search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:minschema/fullschema - add correct header comments
[Samba/aatanasov.git] / source3 / rpc_server / srv_pipe.c
blob8611be49e31e112c6ea731f2089c3ab8923b218a
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
36
37 extern struct current_user current_user;
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
43 {
44 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
45
46 if (a) {
47 auth_ntlmssp_end(&a);
48 }
49 auth->a_u.auth_ntlmssp_state = NULL;
50 }
51
52 static DATA_BLOB generic_session_key(void)
53 {
54 return data_blob("SystemLibraryDTC", 16);
55 }
56
57 /*******************************************************************
58 Generate the next PDU to be returned from the data in p->rdata.
59 Handle NTLMSSP.
60 ********************************************************************/
61
62 static bool create_next_pdu_ntlmssp(pipes_struct *p)
63 {
64 RPC_HDR_RESP hdr_resp;
65 uint32 ss_padding_len = 0;
66 uint32 data_space_available;
67 uint32 data_len_left;
68 uint32 data_len;
69 NTSTATUS status;
70 DATA_BLOB auth_blob;
71 RPC_HDR_AUTH auth_info;
72 uint8 auth_type, auth_level;
73 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
74
75 /*
76 * If we're in the fault state, keep returning fault PDU's until
77 * the pipe gets closed. JRA.
78 */
79
80 if(p->fault_state) {
81 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
82 return True;
83 }
84
85 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
86
87 /* Change the incoming request header to a response. */
88 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
89
90 /* Set up rpc header flags. */
91 if (p->out_data.data_sent_length == 0) {
92 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
93 } else {
94 p->hdr.flags = 0;
95 }
96
97 /*
98 * Work out how much we can fit in a single PDU.
99 */
100
101 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
102
103 /*
104 * Ensure there really is data left to send.
105 */
106
107 if(!data_len_left) {
108 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
109 return False;
110 }
111
112 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
113 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115 /*
116 * The amount we send is the minimum of the available
117 * space and the amount left to send.
118 */
119
120 data_len = MIN(data_len_left, data_space_available);
121
122 /*
123 * Set up the alloc hint. This should be the data left to
124 * send.
125 */
126
127 hdr_resp.alloc_hint = data_len_left;
128
129 /*
130 * Work out if this PDU will be the last.
131 */
132
133 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
134 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
135 if (data_len_left % 8) {
136 ss_padding_len = 8 - (data_len_left % 8);
137 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
138 ss_padding_len ));
139 }
140 }
141
142 /*
143 * Set up the header lengths.
144 */
145
146 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147 data_len + ss_padding_len +
148 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152 /*
153 * Init the parse struct to point at the outgoing
154 * data.
155 */
156
157 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159 /* Store the header in the data stream. */
160 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162 prs_mem_free(&p->out_data.frag);
163 return False;
164 }
165
166 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168 prs_mem_free(&p->out_data.frag);
169 return False;
170 }
171
172 /* Copy the data into the PDU. */
173
174 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175 p->out_data.data_sent_length, data_len)) {
176 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177 prs_mem_free(&p->out_data.frag);
178 return False;
179 }
180
181 /* Copy the sign/seal padding data. */
182 if (ss_padding_len) {
183 char pad[8];
184
185 memset(pad, '\0', 8);
186 if (!prs_copy_data_in(&p->out_data.frag, pad,
187 ss_padding_len)) {
188 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189 (unsigned int)ss_padding_len));
190 prs_mem_free(&p->out_data.frag);
191 return False;
192 }
193 }
194
195
196 /* Now write out the auth header and null blob. */
197 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199 } else {
200 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201 }
202 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204 } else {
205 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206 }
207
208 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
210 0)) {
211 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212 prs_mem_free(&p->out_data.frag);
213 return False;
214 }
215
216 /* Generate the sign blob. */
217
218 switch (p->auth.auth_level) {
219 case DCERPC_AUTH_LEVEL_PRIVACY:
220 /* Data portion is encrypted. */
221 status = ntlmssp_seal_packet(
222 a->ntlmssp_state,
223 (uint8_t *)prs_data_p(&p->out_data.frag)
224 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
225 data_len + ss_padding_len,
226 (unsigned char *)prs_data_p(&p->out_data.frag),
227 (size_t)prs_offset(&p->out_data.frag),
228 &auth_blob);
229 if (!NT_STATUS_IS_OK(status)) {
230 data_blob_free(&auth_blob);
231 prs_mem_free(&p->out_data.frag);
232 return False;
233 }
234 break;
235 case DCERPC_AUTH_LEVEL_INTEGRITY:
236 /* Data is signed. */
237 status = ntlmssp_sign_packet(
238 a->ntlmssp_state,
239 (unsigned char *)prs_data_p(&p->out_data.frag)
240 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
241 data_len + ss_padding_len,
242 (unsigned char *)prs_data_p(&p->out_data.frag),
243 (size_t)prs_offset(&p->out_data.frag),
244 &auth_blob);
245 if (!NT_STATUS_IS_OK(status)) {
246 data_blob_free(&auth_blob);
247 prs_mem_free(&p->out_data.frag);
248 return False;
249 }
250 break;
251 default:
252 prs_mem_free(&p->out_data.frag);
253 return False;
254 }
255
256 /* Append the auth blob. */
257 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
258 NTLMSSP_SIG_SIZE)) {
259 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260 (unsigned int)NTLMSSP_SIG_SIZE));
261 data_blob_free(&auth_blob);
262 prs_mem_free(&p->out_data.frag);
263 return False;
264 }
265
266 data_blob_free(&auth_blob);
267
268 /*
269 * Setup the counts for this PDU.
270 */
271
272 p->out_data.data_sent_length += data_len;
273 p->out_data.current_pdu_sent = 0;
274
275 return True;
276 }
277
278 /*******************************************************************
279 Generate the next PDU to be returned from the data in p->rdata.
280 Return an schannel authenticated fragment.
281 ********************************************************************/
282
283 static bool create_next_pdu_schannel(pipes_struct *p)
284 {
285 RPC_HDR_RESP hdr_resp;
286 uint32 ss_padding_len = 0;
287 uint32 data_len;
288 uint32 data_space_available;
289 uint32 data_len_left;
290 uint32 data_pos;
291 NTSTATUS status;
292
293 /*
294 * If we're in the fault state, keep returning fault PDU's until
295 * the pipe gets closed. JRA.
296 */
297
298 if(p->fault_state) {
299 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
300 return True;
301 }
302
303 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
304
305 /* Change the incoming request header to a response. */
306 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
307
308 /* Set up rpc header flags. */
309 if (p->out_data.data_sent_length == 0) {
310 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
311 } else {
312 p->hdr.flags = 0;
313 }
314
315 /*
316 * Work out how much we can fit in a single PDU.
317 */
318
319 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
320
321 /*
322 * Ensure there really is data left to send.
323 */
324
325 if(!data_len_left) {
326 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
327 return False;
328 }
329
330 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
331 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
332 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
333
334 /*
335 * The amount we send is the minimum of the available
336 * space and the amount left to send.
337 */
338
339 data_len = MIN(data_len_left, data_space_available);
340
341 /*
342 * Set up the alloc hint. This should be the data left to
343 * send.
344 */
345
346 hdr_resp.alloc_hint = data_len_left;
347
348 /*
349 * Work out if this PDU will be the last.
350 */
351
352 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
353 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
354 if (data_len_left % 8) {
355 ss_padding_len = 8 - (data_len_left % 8);
356 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357 ss_padding_len ));
358 }
359 }
360
361 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
362 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364
365 /*
366 * Init the parse struct to point at the outgoing
367 * data.
368 */
369
370 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
371
372 /* Store the header in the data stream. */
373 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
374 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375 prs_mem_free(&p->out_data.frag);
376 return False;
377 }
378
379 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
380 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381 prs_mem_free(&p->out_data.frag);
382 return False;
383 }
384
385 /* Store the current offset. */
386 data_pos = prs_offset(&p->out_data.frag);
387
388 /* Copy the data into the PDU. */
389
390 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
391 p->out_data.data_sent_length, data_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
393 prs_mem_free(&p->out_data.frag);
394 return False;
395 }
396
397 /* Copy the sign/seal padding data. */
398 if (ss_padding_len) {
399 char pad[8];
400 memset(pad, '\0', 8);
401 if (!prs_copy_data_in(&p->out_data.frag, pad,
402 ss_padding_len)) {
403 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
404 prs_mem_free(&p->out_data.frag);
405 return False;
406 }
407 }
408
409 {
410 /*
411 * Schannel processing.
412 */
413 RPC_HDR_AUTH auth_info;
414 DATA_BLOB blob;
415 uint8_t *data;
416
417 /* Check it's the type of reply we were expecting to decode */
418
419 init_rpc_hdr_auth(&auth_info,
420 DCERPC_AUTH_TYPE_SCHANNEL,
421 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
422 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
423 ss_padding_len, 1);
424
425 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
426 &p->out_data.frag, 0)) {
427 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428 prs_mem_free(&p->out_data.frag);
429 return False;
430 }
431
432 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
433
434 switch (p->auth.auth_level) {
435 case DCERPC_AUTH_LEVEL_PRIVACY:
436 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
437 talloc_tos(),
438 true,
439 data,
440 data_len + ss_padding_len,
441 &blob);
442 break;
443 case DCERPC_AUTH_LEVEL_INTEGRITY:
444 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
445 talloc_tos(),
446 false,
447 data,
448 data_len + ss_padding_len,
449 &blob);
450 break;
451 default:
452 status = NT_STATUS_INTERNAL_ERROR;
453 break;
454 }
455
456 if (!NT_STATUS_IS_OK(status)) {
457 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
458 nt_errstr(status)));
459 prs_mem_free(&p->out_data.frag);
460 return false;
461 }
462
463 /* Finally marshall the blob. */
464
465 if (DEBUGLEVEL >= 10) {
466 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
467 }
468
469 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
470 prs_mem_free(&p->out_data.frag);
471 return false;
472 }
473 }
474
475 /*
476 * Setup the counts for this PDU.
477 */
478
479 p->out_data.data_sent_length += data_len;
480 p->out_data.current_pdu_sent = 0;
481
482 return True;
483 }
484
485 /*******************************************************************
486 Generate the next PDU to be returned from the data in p->rdata.
487 No authentication done.
488 ********************************************************************/
489
490 static bool create_next_pdu_noauth(pipes_struct *p)
491 {
492 RPC_HDR_RESP hdr_resp;
493 uint32 data_len;
494 uint32 data_space_available;
495 uint32 data_len_left;
496
497 /*
498 * If we're in the fault state, keep returning fault PDU's until
499 * the pipe gets closed. JRA.
500 */
501
502 if(p->fault_state) {
503 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
504 return True;
505 }
506
507 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
508
509 /* Change the incoming request header to a response. */
510 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
511
512 /* Set up rpc header flags. */
513 if (p->out_data.data_sent_length == 0) {
514 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
515 } else {
516 p->hdr.flags = 0;
517 }
518
519 /*
520 * Work out how much we can fit in a single PDU.
521 */
522
523 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
524
525 /*
526 * Ensure there really is data left to send.
527 */
528
529 if(!data_len_left) {
530 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
531 return False;
532 }
533
534 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
535 - RPC_HDR_RESP_LEN;
536
537 /*
538 * The amount we send is the minimum of the available
539 * space and the amount left to send.
540 */
541
542 data_len = MIN(data_len_left, data_space_available);
543
544 /*
545 * Set up the alloc hint. This should be the data left to
546 * send.
547 */
548
549 hdr_resp.alloc_hint = data_len_left;
550
551 /*
552 * Work out if this PDU will be the last.
553 */
554
555 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
556 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
557 }
558
559 /*
560 * Set up the header lengths.
561 */
562
563 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
564 p->hdr.auth_len = 0;
565
566 /*
567 * Init the parse struct to point at the outgoing
568 * data.
569 */
570
571 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
572
573 /* Store the header in the data stream. */
574 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
575 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576 prs_mem_free(&p->out_data.frag);
577 return False;
578 }
579
580 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
581 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582 prs_mem_free(&p->out_data.frag);
583 return False;
584 }
585
586 /* Copy the data into the PDU. */
587
588 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
589 p->out_data.data_sent_length, data_len)) {
590 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
591 prs_mem_free(&p->out_data.frag);
592 return False;
593 }
594
595 /*
596 * Setup the counts for this PDU.
597 */
598
599 p->out_data.data_sent_length += data_len;
600 p->out_data.current_pdu_sent = 0;
601
602 return True;
603 }
604
605 /*******************************************************************
606 Generate the next PDU to be returned from the data in p->rdata.
607 ********************************************************************/
608
609 bool create_next_pdu(pipes_struct *p)
610 {
611 switch(p->auth.auth_level) {
612 case DCERPC_AUTH_LEVEL_NONE:
613 case DCERPC_AUTH_LEVEL_CONNECT:
614 /* This is incorrect for auth level connect. Fixme. JRA */
615 return create_next_pdu_noauth(p);
616
617 default:
618 switch(p->auth.auth_type) {
619 case PIPE_AUTH_TYPE_NTLMSSP:
620 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
621 return create_next_pdu_ntlmssp(p);
622 case PIPE_AUTH_TYPE_SCHANNEL:
623 return create_next_pdu_schannel(p);
624 default:
625 break;
626 }
627 }
628
629 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630 (unsigned int)p->auth.auth_level,
631 (unsigned int)p->auth.auth_type));
632 return False;
633 }
634
635 /*******************************************************************
636 Process an NTLMSSP authentication response.
637 If this function succeeds, the user has been authenticated
638 and their domain, name and calling workstation stored in
639 the pipe struct.
640 *******************************************************************/
641
642 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
643 {
644 DATA_BLOB session_key, reply;
645 NTSTATUS status;
646 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
647 bool ret;
648
649 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650 get_pipe_name_from_iface(&p->syntax)));
651
652 ZERO_STRUCT(reply);
653
654 /* this has to be done as root in order to verify the password */
655 become_root();
656 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
657 unbecome_root();
658
659 /* Don't generate a reply. */
660 data_blob_free(&reply);
661
662 if (!NT_STATUS_IS_OK(status)) {
663 return False;
664 }
665
666 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667 ensure the underlying NTLMSSP flags are also set. If not we should
668 refuse the bind. */
669
670 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
671 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
672 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673 "but client declined signing.\n",
674 get_pipe_name_from_iface(&p->syntax)));
675 return False;
676 }
677 }
678 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
679 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
680 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
681 "but client declined sealing.\n",
682 get_pipe_name_from_iface(&p->syntax)));
683 return False;
684 }
685 }
686
687 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688 "workstation: %s\n", a->ntlmssp_state->user,
689 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691 if (a->server_info->ptok == NULL) {
692 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693 return False;
694 }
695
696 TALLOC_FREE(p->server_info);
697
698 p->server_info = copy_serverinfo(p, a->server_info);
699 if (p->server_info == NULL) {
700 DEBUG(0, ("copy_serverinfo failed\n"));
701 return false;
702 }
703
704 /*
705 * We're an authenticated bind over smb, so the session key needs to
706 * be set to "SystemLibraryDTC". Weird, but this is what Windows
707 * does. See the RPC-SAMBA3SESSIONKEY.
708 */
709
710 session_key = generic_session_key();
711 if (session_key.data == NULL) {
712 return False;
713 }
714
715 ret = server_info_set_session_key(p->server_info, session_key);
716
717 data_blob_free(&session_key);
718
719 return True;
720 }
721
722 /*******************************************************************
723 The switch table for the pipe names and the functions to handle them.
724 *******************************************************************/
725
726 struct rpc_table {
727 struct {
728 const char *clnt;
729 const char *srv;
730 } pipe;
731 struct ndr_syntax_id rpc_interface;
732 const struct api_struct *cmds;
733 int n_cmds;
734 };
735
736 static struct rpc_table *rpc_lookup;
737 static int rpc_lookup_size;
738
739 /*******************************************************************
740 This is the "stage3" NTLMSSP response after a bind request and reply.
741 *******************************************************************/
742
743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744 {
745 RPC_HDR_AUTH auth_info;
746 uint32 pad = 0;
747 DATA_BLOB blob;
748
749 ZERO_STRUCT(blob);
750
751 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753 if (p->hdr.auth_len == 0) {
754 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755 goto err;
756 }
757
758 /* 4 bytes padding. */
759 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761 goto err;
762 }
763
764 /*
765 * Decode the authentication verifier response.
766 */
767
768 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770 goto err;
771 }
772
773 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775 (unsigned int)auth_info.auth_type ));
776 return False;
777 }
778
779 blob = data_blob(NULL,p->hdr.auth_len);
780
781 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783 (unsigned int)p->hdr.auth_len ));
784 goto err;
785 }
786
787 /*
788 * The following call actually checks the challenge/response data.
789 * for correctness against the given DOMAIN\user name.
790 */
791
792 if (!pipe_ntlmssp_verify_final(p, &blob)) {
793 goto err;
794 }
795
796 data_blob_free(&blob);
797
798 p->pipe_bound = True;
799
800 return True;
801
802 err:
803
804 data_blob_free(&blob);
805 free_pipe_ntlmssp_auth_data(&p->auth);
806 p->auth.a_u.auth_ntlmssp_state = NULL;
807
808 return False;
809 }
810
811 /*******************************************************************
812 Marshall a bind_nak pdu.
813 *******************************************************************/
814
815 static bool setup_bind_nak(pipes_struct *p)
816 {
817 RPC_HDR nak_hdr;
818 uint16 zero = 0;
819
820 /* Free any memory in the current return data buffer. */
821 prs_mem_free(&p->out_data.rdata);
822
823 /*
824 * Marshall directly into the outgoing PDU space. We
825 * must do this as we need to set to the bind response
826 * header and are never sending more than one PDU here.
827 */
828
829 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831 /*
832 * Initialize a bind_nak header.
833 */
834
835 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838 /*
839 * Marshall the header into the outgoing PDU.
840 */
841
842 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844 prs_mem_free(&p->out_data.frag);
845 return False;
846 }
847
848 /*
849 * Now add the reject reason.
850 */
851
852 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853 prs_mem_free(&p->out_data.frag);
854 return False;
855 }
856
857 p->out_data.data_sent_length = 0;
858 p->out_data.current_pdu_sent = 0;
859
860 if (p->auth.auth_data_free_func) {
861 (*p->auth.auth_data_free_func)(&p->auth);
862 }
863 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865 p->pipe_bound = False;
866
867 return True;
868 }
869
870 /*******************************************************************
871 Marshall a fault pdu.
872 *******************************************************************/
873
874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875 {
876 RPC_HDR fault_hdr;
877 RPC_HDR_RESP hdr_resp;
878 RPC_HDR_FAULT fault_resp;
879
880 /* Free any memory in the current return data buffer. */
881 prs_mem_free(&p->out_data.rdata);
882
883 /*
884 * Marshall directly into the outgoing PDU space. We
885 * must do this as we need to set to the bind response
886 * header and are never sending more than one PDU here.
887 */
888
889 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891 /*
892 * Initialize a fault header.
893 */
894
895 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898 /*
899 * Initialize the HDR_RESP and FAULT parts of the PDU.
900 */
901
902 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904 fault_resp.status = status;
905 fault_resp.reserved = 0;
906
907 /*
908 * Marshall the header into the outgoing PDU.
909 */
910
911 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913 prs_mem_free(&p->out_data.frag);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919 prs_mem_free(&p->out_data.frag);
920 return False;
921 }
922
923 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925 prs_mem_free(&p->out_data.frag);
926 return False;
927 }
928
929 p->out_data.data_sent_length = 0;
930 p->out_data.current_pdu_sent = 0;
931
932 return True;
933 }
934
935 #if 0
936 /*******************************************************************
937 Marshall a cancel_ack pdu.
938 We should probably check the auth-verifier here.
939 *******************************************************************/
940
941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942 {
943 prs_struct outgoing_pdu;
944 RPC_HDR ack_reply_hdr;
945
946 /* Free any memory in the current return data buffer. */
947 prs_mem_free(&p->out_data.rdata);
948
949 /*
950 * Marshall directly into the outgoing PDU space. We
951 * must do this as we need to set to the bind response
952 * header and are never sending more than one PDU here.
953 */
954
955 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958 /*
959 * Initialize a cancel_ack header.
960 */
961
962 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963 p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965 /*
966 * Marshall the header into the outgoing PDU.
967 */
968
969 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971 prs_mem_free(&outgoing_pdu);
972 return False;
973 }
974
975 p->out_data.data_sent_length = 0;
976 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977 p->out_data.current_pdu_sent = 0;
978
979 prs_mem_free(&outgoing_pdu);
980 return True;
981 }
982 #endif
983
984 /*******************************************************************
985 Ensure a bind request has the correct abstract & transfer interface.
986 Used to reject unknown binds from Win2k.
987 *******************************************************************/
988
989 static bool check_bind_req(struct pipes_struct *p,
990 struct ndr_syntax_id* abstract,
991 struct ndr_syntax_id* transfer,
992 uint32 context_id)
993 {
994 int i=0;
995 struct pipe_rpc_fns *context_fns;
996
997 DEBUG(3,("check_bind_req for %s\n",
998 get_pipe_name_from_iface(&p->syntax)));
999
1000 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1001
1002 for (i=0; i<rpc_lookup_size; i++) {
1003 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1004 if (ndr_syntax_id_equal(
1005 abstract, &rpc_lookup[i].rpc_interface)
1006 && ndr_syntax_id_equal(
1007 transfer, &ndr_transfer_syntax)) {
1008 break;
1009 }
1010 }
1011
1012 if (i == rpc_lookup_size) {
1013 return false;
1014 }
1015
1016 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1017 if (context_fns == NULL) {
1018 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1019 return False;
1020 }
1021
1022 context_fns->cmds = rpc_lookup[i].cmds;
1023 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1024 context_fns->context_id = context_id;
1025
1026 /* add to the list of open contexts */
1027
1028 DLIST_ADD( p->contexts, context_fns );
1029
1030 return True;
1031 }
1032
1033 /*******************************************************************
1034 Register commands to an RPC pipe
1035 *******************************************************************/
1036
1037 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1038 const struct ndr_interface_table *iface,
1039 const struct api_struct *cmds, int size)
1040 {
1041 struct rpc_table *rpc_entry;
1042
1043 if (!clnt || !srv || !cmds) {
1044 return NT_STATUS_INVALID_PARAMETER;
1045 }
1046
1047 if (version != SMB_RPC_INTERFACE_VERSION) {
1048 DEBUG(0,("Can't register rpc commands!\n"
1049 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1050 ", while this version of samba uses version %d!\n",
1051 version,SMB_RPC_INTERFACE_VERSION));
1052 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1053 }
1054
1055 /* TODO:
1056 *
1057 * we still need to make sure that don't register the same commands twice!!!
1058 *
1059 * --metze
1060 */
1061
1062 /* We use a temporary variable because this call can fail and
1063 rpc_lookup will still be valid afterwards. It could then succeed if
1064 called again later */
1065 rpc_lookup_size++;
1066 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1067 if (NULL == rpc_entry) {
1068 rpc_lookup_size--;
1069 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1070 return NT_STATUS_NO_MEMORY;
1071 } else {
1072 rpc_lookup = rpc_entry;
1073 }
1074
1075 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1076 ZERO_STRUCTP(rpc_entry);
1077 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1078 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1079 rpc_entry->rpc_interface = iface->syntax_id;
1080 rpc_entry->cmds = cmds;
1081 rpc_entry->n_cmds = size;
1082
1083 return NT_STATUS_OK;
1084 }
1085
1086 /**
1087 * Is a named pipe known?
1088 * @param[in] cli_filename The pipe name requested by the client
1089 * @result Do we want to serve this?
1090 */
1091 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1092 {
1093 const char *pipename = cli_filename;
1094 int i;
1095
1096 if (strnequal(pipename, "\\PIPE\\", 6)) {
1097 pipename += 5;
1098 }
1099
1100 if (*pipename == '\\') {
1101 pipename += 1;
1102 }
1103
1104 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1105 DEBUG(10, ("refusing spoolss access\n"));
1106 return false;
1107 }
1108
1109 for (i=0; i<rpc_lookup_size; i++) {
1110 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1111 *syntax = rpc_lookup[i].rpc_interface;
1112 return true;
1113 }
1114 }
1115
1116 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1117 return false;
1118 }
1119
1120 /*******************************************************************
1121 Handle a SPNEGO krb5 bind auth.
1122 *******************************************************************/
1123
1124 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1125 DATA_BLOB *psecblob, prs_struct *pout_auth)
1126 {
1127 return False;
1128 }
1129
1130 /*******************************************************************
1131 Handle the first part of a SPNEGO bind auth.
1132 *******************************************************************/
1133
1134 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1135 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1136 {
1137 DATA_BLOB blob;
1138 DATA_BLOB secblob;
1139 DATA_BLOB response;
1140 DATA_BLOB chal;
1141 char *OIDs[ASN1_MAX_OIDS];
1142 int i;
1143 NTSTATUS status;
1144 bool got_kerberos_mechanism = false;
1145 AUTH_NTLMSSP_STATE *a = NULL;
1146 RPC_HDR_AUTH auth_info;
1147
1148 ZERO_STRUCT(secblob);
1149 ZERO_STRUCT(chal);
1150 ZERO_STRUCT(response);
1151
1152 /* Grab the SPNEGO blob. */
1153 blob = data_blob(NULL,p->hdr.auth_len);
1154
1155 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1156 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1157 (unsigned int)p->hdr.auth_len ));
1158 goto err;
1159 }
1160
1161 if (blob.data[0] != ASN1_APPLICATION(0)) {
1162 goto err;
1163 }
1164
1165 /* parse out the OIDs and the first sec blob */
1166 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1167 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1168 goto err;
1169 }
1170
1171 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1172 got_kerberos_mechanism = true;
1173 }
1174
1175 for (i=0;OIDs[i];i++) {
1176 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1177 TALLOC_FREE(OIDs[i]);
1178 }
1179 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1180
1181 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1182 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1183 data_blob_free(&secblob);
1184 data_blob_free(&blob);
1185 return ret;
1186 }
1187
1188 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1189 /* Free any previous auth type. */
1190 free_pipe_ntlmssp_auth_data(&p->auth);
1191 }
1192
1193 if (!got_kerberos_mechanism) {
1194 /* Initialize the NTLM engine. */
1195 status = auth_ntlmssp_start(&a);
1196 if (!NT_STATUS_IS_OK(status)) {
1197 goto err;
1198 }
1199
1200 /*
1201 * Pass the first security blob of data to it.
1202 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1203 * which means we need another packet to complete the bind.
1204 */
1205
1206 status = auth_ntlmssp_update(a, secblob, &chal);
1207
1208 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1209 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1210 goto err;
1211 }
1212
1213 /* Generate the response blob we need for step 2 of the bind. */
1214 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1215 } else {
1216 /*
1217 * SPNEGO negotiate down to NTLMSSP. The subsequent
1218 * code to process follow-up packets is not complete
1219 * yet. JRA.
1220 */
1221 response = spnego_gen_auth_response(NULL,
1222 NT_STATUS_MORE_PROCESSING_REQUIRED,
1223 OID_NTLMSSP);
1224 }
1225
1226 /* Copy the blob into the pout_auth parse struct */
1227 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1228 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1229 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1230 goto err;
1231 }
1232
1233 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1234 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1235 goto err;
1236 }
1237
1238 p->auth.a_u.auth_ntlmssp_state = a;
1239 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1240 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1241
1242 data_blob_free(&blob);
1243 data_blob_free(&secblob);
1244 data_blob_free(&chal);
1245 data_blob_free(&response);
1246
1247 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1248 return True;
1249
1250 err:
1251
1252 data_blob_free(&blob);
1253 data_blob_free(&secblob);
1254 data_blob_free(&chal);
1255 data_blob_free(&response);
1256
1257 p->auth.a_u.auth_ntlmssp_state = NULL;
1258
1259 return False;
1260 }
1261
1262 /*******************************************************************
1263 Handle the second part of a SPNEGO bind auth.
1264 *******************************************************************/
1265
1266 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1267 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1268 {
1269 RPC_HDR_AUTH auth_info;
1270 DATA_BLOB spnego_blob;
1271 DATA_BLOB auth_blob;
1272 DATA_BLOB auth_reply;
1273 DATA_BLOB response;
1274 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1275
1276 ZERO_STRUCT(spnego_blob);
1277 ZERO_STRUCT(auth_blob);
1278 ZERO_STRUCT(auth_reply);
1279 ZERO_STRUCT(response);
1280
1281 /*
1282 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1283 * fail here as 'a' == NULL.
1284 */
1285 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1286 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1287 goto err;
1288 }
1289
1290 /* Grab the SPNEGO blob. */
1291 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1292
1293 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1294 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1295 (unsigned int)p->hdr.auth_len ));
1296 goto err;
1297 }
1298
1299 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1300 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1301 goto err;
1302 }
1303
1304 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1305 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1306 goto err;
1307 }
1308
1309 /*
1310 * The following call actually checks the challenge/response data.
1311 * for correctness against the given DOMAIN\user name.
1312 */
1313
1314 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1315 goto err;
1316 }
1317
1318 data_blob_free(&spnego_blob);
1319 data_blob_free(&auth_blob);
1320
1321 /* Generate the spnego "accept completed" blob - no incoming data. */
1322 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1323
1324 /* Copy the blob into the pout_auth parse struct */
1325 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1326 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1327 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1328 goto err;
1329 }
1330
1331 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1332 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1333 goto err;
1334 }
1335
1336 data_blob_free(&auth_reply);
1337 data_blob_free(&response);
1338
1339 p->pipe_bound = True;
1340
1341 return True;
1342
1343 err:
1344
1345 data_blob_free(&spnego_blob);
1346 data_blob_free(&auth_blob);
1347 data_blob_free(&auth_reply);
1348 data_blob_free(&response);
1349
1350 free_pipe_ntlmssp_auth_data(&p->auth);
1351 p->auth.a_u.auth_ntlmssp_state = NULL;
1352
1353 return False;
1354 }
1355
1356 /*******************************************************************
1357 Handle an schannel bind auth.
1358 *******************************************************************/
1359
1360 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1361 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1362 {
1363 RPC_HDR_AUTH auth_info;
1364 struct NL_AUTH_MESSAGE neg;
1365 struct NL_AUTH_MESSAGE reply;
1366 bool ret;
1367 NTSTATUS status;
1368 struct netlogon_creds_CredentialState *creds;
1369 DATA_BLOB session_key;
1370 enum ndr_err_code ndr_err;
1371 DATA_BLOB blob;
1372
1373 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1374 prs_data_size(rpc_in_p));
1375
1376 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1377 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1378 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1379 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1380 return false;
1381 }
1382
1383 if (DEBUGLEVEL >= 10) {
1384 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1385 }
1386
1387 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1388 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1389 return false;
1390 }
1391
1392 /*
1393 * The neg.oem_netbios_computer.a key here must match the remote computer name
1394 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1395 * operations that use credentials.
1396 */
1397
1398 become_root();
1399 status = schannel_fetch_session_key(p,
1400 neg.oem_netbios_computer.a,
1401 &creds);
1402 unbecome_root();
1403
1404 if (!NT_STATUS_IS_OK(status)) {
1405 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1406 return False;
1407 }
1408
1409 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1410 if (!p->auth.a_u.schannel_auth) {
1411 TALLOC_FREE(creds);
1412 return False;
1413 }
1414
1415 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1416 p->auth.a_u.schannel_auth->seq_num = 0;
1417 p->auth.a_u.schannel_auth->initiator = false;
1418 p->auth.a_u.schannel_auth->creds = creds;
1419
1420 /*
1421 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1422 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1423 * struct of the person who opened the pipe. I need to test this further. JRA.
1424 *
1425 * VL. As we are mapping this to guest set the generic key
1426 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1427 * W2k3, as it does not allow schannel binds against SAMR and LSA
1428 * anymore.
1429 */
1430
1431 session_key = generic_session_key();
1432 if (session_key.data == NULL) {
1433 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1434 " key\n"));
1435 return false;
1436 }
1437
1438 ret = server_info_set_session_key(p->server_info, session_key);
1439
1440 data_blob_free(&session_key);
1441
1442 if (!ret) {
1443 DEBUG(0, ("server_info_set_session_key failed\n"));
1444 return false;
1445 }
1446
1447 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1448 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1449 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1450 return False;
1451 }
1452
1453 /*** SCHANNEL verifier ***/
1454
1455 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1456 reply.Flags = 0;
1457 reply.Buffer.dummy = 5; /* ??? actually I don't think
1458 * this has any meaning
1459 * here - gd */
1460
1461 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1462 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1463 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1464 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1465 return false;
1466 }
1467
1468 if (DEBUGLEVEL >= 10) {
1469 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1470 }
1471
1472 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1473 return false;
1474 }
1475
1476 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1477 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1478
1479 /* We're finished with this bind - no more packets. */
1480 p->auth.auth_data_free_func = NULL;
1481 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1482
1483 p->pipe_bound = True;
1484
1485 return True;
1486 }
1487
1488 /*******************************************************************
1489 Handle an NTLMSSP bind auth.
1490 *******************************************************************/
1491
1492 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1493 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1494 {
1495 RPC_HDR_AUTH auth_info;
1496 DATA_BLOB blob;
1497 DATA_BLOB response;
1498 NTSTATUS status;
1499 AUTH_NTLMSSP_STATE *a = NULL;
1500
1501 ZERO_STRUCT(blob);
1502 ZERO_STRUCT(response);
1503
1504 /* Grab the NTLMSSP blob. */
1505 blob = data_blob(NULL,p->hdr.auth_len);
1506
1507 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1508 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1509 (unsigned int)p->hdr.auth_len ));
1510 goto err;
1511 }
1512
1513 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1514 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1515 goto err;
1516 }
1517
1518 /* We have an NTLMSSP blob. */
1519 status = auth_ntlmssp_start(&a);
1520 if (!NT_STATUS_IS_OK(status)) {
1521 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1522 nt_errstr(status) ));
1523 goto err;
1524 }
1525
1526 status = auth_ntlmssp_update(a, blob, &response);
1527 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1528 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1529 nt_errstr(status) ));
1530 goto err;
1531 }
1532
1533 data_blob_free(&blob);
1534
1535 /* Copy the blob into the pout_auth parse struct */
1536 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1537 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1538 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1539 goto err;
1540 }
1541
1542 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1543 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1544 goto err;
1545 }
1546
1547 p->auth.a_u.auth_ntlmssp_state = a;
1548 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1549 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1550
1551 data_blob_free(&blob);
1552 data_blob_free(&response);
1553
1554 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1555
1556 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1557 return True;
1558
1559 err:
1560
1561 data_blob_free(&blob);
1562 data_blob_free(&response);
1563
1564 free_pipe_ntlmssp_auth_data(&p->auth);
1565 p->auth.a_u.auth_ntlmssp_state = NULL;
1566 return False;
1567 }
1568
1569 /*******************************************************************
1570 Respond to a pipe bind request.
1571 *******************************************************************/
1572
1573 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1574 {
1575 RPC_HDR_BA hdr_ba;
1576 RPC_HDR_RB hdr_rb;
1577 RPC_HDR_AUTH auth_info;
1578 uint16 assoc_gid;
1579 fstring ack_pipe_name;
1580 prs_struct out_hdr_ba;
1581 prs_struct out_auth;
1582 int i = 0;
1583 int auth_len = 0;
1584 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1585
1586 /* No rebinds on a bound pipe - use alter context. */
1587 if (p->pipe_bound) {
1588 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1589 "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1590 return setup_bind_nak(p);
1591 }
1592
1593 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1594
1595 /*
1596 * Marshall directly into the outgoing PDU space. We
1597 * must do this as we need to set to the bind response
1598 * header and are never sending more than one PDU here.
1599 */
1600
1601 /*
1602 * Setup the memory to marshall the ba header, and the
1603 * auth footers.
1604 */
1605
1606 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1607 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1608 prs_mem_free(&p->out_data.frag);
1609 return False;
1610 }
1611
1612 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1613 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1614 prs_mem_free(&p->out_data.frag);
1615 prs_mem_free(&out_hdr_ba);
1616 return False;
1617 }
1618
1619 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1620
1621 ZERO_STRUCT(hdr_rb);
1622
1623 /* decode the bind request */
1624
1625 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1626 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1627 "struct.\n"));
1628 goto err_exit;
1629 }
1630
1631 if (hdr_rb.num_contexts == 0) {
1632 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1633 goto err_exit;
1634 }
1635
1636 /*
1637 * Try and find the correct pipe name to ensure
1638 * that this is a pipe name we support.
1639 */
1640
1641 for (i = 0; i < rpc_lookup_size; i++) {
1642 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1643 &hdr_rb.rpc_context[0].abstract)) {
1644 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1645 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1646 break;
1647 }
1648 }
1649
1650 if (i == rpc_lookup_size) {
1651 NTSTATUS status;
1652
1653 status = smb_probe_module(
1654 "rpc", get_pipe_name_from_iface(
1655 &hdr_rb.rpc_context[0].abstract));
1656
1657 if (NT_STATUS_IS_ERR(status)) {
1658 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1659 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1660 prs_mem_free(&p->out_data.frag);
1661 prs_mem_free(&out_hdr_ba);
1662 prs_mem_free(&out_auth);
1663
1664 return setup_bind_nak(p);
1665 }
1666
1667 for (i = 0; i < rpc_lookup_size; i++) {
1668 if (strequal(rpc_lookup[i].pipe.clnt,
1669 get_pipe_name_from_iface(&p->syntax))) {
1670 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1671 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1672 break;
1673 }
1674 }
1675
1676 if (i == rpc_lookup_size) {
1677 DEBUG(0, ("module %s doesn't provide functions for "
1678 "pipe %s!\n",
1679 get_pipe_name_from_iface(&p->syntax),
1680 get_pipe_name_from_iface(&p->syntax)));
1681 goto err_exit;
1682 }
1683 }
1684
1685 /* name has to be \PIPE\xxxxx */
1686 fstrcpy(ack_pipe_name, "\\PIPE\\");
1687 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1688
1689 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1690
1691 /*
1692 * Check if this is an authenticated bind request.
1693 */
1694
1695 if (p->hdr.auth_len) {
1696 /*
1697 * Decode the authentication verifier.
1698 */
1699
1700 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1701 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1702 goto err_exit;
1703 }
1704
1705 auth_type = auth_info.auth_type;
1706
1707 /* Work out if we have to sign or seal etc. */
1708 switch (auth_info.auth_level) {
1709 case DCERPC_AUTH_LEVEL_INTEGRITY:
1710 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1711 break;
1712 case DCERPC_AUTH_LEVEL_PRIVACY:
1713 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1714 break;
1715 default:
1716 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1717 (unsigned int)auth_info.auth_level ));
1718 goto err_exit;
1719 }
1720 } else {
1721 ZERO_STRUCT(auth_info);
1722 }
1723
1724 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1725
1726 switch(auth_type) {
1727 case DCERPC_AUTH_TYPE_NTLMSSP:
1728 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1729 goto err_exit;
1730 }
1731 assoc_gid = 0x7a77;
1732 break;
1733
1734 case DCERPC_AUTH_TYPE_SCHANNEL:
1735 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1736 goto err_exit;
1737 }
1738 break;
1739
1740 case DCERPC_AUTH_TYPE_SPNEGO:
1741 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1742 goto err_exit;
1743 }
1744 break;
1745
1746 case DCERPC_AUTH_TYPE_NONE:
1747 /* Unauthenticated bind request. */
1748 /* We're finished - no more packets. */
1749 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1750 /* We must set the pipe auth_level here also. */
1751 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1752 p->pipe_bound = True;
1753 /* The session key was initialized from the SMB
1754 * session in make_internal_rpc_pipe_p */
1755 break;
1756
1757 default:
1758 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1759 goto err_exit;
1760 }
1761
1762 /*
1763 * Create the bind response struct.
1764 */
1765
1766 /* If the requested abstract synt uuid doesn't match our client pipe,
1767 reject the bind_ack & set the transfer interface synt to all 0's,
1768 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1769 unknown to NT4)
1770 Needed when adding entries to a DACL from NT5 - SK */
1771
1772 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1773 hdr_rb.rpc_context[0].context_id )) {
1774 init_rpc_hdr_ba(&hdr_ba,
1775 RPC_MAX_PDU_FRAG_LEN,
1776 RPC_MAX_PDU_FRAG_LEN,
1777 assoc_gid,
1778 ack_pipe_name,
1779 0x1, 0x0, 0x0,
1780 &hdr_rb.rpc_context[0].transfer[0]);
1781 } else {
1782 /* Rejection reason: abstract syntax not supported */
1783 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1784 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1785 ack_pipe_name, 0x1, 0x2, 0x1,
1786 &null_ndr_syntax_id);
1787 p->pipe_bound = False;
1788 }
1789
1790 /*
1791 * and marshall it.
1792 */
1793
1794 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1795 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1796 goto err_exit;
1797 }
1798
1799 /*
1800 * Create the header, now we know the length.
1801 */
1802
1803 if (prs_offset(&out_auth)) {
1804 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1805 }
1806
1807 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1808 p->hdr.call_id,
1809 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1810 auth_len);
1811
1812 /*
1813 * Marshall the header into the outgoing PDU.
1814 */
1815
1816 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1817 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1818 goto err_exit;
1819 }
1820
1821 /*
1822 * Now add the RPC_HDR_BA and any auth needed.
1823 */
1824
1825 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1826 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1827 goto err_exit;
1828 }
1829
1830 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1831 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1832 goto err_exit;
1833 }
1834
1835 /*
1836 * Setup the lengths for the initial reply.
1837 */
1838
1839 p->out_data.data_sent_length = 0;
1840 p->out_data.current_pdu_sent = 0;
1841
1842 prs_mem_free(&out_hdr_ba);
1843 prs_mem_free(&out_auth);
1844
1845 return True;
1846
1847 err_exit:
1848
1849 prs_mem_free(&p->out_data.frag);
1850 prs_mem_free(&out_hdr_ba);
1851 prs_mem_free(&out_auth);
1852 return setup_bind_nak(p);
1853 }
1854
1855 /****************************************************************************
1856 Deal with an alter context call. Can be third part of 3 leg auth request for
1857 SPNEGO calls.
1858 ****************************************************************************/
1859
1860 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1861 {
1862 RPC_HDR_BA hdr_ba;
1863 RPC_HDR_RB hdr_rb;
1864 RPC_HDR_AUTH auth_info;
1865 uint16 assoc_gid;
1866 fstring ack_pipe_name;
1867 prs_struct out_hdr_ba;
1868 prs_struct out_auth;
1869 int auth_len = 0;
1870
1871 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1872
1873 /*
1874 * Marshall directly into the outgoing PDU space. We
1875 * must do this as we need to set to the bind response
1876 * header and are never sending more than one PDU here.
1877 */
1878
1879 /*
1880 * Setup the memory to marshall the ba header, and the
1881 * auth footers.
1882 */
1883
1884 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1885 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1886 prs_mem_free(&p->out_data.frag);
1887 return False;
1888 }
1889
1890 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1891 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1892 prs_mem_free(&p->out_data.frag);
1893 prs_mem_free(&out_hdr_ba);
1894 return False;
1895 }
1896
1897 ZERO_STRUCT(hdr_rb);
1898
1899 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1900
1901 /* decode the alter context request */
1902 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1903 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1904 goto err_exit;
1905 }
1906
1907 /* secondary address CAN be NULL
1908 * as the specs say it's ignored.
1909 * It MUST be NULL to have the spoolss working.
1910 */
1911 fstrcpy(ack_pipe_name,"");
1912
1913 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1914
1915 /*
1916 * Check if this is an authenticated alter context request.
1917 */
1918
1919 if (p->hdr.auth_len != 0) {
1920 /*
1921 * Decode the authentication verifier.
1922 */
1923
1924 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1925 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1926 goto err_exit;
1927 }
1928
1929 /*
1930 * Currently only the SPNEGO auth type uses the alter ctx
1931 * response in place of the NTLMSSP auth3 type.
1932 */
1933
1934 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1935 /* We can only finish if the pipe is unbound. */
1936 if (!p->pipe_bound) {
1937 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1938 goto err_exit;
1939 }
1940 } else {
1941 goto err_exit;
1942 }
1943 }
1944 } else {
1945 ZERO_STRUCT(auth_info);
1946 }
1947
1948 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1949
1950 /*
1951 * Create the bind response struct.
1952 */
1953
1954 /* If the requested abstract synt uuid doesn't match our client pipe,
1955 reject the bind_ack & set the transfer interface synt to all 0's,
1956 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1957 unknown to NT4)
1958 Needed when adding entries to a DACL from NT5 - SK */
1959
1960 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1961 hdr_rb.rpc_context[0].context_id )) {
1962 init_rpc_hdr_ba(&hdr_ba,
1963 RPC_MAX_PDU_FRAG_LEN,
1964 RPC_MAX_PDU_FRAG_LEN,
1965 assoc_gid,
1966 ack_pipe_name,
1967 0x1, 0x0, 0x0,
1968 &hdr_rb.rpc_context[0].transfer[0]);
1969 } else {
1970 /* Rejection reason: abstract syntax not supported */
1971 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1972 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1973 ack_pipe_name, 0x1, 0x2, 0x1,
1974 &null_ndr_syntax_id);
1975 p->pipe_bound = False;
1976 }
1977
1978 /*
1979 * and marshall it.
1980 */
1981
1982 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1983 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1984 goto err_exit;
1985 }
1986
1987 /*
1988 * Create the header, now we know the length.
1989 */
1990
1991 if (prs_offset(&out_auth)) {
1992 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1993 }
1994
1995 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1996 p->hdr.call_id,
1997 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1998 auth_len);
1999
2000 /*
2001 * Marshall the header into the outgoing PDU.
2002 */
2003
2004 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2005 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2006 goto err_exit;
2007 }
2008
2009 /*
2010 * Now add the RPC_HDR_BA and any auth needed.
2011 */
2012
2013 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2014 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2015 goto err_exit;
2016 }
2017
2018 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2019 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2020 goto err_exit;
2021 }
2022
2023 /*
2024 * Setup the lengths for the initial reply.
2025 */
2026
2027 p->out_data.data_sent_length = 0;
2028 p->out_data.current_pdu_sent = 0;
2029
2030 prs_mem_free(&out_hdr_ba);
2031 prs_mem_free(&out_auth);
2032
2033 return True;
2034
2035 err_exit:
2036
2037 prs_mem_free(&p->out_data.frag);
2038 prs_mem_free(&out_hdr_ba);
2039 prs_mem_free(&out_auth);
2040 return setup_bind_nak(p);
2041 }
2042
2043 /****************************************************************************
2044 Deal with NTLMSSP sign & seal processing on an RPC request.
2045 ****************************************************************************/
2046
2047 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2048 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2049 {
2050 RPC_HDR_AUTH auth_info;
2051 uint32 auth_len = p->hdr.auth_len;
2052 uint32 save_offset = prs_offset(rpc_in);
2053 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2054 unsigned char *data = NULL;
2055 size_t data_len;
2056 unsigned char *full_packet_data = NULL;
2057 size_t full_packet_data_len;
2058 DATA_BLOB auth_blob;
2059
2060 *pstatus = NT_STATUS_OK;
2061
2062 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2063 return True;
2064 }
2065
2066 if (!a) {
2067 *pstatus = NT_STATUS_INVALID_PARAMETER;
2068 return False;
2069 }
2070
2071 /* Ensure there's enough data for an authenticated request. */
2072 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2073 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2074 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2075 (unsigned int)auth_len ));
2076 *pstatus = NT_STATUS_INVALID_PARAMETER;
2077 return False;
2078 }
2079
2080 /*
2081 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2082 * after the RPC header.
2083 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2084 * functions as NTLMv2 checks the rpc headers also.
2085 */
2086
2087 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2088 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2089
2090 full_packet_data = p->in_data.current_in_pdu;
2091 full_packet_data_len = p->hdr.frag_len - auth_len;
2092
2093 /* Pull the auth header and the following data into a blob. */
2094 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2095 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2096 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2097 *pstatus = NT_STATUS_INVALID_PARAMETER;
2098 return False;
2099 }
2100
2101 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2102 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2103 *pstatus = NT_STATUS_INVALID_PARAMETER;
2104 return False;
2105 }
2106
2107 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2108 auth_blob.length = auth_len;
2109
2110 switch (p->auth.auth_level) {
2111 case DCERPC_AUTH_LEVEL_PRIVACY:
2112 /* Data is encrypted. */
2113 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2114 data, data_len,
2115 full_packet_data,
2116 full_packet_data_len,
2117 &auth_blob);
2118 if (!NT_STATUS_IS_OK(*pstatus)) {
2119 return False;
2120 }
2121 break;
2122 case DCERPC_AUTH_LEVEL_INTEGRITY:
2123 /* Data is signed. */
2124 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2125 data, data_len,
2126 full_packet_data,
2127 full_packet_data_len,
2128 &auth_blob);
2129 if (!NT_STATUS_IS_OK(*pstatus)) {
2130 return False;
2131 }
2132 break;
2133 default:
2134 *pstatus = NT_STATUS_INVALID_PARAMETER;
2135 return False;
2136 }
2137
2138 /*
2139 * Return the current pointer to the data offset.
2140 */
2141
2142 if(!prs_set_offset(rpc_in, save_offset)) {
2143 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2144 (unsigned int)save_offset ));
2145 *pstatus = NT_STATUS_INVALID_PARAMETER;
2146 return False;
2147 }
2148
2149 /*
2150 * Remember the padding length. We must remove it from the real data
2151 * stream once the sign/seal is done.
2152 */
2153
2154 *p_ss_padding_len = auth_info.auth_pad_len;
2155
2156 return True;
2157 }
2158
2159 /****************************************************************************
2160 Deal with schannel processing on an RPC request.
2161 ****************************************************************************/
2162
2163 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2164 {
2165 uint32 data_len;
2166 uint32 auth_len;
2167 uint32 save_offset = prs_offset(rpc_in);
2168 RPC_HDR_AUTH auth_info;
2169 DATA_BLOB blob;
2170 NTSTATUS status;
2171 uint8_t *data;
2172
2173 auth_len = p->hdr.auth_len;
2174
2175 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2176 auth_len > RPC_HEADER_LEN +
2177 RPC_HDR_REQ_LEN +
2178 RPC_HDR_AUTH_LEN +
2179 auth_len) {
2180 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2181 return False;
2182 }
2183
2184 /*
2185 * The following is that length of the data we must verify or unseal.
2186 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2187 * preceeding the auth_data.
2188 */
2189
2190 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2191 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2192 (unsigned int)p->hdr.frag_len,
2193 (unsigned int)auth_len ));
2194 return False;
2195 }
2196
2197 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2198 RPC_HDR_AUTH_LEN - auth_len;
2199
2200 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2201
2202 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2203 DEBUG(0,("cannot move offset to %u.\n",
2204 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2205 return False;
2206 }
2207
2208 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2209 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2210 return False;
2211 }
2212
2213 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2214 DEBUG(0,("Invalid auth info %d on schannel\n",
2215 auth_info.auth_type));
2216 return False;
2217 }
2218
2219 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2220
2221 if (DEBUGLEVEL >= 10) {
2222 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2223 }
2224
2225 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2226
2227 switch (auth_info.auth_level) {
2228 case DCERPC_AUTH_LEVEL_PRIVACY:
2229 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2230 talloc_tos(),
2231 true,
2232 data,
2233 data_len,
2234 &blob);
2235 break;
2236 case DCERPC_AUTH_LEVEL_INTEGRITY:
2237 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2238 talloc_tos(),
2239 false,
2240 data,
2241 data_len,
2242 &blob);
2243 break;
2244 default:
2245 status = NT_STATUS_INTERNAL_ERROR;
2246 break;
2247 }
2248
2249 if (!NT_STATUS_IS_OK(status)) {
2250 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2251 return false;
2252 }
2253
2254 /*
2255 * Return the current pointer to the data offset.
2256 */
2257
2258 if(!prs_set_offset(rpc_in, save_offset)) {
2259 DEBUG(0,("failed to set offset back to %u\n",
2260 (unsigned int)save_offset ));
2261 return False;
2262 }
2263
2264 /*
2265 * Remember the padding length. We must remove it from the real data
2266 * stream once the sign/seal is done.
2267 */
2268
2269 *p_ss_padding_len = auth_info.auth_pad_len;
2270
2271 return True;
2272 }
2273
2274 /****************************************************************************
2275 Find the set of RPC functions associated with this context_id
2276 ****************************************************************************/
2277
2278 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2279 {
2280 PIPE_RPC_FNS *fns = NULL;
2281
2282 if ( !list ) {
2283 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2284 return NULL;
2285 }
2286
2287 for (fns=list; fns; fns=fns->next ) {
2288 if ( fns->context_id == context_id )
2289 return fns;
2290 }
2291 return NULL;
2292 }
2293
2294 /****************************************************************************
2295 Memory cleanup.
2296 ****************************************************************************/
2297
2298 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2299 {
2300 PIPE_RPC_FNS *tmp = list;
2301 PIPE_RPC_FNS *tmp2;
2302
2303 while (tmp) {
2304 tmp2 = tmp->next;
2305 SAFE_FREE(tmp);
2306 tmp = tmp2;
2307 }
2308
2309 return;
2310 }
2311
2312 static bool api_rpcTNP(pipes_struct *p,
2313 const struct api_struct *api_rpc_cmds, int n_cmds);
2314
2315 /****************************************************************************
2316 Find the correct RPC function to call for this request.
2317 If the pipe is authenticated then become the correct UNIX user
2318 before doing the call.
2319 ****************************************************************************/
2320
2321 bool api_pipe_request(pipes_struct *p)
2322 {
2323 bool ret = False;
2324 bool changed_user = False;
2325 PIPE_RPC_FNS *pipe_fns;
2326
2327 if (p->pipe_bound &&
2328 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2329 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2330 if(!become_authenticated_pipe_user(p)) {
2331 prs_mem_free(&p->out_data.rdata);
2332 return False;
2333 }
2334 changed_user = True;
2335 }
2336
2337 DEBUG(5, ("Requested \\PIPE\\%s\n",
2338 get_pipe_name_from_iface(&p->syntax)));
2339
2340 /* get the set of RPC functions for this context */
2341
2342 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2343
2344 if ( pipe_fns ) {
2345 TALLOC_CTX *frame = talloc_stackframe();
2346 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2347 TALLOC_FREE(frame);
2348 }
2349 else {
2350 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2351 p->hdr_req.context_id,
2352 get_pipe_name_from_iface(&p->syntax)));
2353 }
2354
2355 if (changed_user) {
2356 unbecome_authenticated_pipe_user();
2357 }
2358
2359 return ret;
2360 }
2361
2362 /*******************************************************************
2363 Calls the underlying RPC function for a named pipe.
2364 ********************************************************************/
2365
2366 static bool api_rpcTNP(pipes_struct *p,
2367 const struct api_struct *api_rpc_cmds, int n_cmds)
2368 {
2369 int fn_num;
2370 uint32 offset1, offset2;
2371
2372 /* interpret the command */
2373 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2374 get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2375
2376 if (DEBUGLEVEL >= 50) {
2377 fstring name;
2378 slprintf(name, sizeof(name)-1, "in_%s",
2379 get_pipe_name_from_iface(&p->syntax));
2380 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2381 }
2382
2383 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2384 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2385 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2386 break;
2387 }
2388 }
2389
2390 if (fn_num == n_cmds) {
2391 /*
2392 * For an unknown RPC just return a fault PDU but
2393 * return True to allow RPC's on the pipe to continue
2394 * and not put the pipe into fault state. JRA.
2395 */
2396 DEBUG(4, ("unknown\n"));
2397 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2398 return True;
2399 }
2400
2401 offset1 = prs_offset(&p->out_data.rdata);
2402
2403 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2404 fn_num, api_rpc_cmds[fn_num].fn));
2405 /* do the actual command */
2406 if(!api_rpc_cmds[fn_num].fn(p)) {
2407 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2408 get_pipe_name_from_iface(&p->syntax),
2409 api_rpc_cmds[fn_num].name));
2410 prs_mem_free(&p->out_data.rdata);
2411 return False;
2412 }
2413
2414 if (p->bad_handle_fault_state) {
2415 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2416 p->bad_handle_fault_state = False;
2417 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2418 return True;
2419 }
2420
2421 if (p->rng_fault_state) {
2422 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2423 p->rng_fault_state = False;
2424 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2425 return True;
2426 }
2427
2428 offset2 = prs_offset(&p->out_data.rdata);
2429 prs_set_offset(&p->out_data.rdata, offset1);
2430 if (DEBUGLEVEL >= 50) {
2431 fstring name;
2432 slprintf(name, sizeof(name)-1, "out_%s",
2433 get_pipe_name_from_iface(&p->syntax));
2434 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2435 }
2436 prs_set_offset(&p->out_data.rdata, offset2);
2437
2438 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2439 get_pipe_name_from_iface(&p->syntax)));
2440
2441 /* Check for buffer underflow in rpc parsing */
2442
2443 if ((DEBUGLEVEL >= 10) &&
2444 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2445 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2446 char *data = (char *)SMB_MALLOC(data_len);
2447
2448 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2449 if (data) {
2450 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2451 SAFE_FREE(data);
2452 }
2453
2454 }
2455
2456 return True;
2457 }
aatanasov's samba4 branch