search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-schannel: fix api_pipe_schannel_process(), was using incorrect buffer length.
[Samba/aatanasov.git] / source3 / rpc_server / srv_pipe.c
blobce7df63972abafc6e14c2163303a756b0447b512
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43 if (a) {
44 auth_ntlmssp_end(&a);
45 }
46 auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 static DATA_BLOB generic_session_key(void)
50 {
51 return data_blob("SystemLibraryDTC", 16);
52 }
53
54 /*******************************************************************
55 Generate the next PDU to be returned from the data in p->rdata.
56 Handle NTLMSSP.
57 ********************************************************************/
58
59 static bool create_next_pdu_ntlmssp(pipes_struct *p)
60 {
61 RPC_HDR_RESP hdr_resp;
62 uint32 ss_padding_len = 0;
63 uint32 data_space_available;
64 uint32 data_len_left;
65 uint32 data_len;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72 /*
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
75 */
76
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
80 }
81
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = RPC_RESPONSE;
86
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = RPC_FLG_FIRST;
90 } else {
91 p->hdr.flags = 0;
92 }
93
94 /*
95 * Work out how much we can fit in a single PDU.
96 */
97
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100 /*
101 * Ensure there really is data left to send.
102 */
103
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
107 }
108
109 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
110 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112 /*
113 * The amount we send is the minimum of the available
114 * space and the amount left to send.
115 */
116
117 data_len = MIN(data_len_left, data_space_available);
118
119 /*
120 * Set up the alloc hint. This should be the data left to
121 * send.
122 */
123
124 hdr_resp.alloc_hint = data_len_left;
125
126 /*
127 * Work out if this PDU will be the last.
128 */
129
130 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131 p->hdr.flags |= RPC_FLG_LAST;
132 if (data_len_left % 8) {
133 ss_padding_len = 8 - (data_len_left % 8);
134 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135 ss_padding_len ));
136 }
137 }
138
139 /*
140 * Set up the header lengths.
141 */
142
143 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144 data_len + ss_padding_len +
145 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149 /*
150 * Init the parse struct to point at the outgoing
151 * data.
152 */
153
154 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&p->out_data.frag);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&p->out_data.frag);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
172 p->out_data.data_sent_length, data_len)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174 prs_mem_free(&p->out_data.frag);
175 return False;
176 }
177
178 /* Copy the sign/seal padding data. */
179 if (ss_padding_len) {
180 char pad[8];
181
182 memset(pad, '\0', 8);
183 if (!prs_copy_data_in(&p->out_data.frag, pad,
184 ss_padding_len)) {
185 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
186 (unsigned int)ss_padding_len));
187 prs_mem_free(&p->out_data.frag);
188 return False;
189 }
190 }
191
192
193 /* Now write out the auth header and null blob. */
194 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
195 auth_type = RPC_NTLMSSP_AUTH_TYPE;
196 } else {
197 auth_type = RPC_SPNEGO_AUTH_TYPE;
198 }
199 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
200 auth_level = RPC_AUTH_LEVEL_PRIVACY;
201 } else {
202 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
203 }
204
205 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
206 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
207 0)) {
208 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
209 prs_mem_free(&p->out_data.frag);
210 return False;
211 }
212
213 /* Generate the sign blob. */
214
215 switch (p->auth.auth_level) {
216 case PIPE_AUTH_LEVEL_PRIVACY:
217 /* Data portion is encrypted. */
218 status = ntlmssp_seal_packet(
219 a->ntlmssp_state,
220 (uint8_t *)prs_data_p(&p->out_data.frag)
221 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
222 data_len + ss_padding_len,
223 (unsigned char *)prs_data_p(&p->out_data.frag),
224 (size_t)prs_offset(&p->out_data.frag),
225 &auth_blob);
226 if (!NT_STATUS_IS_OK(status)) {
227 data_blob_free(&auth_blob);
228 prs_mem_free(&p->out_data.frag);
229 return False;
230 }
231 break;
232 case PIPE_AUTH_LEVEL_INTEGRITY:
233 /* Data is signed. */
234 status = ntlmssp_sign_packet(
235 a->ntlmssp_state,
236 (unsigned char *)prs_data_p(&p->out_data.frag)
237 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
238 data_len + ss_padding_len,
239 (unsigned char *)prs_data_p(&p->out_data.frag),
240 (size_t)prs_offset(&p->out_data.frag),
241 &auth_blob);
242 if (!NT_STATUS_IS_OK(status)) {
243 data_blob_free(&auth_blob);
244 prs_mem_free(&p->out_data.frag);
245 return False;
246 }
247 break;
248 default:
249 prs_mem_free(&p->out_data.frag);
250 return False;
251 }
252
253 /* Append the auth blob. */
254 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
255 NTLMSSP_SIG_SIZE)) {
256 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
257 (unsigned int)NTLMSSP_SIG_SIZE));
258 data_blob_free(&auth_blob);
259 prs_mem_free(&p->out_data.frag);
260 return False;
261 }
262
263 data_blob_free(&auth_blob);
264
265 /*
266 * Setup the counts for this PDU.
267 */
268
269 p->out_data.data_sent_length += data_len;
270 p->out_data.current_pdu_sent = 0;
271
272 return True;
273 }
274
275 /*******************************************************************
276 Generate the next PDU to be returned from the data in p->rdata.
277 Return an schannel authenticated fragment.
278 ********************************************************************/
279
280 static bool create_next_pdu_schannel(pipes_struct *p)
281 {
282 RPC_HDR_RESP hdr_resp;
283 uint32 ss_padding_len = 0;
284 uint32 data_len;
285 uint32 data_space_available;
286 uint32 data_len_left;
287 uint32 data_pos;
288
289 /*
290 * If we're in the fault state, keep returning fault PDU's until
291 * the pipe gets closed. JRA.
292 */
293
294 if(p->fault_state) {
295 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
296 return True;
297 }
298
299 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
300
301 /* Change the incoming request header to a response. */
302 p->hdr.pkt_type = RPC_RESPONSE;
303
304 /* Set up rpc header flags. */
305 if (p->out_data.data_sent_length == 0) {
306 p->hdr.flags = RPC_FLG_FIRST;
307 } else {
308 p->hdr.flags = 0;
309 }
310
311 /*
312 * Work out how much we can fit in a single PDU.
313 */
314
315 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
316
317 /*
318 * Ensure there really is data left to send.
319 */
320
321 if(!data_len_left) {
322 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
323 return False;
324 }
325
326 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
327 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
328 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
329
330 /*
331 * The amount we send is the minimum of the available
332 * space and the amount left to send.
333 */
334
335 data_len = MIN(data_len_left, data_space_available);
336
337 /*
338 * Set up the alloc hint. This should be the data left to
339 * send.
340 */
341
342 hdr_resp.alloc_hint = data_len_left;
343
344 /*
345 * Work out if this PDU will be the last.
346 */
347
348 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
349 p->hdr.flags |= RPC_FLG_LAST;
350 if (data_len_left % 8) {
351 ss_padding_len = 8 - (data_len_left % 8);
352 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
353 ss_padding_len ));
354 }
355 }
356
357 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
358 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
359 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
360
361 /*
362 * Init the parse struct to point at the outgoing
363 * data.
364 */
365
366 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
367
368 /* Store the header in the data stream. */
369 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
370 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
371 prs_mem_free(&p->out_data.frag);
372 return False;
373 }
374
375 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
376 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
377 prs_mem_free(&p->out_data.frag);
378 return False;
379 }
380
381 /* Store the current offset. */
382 data_pos = prs_offset(&p->out_data.frag);
383
384 /* Copy the data into the PDU. */
385
386 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
387 p->out_data.data_sent_length, data_len)) {
388 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
389 prs_mem_free(&p->out_data.frag);
390 return False;
391 }
392
393 /* Copy the sign/seal padding data. */
394 if (ss_padding_len) {
395 char pad[8];
396 memset(pad, '\0', 8);
397 if (!prs_copy_data_in(&p->out_data.frag, pad,
398 ss_padding_len)) {
399 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
400 prs_mem_free(&p->out_data.frag);
401 return False;
402 }
403 }
404
405 {
406 /*
407 * Schannel processing.
408 */
409 RPC_HDR_AUTH auth_info;
410 struct NL_AUTH_SIGNATURE verf;
411 DATA_BLOB blob;
412 enum ndr_err_code ndr_err;
413
414 /* Check it's the type of reply we were expecting to decode */
415
416 init_rpc_hdr_auth(&auth_info,
417 RPC_SCHANNEL_AUTH_TYPE,
418 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
419 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
420 ss_padding_len, 1);
421
422 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
423 &p->out_data.frag, 0)) {
424 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
425 prs_mem_free(&p->out_data.frag);
426 return False;
427 }
428
429 schannel_encode(p->auth.a_u.schannel_auth,
430 p->auth.auth_level, SENDER_IS_ACCEPTOR, &verf,
431 prs_data_p(&p->out_data.frag) + data_pos,
432 data_len + ss_padding_len);
433
434 /* Finally marshall the blob. */
435
436 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &verf,
437 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_SIGNATURE);
438 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
439 prs_mem_free(&p->out_data.frag);
440 return false;
441 }
442
443 if (DEBUGLEVEL >= 10) {
444 NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &verf);
445 }
446
447 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
448 prs_mem_free(&p->out_data.frag);
449 return false;
450 }
451
452 p->auth.a_u.schannel_auth->seq_num++;
453 }
454
455 /*
456 * Setup the counts for this PDU.
457 */
458
459 p->out_data.data_sent_length += data_len;
460 p->out_data.current_pdu_sent = 0;
461
462 return True;
463 }
464
465 /*******************************************************************
466 Generate the next PDU to be returned from the data in p->rdata.
467 No authentication done.
468 ********************************************************************/
469
470 static bool create_next_pdu_noauth(pipes_struct *p)
471 {
472 RPC_HDR_RESP hdr_resp;
473 uint32 data_len;
474 uint32 data_space_available;
475 uint32 data_len_left;
476
477 /*
478 * If we're in the fault state, keep returning fault PDU's until
479 * the pipe gets closed. JRA.
480 */
481
482 if(p->fault_state) {
483 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
484 return True;
485 }
486
487 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
488
489 /* Change the incoming request header to a response. */
490 p->hdr.pkt_type = RPC_RESPONSE;
491
492 /* Set up rpc header flags. */
493 if (p->out_data.data_sent_length == 0) {
494 p->hdr.flags = RPC_FLG_FIRST;
495 } else {
496 p->hdr.flags = 0;
497 }
498
499 /*
500 * Work out how much we can fit in a single PDU.
501 */
502
503 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
504
505 /*
506 * Ensure there really is data left to send.
507 */
508
509 if(!data_len_left) {
510 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
511 return False;
512 }
513
514 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
515 - RPC_HDR_RESP_LEN;
516
517 /*
518 * The amount we send is the minimum of the available
519 * space and the amount left to send.
520 */
521
522 data_len = MIN(data_len_left, data_space_available);
523
524 /*
525 * Set up the alloc hint. This should be the data left to
526 * send.
527 */
528
529 hdr_resp.alloc_hint = data_len_left;
530
531 /*
532 * Work out if this PDU will be the last.
533 */
534
535 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
536 p->hdr.flags |= RPC_FLG_LAST;
537 }
538
539 /*
540 * Set up the header lengths.
541 */
542
543 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
544 p->hdr.auth_len = 0;
545
546 /*
547 * Init the parse struct to point at the outgoing
548 * data.
549 */
550
551 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
552
553 /* Store the header in the data stream. */
554 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
555 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
556 prs_mem_free(&p->out_data.frag);
557 return False;
558 }
559
560 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
561 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
562 prs_mem_free(&p->out_data.frag);
563 return False;
564 }
565
566 /* Copy the data into the PDU. */
567
568 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
569 p->out_data.data_sent_length, data_len)) {
570 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
571 prs_mem_free(&p->out_data.frag);
572 return False;
573 }
574
575 /*
576 * Setup the counts for this PDU.
577 */
578
579 p->out_data.data_sent_length += data_len;
580 p->out_data.current_pdu_sent = 0;
581
582 return True;
583 }
584
585 /*******************************************************************
586 Generate the next PDU to be returned from the data in p->rdata.
587 ********************************************************************/
588
589 bool create_next_pdu(pipes_struct *p)
590 {
591 switch(p->auth.auth_level) {
592 case PIPE_AUTH_LEVEL_NONE:
593 case PIPE_AUTH_LEVEL_CONNECT:
594 /* This is incorrect for auth level connect. Fixme. JRA */
595 return create_next_pdu_noauth(p);
596
597 default:
598 switch(p->auth.auth_type) {
599 case PIPE_AUTH_TYPE_NTLMSSP:
600 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
601 return create_next_pdu_ntlmssp(p);
602 case PIPE_AUTH_TYPE_SCHANNEL:
603 return create_next_pdu_schannel(p);
604 default:
605 break;
606 }
607 }
608
609 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
610 (unsigned int)p->auth.auth_level,
611 (unsigned int)p->auth.auth_type));
612 return False;
613 }
614
615 /*******************************************************************
616 Process an NTLMSSP authentication response.
617 If this function succeeds, the user has been authenticated
618 and their domain, name and calling workstation stored in
619 the pipe struct.
620 *******************************************************************/
621
622 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
623 {
624 DATA_BLOB session_key, reply;
625 NTSTATUS status;
626 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
627 bool ret;
628
629 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
630 get_pipe_name_from_iface(&p->syntax)));
631
632 ZERO_STRUCT(reply);
633
634 /* this has to be done as root in order to verify the password */
635 become_root();
636 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
637 unbecome_root();
638
639 /* Don't generate a reply. */
640 data_blob_free(&reply);
641
642 if (!NT_STATUS_IS_OK(status)) {
643 return False;
644 }
645
646 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
647 ensure the underlying NTLMSSP flags are also set. If not we should
648 refuse the bind. */
649
650 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
651 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
652 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
653 "but client declined signing.\n",
654 get_pipe_name_from_iface(&p->syntax)));
655 return False;
656 }
657 }
658 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
659 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
660 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
661 "but client declined sealing.\n",
662 get_pipe_name_from_iface(&p->syntax)));
663 return False;
664 }
665 }
666
667 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
668 "workstation: %s\n", a->ntlmssp_state->user,
669 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
670
671 if (a->server_info->ptok == NULL) {
672 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
673 return False;
674 }
675
676 TALLOC_FREE(p->server_info);
677
678 p->server_info = copy_serverinfo(p, a->server_info);
679 if (p->server_info == NULL) {
680 DEBUG(0, ("copy_serverinfo failed\n"));
681 return false;
682 }
683
684 /*
685 * We're an authenticated bind over smb, so the session key needs to
686 * be set to "SystemLibraryDTC". Weird, but this is what Windows
687 * does. See the RPC-SAMBA3SESSIONKEY.
688 */
689
690 session_key = generic_session_key();
691 if (session_key.data == NULL) {
692 return False;
693 }
694
695 ret = server_info_set_session_key(p->server_info, session_key);
696
697 data_blob_free(&session_key);
698
699 return True;
700 }
701
702 /*******************************************************************
703 The switch table for the pipe names and the functions to handle them.
704 *******************************************************************/
705
706 struct rpc_table {
707 struct {
708 const char *clnt;
709 const char *srv;
710 } pipe;
711 struct ndr_syntax_id rpc_interface;
712 const struct api_struct *cmds;
713 int n_cmds;
714 };
715
716 static struct rpc_table *rpc_lookup;
717 static int rpc_lookup_size;
718
719 /*******************************************************************
720 This is the "stage3" NTLMSSP response after a bind request and reply.
721 *******************************************************************/
722
723 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
724 {
725 RPC_HDR_AUTH auth_info;
726 uint32 pad = 0;
727 DATA_BLOB blob;
728
729 ZERO_STRUCT(blob);
730
731 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
732
733 if (p->hdr.auth_len == 0) {
734 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
735 goto err;
736 }
737
738 /* 4 bytes padding. */
739 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
740 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
741 goto err;
742 }
743
744 /*
745 * Decode the authentication verifier response.
746 */
747
748 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
749 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
750 goto err;
751 }
752
753 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
754 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
755 (unsigned int)auth_info.auth_type ));
756 return False;
757 }
758
759 blob = data_blob(NULL,p->hdr.auth_len);
760
761 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
762 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
763 (unsigned int)p->hdr.auth_len ));
764 goto err;
765 }
766
767 /*
768 * The following call actually checks the challenge/response data.
769 * for correctness against the given DOMAIN\user name.
770 */
771
772 if (!pipe_ntlmssp_verify_final(p, &blob)) {
773 goto err;
774 }
775
776 data_blob_free(&blob);
777
778 p->pipe_bound = True;
779
780 return True;
781
782 err:
783
784 data_blob_free(&blob);
785 free_pipe_ntlmssp_auth_data(&p->auth);
786 p->auth.a_u.auth_ntlmssp_state = NULL;
787
788 return False;
789 }
790
791 /*******************************************************************
792 Marshall a bind_nak pdu.
793 *******************************************************************/
794
795 static bool setup_bind_nak(pipes_struct *p)
796 {
797 RPC_HDR nak_hdr;
798 uint16 zero = 0;
799
800 /* Free any memory in the current return data buffer. */
801 prs_mem_free(&p->out_data.rdata);
802
803 /*
804 * Marshall directly into the outgoing PDU space. We
805 * must do this as we need to set to the bind response
806 * header and are never sending more than one PDU here.
807 */
808
809 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
810
811 /*
812 * Initialize a bind_nak header.
813 */
814
815 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
816 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
817
818 /*
819 * Marshall the header into the outgoing PDU.
820 */
821
822 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
823 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
824 prs_mem_free(&p->out_data.frag);
825 return False;
826 }
827
828 /*
829 * Now add the reject reason.
830 */
831
832 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
833 prs_mem_free(&p->out_data.frag);
834 return False;
835 }
836
837 p->out_data.data_sent_length = 0;
838 p->out_data.current_pdu_sent = 0;
839
840 if (p->auth.auth_data_free_func) {
841 (*p->auth.auth_data_free_func)(&p->auth);
842 }
843 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
844 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
845 p->pipe_bound = False;
846
847 return True;
848 }
849
850 /*******************************************************************
851 Marshall a fault pdu.
852 *******************************************************************/
853
854 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
855 {
856 RPC_HDR fault_hdr;
857 RPC_HDR_RESP hdr_resp;
858 RPC_HDR_FAULT fault_resp;
859
860 /* Free any memory in the current return data buffer. */
861 prs_mem_free(&p->out_data.rdata);
862
863 /*
864 * Marshall directly into the outgoing PDU space. We
865 * must do this as we need to set to the bind response
866 * header and are never sending more than one PDU here.
867 */
868
869 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
870
871 /*
872 * Initialize a fault header.
873 */
874
875 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
876 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
877
878 /*
879 * Initialize the HDR_RESP and FAULT parts of the PDU.
880 */
881
882 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
883
884 fault_resp.status = status;
885 fault_resp.reserved = 0;
886
887 /*
888 * Marshall the header into the outgoing PDU.
889 */
890
891 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
892 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
893 prs_mem_free(&p->out_data.frag);
894 return False;
895 }
896
897 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
898 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
899 prs_mem_free(&p->out_data.frag);
900 return False;
901 }
902
903 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
904 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
905 prs_mem_free(&p->out_data.frag);
906 return False;
907 }
908
909 p->out_data.data_sent_length = 0;
910 p->out_data.current_pdu_sent = 0;
911
912 return True;
913 }
914
915 #if 0
916 /*******************************************************************
917 Marshall a cancel_ack pdu.
918 We should probably check the auth-verifier here.
919 *******************************************************************/
920
921 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
922 {
923 prs_struct outgoing_pdu;
924 RPC_HDR ack_reply_hdr;
925
926 /* Free any memory in the current return data buffer. */
927 prs_mem_free(&p->out_data.rdata);
928
929 /*
930 * Marshall directly into the outgoing PDU space. We
931 * must do this as we need to set to the bind response
932 * header and are never sending more than one PDU here.
933 */
934
935 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
936 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
937
938 /*
939 * Initialize a cancel_ack header.
940 */
941
942 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
943 p->hdr.call_id, RPC_HEADER_LEN, 0);
944
945 /*
946 * Marshall the header into the outgoing PDU.
947 */
948
949 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
950 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
951 prs_mem_free(&outgoing_pdu);
952 return False;
953 }
954
955 p->out_data.data_sent_length = 0;
956 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
957 p->out_data.current_pdu_sent = 0;
958
959 prs_mem_free(&outgoing_pdu);
960 return True;
961 }
962 #endif
963
964 /*******************************************************************
965 Ensure a bind request has the correct abstract & transfer interface.
966 Used to reject unknown binds from Win2k.
967 *******************************************************************/
968
969 static bool check_bind_req(struct pipes_struct *p,
970 struct ndr_syntax_id* abstract,
971 struct ndr_syntax_id* transfer,
972 uint32 context_id)
973 {
974 int i=0;
975 struct pipe_rpc_fns *context_fns;
976
977 DEBUG(3,("check_bind_req for %s\n",
978 get_pipe_name_from_iface(&p->syntax)));
979
980 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
981
982 for (i=0; i<rpc_lookup_size; i++) {
983 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
984 if (ndr_syntax_id_equal(
985 abstract, &rpc_lookup[i].rpc_interface)
986 && ndr_syntax_id_equal(
987 transfer, &ndr_transfer_syntax)) {
988 break;
989 }
990 }
991
992 if (i == rpc_lookup_size) {
993 return false;
994 }
995
996 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
997 if (context_fns == NULL) {
998 DEBUG(0,("check_bind_req: malloc() failed!\n"));
999 return False;
1000 }
1001
1002 context_fns->cmds = rpc_lookup[i].cmds;
1003 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1004 context_fns->context_id = context_id;
1005
1006 /* add to the list of open contexts */
1007
1008 DLIST_ADD( p->contexts, context_fns );
1009
1010 return True;
1011 }
1012
1013 /*******************************************************************
1014 Register commands to an RPC pipe
1015 *******************************************************************/
1016
1017 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1018 const struct ndr_interface_table *iface,
1019 const struct api_struct *cmds, int size)
1020 {
1021 struct rpc_table *rpc_entry;
1022
1023 if (!clnt || !srv || !cmds) {
1024 return NT_STATUS_INVALID_PARAMETER;
1025 }
1026
1027 if (version != SMB_RPC_INTERFACE_VERSION) {
1028 DEBUG(0,("Can't register rpc commands!\n"
1029 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1030 ", while this version of samba uses version %d!\n",
1031 version,SMB_RPC_INTERFACE_VERSION));
1032 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1033 }
1034
1035 /* TODO:
1036 *
1037 * we still need to make sure that don't register the same commands twice!!!
1038 *
1039 * --metze
1040 */
1041
1042 /* We use a temporary variable because this call can fail and
1043 rpc_lookup will still be valid afterwards. It could then succeed if
1044 called again later */
1045 rpc_lookup_size++;
1046 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1047 if (NULL == rpc_entry) {
1048 rpc_lookup_size--;
1049 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1050 return NT_STATUS_NO_MEMORY;
1051 } else {
1052 rpc_lookup = rpc_entry;
1053 }
1054
1055 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1056 ZERO_STRUCTP(rpc_entry);
1057 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1058 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1059 rpc_entry->rpc_interface = iface->syntax_id;
1060 rpc_entry->cmds = cmds;
1061 rpc_entry->n_cmds = size;
1062
1063 return NT_STATUS_OK;
1064 }
1065
1066 /**
1067 * Is a named pipe known?
1068 * @param[in] cli_filename The pipe name requested by the client
1069 * @result Do we want to serve this?
1070 */
1071 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1072 {
1073 const char *pipename = cli_filename;
1074 int i;
1075
1076 if (strnequal(pipename, "\\PIPE\\", 6)) {
1077 pipename += 5;
1078 }
1079
1080 if (*pipename == '\\') {
1081 pipename += 1;
1082 }
1083
1084 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1085 DEBUG(10, ("refusing spoolss access\n"));
1086 return false;
1087 }
1088
1089 for (i=0; i<rpc_lookup_size; i++) {
1090 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1091 *syntax = rpc_lookup[i].rpc_interface;
1092 return true;
1093 }
1094 }
1095
1096 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1097 return false;
1098 }
1099
1100 /*******************************************************************
1101 Handle a SPNEGO krb5 bind auth.
1102 *******************************************************************/
1103
1104 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1105 DATA_BLOB *psecblob, prs_struct *pout_auth)
1106 {
1107 return False;
1108 }
1109
1110 /*******************************************************************
1111 Handle the first part of a SPNEGO bind auth.
1112 *******************************************************************/
1113
1114 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1115 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1116 {
1117 DATA_BLOB blob;
1118 DATA_BLOB secblob;
1119 DATA_BLOB response;
1120 DATA_BLOB chal;
1121 char *OIDs[ASN1_MAX_OIDS];
1122 int i;
1123 NTSTATUS status;
1124 bool got_kerberos_mechanism = false;
1125 AUTH_NTLMSSP_STATE *a = NULL;
1126 RPC_HDR_AUTH auth_info;
1127
1128 ZERO_STRUCT(secblob);
1129 ZERO_STRUCT(chal);
1130 ZERO_STRUCT(response);
1131
1132 /* Grab the SPNEGO blob. */
1133 blob = data_blob(NULL,p->hdr.auth_len);
1134
1135 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1136 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1137 (unsigned int)p->hdr.auth_len ));
1138 goto err;
1139 }
1140
1141 if (blob.data[0] != ASN1_APPLICATION(0)) {
1142 goto err;
1143 }
1144
1145 /* parse out the OIDs and the first sec blob */
1146 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1147 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1148 goto err;
1149 }
1150
1151 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1152 got_kerberos_mechanism = true;
1153 }
1154
1155 for (i=0;OIDs[i];i++) {
1156 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1157 TALLOC_FREE(OIDs[i]);
1158 }
1159 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1160
1161 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1162 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1163 data_blob_free(&secblob);
1164 data_blob_free(&blob);
1165 return ret;
1166 }
1167
1168 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1169 /* Free any previous auth type. */
1170 free_pipe_ntlmssp_auth_data(&p->auth);
1171 }
1172
1173 if (!got_kerberos_mechanism) {
1174 /* Initialize the NTLM engine. */
1175 status = auth_ntlmssp_start(&a);
1176 if (!NT_STATUS_IS_OK(status)) {
1177 goto err;
1178 }
1179
1180 /*
1181 * Pass the first security blob of data to it.
1182 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1183 * which means we need another packet to complete the bind.
1184 */
1185
1186 status = auth_ntlmssp_update(a, secblob, &chal);
1187
1188 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1189 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1190 goto err;
1191 }
1192
1193 /* Generate the response blob we need for step 2 of the bind. */
1194 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1195 } else {
1196 /*
1197 * SPNEGO negotiate down to NTLMSSP. The subsequent
1198 * code to process follow-up packets is not complete
1199 * yet. JRA.
1200 */
1201 response = spnego_gen_auth_response(NULL,
1202 NT_STATUS_MORE_PROCESSING_REQUIRED,
1203 OID_NTLMSSP);
1204 }
1205
1206 /* Copy the blob into the pout_auth parse struct */
1207 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1208 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1209 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1210 goto err;
1211 }
1212
1213 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1214 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1215 goto err;
1216 }
1217
1218 p->auth.a_u.auth_ntlmssp_state = a;
1219 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1220 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1221
1222 data_blob_free(&blob);
1223 data_blob_free(&secblob);
1224 data_blob_free(&chal);
1225 data_blob_free(&response);
1226
1227 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1228 return True;
1229
1230 err:
1231
1232 data_blob_free(&blob);
1233 data_blob_free(&secblob);
1234 data_blob_free(&chal);
1235 data_blob_free(&response);
1236
1237 p->auth.a_u.auth_ntlmssp_state = NULL;
1238
1239 return False;
1240 }
1241
1242 /*******************************************************************
1243 Handle the second part of a SPNEGO bind auth.
1244 *******************************************************************/
1245
1246 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1247 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1248 {
1249 RPC_HDR_AUTH auth_info;
1250 DATA_BLOB spnego_blob;
1251 DATA_BLOB auth_blob;
1252 DATA_BLOB auth_reply;
1253 DATA_BLOB response;
1254 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1255
1256 ZERO_STRUCT(spnego_blob);
1257 ZERO_STRUCT(auth_blob);
1258 ZERO_STRUCT(auth_reply);
1259 ZERO_STRUCT(response);
1260
1261 /*
1262 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1263 * fail here as 'a' == NULL.
1264 */
1265 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1266 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1267 goto err;
1268 }
1269
1270 /* Grab the SPNEGO blob. */
1271 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1272
1273 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1274 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1275 (unsigned int)p->hdr.auth_len ));
1276 goto err;
1277 }
1278
1279 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1280 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1281 goto err;
1282 }
1283
1284 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1285 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1286 goto err;
1287 }
1288
1289 /*
1290 * The following call actually checks the challenge/response data.
1291 * for correctness against the given DOMAIN\user name.
1292 */
1293
1294 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1295 goto err;
1296 }
1297
1298 data_blob_free(&spnego_blob);
1299 data_blob_free(&auth_blob);
1300
1301 /* Generate the spnego "accept completed" blob - no incoming data. */
1302 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1303
1304 /* Copy the blob into the pout_auth parse struct */
1305 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1306 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1307 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1308 goto err;
1309 }
1310
1311 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1312 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1313 goto err;
1314 }
1315
1316 data_blob_free(&auth_reply);
1317 data_blob_free(&response);
1318
1319 p->pipe_bound = True;
1320
1321 return True;
1322
1323 err:
1324
1325 data_blob_free(&spnego_blob);
1326 data_blob_free(&auth_blob);
1327 data_blob_free(&auth_reply);
1328 data_blob_free(&response);
1329
1330 free_pipe_ntlmssp_auth_data(&p->auth);
1331 p->auth.a_u.auth_ntlmssp_state = NULL;
1332
1333 return False;
1334 }
1335
1336 /*******************************************************************
1337 Handle an schannel bind auth.
1338 *******************************************************************/
1339
1340 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1341 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1342 {
1343 RPC_HDR_AUTH auth_info;
1344 struct NL_AUTH_MESSAGE neg;
1345 struct NL_AUTH_MESSAGE reply;
1346 bool ret;
1347 NTSTATUS status;
1348 struct netlogon_creds_CredentialState *creds;
1349 DATA_BLOB session_key;
1350 enum ndr_err_code ndr_err;
1351 DATA_BLOB blob;
1352
1353 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1354 prs_data_size(rpc_in_p));
1355
1356 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1357 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1358 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1359 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1360 return false;
1361 }
1362
1363 if (DEBUGLEVEL >= 10) {
1364 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1365 }
1366
1367 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1368 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1369 return false;
1370 }
1371
1372 /*
1373 * The neg.oem_netbios_computer.a key here must match the remote computer name
1374 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1375 * operations that use credentials.
1376 */
1377
1378 become_root();
1379 status = schannel_fetch_session_key(p->mem_ctx,
1380 neg.oem_netbios_computer.a,
1381 &creds);
1382 unbecome_root();
1383
1384 if (!NT_STATUS_IS_OK(status)) {
1385 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1386 return False;
1387 }
1388
1389 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1390 if (!p->auth.a_u.schannel_auth) {
1391 TALLOC_FREE(creds);
1392 return False;
1393 }
1394
1395 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1396 memcpy(p->auth.a_u.schannel_auth->sess_key, creds->session_key,
1397 sizeof(creds->session_key));
1398
1399 TALLOC_FREE(creds);
1400
1401 p->auth.a_u.schannel_auth->seq_num = 0;
1402
1403 /*
1404 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1405 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1406 * struct of the person who opened the pipe. I need to test this further. JRA.
1407 *
1408 * VL. As we are mapping this to guest set the generic key
1409 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1410 * W2k3, as it does not allow schannel binds against SAMR and LSA
1411 * anymore.
1412 */
1413
1414 session_key = generic_session_key();
1415 if (session_key.data == NULL) {
1416 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1417 " key\n"));
1418 return false;
1419 }
1420
1421 ret = server_info_set_session_key(p->server_info, session_key);
1422
1423 data_blob_free(&session_key);
1424
1425 if (!ret) {
1426 DEBUG(0, ("server_info_set_session_key failed\n"));
1427 return false;
1428 }
1429
1430 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1431 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1432 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1433 return False;
1434 }
1435
1436 /*** SCHANNEL verifier ***/
1437
1438 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1439 reply.Flags = 0;
1440 reply.Buffer.dummy = 5; /* ??? actually I don't think
1441 * this has any meaning
1442 * here - gd */
1443
1444 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1445 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1446 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1447 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1448 return false;
1449 }
1450
1451 if (DEBUGLEVEL >= 10) {
1452 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1453 }
1454
1455 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1456 return false;
1457 }
1458
1459 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1460 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1461
1462 /* We're finished with this bind - no more packets. */
1463 p->auth.auth_data_free_func = NULL;
1464 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1465
1466 p->pipe_bound = True;
1467
1468 return True;
1469 }
1470
1471 /*******************************************************************
1472 Handle an NTLMSSP bind auth.
1473 *******************************************************************/
1474
1475 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1476 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1477 {
1478 RPC_HDR_AUTH auth_info;
1479 DATA_BLOB blob;
1480 DATA_BLOB response;
1481 NTSTATUS status;
1482 AUTH_NTLMSSP_STATE *a = NULL;
1483
1484 ZERO_STRUCT(blob);
1485 ZERO_STRUCT(response);
1486
1487 /* Grab the NTLMSSP blob. */
1488 blob = data_blob(NULL,p->hdr.auth_len);
1489
1490 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1491 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1492 (unsigned int)p->hdr.auth_len ));
1493 goto err;
1494 }
1495
1496 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1497 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1498 goto err;
1499 }
1500
1501 /* We have an NTLMSSP blob. */
1502 status = auth_ntlmssp_start(&a);
1503 if (!NT_STATUS_IS_OK(status)) {
1504 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1505 nt_errstr(status) ));
1506 goto err;
1507 }
1508
1509 status = auth_ntlmssp_update(a, blob, &response);
1510 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1511 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1512 nt_errstr(status) ));
1513 goto err;
1514 }
1515
1516 data_blob_free(&blob);
1517
1518 /* Copy the blob into the pout_auth parse struct */
1519 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1520 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1521 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1522 goto err;
1523 }
1524
1525 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1526 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1527 goto err;
1528 }
1529
1530 p->auth.a_u.auth_ntlmssp_state = a;
1531 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1532 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1533
1534 data_blob_free(&blob);
1535 data_blob_free(&response);
1536
1537 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1538
1539 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1540 return True;
1541
1542 err:
1543
1544 data_blob_free(&blob);
1545 data_blob_free(&response);
1546
1547 free_pipe_ntlmssp_auth_data(&p->auth);
1548 p->auth.a_u.auth_ntlmssp_state = NULL;
1549 return False;
1550 }
1551
1552 /*******************************************************************
1553 Respond to a pipe bind request.
1554 *******************************************************************/
1555
1556 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1557 {
1558 RPC_HDR_BA hdr_ba;
1559 RPC_HDR_RB hdr_rb;
1560 RPC_HDR_AUTH auth_info;
1561 uint16 assoc_gid;
1562 fstring ack_pipe_name;
1563 prs_struct out_hdr_ba;
1564 prs_struct out_auth;
1565 int i = 0;
1566 int auth_len = 0;
1567 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1568
1569 /* No rebinds on a bound pipe - use alter context. */
1570 if (p->pipe_bound) {
1571 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1572 "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1573 return setup_bind_nak(p);
1574 }
1575
1576 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1577
1578 /*
1579 * Marshall directly into the outgoing PDU space. We
1580 * must do this as we need to set to the bind response
1581 * header and are never sending more than one PDU here.
1582 */
1583
1584 /*
1585 * Setup the memory to marshall the ba header, and the
1586 * auth footers.
1587 */
1588
1589 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1590 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1591 prs_mem_free(&p->out_data.frag);
1592 return False;
1593 }
1594
1595 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1596 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1597 prs_mem_free(&p->out_data.frag);
1598 prs_mem_free(&out_hdr_ba);
1599 return False;
1600 }
1601
1602 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1603
1604 ZERO_STRUCT(hdr_rb);
1605
1606 /* decode the bind request */
1607
1608 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1609 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1610 "struct.\n"));
1611 goto err_exit;
1612 }
1613
1614 if (hdr_rb.num_contexts == 0) {
1615 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1616 goto err_exit;
1617 }
1618
1619 /*
1620 * Try and find the correct pipe name to ensure
1621 * that this is a pipe name we support.
1622 */
1623
1624 for (i = 0; i < rpc_lookup_size; i++) {
1625 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1626 &hdr_rb.rpc_context[0].abstract)) {
1627 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1628 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1629 break;
1630 }
1631 }
1632
1633 if (i == rpc_lookup_size) {
1634 NTSTATUS status;
1635
1636 status = smb_probe_module(
1637 "rpc", get_pipe_name_from_iface(
1638 &hdr_rb.rpc_context[0].abstract));
1639
1640 if (NT_STATUS_IS_ERR(status)) {
1641 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1642 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1643 prs_mem_free(&p->out_data.frag);
1644 prs_mem_free(&out_hdr_ba);
1645 prs_mem_free(&out_auth);
1646
1647 return setup_bind_nak(p);
1648 }
1649
1650 for (i = 0; i < rpc_lookup_size; i++) {
1651 if (strequal(rpc_lookup[i].pipe.clnt,
1652 get_pipe_name_from_iface(&p->syntax))) {
1653 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1654 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1655 break;
1656 }
1657 }
1658
1659 if (i == rpc_lookup_size) {
1660 DEBUG(0, ("module %s doesn't provide functions for "
1661 "pipe %s!\n",
1662 get_pipe_name_from_iface(&p->syntax),
1663 get_pipe_name_from_iface(&p->syntax)));
1664 goto err_exit;
1665 }
1666 }
1667
1668 /* name has to be \PIPE\xxxxx */
1669 fstrcpy(ack_pipe_name, "\\PIPE\\");
1670 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1671
1672 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1673
1674 /*
1675 * Check if this is an authenticated bind request.
1676 */
1677
1678 if (p->hdr.auth_len) {
1679 /*
1680 * Decode the authentication verifier.
1681 */
1682
1683 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1684 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1685 goto err_exit;
1686 }
1687
1688 auth_type = auth_info.auth_type;
1689
1690 /* Work out if we have to sign or seal etc. */
1691 switch (auth_info.auth_level) {
1692 case RPC_AUTH_LEVEL_INTEGRITY:
1693 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1694 break;
1695 case RPC_AUTH_LEVEL_PRIVACY:
1696 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1697 break;
1698 default:
1699 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1700 (unsigned int)auth_info.auth_level ));
1701 goto err_exit;
1702 }
1703 } else {
1704 ZERO_STRUCT(auth_info);
1705 }
1706
1707 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1708
1709 switch(auth_type) {
1710 case RPC_NTLMSSP_AUTH_TYPE:
1711 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1712 goto err_exit;
1713 }
1714 assoc_gid = 0x7a77;
1715 break;
1716
1717 case RPC_SCHANNEL_AUTH_TYPE:
1718 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1719 goto err_exit;
1720 }
1721 break;
1722
1723 case RPC_SPNEGO_AUTH_TYPE:
1724 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1725 goto err_exit;
1726 }
1727 break;
1728
1729 case RPC_ANONYMOUS_AUTH_TYPE:
1730 /* Unauthenticated bind request. */
1731 /* We're finished - no more packets. */
1732 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1733 /* We must set the pipe auth_level here also. */
1734 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1735 p->pipe_bound = True;
1736 /* The session key was initialized from the SMB
1737 * session in make_internal_rpc_pipe_p */
1738 break;
1739
1740 default:
1741 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1742 goto err_exit;
1743 }
1744
1745 /*
1746 * Create the bind response struct.
1747 */
1748
1749 /* If the requested abstract synt uuid doesn't match our client pipe,
1750 reject the bind_ack & set the transfer interface synt to all 0's,
1751 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1752 unknown to NT4)
1753 Needed when adding entries to a DACL from NT5 - SK */
1754
1755 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1756 hdr_rb.rpc_context[0].context_id )) {
1757 init_rpc_hdr_ba(&hdr_ba,
1758 RPC_MAX_PDU_FRAG_LEN,
1759 RPC_MAX_PDU_FRAG_LEN,
1760 assoc_gid,
1761 ack_pipe_name,
1762 0x1, 0x0, 0x0,
1763 &hdr_rb.rpc_context[0].transfer[0]);
1764 } else {
1765 /* Rejection reason: abstract syntax not supported */
1766 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1767 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1768 ack_pipe_name, 0x1, 0x2, 0x1,
1769 &null_ndr_syntax_id);
1770 p->pipe_bound = False;
1771 }
1772
1773 /*
1774 * and marshall it.
1775 */
1776
1777 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1778 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1779 goto err_exit;
1780 }
1781
1782 /*
1783 * Create the header, now we know the length.
1784 */
1785
1786 if (prs_offset(&out_auth)) {
1787 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1788 }
1789
1790 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1791 p->hdr.call_id,
1792 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1793 auth_len);
1794
1795 /*
1796 * Marshall the header into the outgoing PDU.
1797 */
1798
1799 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1800 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1801 goto err_exit;
1802 }
1803
1804 /*
1805 * Now add the RPC_HDR_BA and any auth needed.
1806 */
1807
1808 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1809 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1810 goto err_exit;
1811 }
1812
1813 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1814 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1815 goto err_exit;
1816 }
1817
1818 /*
1819 * Setup the lengths for the initial reply.
1820 */
1821
1822 p->out_data.data_sent_length = 0;
1823 p->out_data.current_pdu_sent = 0;
1824
1825 prs_mem_free(&out_hdr_ba);
1826 prs_mem_free(&out_auth);
1827
1828 return True;
1829
1830 err_exit:
1831
1832 prs_mem_free(&p->out_data.frag);
1833 prs_mem_free(&out_hdr_ba);
1834 prs_mem_free(&out_auth);
1835 return setup_bind_nak(p);
1836 }
1837
1838 /****************************************************************************
1839 Deal with an alter context call. Can be third part of 3 leg auth request for
1840 SPNEGO calls.
1841 ****************************************************************************/
1842
1843 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1844 {
1845 RPC_HDR_BA hdr_ba;
1846 RPC_HDR_RB hdr_rb;
1847 RPC_HDR_AUTH auth_info;
1848 uint16 assoc_gid;
1849 fstring ack_pipe_name;
1850 prs_struct out_hdr_ba;
1851 prs_struct out_auth;
1852 int auth_len = 0;
1853
1854 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1855
1856 /*
1857 * Marshall directly into the outgoing PDU space. We
1858 * must do this as we need to set to the bind response
1859 * header and are never sending more than one PDU here.
1860 */
1861
1862 /*
1863 * Setup the memory to marshall the ba header, and the
1864 * auth footers.
1865 */
1866
1867 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1868 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1869 prs_mem_free(&p->out_data.frag);
1870 return False;
1871 }
1872
1873 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1874 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1875 prs_mem_free(&p->out_data.frag);
1876 prs_mem_free(&out_hdr_ba);
1877 return False;
1878 }
1879
1880 ZERO_STRUCT(hdr_rb);
1881
1882 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1883
1884 /* decode the alter context request */
1885 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1886 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1887 goto err_exit;
1888 }
1889
1890 /* secondary address CAN be NULL
1891 * as the specs say it's ignored.
1892 * It MUST be NULL to have the spoolss working.
1893 */
1894 fstrcpy(ack_pipe_name,"");
1895
1896 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1897
1898 /*
1899 * Check if this is an authenticated alter context request.
1900 */
1901
1902 if (p->hdr.auth_len != 0) {
1903 /*
1904 * Decode the authentication verifier.
1905 */
1906
1907 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1908 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1909 goto err_exit;
1910 }
1911
1912 /*
1913 * Currently only the SPNEGO auth type uses the alter ctx
1914 * response in place of the NTLMSSP auth3 type.
1915 */
1916
1917 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1918 /* We can only finish if the pipe is unbound. */
1919 if (!p->pipe_bound) {
1920 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1921 goto err_exit;
1922 }
1923 } else {
1924 goto err_exit;
1925 }
1926 }
1927 } else {
1928 ZERO_STRUCT(auth_info);
1929 }
1930
1931 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1932
1933 /*
1934 * Create the bind response struct.
1935 */
1936
1937 /* If the requested abstract synt uuid doesn't match our client pipe,
1938 reject the bind_ack & set the transfer interface synt to all 0's,
1939 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1940 unknown to NT4)
1941 Needed when adding entries to a DACL from NT5 - SK */
1942
1943 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1944 hdr_rb.rpc_context[0].context_id )) {
1945 init_rpc_hdr_ba(&hdr_ba,
1946 RPC_MAX_PDU_FRAG_LEN,
1947 RPC_MAX_PDU_FRAG_LEN,
1948 assoc_gid,
1949 ack_pipe_name,
1950 0x1, 0x0, 0x0,
1951 &hdr_rb.rpc_context[0].transfer[0]);
1952 } else {
1953 /* Rejection reason: abstract syntax not supported */
1954 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1955 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1956 ack_pipe_name, 0x1, 0x2, 0x1,
1957 &null_ndr_syntax_id);
1958 p->pipe_bound = False;
1959 }
1960
1961 /*
1962 * and marshall it.
1963 */
1964
1965 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1966 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1967 goto err_exit;
1968 }
1969
1970 /*
1971 * Create the header, now we know the length.
1972 */
1973
1974 if (prs_offset(&out_auth)) {
1975 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1976 }
1977
1978 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1979 p->hdr.call_id,
1980 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1981 auth_len);
1982
1983 /*
1984 * Marshall the header into the outgoing PDU.
1985 */
1986
1987 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1988 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1989 goto err_exit;
1990 }
1991
1992 /*
1993 * Now add the RPC_HDR_BA and any auth needed.
1994 */
1995
1996 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1997 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1998 goto err_exit;
1999 }
2000
2001 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2002 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2003 goto err_exit;
2004 }
2005
2006 /*
2007 * Setup the lengths for the initial reply.
2008 */
2009
2010 p->out_data.data_sent_length = 0;
2011 p->out_data.current_pdu_sent = 0;
2012
2013 prs_mem_free(&out_hdr_ba);
2014 prs_mem_free(&out_auth);
2015
2016 return True;
2017
2018 err_exit:
2019
2020 prs_mem_free(&p->out_data.frag);
2021 prs_mem_free(&out_hdr_ba);
2022 prs_mem_free(&out_auth);
2023 return setup_bind_nak(p);
2024 }
2025
2026 /****************************************************************************
2027 Deal with NTLMSSP sign & seal processing on an RPC request.
2028 ****************************************************************************/
2029
2030 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2031 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2032 {
2033 RPC_HDR_AUTH auth_info;
2034 uint32 auth_len = p->hdr.auth_len;
2035 uint32 save_offset = prs_offset(rpc_in);
2036 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2037 unsigned char *data = NULL;
2038 size_t data_len;
2039 unsigned char *full_packet_data = NULL;
2040 size_t full_packet_data_len;
2041 DATA_BLOB auth_blob;
2042
2043 *pstatus = NT_STATUS_OK;
2044
2045 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2046 return True;
2047 }
2048
2049 if (!a) {
2050 *pstatus = NT_STATUS_INVALID_PARAMETER;
2051 return False;
2052 }
2053
2054 /* Ensure there's enough data for an authenticated request. */
2055 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2056 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2057 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2058 (unsigned int)auth_len ));
2059 *pstatus = NT_STATUS_INVALID_PARAMETER;
2060 return False;
2061 }
2062
2063 /*
2064 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2065 * after the RPC header.
2066 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2067 * functions as NTLMv2 checks the rpc headers also.
2068 */
2069
2070 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2071 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2072
2073 full_packet_data = p->in_data.current_in_pdu;
2074 full_packet_data_len = p->hdr.frag_len - auth_len;
2075
2076 /* Pull the auth header and the following data into a blob. */
2077 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2078 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2079 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2080 *pstatus = NT_STATUS_INVALID_PARAMETER;
2081 return False;
2082 }
2083
2084 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2085 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2086 *pstatus = NT_STATUS_INVALID_PARAMETER;
2087 return False;
2088 }
2089
2090 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2091 auth_blob.length = auth_len;
2092
2093 switch (p->auth.auth_level) {
2094 case PIPE_AUTH_LEVEL_PRIVACY:
2095 /* Data is encrypted. */
2096 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2097 data, data_len,
2098 full_packet_data,
2099 full_packet_data_len,
2100 &auth_blob);
2101 if (!NT_STATUS_IS_OK(*pstatus)) {
2102 return False;
2103 }
2104 break;
2105 case PIPE_AUTH_LEVEL_INTEGRITY:
2106 /* Data is signed. */
2107 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2108 data, data_len,
2109 full_packet_data,
2110 full_packet_data_len,
2111 &auth_blob);
2112 if (!NT_STATUS_IS_OK(*pstatus)) {
2113 return False;
2114 }
2115 break;
2116 default:
2117 *pstatus = NT_STATUS_INVALID_PARAMETER;
2118 return False;
2119 }
2120
2121 /*
2122 * Return the current pointer to the data offset.
2123 */
2124
2125 if(!prs_set_offset(rpc_in, save_offset)) {
2126 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2127 (unsigned int)save_offset ));
2128 *pstatus = NT_STATUS_INVALID_PARAMETER;
2129 return False;
2130 }
2131
2132 /*
2133 * Remember the padding length. We must remove it from the real data
2134 * stream once the sign/seal is done.
2135 */
2136
2137 *p_ss_padding_len = auth_info.auth_pad_len;
2138
2139 return True;
2140 }
2141
2142 /****************************************************************************
2143 Deal with schannel processing on an RPC request.
2144 ****************************************************************************/
2145
2146 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2147 {
2148 uint32 data_len;
2149 uint32 auth_len;
2150 uint32 save_offset = prs_offset(rpc_in);
2151 RPC_HDR_AUTH auth_info;
2152 struct NL_AUTH_SIGNATURE schannel_chk;
2153 enum ndr_err_code ndr_err;
2154 DATA_BLOB blob;
2155
2156 auth_len = p->hdr.auth_len;
2157
2158 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2159 auth_len > RPC_HEADER_LEN +
2160 RPC_HDR_REQ_LEN +
2161 RPC_HDR_AUTH_LEN +
2162 auth_len) {
2163 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2164 return False;
2165 }
2166
2167 /*
2168 * The following is that length of the data we must verify or unseal.
2169 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2170 * preceeding the auth_data.
2171 */
2172
2173 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2174 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2175 (unsigned int)p->hdr.frag_len,
2176 (unsigned int)auth_len ));
2177 return False;
2178 }
2179
2180 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2181 RPC_HDR_AUTH_LEN - auth_len;
2182
2183 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2184
2185 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2186 DEBUG(0,("cannot move offset to %u.\n",
2187 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2188 return False;
2189 }
2190
2191 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2192 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2193 return False;
2194 }
2195
2196 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2197 DEBUG(0,("Invalid auth info %d on schannel\n",
2198 auth_info.auth_type));
2199 return False;
2200 }
2201
2202 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2203
2204 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk,
2205 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE);
2206 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2207 DEBUG(0,("failed to pull NL_AUTH_SIGNATURE\n"));
2208 dump_data(2, blob.data, blob.length);
2209 return false;
2210 }
2211
2212 if (DEBUGLEVEL >= 10) {
2213 NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &schannel_chk);
2214 }
2215
2216 if (!schannel_decode(p->auth.a_u.schannel_auth,
2217 p->auth.auth_level,
2218 SENDER_IS_INITIATOR,
2219 &schannel_chk,
2220 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2221 DEBUG(3,("failed to decode PDU\n"));
2222 return False;
2223 }
2224
2225 /*
2226 * Return the current pointer to the data offset.
2227 */
2228
2229 if(!prs_set_offset(rpc_in, save_offset)) {
2230 DEBUG(0,("failed to set offset back to %u\n",
2231 (unsigned int)save_offset ));
2232 return False;
2233 }
2234
2235 /* The sequence number gets incremented on both send and receive. */
2236 p->auth.a_u.schannel_auth->seq_num++;
2237
2238 /*
2239 * Remember the padding length. We must remove it from the real data
2240 * stream once the sign/seal is done.
2241 */
2242
2243 *p_ss_padding_len = auth_info.auth_pad_len;
2244
2245 return True;
2246 }
2247
2248 /****************************************************************************
2249 Find the set of RPC functions associated with this context_id
2250 ****************************************************************************/
2251
2252 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2253 {
2254 PIPE_RPC_FNS *fns = NULL;
2255
2256 if ( !list ) {
2257 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2258 return NULL;
2259 }
2260
2261 for (fns=list; fns; fns=fns->next ) {
2262 if ( fns->context_id == context_id )
2263 return fns;
2264 }
2265 return NULL;
2266 }
2267
2268 /****************************************************************************
2269 Memory cleanup.
2270 ****************************************************************************/
2271
2272 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2273 {
2274 PIPE_RPC_FNS *tmp = list;
2275 PIPE_RPC_FNS *tmp2;
2276
2277 while (tmp) {
2278 tmp2 = tmp->next;
2279 SAFE_FREE(tmp);
2280 tmp = tmp2;
2281 }
2282
2283 return;
2284 }
2285
2286 static bool api_rpcTNP(pipes_struct *p,
2287 const struct api_struct *api_rpc_cmds, int n_cmds);
2288
2289 /****************************************************************************
2290 Find the correct RPC function to call for this request.
2291 If the pipe is authenticated then become the correct UNIX user
2292 before doing the call.
2293 ****************************************************************************/
2294
2295 bool api_pipe_request(pipes_struct *p)
2296 {
2297 bool ret = False;
2298 bool changed_user = False;
2299 PIPE_RPC_FNS *pipe_fns;
2300
2301 if (p->pipe_bound &&
2302 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2303 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2304 if(!become_authenticated_pipe_user(p)) {
2305 prs_mem_free(&p->out_data.rdata);
2306 return False;
2307 }
2308 changed_user = True;
2309 }
2310
2311 DEBUG(5, ("Requested \\PIPE\\%s\n",
2312 get_pipe_name_from_iface(&p->syntax)));
2313
2314 /* get the set of RPC functions for this context */
2315
2316 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2317
2318 if ( pipe_fns ) {
2319 TALLOC_CTX *frame = talloc_stackframe();
2320 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2321 TALLOC_FREE(frame);
2322 }
2323 else {
2324 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2325 p->hdr_req.context_id,
2326 get_pipe_name_from_iface(&p->syntax)));
2327 }
2328
2329 if (changed_user) {
2330 unbecome_authenticated_pipe_user();
2331 }
2332
2333 return ret;
2334 }
2335
2336 /*******************************************************************
2337 Calls the underlying RPC function for a named pipe.
2338 ********************************************************************/
2339
2340 static bool api_rpcTNP(pipes_struct *p,
2341 const struct api_struct *api_rpc_cmds, int n_cmds)
2342 {
2343 int fn_num;
2344 uint32 offset1, offset2;
2345
2346 /* interpret the command */
2347 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2348 get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2349
2350 if (DEBUGLEVEL >= 50) {
2351 fstring name;
2352 slprintf(name, sizeof(name)-1, "in_%s",
2353 get_pipe_name_from_iface(&p->syntax));
2354 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2355 }
2356
2357 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2358 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2359 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2360 break;
2361 }
2362 }
2363
2364 if (fn_num == n_cmds) {
2365 /*
2366 * For an unknown RPC just return a fault PDU but
2367 * return True to allow RPC's on the pipe to continue
2368 * and not put the pipe into fault state. JRA.
2369 */
2370 DEBUG(4, ("unknown\n"));
2371 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2372 return True;
2373 }
2374
2375 offset1 = prs_offset(&p->out_data.rdata);
2376
2377 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2378 fn_num, api_rpc_cmds[fn_num].fn));
2379 /* do the actual command */
2380 if(!api_rpc_cmds[fn_num].fn(p)) {
2381 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2382 get_pipe_name_from_iface(&p->syntax),
2383 api_rpc_cmds[fn_num].name));
2384 prs_mem_free(&p->out_data.rdata);
2385 return False;
2386 }
2387
2388 if (p->bad_handle_fault_state) {
2389 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2390 p->bad_handle_fault_state = False;
2391 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2392 return True;
2393 }
2394
2395 if (p->rng_fault_state) {
2396 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2397 p->rng_fault_state = False;
2398 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2399 return True;
2400 }
2401
2402 offset2 = prs_offset(&p->out_data.rdata);
2403 prs_set_offset(&p->out_data.rdata, offset1);
2404 if (DEBUGLEVEL >= 50) {
2405 fstring name;
2406 slprintf(name, sizeof(name)-1, "out_%s",
2407 get_pipe_name_from_iface(&p->syntax));
2408 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2409 }
2410 prs_set_offset(&p->out_data.rdata, offset2);
2411
2412 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2413 get_pipe_name_from_iface(&p->syntax)));
2414
2415 /* Check for buffer underflow in rpc parsing */
2416
2417 if ((DEBUGLEVEL >= 10) &&
2418 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2419 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2420 char *data = (char *)SMB_MALLOC(data_len);
2421
2422 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2423 if (data) {
2424 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2425 SAFE_FREE(data);
2426 }
2427
2428 }
2429
2430 return True;
2431 }
aatanasov's samba4 branch