search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
[Samba/bb.git] / source3 / rpc_server / srv_pipe.c
blobb615080d3496597fd6ed7d1df2cc50300f2894a1
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 /* this module apparently provides an implementation of DCE/RPC over a
22 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
23 * documentation are available (in on-line form) from the X-Open group.
24 *
25 * this module should provide a level of abstraction between SMB
26 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
27 * data copies, and network traffic.
28 *
29 */
30
31 #include "includes.h"
32
33 extern struct pipe_id_info pipe_names[];
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43 if (a) {
44 auth_ntlmssp_end(&a);
45 }
46 auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 /*******************************************************************
50 Generate the next PDU to be returned from the data in p->rdata.
51 Handle NTLMSSP.
52 ********************************************************************/
53
54 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
55 {
56 RPC_HDR_RESP hdr_resp;
57 uint32 ss_padding_len = 0;
58 uint32 data_space_available;
59 uint32 data_len_left;
60 uint32 data_len;
61 prs_struct outgoing_pdu;
62 NTSTATUS status;
63 DATA_BLOB auth_blob;
64 RPC_HDR_AUTH auth_info;
65 uint8 auth_type, auth_level;
66 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
67
68 /*
69 * If we're in the fault state, keep returning fault PDU's until
70 * the pipe gets closed. JRA.
71 */
72
73 if(p->fault_state) {
74 setup_fault_pdu(p, NT_STATUS(0x1c010002));
75 return True;
76 }
77
78 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
79
80 /* Change the incoming request header to a response. */
81 p->hdr.pkt_type = RPC_RESPONSE;
82
83 /* Set up rpc header flags. */
84 if (p->out_data.data_sent_length == 0) {
85 p->hdr.flags = RPC_FLG_FIRST;
86 } else {
87 p->hdr.flags = 0;
88 }
89
90 /*
91 * Work out how much we can fit in a single PDU.
92 */
93
94 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
95
96 /*
97 * Ensure there really is data left to send.
98 */
99
100 if(!data_len_left) {
101 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
102 return False;
103 }
104
105 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
106 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
107
108 /*
109 * The amount we send is the minimum of the available
110 * space and the amount left to send.
111 */
112
113 data_len = MIN(data_len_left, data_space_available);
114
115 /*
116 * Set up the alloc hint. This should be the data left to
117 * send.
118 */
119
120 hdr_resp.alloc_hint = data_len_left;
121
122 /*
123 * Work out if this PDU will be the last.
124 */
125
126 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
127 p->hdr.flags |= RPC_FLG_LAST;
128 if (data_len_left % 8) {
129 ss_padding_len = 8 - (data_len_left % 8);
130 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
131 ss_padding_len ));
132 }
133 }
134
135 /*
136 * Set up the header lengths.
137 */
138
139 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
140 data_len + ss_padding_len +
141 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
142 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
143
144
145 /*
146 * Init the parse struct to point at the outgoing
147 * data.
148 */
149
150 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
151 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
152
153 /* Store the header in the data stream. */
154 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
155 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
156 prs_mem_free(&outgoing_pdu);
157 return False;
158 }
159
160 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
161 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
162 prs_mem_free(&outgoing_pdu);
163 return False;
164 }
165
166 /* Copy the data into the PDU. */
167
168 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
169 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
170 prs_mem_free(&outgoing_pdu);
171 return False;
172 }
173
174 /* Copy the sign/seal padding data. */
175 if (ss_padding_len) {
176 char pad[8];
177
178 memset(pad, '\0', 8);
179 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
180 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
181 (unsigned int)ss_padding_len));
182 prs_mem_free(&outgoing_pdu);
183 return False;
184 }
185 }
186
187
188 /* Now write out the auth header and null blob. */
189 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
190 auth_type = RPC_NTLMSSP_AUTH_TYPE;
191 } else {
192 auth_type = RPC_SPNEGO_AUTH_TYPE;
193 }
194 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
195 auth_level = RPC_AUTH_LEVEL_PRIVACY;
196 } else {
197 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
198 }
199
200 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
201 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
202 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
203 prs_mem_free(&outgoing_pdu);
204 return False;
205 }
206
207 /* Generate the sign blob. */
208
209 switch (p->auth.auth_level) {
210 case PIPE_AUTH_LEVEL_PRIVACY:
211 /* Data portion is encrypted. */
212 status = ntlmssp_seal_packet(a->ntlmssp_state,
213 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
214 data_len + ss_padding_len,
215 (unsigned char *)prs_data_p(&outgoing_pdu),
216 (size_t)prs_offset(&outgoing_pdu),
217 &auth_blob);
218 if (!NT_STATUS_IS_OK(status)) {
219 data_blob_free(&auth_blob);
220 prs_mem_free(&outgoing_pdu);
221 return False;
222 }
223 break;
224 case PIPE_AUTH_LEVEL_INTEGRITY:
225 /* Data is signed. */
226 status = ntlmssp_sign_packet(a->ntlmssp_state,
227 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
228 data_len + ss_padding_len,
229 (unsigned char *)prs_data_p(&outgoing_pdu),
230 (size_t)prs_offset(&outgoing_pdu),
231 &auth_blob);
232 if (!NT_STATUS_IS_OK(status)) {
233 data_blob_free(&auth_blob);
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 break;
238 default:
239 prs_mem_free(&outgoing_pdu);
240 return False;
241 }
242
243 /* Append the auth blob. */
244 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
245 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
246 (unsigned int)NTLMSSP_SIG_SIZE));
247 data_blob_free(&auth_blob);
248 prs_mem_free(&outgoing_pdu);
249 return False;
250 }
251
252 data_blob_free(&auth_blob);
253
254 /*
255 * Setup the counts for this PDU.
256 */
257
258 p->out_data.data_sent_length += data_len;
259 p->out_data.current_pdu_len = p->hdr.frag_len;
260 p->out_data.current_pdu_sent = 0;
261
262 prs_mem_free(&outgoing_pdu);
263 return True;
264 }
265
266 /*******************************************************************
267 Generate the next PDU to be returned from the data in p->rdata.
268 Return an schannel authenticated fragment.
269 ********************************************************************/
270
271 static BOOL create_next_pdu_schannel(pipes_struct *p)
272 {
273 RPC_HDR_RESP hdr_resp;
274 uint32 ss_padding_len = 0;
275 uint32 data_len;
276 uint32 data_space_available;
277 uint32 data_len_left;
278 prs_struct outgoing_pdu;
279 uint32 data_pos;
280
281 /*
282 * If we're in the fault state, keep returning fault PDU's until
283 * the pipe gets closed. JRA.
284 */
285
286 if(p->fault_state) {
287 setup_fault_pdu(p, NT_STATUS(0x1c010002));
288 return True;
289 }
290
291 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
292
293 /* Change the incoming request header to a response. */
294 p->hdr.pkt_type = RPC_RESPONSE;
295
296 /* Set up rpc header flags. */
297 if (p->out_data.data_sent_length == 0) {
298 p->hdr.flags = RPC_FLG_FIRST;
299 } else {
300 p->hdr.flags = 0;
301 }
302
303 /*
304 * Work out how much we can fit in a single PDU.
305 */
306
307 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
308
309 /*
310 * Ensure there really is data left to send.
311 */
312
313 if(!data_len_left) {
314 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
315 return False;
316 }
317
318 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
319 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
320
321 /*
322 * The amount we send is the minimum of the available
323 * space and the amount left to send.
324 */
325
326 data_len = MIN(data_len_left, data_space_available);
327
328 /*
329 * Set up the alloc hint. This should be the data left to
330 * send.
331 */
332
333 hdr_resp.alloc_hint = data_len_left;
334
335 /*
336 * Work out if this PDU will be the last.
337 */
338
339 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
340 p->hdr.flags |= RPC_FLG_LAST;
341 if (data_len_left % 8) {
342 ss_padding_len = 8 - (data_len_left % 8);
343 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
344 ss_padding_len ));
345 }
346 }
347
348 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
349 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
350 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
351
352 /*
353 * Init the parse struct to point at the outgoing
354 * data.
355 */
356
357 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
358 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
359
360 /* Store the header in the data stream. */
361 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
362 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
363 prs_mem_free(&outgoing_pdu);
364 return False;
365 }
366
367 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
368 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
369 prs_mem_free(&outgoing_pdu);
370 return False;
371 }
372
373 /* Store the current offset. */
374 data_pos = prs_offset(&outgoing_pdu);
375
376 /* Copy the data into the PDU. */
377
378 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
379 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
380 prs_mem_free(&outgoing_pdu);
381 return False;
382 }
383
384 /* Copy the sign/seal padding data. */
385 if (ss_padding_len) {
386 char pad[8];
387 memset(pad, '\0', 8);
388 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
389 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
390 prs_mem_free(&outgoing_pdu);
391 return False;
392 }
393 }
394
395 {
396 /*
397 * Schannel processing.
398 */
399 char *data;
400 RPC_HDR_AUTH auth_info;
401 RPC_AUTH_SCHANNEL_CHK verf;
402
403 data = prs_data_p(&outgoing_pdu) + data_pos;
404 /* Check it's the type of reply we were expecting to decode */
405
406 init_rpc_hdr_auth(&auth_info,
407 RPC_SCHANNEL_AUTH_TYPE,
408 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
409 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
410 ss_padding_len, 1);
411
412 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
413 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
414 prs_mem_free(&outgoing_pdu);
415 return False;
416 }
417
418 schannel_encode(p->auth.a_u.schannel_auth,
419 p->auth.auth_level,
420 SENDER_IS_ACCEPTOR,
421 &verf, data, data_len + ss_padding_len);
422
423 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
424 &verf, &outgoing_pdu, 0)) {
425 prs_mem_free(&outgoing_pdu);
426 return False;
427 }
428
429 p->auth.a_u.schannel_auth->seq_num++;
430 }
431
432 /*
433 * Setup the counts for this PDU.
434 */
435
436 p->out_data.data_sent_length += data_len;
437 p->out_data.current_pdu_len = p->hdr.frag_len;
438 p->out_data.current_pdu_sent = 0;
439
440 prs_mem_free(&outgoing_pdu);
441 return True;
442 }
443
444 /*******************************************************************
445 Generate the next PDU to be returned from the data in p->rdata.
446 No authentication done.
447 ********************************************************************/
448
449 static BOOL create_next_pdu_noauth(pipes_struct *p)
450 {
451 RPC_HDR_RESP hdr_resp;
452 uint32 data_len;
453 uint32 data_space_available;
454 uint32 data_len_left;
455 prs_struct outgoing_pdu;
456
457 /*
458 * If we're in the fault state, keep returning fault PDU's until
459 * the pipe gets closed. JRA.
460 */
461
462 if(p->fault_state) {
463 setup_fault_pdu(p, NT_STATUS(0x1c010002));
464 return True;
465 }
466
467 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
468
469 /* Change the incoming request header to a response. */
470 p->hdr.pkt_type = RPC_RESPONSE;
471
472 /* Set up rpc header flags. */
473 if (p->out_data.data_sent_length == 0) {
474 p->hdr.flags = RPC_FLG_FIRST;
475 } else {
476 p->hdr.flags = 0;
477 }
478
479 /*
480 * Work out how much we can fit in a single PDU.
481 */
482
483 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
484
485 /*
486 * Ensure there really is data left to send.
487 */
488
489 if(!data_len_left) {
490 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
491 return False;
492 }
493
494 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
495
496 /*
497 * The amount we send is the minimum of the available
498 * space and the amount left to send.
499 */
500
501 data_len = MIN(data_len_left, data_space_available);
502
503 /*
504 * Set up the alloc hint. This should be the data left to
505 * send.
506 */
507
508 hdr_resp.alloc_hint = data_len_left;
509
510 /*
511 * Work out if this PDU will be the last.
512 */
513
514 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
515 p->hdr.flags |= RPC_FLG_LAST;
516 }
517
518 /*
519 * Set up the header lengths.
520 */
521
522 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
523 p->hdr.auth_len = 0;
524
525 /*
526 * Init the parse struct to point at the outgoing
527 * data.
528 */
529
530 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
531 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
532
533 /* Store the header in the data stream. */
534 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
535 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
536 prs_mem_free(&outgoing_pdu);
537 return False;
538 }
539
540 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
541 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
542 prs_mem_free(&outgoing_pdu);
543 return False;
544 }
545
546 /* Copy the data into the PDU. */
547
548 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
549 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
550 prs_mem_free(&outgoing_pdu);
551 return False;
552 }
553
554 /*
555 * Setup the counts for this PDU.
556 */
557
558 p->out_data.data_sent_length += data_len;
559 p->out_data.current_pdu_len = p->hdr.frag_len;
560 p->out_data.current_pdu_sent = 0;
561
562 prs_mem_free(&outgoing_pdu);
563 return True;
564 }
565
566 /*******************************************************************
567 Generate the next PDU to be returned from the data in p->rdata.
568 ********************************************************************/
569
570 BOOL create_next_pdu(pipes_struct *p)
571 {
572 switch(p->auth.auth_level) {
573 case PIPE_AUTH_LEVEL_NONE:
574 case PIPE_AUTH_LEVEL_CONNECT:
575 /* This is incorrect for auth level connect. Fixme. JRA */
576 return create_next_pdu_noauth(p);
577
578 default:
579 switch(p->auth.auth_type) {
580 case PIPE_AUTH_TYPE_NTLMSSP:
581 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
582 return create_next_pdu_ntlmssp(p);
583 case PIPE_AUTH_TYPE_SCHANNEL:
584 return create_next_pdu_schannel(p);
585 default:
586 break;
587 }
588 }
589
590 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
591 (unsigned int)p->auth.auth_level,
592 (unsigned int)p->auth.auth_type));
593 return False;
594 }
595
596 /*******************************************************************
597 Process an NTLMSSP authentication response.
598 If this function succeeds, the user has been authenticated
599 and their domain, name and calling workstation stored in
600 the pipe struct.
601 *******************************************************************/
602
603 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
604 {
605 DATA_BLOB reply;
606 NTSTATUS status;
607 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
608
609 DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n"));
610
611 ZERO_STRUCT(reply);
612
613 memset(p->user_name, '\0', sizeof(p->user_name));
614 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
615 memset(p->domain, '\0', sizeof(p->domain));
616 memset(p->wks, '\0', sizeof(p->wks));
617
618 /* Set up for non-authenticated user. */
619 delete_nt_token(&p->pipe_user.nt_user_token);
620 p->pipe_user.ngroups = 0;
621 SAFE_FREE( p->pipe_user.groups);
622
623 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
624
625 /* Don't generate a reply. */
626 data_blob_free(&reply);
627
628 if (!NT_STATUS_IS_OK(status)) {
629 return False;
630 }
631
632 fstrcpy(p->user_name, a->ntlmssp_state->user);
633 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
634 fstrcpy(p->domain, a->ntlmssp_state->domain);
635 fstrcpy(p->wks, a->ntlmssp_state->workstation);
636
637 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
638 p->user_name, p->domain, p->wks));
639
640 /*
641 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
642 */
643
644 p->pipe_user.uid = a->server_info->uid;
645 p->pipe_user.gid = a->server_info->gid;
646
647 /*
648 * Copy the session key from the ntlmssp state.
649 */
650
651 data_blob_free(&p->session_key);
652 p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
653 if (!p->session_key.data) {
654 return False;
655 }
656
657 p->pipe_user.ngroups = a->server_info->n_groups;
658 if (p->pipe_user.ngroups) {
659 if (!(p->pipe_user.groups = memdup(a->server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
660 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
661 return False;
662 }
663 }
664
665 if (a->server_info->ptok) {
666 p->pipe_user.nt_user_token = dup_nt_token(a->server_info->ptok);
667 } else {
668 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
669 p->pipe_user.nt_user_token = NULL;
670 return False;
671 }
672
673 return True;
674 }
675
676 /*******************************************************************
677 The switch table for the pipe names and the functions to handle them.
678 *******************************************************************/
679
680 struct rpc_table {
681 struct {
682 const char *clnt;
683 const char *srv;
684 } pipe;
685 struct api_struct *cmds;
686 int n_cmds;
687 };
688
689 static struct rpc_table *rpc_lookup;
690 static int rpc_lookup_size;
691
692 /*******************************************************************
693 This is the "stage3" NTLMSSP response after a bind request and reply.
694 *******************************************************************/
695
696 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
697 {
698 RPC_HDR_AUTH auth_info;
699 uint32 pad;
700 DATA_BLOB blob;
701
702 ZERO_STRUCT(blob);
703
704 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
705
706 if (p->hdr.auth_len == 0) {
707 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
708 goto err;
709 }
710
711 /* 4 bytes padding. */
712 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
713 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
714 goto err;
715 }
716
717 /*
718 * Decode the authentication verifier response.
719 */
720
721 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
722 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
723 goto err;
724 }
725
726 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
727 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
728 (unsigned int)auth_info.auth_type ));
729 return False;
730 }
731
732 blob = data_blob(NULL,p->hdr.auth_len);
733
734 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
735 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
736 (unsigned int)p->hdr.auth_len ));
737 goto err;
738 }
739
740 /*
741 * The following call actually checks the challenge/response data.
742 * for correctness against the given DOMAIN\user name.
743 */
744
745 if (!pipe_ntlmssp_verify_final(p, &blob)) {
746 goto err;
747 }
748
749 data_blob_free(&blob);
750
751 p->pipe_bound = True;
752
753 return True;
754
755 err:
756
757 data_blob_free(&blob);
758 free_pipe_ntlmssp_auth_data(&p->auth);
759 p->auth.a_u.auth_ntlmssp_state = NULL;
760
761 return False;
762 }
763
764 /*******************************************************************
765 Marshall a bind_nak pdu.
766 *******************************************************************/
767
768 static BOOL setup_bind_nak(pipes_struct *p)
769 {
770 prs_struct outgoing_rpc;
771 RPC_HDR nak_hdr;
772 uint16 zero = 0;
773
774 /* Free any memory in the current return data buffer. */
775 prs_mem_free(&p->out_data.rdata);
776
777 /*
778 * Marshall directly into the outgoing PDU space. We
779 * must do this as we need to set to the bind response
780 * header and are never sending more than one PDU here.
781 */
782
783 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
784 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
785
786 /*
787 * Initialize a bind_nak header.
788 */
789
790 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
791 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
792
793 /*
794 * Marshall the header into the outgoing PDU.
795 */
796
797 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
798 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
799 prs_mem_free(&outgoing_rpc);
800 return False;
801 }
802
803 /*
804 * Now add the reject reason.
805 */
806
807 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
808 prs_mem_free(&outgoing_rpc);
809 return False;
810 }
811
812 p->out_data.data_sent_length = 0;
813 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
814 p->out_data.current_pdu_sent = 0;
815
816 if (p->auth.auth_data_free_func) {
817 (*p->auth.auth_data_free_func)(&p->auth);
818 }
819 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
820 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
821 p->pipe_bound = False;
822
823 return True;
824 }
825
826 /*******************************************************************
827 Marshall a fault pdu.
828 *******************************************************************/
829
830 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
831 {
832 prs_struct outgoing_pdu;
833 RPC_HDR fault_hdr;
834 RPC_HDR_RESP hdr_resp;
835 RPC_HDR_FAULT fault_resp;
836
837 /* Free any memory in the current return data buffer. */
838 prs_mem_free(&p->out_data.rdata);
839
840 /*
841 * Marshall directly into the outgoing PDU space. We
842 * must do this as we need to set to the bind response
843 * header and are never sending more than one PDU here.
844 */
845
846 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
847 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
848
849 /*
850 * Initialize a fault header.
851 */
852
853 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
854 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
855
856 /*
857 * Initialize the HDR_RESP and FAULT parts of the PDU.
858 */
859
860 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
861
862 fault_resp.status = status;
863 fault_resp.reserved = 0;
864
865 /*
866 * Marshall the header into the outgoing PDU.
867 */
868
869 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
870 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
871 prs_mem_free(&outgoing_pdu);
872 return False;
873 }
874
875 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
876 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
877 prs_mem_free(&outgoing_pdu);
878 return False;
879 }
880
881 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
882 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
883 prs_mem_free(&outgoing_pdu);
884 return False;
885 }
886
887 p->out_data.data_sent_length = 0;
888 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
889 p->out_data.current_pdu_sent = 0;
890
891 prs_mem_free(&outgoing_pdu);
892 return True;
893 }
894
895 /*******************************************************************
896 Ensure a bind request has the correct abstract & transfer interface.
897 Used to reject unknown binds from Win2k.
898 *******************************************************************/
899
900 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
901 RPC_IFACE* transfer, uint32 context_id)
902 {
903 char *pipe_name = p->name;
904 int i=0;
905 fstring pname;
906
907 fstrcpy(pname,"\\PIPE\\");
908 fstrcat(pname,pipe_name);
909
910 DEBUG(3,("check_bind_req for %s\n", pname));
911
912 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
913
914 for ( i=0; pipe_names[i].client_pipe; i++ ) {
915 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
916 if ( strequal(pipe_names[i].client_pipe, pname)
917 && (abstract->version == pipe_names[i].abstr_syntax.version)
918 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
919 && (transfer->version == pipe_names[i].trans_syntax.version)
920 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) ) {
921 struct api_struct *fns = NULL;
922 int n_fns = 0;
923 PIPE_RPC_FNS *context_fns;
924
925 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
926 DEBUG(0,("check_bind_req: malloc() failed!\n"));
927 return False;
928 }
929
930 /* save the RPC function table associated with this bind */
931
932 get_pipe_fns(i, &fns, &n_fns);
933
934 context_fns->cmds = fns;
935 context_fns->n_cmds = n_fns;
936 context_fns->context_id = context_id;
937
938 /* add to the list of open contexts */
939
940 DLIST_ADD( p->contexts, context_fns );
941
942 break;
943 }
944 }
945
946 if(pipe_names[i].client_pipe == NULL) {
947 return False;
948 }
949
950 return True;
951 }
952
953 /*******************************************************************
954 Register commands to an RPC pipe
955 *******************************************************************/
956
957 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
958 {
959 struct rpc_table *rpc_entry;
960
961 if (!clnt || !srv || !cmds) {
962 return NT_STATUS_INVALID_PARAMETER;
963 }
964
965 if (version != SMB_RPC_INTERFACE_VERSION) {
966 DEBUG(0,("Can't register rpc commands!\n"
967 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
968 ", while this version of samba uses version %d!\n",
969 version,SMB_RPC_INTERFACE_VERSION));
970 return NT_STATUS_OBJECT_TYPE_MISMATCH;
971 }
972
973 /* TODO:
974 *
975 * we still need to make sure that don't register the same commands twice!!!
976 *
977 * --metze
978 */
979
980 /* We use a temporary variable because this call can fail and
981 rpc_lookup will still be valid afterwards. It could then succeed if
982 called again later */
983 rpc_lookup_size++;
984 rpc_entry = SMB_REALLOC_ARRAY(rpc_lookup, struct rpc_table, rpc_lookup_size);
985 if (NULL == rpc_entry) {
986 rpc_lookup_size--;
987 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
988 return NT_STATUS_NO_MEMORY;
989 } else {
990 rpc_lookup = rpc_entry;
991 }
992
993 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
994 ZERO_STRUCTP(rpc_entry);
995 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
996 rpc_entry->pipe.srv = SMB_STRDUP(srv);
997 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
998 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
999 rpc_entry->n_cmds += size;
1000
1001 return NT_STATUS_OK;
1002 }
1003
1004 /*******************************************************************
1005 Handle a SPNEGO krb5 bind auth.
1006 *******************************************************************/
1007
1008 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1009 DATA_BLOB *psecblob, prs_struct *pout_auth)
1010 {
1011 return False;
1012 }
1013
1014 /*******************************************************************
1015 Handle the first part of a SPNEGO bind auth.
1016 *******************************************************************/
1017
1018 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1019 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1020 {
1021 DATA_BLOB blob;
1022 DATA_BLOB secblob;
1023 DATA_BLOB response;
1024 DATA_BLOB chal;
1025 char *OIDs[ASN1_MAX_OIDS];
1026 int i;
1027 NTSTATUS status;
1028 BOOL got_kerberos_mechanism = False;
1029 AUTH_NTLMSSP_STATE *a = NULL;
1030 RPC_HDR_AUTH auth_info;
1031
1032 ZERO_STRUCT(secblob);
1033 ZERO_STRUCT(chal);
1034 ZERO_STRUCT(response);
1035
1036 /* Grab the SPNEGO blob. */
1037 blob = data_blob(NULL,p->hdr.auth_len);
1038
1039 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1040 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1041 (unsigned int)p->hdr.auth_len ));
1042 goto err;
1043 }
1044
1045 if (blob.data[0] != ASN1_APPLICATION(0)) {
1046 goto err;
1047 }
1048
1049 /* parse out the OIDs and the first sec blob */
1050 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1051 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1052 goto err;
1053 }
1054
1055 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1056 got_kerberos_mechanism = True;
1057 }
1058
1059 for (i=0;OIDs[i];i++) {
1060 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1061 SAFE_FREE(OIDs[i]);
1062 }
1063 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1064
1065 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1066 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1067 data_blob_free(&secblob);
1068 data_blob_free(&blob);
1069 return ret;
1070 }
1071
1072 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1073 /* Free any previous auth type. */
1074 free_pipe_ntlmssp_auth_data(&p->auth);
1075 }
1076
1077 /* Initialize the NTLM engine. */
1078 status = auth_ntlmssp_start(&a);
1079 if (!NT_STATUS_IS_OK(status)) {
1080 goto err;
1081 }
1082
1083 /*
1084 * Pass the first security blob of data to it.
1085 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1086 * which means we need another packet to complete the bind.
1087 */
1088
1089 status = auth_ntlmssp_update(a, secblob, &chal);
1090
1091 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1092 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1093 goto err;
1094 }
1095
1096 /* Generate the response blob we need for step 2 of the bind. */
1097 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1098
1099 /* Copy the blob into the pout_auth parse struct */
1100 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1101 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1102 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1103 goto err;
1104 }
1105
1106 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1107 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1108 goto err;
1109 }
1110
1111 p->auth.a_u.auth_ntlmssp_state = a;
1112 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1113 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1114
1115 data_blob_free(&blob);
1116 data_blob_free(&secblob);
1117 data_blob_free(&chal);
1118 data_blob_free(&response);
1119
1120 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1121 return True;
1122
1123 err:
1124
1125 data_blob_free(&blob);
1126 data_blob_free(&secblob);
1127 data_blob_free(&chal);
1128 data_blob_free(&response);
1129
1130 p->auth.a_u.auth_ntlmssp_state = NULL;
1131
1132 return False;
1133 }
1134
1135 /*******************************************************************
1136 Handle the second part of a SPNEGO bind auth.
1137 *******************************************************************/
1138
1139 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1140 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1141 {
1142 DATA_BLOB spnego_blob, auth_blob, auth_reply;
1143 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1144
1145 ZERO_STRUCT(spnego_blob);
1146 ZERO_STRUCT(auth_blob);
1147 ZERO_STRUCT(auth_reply);
1148
1149 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1150 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1151 goto err;
1152 }
1153
1154 /* Grab the SPNEGO blob. */
1155 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1156
1157 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1158 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1159 (unsigned int)p->hdr.auth_len ));
1160 goto err;
1161 }
1162
1163 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1164 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1165 goto err;
1166 }
1167
1168 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1169 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1170 goto err;
1171 }
1172
1173 /*
1174 * The following call actually checks the challenge/response data.
1175 * for correctness against the given DOMAIN\user name.
1176 */
1177
1178 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1179 goto err;
1180 }
1181
1182 data_blob_free(&spnego_blob);
1183 data_blob_free(&auth_blob);
1184 data_blob_free(&auth_reply);
1185
1186 p->pipe_bound = True;
1187
1188 return True;
1189
1190 err:
1191
1192 data_blob_free(&spnego_blob);
1193 data_blob_free(&auth_blob);
1194 data_blob_free(&auth_reply);
1195
1196 free_pipe_ntlmssp_auth_data(&p->auth);
1197 p->auth.a_u.auth_ntlmssp_state = NULL;
1198
1199 return False;
1200 }
1201
1202 /*******************************************************************
1203 Handle an schannel bind auth.
1204 *******************************************************************/
1205
1206 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1207 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1208 {
1209 RPC_HDR_AUTH auth_info;
1210 RPC_AUTH_SCHANNEL_NEG neg;
1211 RPC_AUTH_VERIFIER auth_verifier;
1212 BOOL ret;
1213 struct dcinfo stored_dcinfo;
1214 uint32 flags;
1215
1216 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1217 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1218 return False;
1219 }
1220
1221 ZERO_STRUCT(stored_dcinfo);
1222
1223 become_root();
1224 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &stored_dcinfo);
1225 unbecome_root();
1226
1227 if (!ret) {
1228 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1229 return False;
1230 }
1231
1232 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1233 if (!p->auth.a_u.schannel_auth) {
1234 return False;
1235 }
1236
1237 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1238 memcpy(p->auth.a_u.schannel_auth->sess_key, stored_dcinfo.sess_key, sizeof(stored_dcinfo.sess_key));
1239
1240 p->auth.a_u.schannel_auth->seq_num = 0;
1241
1242 /*
1243 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1244 * here ? We do that for NTLMSPP, but the session key is already set up from the vuser
1245 * struct of the person who opened the pipe. I need to test this further. JRA.
1246 */
1247
1248 /* The client opens a second RPC NETLOGON pipe without
1249 doing a auth2. The credentials for the schannel are
1250 re-used from the auth2 the client did before. */
1251 p->dc = TALLOC_ZERO_P(p->pipe_state_mem_ctx, struct dcinfo);
1252 if (!p->dc) {
1253 return False;
1254 }
1255 *p->dc = stored_dcinfo;
1256
1257 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1258 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1259 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1260 return False;
1261 }
1262
1263 /*** SCHANNEL verifier ***/
1264
1265 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1266 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1267 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1268 return False;
1269 }
1270
1271 prs_align(pout_auth);
1272
1273 flags = 5;
1274 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1275 return False;
1276 }
1277
1278 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1279 neg.domain, neg.myname));
1280
1281 /* We're finished with this bind - no more packets. */
1282 p->auth.auth_data_free_func = NULL;
1283 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1284
1285 p->pipe_bound = True;
1286
1287 return True;
1288 }
1289
1290 /*******************************************************************
1291 Handle an NTLMSSP bind auth.
1292 *******************************************************************/
1293
1294 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1295 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1296 {
1297 RPC_HDR_AUTH auth_info;
1298 DATA_BLOB blob;
1299 DATA_BLOB response;
1300 NTSTATUS status;
1301 AUTH_NTLMSSP_STATE *a = NULL;
1302
1303 ZERO_STRUCT(blob);
1304 ZERO_STRUCT(response);
1305
1306 /* Grab the NTLMSSP blob. */
1307 blob = data_blob(NULL,p->hdr.auth_len);
1308
1309 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1310 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1311 (unsigned int)p->hdr.auth_len ));
1312 goto err;
1313 }
1314
1315 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1316 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1317 goto err;
1318 }
1319
1320 /* We have an NTLMSSP blob. */
1321 status = auth_ntlmssp_start(&a);
1322 if (!NT_STATUS_IS_OK(status)) {
1323 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1324 nt_errstr(status) ));
1325 goto err;
1326 }
1327
1328 status = auth_ntlmssp_update(a, blob, &response);
1329 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1330 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1331 nt_errstr(status) ));
1332 goto err;
1333 }
1334
1335 data_blob_free(&blob);
1336
1337 /* Copy the blob into the pout_auth parse struct */
1338 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1339 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1340 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1341 goto err;
1342 }
1343
1344 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1345 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1346 goto err;
1347 }
1348
1349 p->auth.a_u.auth_ntlmssp_state = a;
1350 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1351 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1352
1353 data_blob_free(&blob);
1354 data_blob_free(&response);
1355
1356 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1357
1358 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1359 return True;
1360
1361 err:
1362
1363 data_blob_free(&blob);
1364 data_blob_free(&response);
1365
1366 free_pipe_ntlmssp_auth_data(&p->auth);
1367 p->auth.a_u.auth_ntlmssp_state = NULL;
1368 return False;
1369 }
1370
1371 /*******************************************************************
1372 Respond to a pipe bind request.
1373 *******************************************************************/
1374
1375 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1376 {
1377 RPC_HDR_BA hdr_ba;
1378 RPC_HDR_RB hdr_rb;
1379 RPC_HDR_AUTH auth_info;
1380 uint16 assoc_gid;
1381 fstring ack_pipe_name;
1382 prs_struct out_hdr_ba;
1383 prs_struct out_auth;
1384 prs_struct outgoing_rpc;
1385 int i = 0;
1386 int auth_len = 0;
1387 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1388
1389 /* No rebinds on a bound pipe - use alter context. */
1390 if (p->pipe_bound) {
1391 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1392 return setup_bind_nak(p);
1393 }
1394
1395 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1396
1397 /*
1398 * Marshall directly into the outgoing PDU space. We
1399 * must do this as we need to set to the bind response
1400 * header and are never sending more than one PDU here.
1401 */
1402
1403 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1404
1405 /*
1406 * Setup the memory to marshall the ba header, and the
1407 * auth footers.
1408 */
1409
1410 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1411 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1412 prs_mem_free(&outgoing_rpc);
1413 return False;
1414 }
1415
1416 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1417 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1418 prs_mem_free(&outgoing_rpc);
1419 prs_mem_free(&out_hdr_ba);
1420 return False;
1421 }
1422
1423 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1424
1425 /*
1426 * Try and find the correct pipe name to ensure
1427 * that this is a pipe name we support.
1428 */
1429
1430
1431 for (i = 0; i < rpc_lookup_size; i++) {
1432 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1433 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1434 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1435 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1436 break;
1437 }
1438 }
1439
1440 if (i == rpc_lookup_size) {
1441 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1442 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1443 p->name ));
1444 prs_mem_free(&outgoing_rpc);
1445 prs_mem_free(&out_hdr_ba);
1446 prs_mem_free(&out_auth);
1447
1448 return setup_bind_nak(p);
1449 }
1450
1451 for (i = 0; i < rpc_lookup_size; i++) {
1452 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1453 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1454 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1455 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1456 break;
1457 }
1458 }
1459
1460 if (i == rpc_lookup_size) {
1461 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1462 goto err_exit;
1463 }
1464 }
1465
1466 /* decode the bind request */
1467 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1468 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1469 goto err_exit;
1470 }
1471
1472 /* name has to be \PIPE\xxxxx */
1473 fstrcpy(ack_pipe_name, "\\PIPE\\");
1474 fstrcat(ack_pipe_name, p->pipe_srv_name);
1475
1476 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1477
1478 /*
1479 * Check if this is an authenticated bind request.
1480 */
1481
1482 if (p->hdr.auth_len) {
1483 /*
1484 * Decode the authentication verifier.
1485 */
1486
1487 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1488 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1489 goto err_exit;
1490 }
1491
1492 auth_type = auth_info.auth_type;
1493
1494 /* Work out if we have to sign or seal etc. */
1495 switch (auth_info.auth_level) {
1496 case RPC_AUTH_LEVEL_INTEGRITY:
1497 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1498 break;
1499 case RPC_AUTH_LEVEL_PRIVACY:
1500 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1501 break;
1502 default:
1503 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1504 (unsigned int)auth_info.auth_level ));
1505 goto err_exit;
1506 }
1507 } else {
1508 ZERO_STRUCT(auth_info);
1509 }
1510
1511 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1512
1513 switch(auth_type) {
1514 case RPC_NTLMSSP_AUTH_TYPE:
1515 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1516 goto err_exit;
1517 }
1518 assoc_gid = 0x7a77;
1519 break;
1520
1521 case RPC_SCHANNEL_AUTH_TYPE:
1522 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1523 goto err_exit;
1524 }
1525 break;
1526
1527 case RPC_SPNEGO_AUTH_TYPE:
1528 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1529 goto err_exit;
1530 }
1531 break;
1532
1533 case RPC_ANONYMOUS_AUTH_TYPE:
1534 /* Unauthenticated bind request. */
1535 /* We're finished - no more packets. */
1536 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1537 /* We must set the pipe auth_level here also. */
1538 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1539 p->pipe_bound = True;
1540 break;
1541
1542 default:
1543 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1544 goto err_exit;
1545 }
1546
1547 /*
1548 * Create the bind response struct.
1549 */
1550
1551 /* If the requested abstract synt uuid doesn't match our client pipe,
1552 reject the bind_ack & set the transfer interface synt to all 0's,
1553 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1554 unknown to NT4)
1555 Needed when adding entries to a DACL from NT5 - SK */
1556
1557 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1558 hdr_rb.rpc_context[0].context_id )) {
1559 init_rpc_hdr_ba(&hdr_ba,
1560 RPC_MAX_PDU_FRAG_LEN,
1561 RPC_MAX_PDU_FRAG_LEN,
1562 assoc_gid,
1563 ack_pipe_name,
1564 0x1, 0x0, 0x0,
1565 &hdr_rb.rpc_context[0].transfer[0]);
1566 } else {
1567 RPC_IFACE null_interface;
1568 ZERO_STRUCT(null_interface);
1569 /* Rejection reason: abstract syntax not supported */
1570 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1571 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1572 ack_pipe_name, 0x1, 0x2, 0x1,
1573 &null_interface);
1574 p->pipe_bound = False;
1575 }
1576
1577 /*
1578 * and marshall it.
1579 */
1580
1581 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1582 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1583 goto err_exit;
1584 }
1585
1586 /*
1587 * Create the header, now we know the length.
1588 */
1589
1590 if (prs_offset(&out_auth)) {
1591 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1592 }
1593
1594 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1595 p->hdr.call_id,
1596 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1597 auth_len);
1598
1599 /*
1600 * Marshall the header into the outgoing PDU.
1601 */
1602
1603 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1604 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1605 goto err_exit;
1606 }
1607
1608 /*
1609 * Now add the RPC_HDR_BA and any auth needed.
1610 */
1611
1612 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1613 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1614 goto err_exit;
1615 }
1616
1617 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1618 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1619 goto err_exit;
1620 }
1621
1622 /*
1623 * Setup the lengths for the initial reply.
1624 */
1625
1626 p->out_data.data_sent_length = 0;
1627 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1628 p->out_data.current_pdu_sent = 0;
1629
1630 prs_mem_free(&out_hdr_ba);
1631 prs_mem_free(&out_auth);
1632
1633 return True;
1634
1635 err_exit:
1636
1637 prs_mem_free(&outgoing_rpc);
1638 prs_mem_free(&out_hdr_ba);
1639 prs_mem_free(&out_auth);
1640 return setup_bind_nak(p);
1641 }
1642
1643 /****************************************************************************
1644 Deal with an alter context call. Can be third part of 3 leg auth request for
1645 SPNEGO calls.
1646 ****************************************************************************/
1647
1648 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1649 {
1650 RPC_HDR_BA hdr_ba;
1651 RPC_HDR_RB hdr_rb;
1652 RPC_HDR_AUTH auth_info;
1653 uint16 assoc_gid;
1654 fstring ack_pipe_name;
1655 prs_struct out_hdr_ba;
1656 prs_struct out_auth;
1657 prs_struct outgoing_rpc;
1658 int auth_len = 0;
1659
1660 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1661
1662 /*
1663 * Marshall directly into the outgoing PDU space. We
1664 * must do this as we need to set to the bind response
1665 * header and are never sending more than one PDU here.
1666 */
1667
1668 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1669
1670 /*
1671 * Setup the memory to marshall the ba header, and the
1672 * auth footers.
1673 */
1674
1675 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1676 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1677 prs_mem_free(&outgoing_rpc);
1678 return False;
1679 }
1680
1681 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1682 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1683 prs_mem_free(&outgoing_rpc);
1684 prs_mem_free(&out_hdr_ba);
1685 return False;
1686 }
1687
1688 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1689
1690 /* decode the alter context request */
1691 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1692 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1693 goto err_exit;
1694 }
1695
1696 /* secondary address CAN be NULL
1697 * as the specs say it's ignored.
1698 * It MUST be NULL to have the spoolss working.
1699 */
1700 fstrcpy(ack_pipe_name,"");
1701
1702 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1703
1704 /*
1705 * Check if this is an authenticated alter context request.
1706 */
1707
1708 if (p->hdr.auth_len != 0) {
1709 /*
1710 * Decode the authentication verifier.
1711 */
1712
1713 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1714 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1715 goto err_exit;
1716 }
1717
1718 /*
1719 * Currently only the SPNEGO auth type uses the alter ctx
1720 * response in place of the NTLMSSP auth3 type.
1721 */
1722
1723 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1724 /* We can only finish if the pipe is unbound. */
1725 if (!p->pipe_bound) {
1726 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1727 goto err_exit;
1728 }
1729 } else {
1730 goto err_exit;
1731 }
1732 }
1733 } else {
1734 ZERO_STRUCT(auth_info);
1735 }
1736
1737 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1738
1739 /*
1740 * Create the bind response struct.
1741 */
1742
1743 /* If the requested abstract synt uuid doesn't match our client pipe,
1744 reject the bind_ack & set the transfer interface synt to all 0's,
1745 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1746 unknown to NT4)
1747 Needed when adding entries to a DACL from NT5 - SK */
1748
1749 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1750 hdr_rb.rpc_context[0].context_id )) {
1751 init_rpc_hdr_ba(&hdr_ba,
1752 RPC_MAX_PDU_FRAG_LEN,
1753 RPC_MAX_PDU_FRAG_LEN,
1754 assoc_gid,
1755 ack_pipe_name,
1756 0x1, 0x0, 0x0,
1757 &hdr_rb.rpc_context[0].transfer[0]);
1758 } else {
1759 RPC_IFACE null_interface;
1760 ZERO_STRUCT(null_interface);
1761 /* Rejection reason: abstract syntax not supported */
1762 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1763 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1764 ack_pipe_name, 0x1, 0x2, 0x1,
1765 &null_interface);
1766 p->pipe_bound = False;
1767 }
1768
1769 /*
1770 * and marshall it.
1771 */
1772
1773 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1774 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1775 goto err_exit;
1776 }
1777
1778 /*
1779 * Create the header, now we know the length.
1780 */
1781
1782 if (prs_offset(&out_auth)) {
1783 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1784 }
1785
1786 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1787 p->hdr.call_id,
1788 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1789 auth_len);
1790
1791 /*
1792 * Marshall the header into the outgoing PDU.
1793 */
1794
1795 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1796 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1797 goto err_exit;
1798 }
1799
1800 /*
1801 * Now add the RPC_HDR_BA and any auth needed.
1802 */
1803
1804 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1805 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1806 goto err_exit;
1807 }
1808
1809 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1810 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1811 goto err_exit;
1812 }
1813
1814 /*
1815 * Setup the lengths for the initial reply.
1816 */
1817
1818 p->out_data.data_sent_length = 0;
1819 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1820 p->out_data.current_pdu_sent = 0;
1821
1822 prs_mem_free(&out_hdr_ba);
1823 prs_mem_free(&out_auth);
1824
1825 return True;
1826
1827 err_exit:
1828
1829 prs_mem_free(&outgoing_rpc);
1830 prs_mem_free(&out_hdr_ba);
1831 prs_mem_free(&out_auth);
1832 return setup_bind_nak(p);
1833 }
1834
1835 /****************************************************************************
1836 Deal with NTLMSSP sign & seal processing on an RPC request.
1837 ****************************************************************************/
1838
1839 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1840 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1841 {
1842 RPC_HDR_AUTH auth_info;
1843 uint32 auth_len = p->hdr.auth_len;
1844 uint32 save_offset = prs_offset(rpc_in);
1845 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1846 unsigned char *data = NULL;
1847 size_t data_len;
1848 unsigned char *full_packet_data = NULL;
1849 size_t full_packet_data_len;
1850 DATA_BLOB auth_blob;
1851
1852 *pstatus = NT_STATUS_OK;
1853
1854 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1855 return True;
1856 }
1857
1858 if (!a) {
1859 *pstatus = NT_STATUS_INVALID_PARAMETER;
1860 return False;
1861 }
1862
1863 /* Ensure there's enough data for an authenticated request. */
1864 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1865 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1866 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1867 (unsigned int)auth_len ));
1868 *pstatus = NT_STATUS_INVALID_PARAMETER;
1869 return False;
1870 }
1871
1872 /*
1873 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1874 * after the RPC header.
1875 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1876 * functions as NTLMv2 checks the rpc headers also.
1877 */
1878
1879 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
1880 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
1881
1882 full_packet_data = p->in_data.current_in_pdu;
1883 full_packet_data_len = p->hdr.frag_len - auth_len;
1884
1885 /* Pull the auth header and the following data into a blob. */
1886 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1887 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
1888 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
1889 *pstatus = NT_STATUS_INVALID_PARAMETER;
1890 return False;
1891 }
1892
1893 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1894 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1895 *pstatus = NT_STATUS_INVALID_PARAMETER;
1896 return False;
1897 }
1898
1899 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
1900 auth_blob.length = auth_len;
1901
1902 switch (p->auth.auth_level) {
1903 case PIPE_AUTH_LEVEL_PRIVACY:
1904 /* Data is encrypted. */
1905 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
1906 data, data_len,
1907 full_packet_data,
1908 full_packet_data_len,
1909 &auth_blob);
1910 if (!NT_STATUS_IS_OK(*pstatus)) {
1911 return False;
1912 }
1913 break;
1914 case PIPE_AUTH_LEVEL_INTEGRITY:
1915 /* Data is signed. */
1916 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
1917 data, data_len,
1918 full_packet_data,
1919 full_packet_data_len,
1920 &auth_blob);
1921 if (!NT_STATUS_IS_OK(*pstatus)) {
1922 return False;
1923 }
1924 break;
1925 default:
1926 *pstatus = NT_STATUS_INVALID_PARAMETER;
1927 return False;
1928 }
1929
1930 /*
1931 * Return the current pointer to the data offset.
1932 */
1933
1934 if(!prs_set_offset(rpc_in, save_offset)) {
1935 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1936 (unsigned int)save_offset ));
1937 *pstatus = NT_STATUS_INVALID_PARAMETER;
1938 return False;
1939 }
1940
1941 /*
1942 * Remember the padding length. We must remove it from the real data
1943 * stream once the sign/seal is done.
1944 */
1945
1946 *p_ss_padding_len = auth_info.auth_pad_len;
1947
1948 return True;
1949 }
1950
1951 /****************************************************************************
1952 Deal with schannel processing on an RPC request.
1953 ****************************************************************************/
1954
1955 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
1956 {
1957 uint32 data_len;
1958 uint32 auth_len;
1959 uint32 save_offset = prs_offset(rpc_in);
1960 RPC_HDR_AUTH auth_info;
1961 RPC_AUTH_SCHANNEL_CHK schannel_chk;
1962
1963 auth_len = p->hdr.auth_len;
1964
1965 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
1966 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
1967 return False;
1968 }
1969
1970 /*
1971 * The following is that length of the data we must verify or unseal.
1972 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1973 * preceeding the auth_data.
1974 */
1975
1976 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
1977 DEBUG(0,("Incorrect frag %u, auth %u.\n",
1978 (unsigned int)p->hdr.frag_len,
1979 (unsigned int)auth_len ));
1980 return False;
1981 }
1982
1983 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1984 RPC_HDR_AUTH_LEN - auth_len;
1985
1986 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1987
1988 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1989 DEBUG(0,("cannot move offset to %u.\n",
1990 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
1991 return False;
1992 }
1993
1994 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1995 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1996 return False;
1997 }
1998
1999 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2000 DEBUG(0,("Invalid auth info %d on schannel\n",
2001 auth_info.auth_type));
2002 return False;
2003 }
2004
2005 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2006 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2007 return False;
2008 }
2009
2010 if (!schannel_decode(p->auth.a_u.schannel_auth,
2011 p->auth.auth_level,
2012 SENDER_IS_INITIATOR,
2013 &schannel_chk,
2014 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2015 DEBUG(3,("failed to decode PDU\n"));
2016 return False;
2017 }
2018
2019 /*
2020 * Return the current pointer to the data offset.
2021 */
2022
2023 if(!prs_set_offset(rpc_in, save_offset)) {
2024 DEBUG(0,("failed to set offset back to %u\n",
2025 (unsigned int)save_offset ));
2026 return False;
2027 }
2028
2029 /* The sequence number gets incremented on both send and receive. */
2030 p->auth.a_u.schannel_auth->seq_num++;
2031
2032 /*
2033 * Remember the padding length. We must remove it from the real data
2034 * stream once the sign/seal is done.
2035 */
2036
2037 *p_ss_padding_len = auth_info.auth_pad_len;
2038
2039 return True;
2040 }
2041
2042 /****************************************************************************
2043 Return a user struct for a pipe user.
2044 ****************************************************************************/
2045
2046 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2047 {
2048 if (p->pipe_bound &&
2049 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2050 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2051 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2052 } else {
2053 memcpy(user, &current_user, sizeof(struct current_user));
2054 }
2055
2056 return user;
2057 }
2058
2059 /****************************************************************************
2060 Find the set of RPC functions associated with this context_id
2061 ****************************************************************************/
2062
2063 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2064 {
2065 PIPE_RPC_FNS *fns = NULL;
2066 PIPE_RPC_FNS *tmp = NULL;
2067
2068 if ( !list ) {
2069 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2070 return NULL;
2071 }
2072
2073 for (tmp=list; tmp; tmp=tmp->next ) {
2074 if ( tmp->context_id == context_id )
2075 break;
2076 }
2077
2078 fns = tmp;
2079
2080 return fns;
2081 }
2082
2083 /****************************************************************************
2084 Memory cleanup.
2085 ****************************************************************************/
2086
2087 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2088 {
2089 PIPE_RPC_FNS *tmp = list;
2090 PIPE_RPC_FNS *tmp2;
2091
2092 while (tmp) {
2093 tmp2 = tmp->next;
2094 SAFE_FREE(tmp);
2095 tmp = tmp2;
2096 }
2097
2098 return;
2099 }
2100
2101 /****************************************************************************
2102 Find the correct RPC function to call for this request.
2103 If the pipe is authenticated then become the correct UNIX user
2104 before doing the call.
2105 ****************************************************************************/
2106
2107 BOOL api_pipe_request(pipes_struct *p)
2108 {
2109 BOOL ret = False;
2110 BOOL changed_user = False;
2111 PIPE_RPC_FNS *pipe_fns;
2112
2113 if (p->pipe_bound &&
2114 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2115 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2116 if(!become_authenticated_pipe_user(p)) {
2117 prs_mem_free(&p->out_data.rdata);
2118 return False;
2119 }
2120 changed_user = True;
2121 }
2122
2123 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2124
2125 /* get the set of RPC functions for this context */
2126
2127 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2128
2129 if ( pipe_fns ) {
2130 set_current_rpc_talloc(p->mem_ctx);
2131 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2132 set_current_rpc_talloc(NULL);
2133 }
2134 else {
2135 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2136 p->hdr_req.context_id, p->name));
2137 }
2138
2139 if (changed_user) {
2140 unbecome_authenticated_pipe_user();
2141 }
2142
2143 return ret;
2144 }
2145
2146 /*******************************************************************
2147 Calls the underlying RPC function for a named pipe.
2148 ********************************************************************/
2149
2150 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2151 const struct api_struct *api_rpc_cmds, int n_cmds)
2152 {
2153 int fn_num;
2154 fstring name;
2155 uint32 offset1, offset2;
2156
2157 /* interpret the command */
2158 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2159
2160 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2161 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2162
2163 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2164 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2165 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2166 break;
2167 }
2168 }
2169
2170 if (fn_num == n_cmds) {
2171 /*
2172 * For an unknown RPC just return a fault PDU but
2173 * return True to allow RPC's on the pipe to continue
2174 * and not put the pipe into fault state. JRA.
2175 */
2176 DEBUG(4, ("unknown\n"));
2177 setup_fault_pdu(p, NT_STATUS(0x1c010002));
2178 return True;
2179 }
2180
2181 offset1 = prs_offset(&p->out_data.rdata);
2182
2183 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2184 fn_num, api_rpc_cmds[fn_num].fn));
2185 /* do the actual command */
2186 if(!api_rpc_cmds[fn_num].fn(p)) {
2187 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2188 prs_mem_free(&p->out_data.rdata);
2189 return False;
2190 }
2191
2192 if (p->bad_handle_fault_state) {
2193 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2194 p->bad_handle_fault_state = False;
2195 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
2196 return True;
2197 }
2198
2199 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2200 offset2 = prs_offset(&p->out_data.rdata);
2201 prs_set_offset(&p->out_data.rdata, offset1);
2202 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2203 prs_set_offset(&p->out_data.rdata, offset2);
2204
2205 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2206
2207 /* Check for buffer underflow in rpc parsing */
2208
2209 if ((DEBUGLEVEL >= 10) &&
2210 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2211 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2212 char *data = SMB_MALLOC(data_len);
2213
2214 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2215 if (data) {
2216 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2217 SAFE_FREE(data);
2218 }
2219
2220 }
2221
2222 return True;
2223 }
2224
2225 /*******************************************************************
2226 *******************************************************************/
2227
2228 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2229 {
2230 struct api_struct *cmds = NULL;
2231 int n_cmds = 0;
2232
2233 switch ( idx ) {
2234 case PI_LSARPC:
2235 lsa_get_pipe_fns( &cmds, &n_cmds );
2236 break;
2237 case PI_LSARPC_DS:
2238 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2239 break;
2240 case PI_SAMR:
2241 samr_get_pipe_fns( &cmds, &n_cmds );
2242 break;
2243 case PI_NETLOGON:
2244 netlog_get_pipe_fns( &cmds, &n_cmds );
2245 break;
2246 case PI_SRVSVC:
2247 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2248 break;
2249 case PI_WKSSVC:
2250 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2251 break;
2252 case PI_WINREG:
2253 reg_get_pipe_fns( &cmds, &n_cmds );
2254 break;
2255 case PI_SPOOLSS:
2256 spoolss_get_pipe_fns( &cmds, &n_cmds );
2257 break;
2258 case PI_NETDFS:
2259 netdfs_get_pipe_fns( &cmds, &n_cmds );
2260 break;
2261 case PI_SVCCTL:
2262 svcctl_get_pipe_fns( &cmds, &n_cmds );
2263 break;
2264 case PI_EVENTLOG:
2265 eventlog_get_pipe_fns( &cmds, &n_cmds );
2266 break;
2267 case PI_NTSVCS:
2268 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2269 break;
2270 #ifdef DEVELOPER
2271 case PI_ECHO:
2272 echo_get_pipe_fns( &cmds, &n_cmds );
2273 break;
2274 #endif
2275 default:
2276 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2277 }
2278
2279 *fns = cmds;
2280 *n_fns = n_cmds;
2281
2282 return;
2283 }