->out_data.current_pdu_sent = 0;
1759
1760 prs_mem_free(&out_hdr_ba);
1761 prs_mem_free(&out_auth);
1762
1763 return True;
1764
1765 err_exit:
1766
1767 prs_mem_free(&outgoing_rpc);
1768 prs_mem_free(&out_hdr_ba);
1769 prs_mem_free(&out_auth);
1770 return setup_bind_nak(p);
1771 }
1772
1773 /****************************************************************************
1774 Deal with an alter context call. Can be third part of 3 leg auth request for
1775 SPNEGO calls.
1776 ****************************************************************************/
1777
1778 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1779 {
1780 RPC_HDR_BA hdr_ba;
1781 RPC_HDR_RB hdr_rb;
1782 RPC_HDR_AUTH auth_info;
1783 uint16 assoc_gid;
1784 fstring ack_pipe_name;
1785 prs_struct out_hdr_ba;
1786 prs_struct out_auth;
1787 prs_struct outgoing_rpc;
1788 int auth_len = 0;
1789
1790 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1791
1792 /*
1793 * Marshall directly into the outgoing PDU space. We
1794 * must do this as we need to set to the bind response
1795 * header and are never sending more than one PDU here.
1796 */
1797
1798 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1799
1800 /*
1801 * Setup the memory to marshall the ba header, and the
1802 * auth footers.
1803 */
1804
1805 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1806 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1807 prs_mem_free(&outgoing_rpc);
1808 return False;
1809 }
1810
1811 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1812 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1813 prs_mem_free(&outgoing_rpc);
1814 prs_mem_free(&out_hdr_ba);
1815 return False;
1816 }
1817
1818 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1819
1820 /* decode the alter context request */
1821 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1822 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1823 goto err_exit;
1824 }
1825
1826 /* secondary address CAN be NULL
1827 * as the specs say it's ignored.
1828 * It MUST be NULL to have the spoolss working.
1829 */
1830 fstrcpy(ack_pipe_name,"");
1831
1832 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1833
1834 /*
1835 * Check if this is an authenticated alter context request.
1836 */
1837
1838 if (p->hdr.auth_len != 0) {
1839 /*
1840 * Decode the authentication verifier.
1841 */
1842
1843 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1844 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1845 goto err_exit;
1846 }
1847
1848 /*
1849 * Currently only the SPNEGO auth type uses the alter ctx
1850 * response in place of the NTLMSSP auth3 type.
1851 */
1852
1853 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1854 /* We can only finish if the pipe is unbound. */
1855 if (!p->pipe_bound) {
1856 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1857 goto err_exit;
1858 }
1859 } else {
1860 goto err_exit;
1861 }
1862 }
1863 } else {
1864 ZERO_STRUCT(auth_info);
1865 }
1866
1867 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1868
1869 /*
1870 * Create the bind response struct.
1871 */
1872
1873 /* If the requested abstract synt uuid doesn't match our client pipe,
1874 reject the bind_ack & set the transfer interface synt to all 0's,
1875 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1876 unknown to NT4)
1877 Needed when adding entries to a DACL from NT5 - SK */
1878
1879 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1880 hdr_rb.rpc_context[0].context_id )) {
1881 init_rpc_hdr_ba(&hdr_ba,
1882 RPC_MAX_PDU_FRAG_LEN,
1883 RPC_MAX_PDU_FRAG_LEN,
1884 assoc_gid,
1885 ack_pipe_name,
1886 0x1, 0x0, 0x0,
1887 &hdr_rb.rpc_context[0].transfer[0]);
1888 } else {
1889 RPC_IFACE null_interface;
1890 ZERO_STRUCT(null_interface);
1891 /* Rejection reason: abstract syntax not supported */
1892 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1893 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1894 ack_pipe_name, 0x1, 0x2, 0x1,
1895 &null_interface);
1896 p->pipe_bound = False;
1897 }
1898
1899 /*
1900 * and marshall it.
1901 */
1902
1903 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1904 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1905 goto err_exit;
1906 }
1907
1908 /*
1909 * Create the header, now we know the length.
1910 */
1911
1912 if (prs_offset(&out_auth)) {
1913 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1914 }
1915
1916 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1917 p->hdr.call_id,
1918 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1919 auth_len);
1920
1921 /*
1922 * Marshall the header into the outgoing PDU.
1923 */
1924
1925 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1926 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1927 goto err_exit;
1928 }
1929
1930 /*
1931 * Now add the RPC_HDR_BA and any auth needed.
1932 */
1933
1934 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1935 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1936 goto err_exit;
1937 }
1938
1939 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1940 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1941 goto err_exit;
1942 }
1943
1944 /*
1945 * Setup the lengths for the initial reply.
1946 */
1947
1948 p->out_data.data_sent_length = 0;
1949 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1950 p->out_data.current_pdu_sent = 0;
1951
1952 prs_mem_free(&out_hdr_ba);
1953 prs_mem_free(&out_auth);
1954
1955 return True;
1956
1957 err_exit:
1958
1959 prs_mem_free(&outgoing_rpc);
1960 prs_mem_free(&out_hdr_ba);
1961 prs_mem_free(&out_auth);
1962 return setup_bind_nak(p);
1963 }
1964
1965 /****************************************************************************
1966 Deal with NTLMSSP sign & seal processing on an RPC request.
1967 ****************************************************************************/
1968
1969 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1970 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1971 {
1972 RPC_HDR_AUTH auth_info;
1973 uint32 auth_len = p->hdr.auth_len;
1974 uint32 save_offset = prs_offset(rpc_in);
1975 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1976 unsigned char *data = NULL;
1977 size_t data_len;
1978 unsigned char *full_packet_data = NULL;
1979 size_t full_packet_data_len;
1980 DATA_BLOB auth_blob;
1981
1982 *pstatus = NT_STATUS_OK;
1983
1984 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1985 return True;
1986 }
1987
1988 if (!a) {
1989 *pstatus = NT_STATUS_INVALID_PARAMETER;
1990 return False;
1991 }
1992
1993 /* Ensure there's enough data for an authenticated request. */
1994 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1995 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1996 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1997 (unsigned int)auth_len ));
1998 *pstatus = NT_STATUS_INVALID_PARAMETER;
1999 return False;
2000 }
2001
2002 /*
2003 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2004 * after the RPC header.
2005 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2006 * functions as NTLMv2 checks the rpc headers also.
2007 */
2008
2009 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2010 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2011
2012 full_packet_data = p->in_data.current_in_pdu;
2013 full_packet_data_len = p->hdr.frag_len - auth_len;
2014
2015 /* Pull the auth header and the following data into a blob. */
2016 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2017 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2018 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2019 *pstatus = NT_STATUS_INVALID_PARAMETER;
2020 return False;
2021 }
2022
2023 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2024 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2025 *pstatus = NT_STATUS_INVALID_PARAMETER;
2026 return False;
2027 }
2028
2029 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2030 auth_blob.length = auth_len;
2031
2032 switch (p->auth.auth_level) {
2033 case PIPE_AUTH_LEVEL_PRIVACY:
2034 /* Data is encrypted. */
2035 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2036 data, data_len,
2037 full_packet_data,
2038 full_packet_data_len,
2039 &auth_blob);
2040 if (!NT_STATUS_IS_OK(*pstatus)) {
2041 return False;
2042 }
2043 break;
2044 case PIPE_AUTH_LEVEL_INTEGRITY:
2045 /* Data is signed. */
2046 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2047 data, data_len,
2048 full_packet_data,
2049 full_packet_data_len,
2050 &auth_blob);
2051 if (!NT_STATUS_IS_OK(*pstatus)) {
2052 return False;
2053 }
2054 break;
2055 default:
2056 *pstatus = NT_STATUS_INVALID_PARAMETER;
2057 return False;
2058 }
2059
2060 /*
2061 * Return the current pointer to the data offset.
2062 */
2063
2064 if(!prs_set_offset(rpc_in, save_offset)) {
2065 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2066 (unsigned int)save_offset ));
2067 *pstatus = NT_STATUS_INVALID_PARAMETER;
2068 return False;
2069 }
2070
2071 /*
2072 * Remember the padding length. We must remove it from the real data
2073 * stream once the sign/seal is done.
2074 */
2075
2076 *p_ss_padding_len = auth_info.auth_pad_len;
2077
2078 return True;
2079 }
2080
2081 /****************************************************************************
2082 Deal with schannel processing on an RPC request.
2083 ****************************************************************************/
2084
2085 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2086 {
2087 uint32 data_len;
2088 uint32 auth_len;
2089 uint32 save_offset = prs_offset(rpc_in);
2090 RPC_HDR_AUTH auth_info;
2091 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2092
2093 auth_len = p->hdr.auth_len;
2094
2095 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2096 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2097 return False;
2098 }
2099
2100 /*
2101 * The following is that length of the data we must verify or unseal.
2102 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2103 * preceeding the auth_data.
2104 */
2105
2106 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2107 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2108 (unsigned int)p->hdr.frag_len,
2109 (unsigned int)auth_len ));
2110 return False;
2111 }
2112
2113 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2114 RPC_HDR_AUTH_LEN - auth_len;
2115
2116 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2117
2118 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2119 DEBUG(0,("cannot move offset to %u.\n",
2120 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2121 return False;
2122 }
2123
2124 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2125 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2126 return False;
2127 }
2128
2129 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2130 DEBUG(0,("Invalid auth info %d on schannel\n",
2131 auth_info.auth_type));
2132 return False;
2133 }
2134
2135 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2136 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2137 return False;
2138 }
2139
2140 if (!schannel_decode(p->auth.a_u.schannel_auth,
2141 p->auth.auth_level,
2142 SENDER_IS_INITIATOR,
2143 &schannel_chk,
2144 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2145 DEBUG(3,("failed to decode PDU\n"));
2146 return False;
2147 }
2148
2149 /*
2150 * Return the current pointer to the data offset.
2151 */
2152
2153 if(!prs_set_offset(rpc_in, save_offset)) {
2154 DEBUG(0,("failed to set offset back to %u\n",
2155 (unsigned int)save_offset ));
2156 return False;
2157 }
2158
2159 /* The sequence number gets incremented on both send and receive. */
2160 p->auth.a_u.schannel_auth->seq_num++;
2161
2162 /*
2163 * Remember the padding length. We must remove it from the real data
2164 * stream once the sign/seal is done.
2165 */
2166
2167 *p_ss_padding_len = auth_info.auth_pad_len;
2168
2169 return True;
2170 }
2171
2172 /****************************************************************************
2173 Return a user struct for a pipe user.
2174 ****************************************************************************/
2175
2176 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2177 {
2178 if (p->pipe_bound &&
2179 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2180 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2181 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2182 } else {
2183 memcpy(user, &current_user, sizeof(struct current_user));
2184 }
2185
2186 return user;
2187 }
2188
2189 /****************************************************************************
2190 Find the set of RPC functions associated with this context_id
2191 ****************************************************************************/
2192
2193 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2194 {
2195 PIPE_RPC_FNS *fns = NULL;
2196 PIPE_RPC_FNS *tmp = NULL;
2197
2198 if ( !list ) {
2199 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2200 return NULL;
2201 }
2202
2203 for (tmp=list; tmp; tmp=tmp->next ) {
2204 if ( tmp->context_id == context_id )
2205 break;
2206 }
2207
2208 fns = tmp;
2209
2210 return fns;
2211 }
2212
2213 /****************************************************************************
2214 Memory cleanup.
2215 ****************************************************************************/
2216
2217 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2218 {
2219 PIPE_RPC_FNS *tmp = list;
2220 PIPE_RPC_FNS *tmp2;
2221
2222 while (tmp) {
2223 tmp2 = tmp->next;
2224 SAFE_FREE(tmp);
2225 tmp = tmp2;
2226 }
2227
2228 return;
2229 }
2230
2231 /****************************************************************************
2232 Find the correct RPC function to call for this request.
2233 If the pipe is authenticated then become the correct UNIX user
2234 before doing the call.
2235 ****************************************************************************/
2236
2237 bool api_pipe_request(pipes_struct *p)
2238 {
2239 bool ret = False;
2240 bool changed_user = False;
2241 PIPE_RPC_FNS *pipe_fns;
2242
2243 if (p->pipe_bound &&
2244 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2245 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2246 if(!become_authenticated_pipe_user(p)) {
2247 prs_mem_free(&p->out_data.rdata);
2248 return False;
2249 }
2250 changed_user = True;
2251 }
2252
2253 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2254
2255 /* get the set of RPC functions for this context */
2256
2257 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2258
2259 if ( pipe_fns ) {
2260 TALLOC_CTX *frame = talloc_stackframe();
2261 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2262 TALLOC_FREE(frame);
2263 }
2264 else {
2265 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2266 p->hdr_req.context_id, p->name));
2267 }
2268
2269 if (changed_user) {
2270 unbecome_authenticated_pipe_user();
2271 }
2272
2273 return ret;
2274 }
2275
2276 /*******************************************************************
2277 Calls the underlying RPC function for a named pipe.
2278 ********************************************************************/
2279
2280 bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2281 const struct api_struct *api_rpc_cmds, int n_cmds)
2282 {
2283 int fn_num;
2284 fstring name;
2285 uint32 offset1, offset2;
2286
2287 /* interpret the command */
2288 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2289
2290 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2291 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2292
2293 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2294 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2295 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2296 break;
2297 }
2298 }
2299
2300 if (fn_num == n_cmds) {
2301 /*
2302 * For an unknown RPC just return a fault PDU but
2303 * return True to allow RPC's on the pipe to continue
2304 * and not put the pipe into fault state. JRA.
2305 */
2306 DEBUG(4, ("unknown\n"));
2307 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2308 return True;
2309 }
2310
2311 offset1 = prs_offset(&p->out_data.rdata);
2312
2313 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2314 fn_num, api_rpc_cmds[fn_num].fn));
2315 /* do the actual command */
2316 if(!api_rpc_cmds[fn_num].fn(p)) {
2317 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2318 prs_mem_free(&p->out_data.rdata);
2319 return False;
2320 }
2321
2322 if (p->bad_handle_fault_state) {
2323 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2324 p->bad_handle_fault_state = False;
2325 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2326 return True;
2327 }
2328
2329 if (p->rng_fault_state) {
2330 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2331 p->rng_fault_state = False;
2332 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2333 return True;
2334 }
2335
2336 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2337 offset2 = prs_offset(&p->out_data.rdata);
2338 prs_set_offset(&p->out_data.rdata, offset1);
2339 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2340 prs_set_offset(&p->out_data.rdata, offset2);
2341
2342 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2343
2344 /* Check for buffer underflow in rpc parsing */
2345
2346 if ((DEBUGLEVEL >= 10) &&
2347 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2348 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2349 char *data = (char *)SMB_MALLOC(data_len);
2350
2351 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2352 if (data) {
2353 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2354 SAFE_FREE(data);
2355 }
2356
2357 }
2358
2359 return True;
2360 }
2361
2362 /*******************************************************************
2363 *******************************************************************/
2364
2365 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2366 {
2367 struct api_struct *cmds = NULL;
2368 int n_cmds = 0;
2369
2370 switch ( idx ) {
2371 case PI_LSARPC:
2372 lsarpc_get_pipe_fns( &cmds, &n_cmds );
2373 break;
2374 case PI_DSSETUP:
2375 dssetup_get_pipe_fns( &cmds, &n_cmds );
2376 break;
2377 case PI_SAMR:
2378 samr_get_pipe_fns( &cmds, &n_cmds );
2379 break;
2380 case PI_NETLOGON:
2381 netlogon_get_pipe_fns( &cmds, &n_cmds );
2382 break;
2383 case PI_SRVSVC:
2384 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2385 break;
2386 case PI_WKSSVC:
2387 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2388 break;
2389 case PI_WINREG:
2390 winreg_get_pipe_fns( &cmds, &n_cmds );
2391 break;
2392 case PI_SPOOLSS:
2393 spoolss_get_pipe_fns( &cmds, &n_cmds );
2394 break;
2395 case PI_NETDFS:
2396 netdfs_get_pipe_fns( &cmds, &n_cmds );
2397 break;
2398 case PI_SVCCTL:
2399 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2400 break;
2401 case PI_EVENTLOG:
2402 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2403 break;
2404 case PI_NTSVCS:
2405 ntsvcs2_get_pipe_fns( &cmds, &n_cmds );
2406 break;
2407 #ifdef DEVELOPER
2408 case PI_RPCECHO:
2409 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2410 break;
2411 #endif
2412 default:
2413 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2414 }
2415
2416 *fns = cmds;
2417 *n_fns = n_cmds;
2418
2419 return;
2420 }
Samba GIT mirror