search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "s3: Consolidate getting the name out of a pipes_struct"
[Samba/bb.git] / source3 / rpc_server / srv_pipe.c
blob90eb4f96c3f2d9cc2f12ab2cf35601a754e03c51
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
36
37 extern struct current_user current_user;
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
43 {
44 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
45
46 if (a) {
47 auth_ntlmssp_end(&a);
48 }
49 auth->a_u.auth_ntlmssp_state = NULL;
50 }
51
52 static DATA_BLOB generic_session_key(void)
53 {
54 return data_blob("SystemLibraryDTC", 16);
55 }
56
57 /*******************************************************************
58 Generate the next PDU to be returned from the data in p->rdata.
59 Handle NTLMSSP.
60 ********************************************************************/
61
62 static bool create_next_pdu_ntlmssp(pipes_struct *p)
63 {
64 RPC_HDR_RESP hdr_resp;
65 uint32 ss_padding_len = 0;
66 uint32 data_space_available;
67 uint32 data_len_left;
68 uint32 data_len;
69 NTSTATUS status;
70 DATA_BLOB auth_blob;
71 RPC_HDR_AUTH auth_info;
72 uint8 auth_type, auth_level;
73 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
74
75 /*
76 * If we're in the fault state, keep returning fault PDU's until
77 * the pipe gets closed. JRA.
78 */
79
80 if(p->fault_state) {
81 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
82 return True;
83 }
84
85 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
86
87 /* Change the incoming request header to a response. */
88 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
89
90 /* Set up rpc header flags. */
91 if (p->out_data.data_sent_length == 0) {
92 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
93 } else {
94 p->hdr.flags = 0;
95 }
96
97 /*
98 * Work out how much we can fit in a single PDU.
99 */
100
101 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
102
103 /*
104 * Ensure there really is data left to send.
105 */
106
107 if(!data_len_left) {
108 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
109 return False;
110 }
111
112 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
113 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115 /*
116 * The amount we send is the minimum of the available
117 * space and the amount left to send.
118 */
119
120 data_len = MIN(data_len_left, data_space_available);
121
122 /*
123 * Set up the alloc hint. This should be the data left to
124 * send.
125 */
126
127 hdr_resp.alloc_hint = data_len_left;
128
129 /*
130 * Work out if this PDU will be the last.
131 */
132
133 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
134 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
135 if (data_len_left % 8) {
136 ss_padding_len = 8 - (data_len_left % 8);
137 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
138 ss_padding_len ));
139 }
140 }
141
142 /*
143 * Set up the header lengths.
144 */
145
146 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147 data_len + ss_padding_len +
148 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152 /*
153 * Init the parse struct to point at the outgoing
154 * data.
155 */
156
157 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159 /* Store the header in the data stream. */
160 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162 prs_mem_free(&p->out_data.frag);
163 return False;
164 }
165
166 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168 prs_mem_free(&p->out_data.frag);
169 return False;
170 }
171
172 /* Copy the data into the PDU. */
173
174 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175 p->out_data.data_sent_length, data_len)) {
176 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177 prs_mem_free(&p->out_data.frag);
178 return False;
179 }
180
181 /* Copy the sign/seal padding data. */
182 if (ss_padding_len) {
183 char pad[8];
184
185 memset(pad, '\0', 8);
186 if (!prs_copy_data_in(&p->out_data.frag, pad,
187 ss_padding_len)) {
188 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189 (unsigned int)ss_padding_len));
190 prs_mem_free(&p->out_data.frag);
191 return False;
192 }
193 }
194
195
196 /* Now write out the auth header and null blob. */
197 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199 } else {
200 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201 }
202 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204 } else {
205 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206 }
207
208 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
210 0)) {
211 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212 prs_mem_free(&p->out_data.frag);
213 return False;
214 }
215
216 /* Generate the sign blob. */
217
218 switch (p->auth.auth_level) {
219 case DCERPC_AUTH_LEVEL_PRIVACY:
220 /* Data portion is encrypted. */
221 status = ntlmssp_seal_packet(
222 a->ntlmssp_state,
223 (uint8_t *)prs_data_p(&p->out_data.frag)
224 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
225 data_len + ss_padding_len,
226 (unsigned char *)prs_data_p(&p->out_data.frag),
227 (size_t)prs_offset(&p->out_data.frag),
228 &auth_blob);
229 if (!NT_STATUS_IS_OK(status)) {
230 data_blob_free(&auth_blob);
231 prs_mem_free(&p->out_data.frag);
232 return False;
233 }
234 break;
235 case DCERPC_AUTH_LEVEL_INTEGRITY:
236 /* Data is signed. */
237 status = ntlmssp_sign_packet(
238 a->ntlmssp_state,
239 (unsigned char *)prs_data_p(&p->out_data.frag)
240 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
241 data_len + ss_padding_len,
242 (unsigned char *)prs_data_p(&p->out_data.frag),
243 (size_t)prs_offset(&p->out_data.frag),
244 &auth_blob);
245 if (!NT_STATUS_IS_OK(status)) {
246 data_blob_free(&auth_blob);
247 prs_mem_free(&p->out_data.frag);
248 return False;
249 }
250 break;
251 default:
252 prs_mem_free(&p->out_data.frag);
253 return False;
254 }
255
256 /* Append the auth blob. */
257 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
258 NTLMSSP_SIG_SIZE)) {
259 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260 (unsigned int)NTLMSSP_SIG_SIZE));
261 data_blob_free(&auth_blob);
262 prs_mem_free(&p->out_data.frag);
263 return False;
264 }
265
266 data_blob_free(&auth_blob);
267
268 /*
269 * Setup the counts for this PDU.
270 */
271
272 p->out_data.data_sent_length += data_len;
273 p->out_data.current_pdu_sent = 0;
274
275 return True;
276 }
277
278 /*******************************************************************
279 Generate the next PDU to be returned from the data in p->rdata.
280 Return an schannel authenticated fragment.
281 ********************************************************************/
282
283 static bool create_next_pdu_schannel(pipes_struct *p)
284 {
285 RPC_HDR_RESP hdr_resp;
286 uint32 ss_padding_len = 0;
287 uint32 data_len;
288 uint32 data_space_available;
289 uint32 data_len_left;
290 uint32 data_pos;
291 NTSTATUS status;
292
293 /*
294 * If we're in the fault state, keep returning fault PDU's until
295 * the pipe gets closed. JRA.
296 */
297
298 if(p->fault_state) {
299 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
300 return True;
301 }
302
303 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
304
305 /* Change the incoming request header to a response. */
306 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
307
308 /* Set up rpc header flags. */
309 if (p->out_data.data_sent_length == 0) {
310 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
311 } else {
312 p->hdr.flags = 0;
313 }
314
315 /*
316 * Work out how much we can fit in a single PDU.
317 */
318
319 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
320
321 /*
322 * Ensure there really is data left to send.
323 */
324
325 if(!data_len_left) {
326 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
327 return False;
328 }
329
330 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
331 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
332 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
333
334 /*
335 * The amount we send is the minimum of the available
336 * space and the amount left to send.
337 */
338
339 data_len = MIN(data_len_left, data_space_available);
340
341 /*
342 * Set up the alloc hint. This should be the data left to
343 * send.
344 */
345
346 hdr_resp.alloc_hint = data_len_left;
347
348 /*
349 * Work out if this PDU will be the last.
350 */
351
352 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
353 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
354 if (data_len_left % 8) {
355 ss_padding_len = 8 - (data_len_left % 8);
356 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357 ss_padding_len ));
358 }
359 }
360
361 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
362 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364
365 /*
366 * Init the parse struct to point at the outgoing
367 * data.
368 */
369
370 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
371
372 /* Store the header in the data stream. */
373 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
374 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375 prs_mem_free(&p->out_data.frag);
376 return False;
377 }
378
379 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
380 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381 prs_mem_free(&p->out_data.frag);
382 return False;
383 }
384
385 /* Store the current offset. */
386 data_pos = prs_offset(&p->out_data.frag);
387
388 /* Copy the data into the PDU. */
389
390 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
391 p->out_data.data_sent_length, data_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
393 prs_mem_free(&p->out_data.frag);
394 return False;
395 }
396
397 /* Copy the sign/seal padding data. */
398 if (ss_padding_len) {
399 char pad[8];
400 memset(pad, '\0', 8);
401 if (!prs_copy_data_in(&p->out_data.frag, pad,
402 ss_padding_len)) {
403 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
404 prs_mem_free(&p->out_data.frag);
405 return False;
406 }
407 }
408
409 {
410 /*
411 * Schannel processing.
412 */
413 RPC_HDR_AUTH auth_info;
414 DATA_BLOB blob;
415 uint8_t *data;
416
417 /* Check it's the type of reply we were expecting to decode */
418
419 init_rpc_hdr_auth(&auth_info,
420 DCERPC_AUTH_TYPE_SCHANNEL,
421 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
422 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
423 ss_padding_len, 1);
424
425 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
426 &p->out_data.frag, 0)) {
427 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428 prs_mem_free(&p->out_data.frag);
429 return False;
430 }
431
432 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
433
434 switch (p->auth.auth_level) {
435 case DCERPC_AUTH_LEVEL_PRIVACY:
436 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
437 talloc_tos(),
438 true,
439 data,
440 data_len + ss_padding_len,
441 &blob);
442 break;
443 case DCERPC_AUTH_LEVEL_INTEGRITY:
444 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
445 talloc_tos(),
446 false,
447 data,
448 data_len + ss_padding_len,
449 &blob);
450 break;
451 default:
452 status = NT_STATUS_INTERNAL_ERROR;
453 break;
454 }
455
456 if (!NT_STATUS_IS_OK(status)) {
457 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
458 nt_errstr(status)));
459 prs_mem_free(&p->out_data.frag);
460 return false;
461 }
462
463 /* Finally marshall the blob. */
464
465 if (DEBUGLEVEL >= 10) {
466 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
467 }
468
469 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
470 prs_mem_free(&p->out_data.frag);
471 return false;
472 }
473 }
474
475 /*
476 * Setup the counts for this PDU.
477 */
478
479 p->out_data.data_sent_length += data_len;
480 p->out_data.current_pdu_sent = 0;
481
482 return True;
483 }
484
485 /*******************************************************************
486 Generate the next PDU to be returned from the data in p->rdata.
487 No authentication done.
488 ********************************************************************/
489
490 static bool create_next_pdu_noauth(pipes_struct *p)
491 {
492 RPC_HDR_RESP hdr_resp;
493 uint32 data_len;
494 uint32 data_space_available;
495 uint32 data_len_left;
496
497 /*
498 * If we're in the fault state, keep returning fault PDU's until
499 * the pipe gets closed. JRA.
500 */
501
502 if(p->fault_state) {
503 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
504 return True;
505 }
506
507 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
508
509 /* Change the incoming request header to a response. */
510 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
511
512 /* Set up rpc header flags. */
513 if (p->out_data.data_sent_length == 0) {
514 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
515 } else {
516 p->hdr.flags = 0;
517 }
518
519 /*
520 * Work out how much we can fit in a single PDU.
521 */
522
523 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
524
525 /*
526 * Ensure there really is data left to send.
527 */
528
529 if(!data_len_left) {
530 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
531 return False;
532 }
533
534 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
535 - RPC_HDR_RESP_LEN;
536
537 /*
538 * The amount we send is the minimum of the available
539 * space and the amount left to send.
540 */
541
542 data_len = MIN(data_len_left, data_space_available);
543
544 /*
545 * Set up the alloc hint. This should be the data left to
546 * send.
547 */
548
549 hdr_resp.alloc_hint = data_len_left;
550
551 /*
552 * Work out if this PDU will be the last.
553 */
554
555 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
556 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
557 }
558
559 /*
560 * Set up the header lengths.
561 */
562
563 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
564 p->hdr.auth_len = 0;
565
566 /*
567 * Init the parse struct to point at the outgoing
568 * data.
569 */
570
571 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
572
573 /* Store the header in the data stream. */
574 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
575 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576 prs_mem_free(&p->out_data.frag);
577 return False;
578 }
579
580 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
581 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582 prs_mem_free(&p->out_data.frag);
583 return False;
584 }
585
586 /* Copy the data into the PDU. */
587
588 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
589 p->out_data.data_sent_length, data_len)) {
590 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
591 prs_mem_free(&p->out_data.frag);
592 return False;
593 }
594
595 /*
596 * Setup the counts for this PDU.
597 */
598
599 p->out_data.data_sent_length += data_len;
600 p->out_data.current_pdu_sent = 0;
601
602 return True;
603 }
604
605 /*******************************************************************
606 Generate the next PDU to be returned from the data in p->rdata.
607 ********************************************************************/
608
609 bool create_next_pdu(pipes_struct *p)
610 {
611 switch(p->auth.auth_level) {
612 case DCERPC_AUTH_LEVEL_NONE:
613 case DCERPC_AUTH_LEVEL_CONNECT:
614 /* This is incorrect for auth level connect. Fixme. JRA */
615 return create_next_pdu_noauth(p);
616
617 default:
618 switch(p->auth.auth_type) {
619 case PIPE_AUTH_TYPE_NTLMSSP:
620 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
621 return create_next_pdu_ntlmssp(p);
622 case PIPE_AUTH_TYPE_SCHANNEL:
623 return create_next_pdu_schannel(p);
624 default:
625 break;
626 }
627 }
628
629 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630 (unsigned int)p->auth.auth_level,
631 (unsigned int)p->auth.auth_type));
632 return False;
633 }
634
635 /*******************************************************************
636 Process an NTLMSSP authentication response.
637 If this function succeeds, the user has been authenticated
638 and their domain, name and calling workstation stored in
639 the pipe struct.
640 *******************************************************************/
641
642 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
643 {
644 DATA_BLOB session_key, reply;
645 NTSTATUS status;
646 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
647 bool ret;
648
649 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
651
652 ZERO_STRUCT(reply);
653
654 /* this has to be done as root in order to verify the password */
655 become_root();
656 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
657 unbecome_root();
658
659 /* Don't generate a reply. */
660 data_blob_free(&reply);
661
662 if (!NT_STATUS_IS_OK(status)) {
663 return False;
664 }
665
666 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667 ensure the underlying NTLMSSP flags are also set. If not we should
668 refuse the bind. */
669
670 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
671 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
672 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673 "but client declined signing.\n",
674 get_pipe_name_from_syntax(talloc_tos(),
675 &p->syntax)));
676 return False;
677 }
678 }
679 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
680 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
681 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
682 "but client declined sealing.\n",
683 get_pipe_name_from_syntax(talloc_tos(),
684 &p->syntax)));
685 return False;
686 }
687 }
688
689 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
690 "workstation: %s\n", a->ntlmssp_state->user,
691 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
692
693 if (a->server_info->ptok == NULL) {
694 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
695 return False;
696 }
697
698 TALLOC_FREE(p->server_info);
699
700 p->server_info = copy_serverinfo(p, a->server_info);
701 if (p->server_info == NULL) {
702 DEBUG(0, ("copy_serverinfo failed\n"));
703 return false;
704 }
705
706 /*
707 * We're an authenticated bind over smb, so the session key needs to
708 * be set to "SystemLibraryDTC". Weird, but this is what Windows
709 * does. See the RPC-SAMBA3SESSIONKEY.
710 */
711
712 session_key = generic_session_key();
713 if (session_key.data == NULL) {
714 return False;
715 }
716
717 ret = server_info_set_session_key(p->server_info, session_key);
718
719 data_blob_free(&session_key);
720
721 return True;
722 }
723
724 /*******************************************************************
725 The switch table for the pipe names and the functions to handle them.
726 *******************************************************************/
727
728 struct rpc_table {
729 struct {
730 const char *clnt;
731 const char *srv;
732 } pipe;
733 struct ndr_syntax_id rpc_interface;
734 const struct api_struct *cmds;
735 int n_cmds;
736 };
737
738 static struct rpc_table *rpc_lookup;
739 static int rpc_lookup_size;
740
741 /*******************************************************************
742 This is the "stage3" NTLMSSP response after a bind request and reply.
743 *******************************************************************/
744
745 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
746 {
747 RPC_HDR_AUTH auth_info;
748 uint32 pad = 0;
749 DATA_BLOB blob;
750
751 ZERO_STRUCT(blob);
752
753 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
754
755 if (p->hdr.auth_len == 0) {
756 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
757 goto err;
758 }
759
760 /* 4 bytes padding. */
761 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
762 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
763 goto err;
764 }
765
766 /*
767 * Decode the authentication verifier response.
768 */
769
770 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
771 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
772 goto err;
773 }
774
775 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
776 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
777 (unsigned int)auth_info.auth_type ));
778 return False;
779 }
780
781 blob = data_blob(NULL,p->hdr.auth_len);
782
783 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
784 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
785 (unsigned int)p->hdr.auth_len ));
786 goto err;
787 }
788
789 /*
790 * The following call actually checks the challenge/response data.
791 * for correctness against the given DOMAIN\user name.
792 */
793
794 if (!pipe_ntlmssp_verify_final(p, &blob)) {
795 goto err;
796 }
797
798 data_blob_free(&blob);
799
800 p->pipe_bound = True;
801
802 return True;
803
804 err:
805
806 data_blob_free(&blob);
807 free_pipe_ntlmssp_auth_data(&p->auth);
808 p->auth.a_u.auth_ntlmssp_state = NULL;
809
810 return False;
811 }
812
813 /*******************************************************************
814 Marshall a bind_nak pdu.
815 *******************************************************************/
816
817 static bool setup_bind_nak(pipes_struct *p)
818 {
819 RPC_HDR nak_hdr;
820 uint16 zero = 0;
821
822 /* Free any memory in the current return data buffer. */
823 prs_mem_free(&p->out_data.rdata);
824
825 /*
826 * Marshall directly into the outgoing PDU space. We
827 * must do this as we need to set to the bind response
828 * header and are never sending more than one PDU here.
829 */
830
831 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
832
833 /*
834 * Initialize a bind_nak header.
835 */
836
837 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
838 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
839
840 /*
841 * Marshall the header into the outgoing PDU.
842 */
843
844 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
845 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
846 prs_mem_free(&p->out_data.frag);
847 return False;
848 }
849
850 /*
851 * Now add the reject reason.
852 */
853
854 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
855 prs_mem_free(&p->out_data.frag);
856 return False;
857 }
858
859 p->out_data.data_sent_length = 0;
860 p->out_data.current_pdu_sent = 0;
861
862 if (p->auth.auth_data_free_func) {
863 (*p->auth.auth_data_free_func)(&p->auth);
864 }
865 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
866 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
867 p->pipe_bound = False;
868
869 return True;
870 }
871
872 /*******************************************************************
873 Marshall a fault pdu.
874 *******************************************************************/
875
876 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
877 {
878 RPC_HDR fault_hdr;
879 RPC_HDR_RESP hdr_resp;
880 RPC_HDR_FAULT fault_resp;
881
882 /* Free any memory in the current return data buffer. */
883 prs_mem_free(&p->out_data.rdata);
884
885 /*
886 * Marshall directly into the outgoing PDU space. We
887 * must do this as we need to set to the bind response
888 * header and are never sending more than one PDU here.
889 */
890
891 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
892
893 /*
894 * Initialize a fault header.
895 */
896
897 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
898 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
899
900 /*
901 * Initialize the HDR_RESP and FAULT parts of the PDU.
902 */
903
904 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
905
906 fault_resp.status = status;
907 fault_resp.reserved = 0;
908
909 /*
910 * Marshall the header into the outgoing PDU.
911 */
912
913 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
914 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
915 prs_mem_free(&p->out_data.frag);
916 return False;
917 }
918
919 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
920 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
921 prs_mem_free(&p->out_data.frag);
922 return False;
923 }
924
925 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
926 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
927 prs_mem_free(&p->out_data.frag);
928 return False;
929 }
930
931 p->out_data.data_sent_length = 0;
932 p->out_data.current_pdu_sent = 0;
933
934 return True;
935 }
936
937 #if 0
938 /*******************************************************************
939 Marshall a cancel_ack pdu.
940 We should probably check the auth-verifier here.
941 *******************************************************************/
942
943 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
944 {
945 prs_struct outgoing_pdu;
946 RPC_HDR ack_reply_hdr;
947
948 /* Free any memory in the current return data buffer. */
949 prs_mem_free(&p->out_data.rdata);
950
951 /*
952 * Marshall directly into the outgoing PDU space. We
953 * must do this as we need to set to the bind response
954 * header and are never sending more than one PDU here.
955 */
956
957 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
958 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
959
960 /*
961 * Initialize a cancel_ack header.
962 */
963
964 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
965 p->hdr.call_id, RPC_HEADER_LEN, 0);
966
967 /*
968 * Marshall the header into the outgoing PDU.
969 */
970
971 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
972 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
973 prs_mem_free(&outgoing_pdu);
974 return False;
975 }
976
977 p->out_data.data_sent_length = 0;
978 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
979 p->out_data.current_pdu_sent = 0;
980
981 prs_mem_free(&outgoing_pdu);
982 return True;
983 }
984 #endif
985
986 /*******************************************************************
987 Ensure a bind request has the correct abstract & transfer interface.
988 Used to reject unknown binds from Win2k.
989 *******************************************************************/
990
991 static bool check_bind_req(struct pipes_struct *p,
992 struct ndr_syntax_id* abstract,
993 struct ndr_syntax_id* transfer,
994 uint32 context_id)
995 {
996 int i=0;
997 struct pipe_rpc_fns *context_fns;
998
999 DEBUG(3,("check_bind_req for %s\n",
1000 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1001
1002 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1003
1004 for (i=0; i<rpc_lookup_size; i++) {
1005 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1006 if (ndr_syntax_id_equal(
1007 abstract, &rpc_lookup[i].rpc_interface)
1008 && ndr_syntax_id_equal(
1009 transfer, &ndr_transfer_syntax)) {
1010 break;
1011 }
1012 }
1013
1014 if (i == rpc_lookup_size) {
1015 return false;
1016 }
1017
1018 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1019 if (context_fns == NULL) {
1020 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1021 return False;
1022 }
1023
1024 context_fns->cmds = rpc_lookup[i].cmds;
1025 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1026 context_fns->context_id = context_id;
1027
1028 /* add to the list of open contexts */
1029
1030 DLIST_ADD( p->contexts, context_fns );
1031
1032 return True;
1033 }
1034
1035 /*******************************************************************
1036 Register commands to an RPC pipe
1037 *******************************************************************/
1038
1039 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1040 const struct ndr_interface_table *iface,
1041 const struct api_struct *cmds, int size)
1042 {
1043 struct rpc_table *rpc_entry;
1044
1045 if (!clnt || !srv || !cmds) {
1046 return NT_STATUS_INVALID_PARAMETER;
1047 }
1048
1049 if (version != SMB_RPC_INTERFACE_VERSION) {
1050 DEBUG(0,("Can't register rpc commands!\n"
1051 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1052 ", while this version of samba uses version %d!\n",
1053 version,SMB_RPC_INTERFACE_VERSION));
1054 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1055 }
1056
1057 /* TODO:
1058 *
1059 * we still need to make sure that don't register the same commands twice!!!
1060 *
1061 * --metze
1062 */
1063
1064 /* We use a temporary variable because this call can fail and
1065 rpc_lookup will still be valid afterwards. It could then succeed if
1066 called again later */
1067 rpc_lookup_size++;
1068 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1069 if (NULL == rpc_entry) {
1070 rpc_lookup_size--;
1071 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1072 return NT_STATUS_NO_MEMORY;
1073 } else {
1074 rpc_lookup = rpc_entry;
1075 }
1076
1077 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1078 ZERO_STRUCTP(rpc_entry);
1079 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1080 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1081 rpc_entry->rpc_interface = iface->syntax_id;
1082 rpc_entry->cmds = cmds;
1083 rpc_entry->n_cmds = size;
1084
1085 return NT_STATUS_OK;
1086 }
1087
1088 /**
1089 * Is a named pipe known?
1090 * @param[in] cli_filename The pipe name requested by the client
1091 * @result Do we want to serve this?
1092 */
1093 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1094 {
1095 const char *pipename = cli_filename;
1096 int i;
1097 NTSTATUS status;
1098
1099 if (strnequal(pipename, "\\PIPE\\", 6)) {
1100 pipename += 5;
1101 }
1102
1103 if (*pipename == '\\') {
1104 pipename += 1;
1105 }
1106
1107 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1108 DEBUG(10, ("refusing spoolss access\n"));
1109 return false;
1110 }
1111
1112 for (i=0; i<rpc_lookup_size; i++) {
1113 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1114 *syntax = rpc_lookup[i].rpc_interface;
1115 return true;
1116 }
1117 }
1118
1119 status = smb_probe_module("rpc", pipename);
1120 if (!NT_STATUS_IS_OK(status)) {
1121 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1122 return false;
1123 }
1124 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1125
1126 /*
1127 * Scan the list again for the interface id
1128 */
1129
1130 for (i=0; i<rpc_lookup_size; i++) {
1131 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1132 *syntax = rpc_lookup[i].rpc_interface;
1133 return true;
1134 }
1135 }
1136
1137 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1138 pipename));
1139
1140 return false;
1141 }
1142
1143 /*******************************************************************
1144 Handle a SPNEGO krb5 bind auth.
1145 *******************************************************************/
1146
1147 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1148 DATA_BLOB *psecblob, prs_struct *pout_auth)
1149 {
1150 return False;
1151 }
1152
1153 /*******************************************************************
1154 Handle the first part of a SPNEGO bind auth.
1155 *******************************************************************/
1156
1157 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1158 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1159 {
1160 DATA_BLOB blob;
1161 DATA_BLOB secblob;
1162 DATA_BLOB response;
1163 DATA_BLOB chal;
1164 char *OIDs[ASN1_MAX_OIDS];
1165 int i;
1166 NTSTATUS status;
1167 bool got_kerberos_mechanism = false;
1168 AUTH_NTLMSSP_STATE *a = NULL;
1169 RPC_HDR_AUTH auth_info;
1170
1171 ZERO_STRUCT(secblob);
1172 ZERO_STRUCT(chal);
1173 ZERO_STRUCT(response);
1174
1175 /* Grab the SPNEGO blob. */
1176 blob = data_blob(NULL,p->hdr.auth_len);
1177
1178 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1179 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1180 (unsigned int)p->hdr.auth_len ));
1181 goto err;
1182 }
1183
1184 if (blob.data[0] != ASN1_APPLICATION(0)) {
1185 goto err;
1186 }
1187
1188 /* parse out the OIDs and the first sec blob */
1189 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1190 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1191 goto err;
1192 }
1193
1194 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1195 got_kerberos_mechanism = true;
1196 }
1197
1198 for (i=0;OIDs[i];i++) {
1199 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1200 TALLOC_FREE(OIDs[i]);
1201 }
1202 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1203
1204 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1205 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1206 data_blob_free(&secblob);
1207 data_blob_free(&blob);
1208 return ret;
1209 }
1210
1211 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1212 /* Free any previous auth type. */
1213 free_pipe_ntlmssp_auth_data(&p->auth);
1214 }
1215
1216 if (!got_kerberos_mechanism) {
1217 /* Initialize the NTLM engine. */
1218 status = auth_ntlmssp_start(&a);
1219 if (!NT_STATUS_IS_OK(status)) {
1220 goto err;
1221 }
1222
1223 /*
1224 * Pass the first security blob of data to it.
1225 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1226 * which means we need another packet to complete the bind.
1227 */
1228
1229 status = auth_ntlmssp_update(a, secblob, &chal);
1230
1231 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1232 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1233 goto err;
1234 }
1235
1236 /* Generate the response blob we need for step 2 of the bind. */
1237 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1238 } else {
1239 /*
1240 * SPNEGO negotiate down to NTLMSSP. The subsequent
1241 * code to process follow-up packets is not complete
1242 * yet. JRA.
1243 */
1244 response = spnego_gen_auth_response(NULL,
1245 NT_STATUS_MORE_PROCESSING_REQUIRED,
1246 OID_NTLMSSP);
1247 }
1248
1249 /* Copy the blob into the pout_auth parse struct */
1250 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1251 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1252 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1253 goto err;
1254 }
1255
1256 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1257 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1258 goto err;
1259 }
1260
1261 p->auth.a_u.auth_ntlmssp_state = a;
1262 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1263 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1264
1265 data_blob_free(&blob);
1266 data_blob_free(&secblob);
1267 data_blob_free(&chal);
1268 data_blob_free(&response);
1269
1270 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1271 return True;
1272
1273 err:
1274
1275 data_blob_free(&blob);
1276 data_blob_free(&secblob);
1277 data_blob_free(&chal);
1278 data_blob_free(&response);
1279
1280 p->auth.a_u.auth_ntlmssp_state = NULL;
1281
1282 return False;
1283 }
1284
1285 /*******************************************************************
1286 Handle the second part of a SPNEGO bind auth.
1287 *******************************************************************/
1288
1289 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1290 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1291 {
1292 RPC_HDR_AUTH auth_info;
1293 DATA_BLOB spnego_blob;
1294 DATA_BLOB auth_blob;
1295 DATA_BLOB auth_reply;
1296 DATA_BLOB response;
1297 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1298
1299 ZERO_STRUCT(spnego_blob);
1300 ZERO_STRUCT(auth_blob);
1301 ZERO_STRUCT(auth_reply);
1302 ZERO_STRUCT(response);
1303
1304 /*
1305 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1306 * fail here as 'a' == NULL.
1307 */
1308 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1309 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1310 goto err;
1311 }
1312
1313 /* Grab the SPNEGO blob. */
1314 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1315
1316 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1317 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1318 (unsigned int)p->hdr.auth_len ));
1319 goto err;
1320 }
1321
1322 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1323 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1324 goto err;
1325 }
1326
1327 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1328 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1329 goto err;
1330 }
1331
1332 /*
1333 * The following call actually checks the challenge/response data.
1334 * for correctness against the given DOMAIN\user name.
1335 */
1336
1337 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1338 goto err;
1339 }
1340
1341 data_blob_free(&spnego_blob);
1342 data_blob_free(&auth_blob);
1343
1344 /* Generate the spnego "accept completed" blob - no incoming data. */
1345 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1346
1347 /* Copy the blob into the pout_auth parse struct */
1348 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1349 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1350 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1351 goto err;
1352 }
1353
1354 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1355 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1356 goto err;
1357 }
1358
1359 data_blob_free(&auth_reply);
1360 data_blob_free(&response);
1361
1362 p->pipe_bound = True;
1363
1364 return True;
1365
1366 err:
1367
1368 data_blob_free(&spnego_blob);
1369 data_blob_free(&auth_blob);
1370 data_blob_free(&auth_reply);
1371 data_blob_free(&response);
1372
1373 free_pipe_ntlmssp_auth_data(&p->auth);
1374 p->auth.a_u.auth_ntlmssp_state = NULL;
1375
1376 return False;
1377 }
1378
1379 /*******************************************************************
1380 Handle an schannel bind auth.
1381 *******************************************************************/
1382
1383 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1384 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1385 {
1386 RPC_HDR_AUTH auth_info;
1387 struct NL_AUTH_MESSAGE neg;
1388 struct NL_AUTH_MESSAGE reply;
1389 bool ret;
1390 NTSTATUS status;
1391 struct netlogon_creds_CredentialState *creds;
1392 DATA_BLOB session_key;
1393 enum ndr_err_code ndr_err;
1394 DATA_BLOB blob;
1395
1396 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1397 prs_data_size(rpc_in_p));
1398
1399 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1400 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1401 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1402 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1403 return false;
1404 }
1405
1406 if (DEBUGLEVEL >= 10) {
1407 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1408 }
1409
1410 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1411 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1412 return false;
1413 }
1414
1415 /*
1416 * The neg.oem_netbios_computer.a key here must match the remote computer name
1417 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1418 * operations that use credentials.
1419 */
1420
1421 become_root();
1422 status = schannel_fetch_session_key(p,
1423 neg.oem_netbios_computer.a,
1424 &creds);
1425 unbecome_root();
1426
1427 if (!NT_STATUS_IS_OK(status)) {
1428 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1429 return False;
1430 }
1431
1432 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1433 if (!p->auth.a_u.schannel_auth) {
1434 TALLOC_FREE(creds);
1435 return False;
1436 }
1437
1438 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1439 p->auth.a_u.schannel_auth->seq_num = 0;
1440 p->auth.a_u.schannel_auth->initiator = false;
1441 p->auth.a_u.schannel_auth->creds = creds;
1442
1443 /*
1444 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1445 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1446 * struct of the person who opened the pipe. I need to test this further. JRA.
1447 *
1448 * VL. As we are mapping this to guest set the generic key
1449 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1450 * W2k3, as it does not allow schannel binds against SAMR and LSA
1451 * anymore.
1452 */
1453
1454 session_key = generic_session_key();
1455 if (session_key.data == NULL) {
1456 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1457 " key\n"));
1458 return false;
1459 }
1460
1461 ret = server_info_set_session_key(p->server_info, session_key);
1462
1463 data_blob_free(&session_key);
1464
1465 if (!ret) {
1466 DEBUG(0, ("server_info_set_session_key failed\n"));
1467 return false;
1468 }
1469
1470 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1471 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1472 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1473 return False;
1474 }
1475
1476 /*** SCHANNEL verifier ***/
1477
1478 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1479 reply.Flags = 0;
1480 reply.Buffer.dummy = 5; /* ??? actually I don't think
1481 * this has any meaning
1482 * here - gd */
1483
1484 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1485 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1486 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1487 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1488 return false;
1489 }
1490
1491 if (DEBUGLEVEL >= 10) {
1492 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1493 }
1494
1495 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1496 return false;
1497 }
1498
1499 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1500 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1501
1502 /* We're finished with this bind - no more packets. */
1503 p->auth.auth_data_free_func = NULL;
1504 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1505
1506 p->pipe_bound = True;
1507
1508 return True;
1509 }
1510
1511 /*******************************************************************
1512 Handle an NTLMSSP bind auth.
1513 *******************************************************************/
1514
1515 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1516 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1517 {
1518 RPC_HDR_AUTH auth_info;
1519 DATA_BLOB blob;
1520 DATA_BLOB response;
1521 NTSTATUS status;
1522 AUTH_NTLMSSP_STATE *a = NULL;
1523
1524 ZERO_STRUCT(blob);
1525 ZERO_STRUCT(response);
1526
1527 /* Grab the NTLMSSP blob. */
1528 blob = data_blob(NULL,p->hdr.auth_len);
1529
1530 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1531 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1532 (unsigned int)p->hdr.auth_len ));
1533 goto err;
1534 }
1535
1536 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1537 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1538 goto err;
1539 }
1540
1541 /* We have an NTLMSSP blob. */
1542 status = auth_ntlmssp_start(&a);
1543 if (!NT_STATUS_IS_OK(status)) {
1544 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1545 nt_errstr(status) ));
1546 goto err;
1547 }
1548
1549 status = auth_ntlmssp_update(a, blob, &response);
1550 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1551 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1552 nt_errstr(status) ));
1553 goto err;
1554 }
1555
1556 data_blob_free(&blob);
1557
1558 /* Copy the blob into the pout_auth parse struct */
1559 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1560 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1561 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1562 goto err;
1563 }
1564
1565 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1566 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1567 goto err;
1568 }
1569
1570 p->auth.a_u.auth_ntlmssp_state = a;
1571 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1572 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1573
1574 data_blob_free(&blob);
1575 data_blob_free(&response);
1576
1577 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1578
1579 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1580 return True;
1581
1582 err:
1583
1584 data_blob_free(&blob);
1585 data_blob_free(&response);
1586
1587 free_pipe_ntlmssp_auth_data(&p->auth);
1588 p->auth.a_u.auth_ntlmssp_state = NULL;
1589 return False;
1590 }
1591
1592 /*******************************************************************
1593 Respond to a pipe bind request.
1594 *******************************************************************/
1595
1596 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1597 {
1598 RPC_HDR_BA hdr_ba;
1599 RPC_HDR_RB hdr_rb;
1600 RPC_HDR_AUTH auth_info;
1601 uint16 assoc_gid;
1602 fstring ack_pipe_name;
1603 prs_struct out_hdr_ba;
1604 prs_struct out_auth;
1605 int i = 0;
1606 int auth_len = 0;
1607 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1608
1609 /* No rebinds on a bound pipe - use alter context. */
1610 if (p->pipe_bound) {
1611 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1612 "pipe %s.\n",
1613 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1614 return setup_bind_nak(p);
1615 }
1616
1617 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1618
1619 /*
1620 * Marshall directly into the outgoing PDU space. We
1621 * must do this as we need to set to the bind response
1622 * header and are never sending more than one PDU here.
1623 */
1624
1625 /*
1626 * Setup the memory to marshall the ba header, and the
1627 * auth footers.
1628 */
1629
1630 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1631 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1632 prs_mem_free(&p->out_data.frag);
1633 return False;
1634 }
1635
1636 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1637 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1638 prs_mem_free(&p->out_data.frag);
1639 prs_mem_free(&out_hdr_ba);
1640 return False;
1641 }
1642
1643 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1644
1645 ZERO_STRUCT(hdr_rb);
1646
1647 /* decode the bind request */
1648
1649 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1650 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1651 "struct.\n"));
1652 goto err_exit;
1653 }
1654
1655 if (hdr_rb.num_contexts == 0) {
1656 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1657 goto err_exit;
1658 }
1659
1660 /*
1661 * Try and find the correct pipe name to ensure
1662 * that this is a pipe name we support.
1663 */
1664
1665 for (i = 0; i < rpc_lookup_size; i++) {
1666 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1667 &hdr_rb.rpc_context[0].abstract)) {
1668 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1669 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1670 break;
1671 }
1672 }
1673
1674 if (i == rpc_lookup_size) {
1675 NTSTATUS status;
1676
1677 status = smb_probe_module(
1678 "rpc", get_pipe_name_from_syntax(
1679 talloc_tos(),
1680 &hdr_rb.rpc_context[0].abstract));
1681
1682 if (NT_STATUS_IS_ERR(status)) {
1683 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1684 get_pipe_name_from_syntax(
1685 talloc_tos(),
1686 &hdr_rb.rpc_context[0].abstract)));
1687 prs_mem_free(&p->out_data.frag);
1688 prs_mem_free(&out_hdr_ba);
1689 prs_mem_free(&out_auth);
1690
1691 return setup_bind_nak(p);
1692 }
1693
1694 for (i = 0; i < rpc_lookup_size; i++) {
1695 if (strequal(rpc_lookup[i].pipe.clnt,
1696 get_pipe_name_from_syntax(talloc_tos(),
1697 &p->syntax))) {
1698 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1699 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1700 break;
1701 }
1702 }
1703
1704 if (i == rpc_lookup_size) {
1705 DEBUG(0, ("module %s doesn't provide functions for "
1706 "pipe %s!\n",
1707 get_pipe_name_from_syntax(talloc_tos(),
1708 &p->syntax),
1709 get_pipe_name_from_syntax(talloc_tos(),
1710 &p->syntax)));
1711 goto err_exit;
1712 }
1713 }
1714
1715 /* name has to be \PIPE\xxxxx */
1716 fstrcpy(ack_pipe_name, "\\PIPE\\");
1717 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1718
1719 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1720
1721 /*
1722 * Check if this is an authenticated bind request.
1723 */
1724
1725 if (p->hdr.auth_len) {
1726 /*
1727 * Decode the authentication verifier.
1728 */
1729
1730 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1731 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1732 goto err_exit;
1733 }
1734
1735 auth_type = auth_info.auth_type;
1736
1737 /* Work out if we have to sign or seal etc. */
1738 switch (auth_info.auth_level) {
1739 case DCERPC_AUTH_LEVEL_INTEGRITY:
1740 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1741 break;
1742 case DCERPC_AUTH_LEVEL_PRIVACY:
1743 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1744 break;
1745 default:
1746 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1747 (unsigned int)auth_info.auth_level ));
1748 goto err_exit;
1749 }
1750 } else {
1751 ZERO_STRUCT(auth_info);
1752 }
1753
1754 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1755
1756 switch(auth_type) {
1757 case DCERPC_AUTH_TYPE_NTLMSSP:
1758 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1759 goto err_exit;
1760 }
1761 assoc_gid = 0x7a77;
1762 break;
1763
1764 case DCERPC_AUTH_TYPE_SCHANNEL:
1765 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1766 goto err_exit;
1767 }
1768 break;
1769
1770 case DCERPC_AUTH_TYPE_SPNEGO:
1771 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1772 goto err_exit;
1773 }
1774 break;
1775
1776 case DCERPC_AUTH_TYPE_NONE:
1777 /* Unauthenticated bind request. */
1778 /* We're finished - no more packets. */
1779 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1780 /* We must set the pipe auth_level here also. */
1781 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1782 p->pipe_bound = True;
1783 /* The session key was initialized from the SMB
1784 * session in make_internal_rpc_pipe_p */
1785 break;
1786
1787 default:
1788 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1789 goto err_exit;
1790 }
1791
1792 /*
1793 * Create the bind response struct.
1794 */
1795
1796 /* If the requested abstract synt uuid doesn't match our client pipe,
1797 reject the bind_ack & set the transfer interface synt to all 0's,
1798 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1799 unknown to NT4)
1800 Needed when adding entries to a DACL from NT5 - SK */
1801
1802 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1803 hdr_rb.rpc_context[0].context_id )) {
1804 init_rpc_hdr_ba(&hdr_ba,
1805 RPC_MAX_PDU_FRAG_LEN,
1806 RPC_MAX_PDU_FRAG_LEN,
1807 assoc_gid,
1808 ack_pipe_name,
1809 0x1, 0x0, 0x0,
1810 &hdr_rb.rpc_context[0].transfer[0]);
1811 } else {
1812 /* Rejection reason: abstract syntax not supported */
1813 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1814 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1815 ack_pipe_name, 0x1, 0x2, 0x1,
1816 &null_ndr_syntax_id);
1817 p->pipe_bound = False;
1818 }
1819
1820 /*
1821 * and marshall it.
1822 */
1823
1824 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1825 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1826 goto err_exit;
1827 }
1828
1829 /*
1830 * Create the header, now we know the length.
1831 */
1832
1833 if (prs_offset(&out_auth)) {
1834 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1835 }
1836
1837 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1838 p->hdr.call_id,
1839 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1840 auth_len);
1841
1842 /*
1843 * Marshall the header into the outgoing PDU.
1844 */
1845
1846 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1847 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1848 goto err_exit;
1849 }
1850
1851 /*
1852 * Now add the RPC_HDR_BA and any auth needed.
1853 */
1854
1855 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1856 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1857 goto err_exit;
1858 }
1859
1860 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1861 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1862 goto err_exit;
1863 }
1864
1865 /*
1866 * Setup the lengths for the initial reply.
1867 */
1868
1869 p->out_data.data_sent_length = 0;
1870 p->out_data.current_pdu_sent = 0;
1871
1872 prs_mem_free(&out_hdr_ba);
1873 prs_mem_free(&out_auth);
1874
1875 return True;
1876
1877 err_exit:
1878
1879 prs_mem_free(&p->out_data.frag);
1880 prs_mem_free(&out_hdr_ba);
1881 prs_mem_free(&out_auth);
1882 return setup_bind_nak(p);
1883 }
1884
1885 /****************************************************************************
1886 Deal with an alter context call. Can be third part of 3 leg auth request for
1887 SPNEGO calls.
1888 ****************************************************************************/
1889
1890 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1891 {
1892 RPC_HDR_BA hdr_ba;
1893 RPC_HDR_RB hdr_rb;
1894 RPC_HDR_AUTH auth_info;
1895 uint16 assoc_gid;
1896 fstring ack_pipe_name;
1897 prs_struct out_hdr_ba;
1898 prs_struct out_auth;
1899 int auth_len = 0;
1900
1901 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1902
1903 /*
1904 * Marshall directly into the outgoing PDU space. We
1905 * must do this as we need to set to the bind response
1906 * header and are never sending more than one PDU here.
1907 */
1908
1909 /*
1910 * Setup the memory to marshall the ba header, and the
1911 * auth footers.
1912 */
1913
1914 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1915 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1916 prs_mem_free(&p->out_data.frag);
1917 return False;
1918 }
1919
1920 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1921 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1922 prs_mem_free(&p->out_data.frag);
1923 prs_mem_free(&out_hdr_ba);
1924 return False;
1925 }
1926
1927 ZERO_STRUCT(hdr_rb);
1928
1929 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1930
1931 /* decode the alter context request */
1932 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1933 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1934 goto err_exit;
1935 }
1936
1937 /* secondary address CAN be NULL
1938 * as the specs say it's ignored.
1939 * It MUST be NULL to have the spoolss working.
1940 */
1941 fstrcpy(ack_pipe_name,"");
1942
1943 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1944
1945 /*
1946 * Check if this is an authenticated alter context request.
1947 */
1948
1949 if (p->hdr.auth_len != 0) {
1950 /*
1951 * Decode the authentication verifier.
1952 */
1953
1954 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1955 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1956 goto err_exit;
1957 }
1958
1959 /*
1960 * Currently only the SPNEGO auth type uses the alter ctx
1961 * response in place of the NTLMSSP auth3 type.
1962 */
1963
1964 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1965 /* We can only finish if the pipe is unbound. */
1966 if (!p->pipe_bound) {
1967 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1968 goto err_exit;
1969 }
1970 } else {
1971 goto err_exit;
1972 }
1973 }
1974 } else {
1975 ZERO_STRUCT(auth_info);
1976 }
1977
1978 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1979
1980 /*
1981 * Create the bind response struct.
1982 */
1983
1984 /* If the requested abstract synt uuid doesn't match our client pipe,
1985 reject the bind_ack & set the transfer interface synt to all 0's,
1986 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1987 unknown to NT4)
1988 Needed when adding entries to a DACL from NT5 - SK */
1989
1990 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1991 hdr_rb.rpc_context[0].context_id )) {
1992 init_rpc_hdr_ba(&hdr_ba,
1993 RPC_MAX_PDU_FRAG_LEN,
1994 RPC_MAX_PDU_FRAG_LEN,
1995 assoc_gid,
1996 ack_pipe_name,
1997 0x1, 0x0, 0x0,
1998 &hdr_rb.rpc_context[0].transfer[0]);
1999 } else {
2000 /* Rejection reason: abstract syntax not supported */
2001 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2002 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2003 ack_pipe_name, 0x1, 0x2, 0x1,
2004 &null_ndr_syntax_id);
2005 p->pipe_bound = False;
2006 }
2007
2008 /*
2009 * and marshall it.
2010 */
2011
2012 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2013 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2014 goto err_exit;
2015 }
2016
2017 /*
2018 * Create the header, now we know the length.
2019 */
2020
2021 if (prs_offset(&out_auth)) {
2022 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2023 }
2024
2025 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2026 p->hdr.call_id,
2027 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2028 auth_len);
2029
2030 /*
2031 * Marshall the header into the outgoing PDU.
2032 */
2033
2034 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2035 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2036 goto err_exit;
2037 }
2038
2039 /*
2040 * Now add the RPC_HDR_BA and any auth needed.
2041 */
2042
2043 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2044 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2045 goto err_exit;
2046 }
2047
2048 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2049 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2050 goto err_exit;
2051 }
2052
2053 /*
2054 * Setup the lengths for the initial reply.
2055 */
2056
2057 p->out_data.data_sent_length = 0;
2058 p->out_data.current_pdu_sent = 0;
2059
2060 prs_mem_free(&out_hdr_ba);
2061 prs_mem_free(&out_auth);
2062
2063 return True;
2064
2065 err_exit:
2066
2067 prs_mem_free(&p->out_data.frag);
2068 prs_mem_free(&out_hdr_ba);
2069 prs_mem_free(&out_auth);
2070 return setup_bind_nak(p);
2071 }
2072
2073 /****************************************************************************
2074 Deal with NTLMSSP sign & seal processing on an RPC request.
2075 ****************************************************************************/
2076
2077 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2078 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2079 {
2080 RPC_HDR_AUTH auth_info;
2081 uint32 auth_len = p->hdr.auth_len;
2082 uint32 save_offset = prs_offset(rpc_in);
2083 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2084 unsigned char *data = NULL;
2085 size_t data_len;
2086 unsigned char *full_packet_data = NULL;
2087 size_t full_packet_data_len;
2088 DATA_BLOB auth_blob;
2089
2090 *pstatus = NT_STATUS_OK;
2091
2092 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2093 return True;
2094 }
2095
2096 if (!a) {
2097 *pstatus = NT_STATUS_INVALID_PARAMETER;
2098 return False;
2099 }
2100
2101 /* Ensure there's enough data for an authenticated request. */
2102 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2103 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2104 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2105 (unsigned int)auth_len ));
2106 *pstatus = NT_STATUS_INVALID_PARAMETER;
2107 return False;
2108 }
2109
2110 /*
2111 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2112 * after the RPC header.
2113 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2114 * functions as NTLMv2 checks the rpc headers also.
2115 */
2116
2117 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2118 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2119
2120 full_packet_data = p->in_data.current_in_pdu;
2121 full_packet_data_len = p->hdr.frag_len - auth_len;
2122
2123 /* Pull the auth header and the following data into a blob. */
2124 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2125 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2126 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2127 *pstatus = NT_STATUS_INVALID_PARAMETER;
2128 return False;
2129 }
2130
2131 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2132 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2133 *pstatus = NT_STATUS_INVALID_PARAMETER;
2134 return False;
2135 }
2136
2137 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2138 auth_blob.length = auth_len;
2139
2140 switch (p->auth.auth_level) {
2141 case DCERPC_AUTH_LEVEL_PRIVACY:
2142 /* Data is encrypted. */
2143 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2144 data, data_len,
2145 full_packet_data,
2146 full_packet_data_len,
2147 &auth_blob);
2148 if (!NT_STATUS_IS_OK(*pstatus)) {
2149 return False;
2150 }
2151 break;
2152 case DCERPC_AUTH_LEVEL_INTEGRITY:
2153 /* Data is signed. */
2154 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2155 data, data_len,
2156 full_packet_data,
2157 full_packet_data_len,
2158 &auth_blob);
2159 if (!NT_STATUS_IS_OK(*pstatus)) {
2160 return False;
2161 }
2162 break;
2163 default:
2164 *pstatus = NT_STATUS_INVALID_PARAMETER;
2165 return False;
2166 }
2167
2168 /*
2169 * Return the current pointer to the data offset.
2170 */
2171
2172 if(!prs_set_offset(rpc_in, save_offset)) {
2173 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2174 (unsigned int)save_offset ));
2175 *pstatus = NT_STATUS_INVALID_PARAMETER;
2176 return False;
2177 }
2178
2179 /*
2180 * Remember the padding length. We must remove it from the real data
2181 * stream once the sign/seal is done.
2182 */
2183
2184 *p_ss_padding_len = auth_info.auth_pad_len;
2185
2186 return True;
2187 }
2188
2189 /****************************************************************************
2190 Deal with schannel processing on an RPC request.
2191 ****************************************************************************/
2192
2193 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2194 {
2195 uint32 data_len;
2196 uint32 auth_len;
2197 uint32 save_offset = prs_offset(rpc_in);
2198 RPC_HDR_AUTH auth_info;
2199 DATA_BLOB blob;
2200 NTSTATUS status;
2201 uint8_t *data;
2202
2203 auth_len = p->hdr.auth_len;
2204
2205 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2206 auth_len > RPC_HEADER_LEN +
2207 RPC_HDR_REQ_LEN +
2208 RPC_HDR_AUTH_LEN +
2209 auth_len) {
2210 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2211 return False;
2212 }
2213
2214 /*
2215 * The following is that length of the data we must verify or unseal.
2216 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2217 * preceeding the auth_data.
2218 */
2219
2220 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2221 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2222 (unsigned int)p->hdr.frag_len,
2223 (unsigned int)auth_len ));
2224 return False;
2225 }
2226
2227 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2228 RPC_HDR_AUTH_LEN - auth_len;
2229
2230 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2231
2232 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2233 DEBUG(0,("cannot move offset to %u.\n",
2234 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2235 return False;
2236 }
2237
2238 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2239 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2240 return False;
2241 }
2242
2243 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2244 DEBUG(0,("Invalid auth info %d on schannel\n",
2245 auth_info.auth_type));
2246 return False;
2247 }
2248
2249 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2250
2251 if (DEBUGLEVEL >= 10) {
2252 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2253 }
2254
2255 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2256
2257 switch (auth_info.auth_level) {
2258 case DCERPC_AUTH_LEVEL_PRIVACY:
2259 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2260 talloc_tos(),
2261 true,
2262 data,
2263 data_len,
2264 &blob);
2265 break;
2266 case DCERPC_AUTH_LEVEL_INTEGRITY:
2267 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2268 talloc_tos(),
2269 false,
2270 data,
2271 data_len,
2272 &blob);
2273 break;
2274 default:
2275 status = NT_STATUS_INTERNAL_ERROR;
2276 break;
2277 }
2278
2279 if (!NT_STATUS_IS_OK(status)) {
2280 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2281 return false;
2282 }
2283
2284 /*
2285 * Return the current pointer to the data offset.
2286 */
2287
2288 if(!prs_set_offset(rpc_in, save_offset)) {
2289 DEBUG(0,("failed to set offset back to %u\n",
2290 (unsigned int)save_offset ));
2291 return False;
2292 }
2293
2294 /*
2295 * Remember the padding length. We must remove it from the real data
2296 * stream once the sign/seal is done.
2297 */
2298
2299 *p_ss_padding_len = auth_info.auth_pad_len;
2300
2301 return True;
2302 }
2303
2304 /****************************************************************************
2305 Find the set of RPC functions associated with this context_id
2306 ****************************************************************************/
2307
2308 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2309 {
2310 PIPE_RPC_FNS *fns = NULL;
2311
2312 if ( !list ) {
2313 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2314 return NULL;
2315 }
2316
2317 for (fns=list; fns; fns=fns->next ) {
2318 if ( fns->context_id == context_id )
2319 return fns;
2320 }
2321 return NULL;
2322 }
2323
2324 /****************************************************************************
2325 Memory cleanup.
2326 ****************************************************************************/
2327
2328 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2329 {
2330 PIPE_RPC_FNS *tmp = list;
2331 PIPE_RPC_FNS *tmp2;
2332
2333 while (tmp) {
2334 tmp2 = tmp->next;
2335 SAFE_FREE(tmp);
2336 tmp = tmp2;
2337 }
2338
2339 return;
2340 }
2341
2342 static bool api_rpcTNP(pipes_struct *p,
2343 const struct api_struct *api_rpc_cmds, int n_cmds);
2344
2345 /****************************************************************************
2346 Find the correct RPC function to call for this request.
2347 If the pipe is authenticated then become the correct UNIX user
2348 before doing the call.
2349 ****************************************************************************/
2350
2351 bool api_pipe_request(pipes_struct *p)
2352 {
2353 bool ret = False;
2354 bool changed_user = False;
2355 PIPE_RPC_FNS *pipe_fns;
2356
2357 if (p->pipe_bound &&
2358 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2359 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2360 if(!become_authenticated_pipe_user(p)) {
2361 prs_mem_free(&p->out_data.rdata);
2362 return False;
2363 }
2364 changed_user = True;
2365 }
2366
2367 DEBUG(5, ("Requested \\PIPE\\%s\n",
2368 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2369
2370 /* get the set of RPC functions for this context */
2371
2372 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2373
2374 if ( pipe_fns ) {
2375 TALLOC_CTX *frame = talloc_stackframe();
2376 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2377 TALLOC_FREE(frame);
2378 }
2379 else {
2380 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2381 p->hdr_req.context_id,
2382 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2383 }
2384
2385 if (changed_user) {
2386 unbecome_authenticated_pipe_user();
2387 }
2388
2389 return ret;
2390 }
2391
2392 /*******************************************************************
2393 Calls the underlying RPC function for a named pipe.
2394 ********************************************************************/
2395
2396 static bool api_rpcTNP(pipes_struct *p,
2397 const struct api_struct *api_rpc_cmds, int n_cmds)
2398 {
2399 int fn_num;
2400 uint32 offset1, offset2;
2401
2402 /* interpret the command */
2403 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2404 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2405 p->hdr_req.opnum));
2406
2407 if (DEBUGLEVEL >= 50) {
2408 fstring name;
2409 slprintf(name, sizeof(name)-1, "in_%s",
2410 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2411 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2412 }
2413
2414 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2415 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2416 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2417 break;
2418 }
2419 }
2420
2421 if (fn_num == n_cmds) {
2422 /*
2423 * For an unknown RPC just return a fault PDU but
2424 * return True to allow RPC's on the pipe to continue
2425 * and not put the pipe into fault state. JRA.
2426 */
2427 DEBUG(4, ("unknown\n"));
2428 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2429 return True;
2430 }
2431
2432 offset1 = prs_offset(&p->out_data.rdata);
2433
2434 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2435 fn_num, api_rpc_cmds[fn_num].fn));
2436 /* do the actual command */
2437 if(!api_rpc_cmds[fn_num].fn(p)) {
2438 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2439 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2440 api_rpc_cmds[fn_num].name));
2441 prs_mem_free(&p->out_data.rdata);
2442 return False;
2443 }
2444
2445 if (p->bad_handle_fault_state) {
2446 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2447 p->bad_handle_fault_state = False;
2448 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2449 return True;
2450 }
2451
2452 if (p->rng_fault_state) {
2453 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2454 p->rng_fault_state = False;
2455 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2456 return True;
2457 }
2458
2459 offset2 = prs_offset(&p->out_data.rdata);
2460 prs_set_offset(&p->out_data.rdata, offset1);
2461 if (DEBUGLEVEL >= 50) {
2462 fstring name;
2463 slprintf(name, sizeof(name)-1, "out_%s",
2464 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2465 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2466 }
2467 prs_set_offset(&p->out_data.rdata, offset2);
2468
2469 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2470 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2471
2472 /* Check for buffer underflow in rpc parsing */
2473
2474 if ((DEBUGLEVEL >= 10) &&
2475 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2476 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2477 char *data = (char *)SMB_MALLOC(data_len);
2478
2479 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2480 if (data) {
2481 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2482 SAFE_FREE(data);
2483 }
2484
2485 }
2486
2487 return True;
2488 }