2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
37 extern struct current_user current_user
;
40 #define DBGC_CLASS DBGC_RPC_SRV
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data
*auth
)
44 AUTH_NTLMSSP_STATE
*a
= auth
->a_u
.auth_ntlmssp_state
;
49 auth
->a_u
.auth_ntlmssp_state
= NULL
;
52 static DATA_BLOB
generic_session_key(void)
54 return data_blob("SystemLibraryDTC", 16);
57 /*******************************************************************
58 Generate the next PDU to be returned from the data in p->rdata.
60 ********************************************************************/
62 static bool create_next_pdu_ntlmssp(pipes_struct
*p
)
64 RPC_HDR_RESP hdr_resp
;
65 uint32 ss_padding_len
= 0;
66 uint32 data_space_available
;
71 RPC_HDR_AUTH auth_info
;
72 uint8 auth_type
, auth_level
;
73 AUTH_NTLMSSP_STATE
*a
= p
->auth
.a_u
.auth_ntlmssp_state
;
76 * If we're in the fault state, keep returning fault PDU's until
77 * the pipe gets closed. JRA.
81 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
85 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
87 /* Change the incoming request header to a response. */
88 p
->hdr
.pkt_type
= DCERPC_PKT_RESPONSE
;
90 /* Set up rpc header flags. */
91 if (p
->out_data
.data_sent_length
== 0) {
92 p
->hdr
.flags
= DCERPC_PFC_FLAG_FIRST
;
98 * Work out how much we can fit in a single PDU.
101 data_len_left
= prs_offset(&p
->out_data
.rdata
) - p
->out_data
.data_sent_length
;
104 * Ensure there really is data left to send.
108 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
112 data_space_available
= RPC_MAX_PDU_FRAG_LEN
- RPC_HEADER_LEN
113 - RPC_HDR_RESP_LEN
- RPC_HDR_AUTH_LEN
- NTLMSSP_SIG_SIZE
;
116 * The amount we send is the minimum of the available
117 * space and the amount left to send.
120 data_len
= MIN(data_len_left
, data_space_available
);
123 * Set up the alloc hint. This should be the data left to
127 hdr_resp
.alloc_hint
= data_len_left
;
130 * Work out if this PDU will be the last.
133 if(p
->out_data
.data_sent_length
+ data_len
>= prs_offset(&p
->out_data
.rdata
)) {
134 p
->hdr
.flags
|= DCERPC_PFC_FLAG_LAST
;
135 if (data_len_left
% 8) {
136 ss_padding_len
= 8 - (data_len_left
% 8);
137 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
143 * Set up the header lengths.
146 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+
147 data_len
+ ss_padding_len
+
148 RPC_HDR_AUTH_LEN
+ NTLMSSP_SIG_SIZE
;
149 p
->hdr
.auth_len
= NTLMSSP_SIG_SIZE
;
153 * Init the parse struct to point at the outgoing
157 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
159 /* Store the header in the data stream. */
160 if(!smb_io_rpc_hdr("hdr", &p
->hdr
, &p
->out_data
.frag
, 0)) {
161 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162 prs_mem_free(&p
->out_data
.frag
);
166 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &p
->out_data
.frag
, 0)) {
167 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168 prs_mem_free(&p
->out_data
.frag
);
172 /* Copy the data into the PDU. */
174 if(!prs_append_some_prs_data(&p
->out_data
.frag
, &p
->out_data
.rdata
,
175 p
->out_data
.data_sent_length
, data_len
)) {
176 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len
));
177 prs_mem_free(&p
->out_data
.frag
);
181 /* Copy the sign/seal padding data. */
182 if (ss_padding_len
) {
185 memset(pad
, '\0', 8);
186 if (!prs_copy_data_in(&p
->out_data
.frag
, pad
,
188 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189 (unsigned int)ss_padding_len
));
190 prs_mem_free(&p
->out_data
.frag
);
196 /* Now write out the auth header and null blob. */
197 if (p
->auth
.auth_type
== PIPE_AUTH_TYPE_NTLMSSP
) {
198 auth_type
= DCERPC_AUTH_TYPE_NTLMSSP
;
200 auth_type
= DCERPC_AUTH_TYPE_SPNEGO
;
202 if (p
->auth
.auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
) {
203 auth_level
= DCERPC_AUTH_LEVEL_PRIVACY
;
205 auth_level
= DCERPC_AUTH_LEVEL_INTEGRITY
;
208 init_rpc_hdr_auth(&auth_info
, auth_type
, auth_level
, ss_padding_len
, 1 /* context id. */);
209 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, &p
->out_data
.frag
,
211 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212 prs_mem_free(&p
->out_data
.frag
);
216 /* Generate the sign blob. */
218 switch (p
->auth
.auth_level
) {
219 case DCERPC_AUTH_LEVEL_PRIVACY
:
220 /* Data portion is encrypted. */
221 status
= ntlmssp_seal_packet(
223 (uint8_t *)prs_data_p(&p
->out_data
.frag
)
224 + RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
,
225 data_len
+ ss_padding_len
,
226 (unsigned char *)prs_data_p(&p
->out_data
.frag
),
227 (size_t)prs_offset(&p
->out_data
.frag
),
229 if (!NT_STATUS_IS_OK(status
)) {
230 data_blob_free(&auth_blob
);
231 prs_mem_free(&p
->out_data
.frag
);
235 case DCERPC_AUTH_LEVEL_INTEGRITY
:
236 /* Data is signed. */
237 status
= ntlmssp_sign_packet(
239 (unsigned char *)prs_data_p(&p
->out_data
.frag
)
240 + RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
,
241 data_len
+ ss_padding_len
,
242 (unsigned char *)prs_data_p(&p
->out_data
.frag
),
243 (size_t)prs_offset(&p
->out_data
.frag
),
245 if (!NT_STATUS_IS_OK(status
)) {
246 data_blob_free(&auth_blob
);
247 prs_mem_free(&p
->out_data
.frag
);
252 prs_mem_free(&p
->out_data
.frag
);
256 /* Append the auth blob. */
257 if (!prs_copy_data_in(&p
->out_data
.frag
, (char *)auth_blob
.data
,
259 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260 (unsigned int)NTLMSSP_SIG_SIZE
));
261 data_blob_free(&auth_blob
);
262 prs_mem_free(&p
->out_data
.frag
);
266 data_blob_free(&auth_blob
);
269 * Setup the counts for this PDU.
272 p
->out_data
.data_sent_length
+= data_len
;
273 p
->out_data
.current_pdu_sent
= 0;
278 /*******************************************************************
279 Generate the next PDU to be returned from the data in p->rdata.
280 Return an schannel authenticated fragment.
281 ********************************************************************/
283 static bool create_next_pdu_schannel(pipes_struct
*p
)
285 RPC_HDR_RESP hdr_resp
;
286 uint32 ss_padding_len
= 0;
288 uint32 data_space_available
;
289 uint32 data_len_left
;
294 * If we're in the fault state, keep returning fault PDU's until
295 * the pipe gets closed. JRA.
299 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
303 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
305 /* Change the incoming request header to a response. */
306 p
->hdr
.pkt_type
= DCERPC_PKT_RESPONSE
;
308 /* Set up rpc header flags. */
309 if (p
->out_data
.data_sent_length
== 0) {
310 p
->hdr
.flags
= DCERPC_PFC_FLAG_FIRST
;
316 * Work out how much we can fit in a single PDU.
319 data_len_left
= prs_offset(&p
->out_data
.rdata
) - p
->out_data
.data_sent_length
;
322 * Ensure there really is data left to send.
326 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
330 data_space_available
= RPC_MAX_PDU_FRAG_LEN
- RPC_HEADER_LEN
331 - RPC_HDR_RESP_LEN
- RPC_HDR_AUTH_LEN
332 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN
;
335 * The amount we send is the minimum of the available
336 * space and the amount left to send.
339 data_len
= MIN(data_len_left
, data_space_available
);
342 * Set up the alloc hint. This should be the data left to
346 hdr_resp
.alloc_hint
= data_len_left
;
349 * Work out if this PDU will be the last.
352 if(p
->out_data
.data_sent_length
+ data_len
>= prs_offset(&p
->out_data
.rdata
)) {
353 p
->hdr
.flags
|= DCERPC_PFC_FLAG_LAST
;
354 if (data_len_left
% 8) {
355 ss_padding_len
= 8 - (data_len_left
% 8);
356 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
361 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ data_len
+ ss_padding_len
+
362 RPC_HDR_AUTH_LEN
+ RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN
;
363 p
->hdr
.auth_len
= RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN
;
366 * Init the parse struct to point at the outgoing
370 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
372 /* Store the header in the data stream. */
373 if(!smb_io_rpc_hdr("hdr", &p
->hdr
, &p
->out_data
.frag
, 0)) {
374 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375 prs_mem_free(&p
->out_data
.frag
);
379 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &p
->out_data
.frag
, 0)) {
380 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381 prs_mem_free(&p
->out_data
.frag
);
385 /* Store the current offset. */
386 data_pos
= prs_offset(&p
->out_data
.frag
);
388 /* Copy the data into the PDU. */
390 if(!prs_append_some_prs_data(&p
->out_data
.frag
, &p
->out_data
.rdata
,
391 p
->out_data
.data_sent_length
, data_len
)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len
));
393 prs_mem_free(&p
->out_data
.frag
);
397 /* Copy the sign/seal padding data. */
398 if (ss_padding_len
) {
400 memset(pad
, '\0', 8);
401 if (!prs_copy_data_in(&p
->out_data
.frag
, pad
,
403 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len
));
404 prs_mem_free(&p
->out_data
.frag
);
411 * Schannel processing.
413 RPC_HDR_AUTH auth_info
;
417 /* Check it's the type of reply we were expecting to decode */
419 init_rpc_hdr_auth(&auth_info
,
420 DCERPC_AUTH_TYPE_SCHANNEL
,
421 p
->auth
.auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
?
422 DCERPC_AUTH_LEVEL_PRIVACY
: DCERPC_AUTH_LEVEL_INTEGRITY
,
425 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
,
426 &p
->out_data
.frag
, 0)) {
427 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428 prs_mem_free(&p
->out_data
.frag
);
432 data
= (uint8_t *)prs_data_p(&p
->out_data
.frag
) + data_pos
;
434 switch (p
->auth
.auth_level
) {
435 case DCERPC_AUTH_LEVEL_PRIVACY
:
436 status
= netsec_outgoing_packet(p
->auth
.a_u
.schannel_auth
,
440 data_len
+ ss_padding_len
,
443 case DCERPC_AUTH_LEVEL_INTEGRITY
:
444 status
= netsec_outgoing_packet(p
->auth
.a_u
.schannel_auth
,
448 data_len
+ ss_padding_len
,
452 status
= NT_STATUS_INTERNAL_ERROR
;
456 if (!NT_STATUS_IS_OK(status
)) {
457 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
459 prs_mem_free(&p
->out_data
.frag
);
463 /* Finally marshall the blob. */
465 if (DEBUGLEVEL
>= 10) {
466 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob
);
469 if (!prs_copy_data_in(&p
->out_data
.frag
, (const char *)blob
.data
, blob
.length
)) {
470 prs_mem_free(&p
->out_data
.frag
);
476 * Setup the counts for this PDU.
479 p
->out_data
.data_sent_length
+= data_len
;
480 p
->out_data
.current_pdu_sent
= 0;
485 /*******************************************************************
486 Generate the next PDU to be returned from the data in p->rdata.
487 No authentication done.
488 ********************************************************************/
490 static bool create_next_pdu_noauth(pipes_struct
*p
)
492 RPC_HDR_RESP hdr_resp
;
494 uint32 data_space_available
;
495 uint32 data_len_left
;
498 * If we're in the fault state, keep returning fault PDU's until
499 * the pipe gets closed. JRA.
503 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
507 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
509 /* Change the incoming request header to a response. */
510 p
->hdr
.pkt_type
= DCERPC_PKT_RESPONSE
;
512 /* Set up rpc header flags. */
513 if (p
->out_data
.data_sent_length
== 0) {
514 p
->hdr
.flags
= DCERPC_PFC_FLAG_FIRST
;
520 * Work out how much we can fit in a single PDU.
523 data_len_left
= prs_offset(&p
->out_data
.rdata
) - p
->out_data
.data_sent_length
;
526 * Ensure there really is data left to send.
530 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
534 data_space_available
= RPC_MAX_PDU_FRAG_LEN
- RPC_HEADER_LEN
538 * The amount we send is the minimum of the available
539 * space and the amount left to send.
542 data_len
= MIN(data_len_left
, data_space_available
);
545 * Set up the alloc hint. This should be the data left to
549 hdr_resp
.alloc_hint
= data_len_left
;
552 * Work out if this PDU will be the last.
555 if(p
->out_data
.data_sent_length
+ data_len
>= prs_offset(&p
->out_data
.rdata
)) {
556 p
->hdr
.flags
|= DCERPC_PFC_FLAG_LAST
;
560 * Set up the header lengths.
563 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ data_len
;
567 * Init the parse struct to point at the outgoing
571 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
573 /* Store the header in the data stream. */
574 if(!smb_io_rpc_hdr("hdr", &p
->hdr
, &p
->out_data
.frag
, 0)) {
575 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576 prs_mem_free(&p
->out_data
.frag
);
580 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &p
->out_data
.frag
, 0)) {
581 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582 prs_mem_free(&p
->out_data
.frag
);
586 /* Copy the data into the PDU. */
588 if(!prs_append_some_prs_data(&p
->out_data
.frag
, &p
->out_data
.rdata
,
589 p
->out_data
.data_sent_length
, data_len
)) {
590 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len
));
591 prs_mem_free(&p
->out_data
.frag
);
596 * Setup the counts for this PDU.
599 p
->out_data
.data_sent_length
+= data_len
;
600 p
->out_data
.current_pdu_sent
= 0;
605 /*******************************************************************
606 Generate the next PDU to be returned from the data in p->rdata.
607 ********************************************************************/
609 bool create_next_pdu(pipes_struct
*p
)
611 switch(p
->auth
.auth_level
) {
612 case DCERPC_AUTH_LEVEL_NONE
:
613 case DCERPC_AUTH_LEVEL_CONNECT
:
614 /* This is incorrect for auth level connect. Fixme. JRA */
615 return create_next_pdu_noauth(p
);
618 switch(p
->auth
.auth_type
) {
619 case PIPE_AUTH_TYPE_NTLMSSP
:
620 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
:
621 return create_next_pdu_ntlmssp(p
);
622 case PIPE_AUTH_TYPE_SCHANNEL
:
623 return create_next_pdu_schannel(p
);
629 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630 (unsigned int)p
->auth
.auth_level
,
631 (unsigned int)p
->auth
.auth_type
));
635 /*******************************************************************
636 Process an NTLMSSP authentication response.
637 If this function succeeds, the user has been authenticated
638 and their domain, name and calling workstation stored in
640 *******************************************************************/
642 static bool pipe_ntlmssp_verify_final(pipes_struct
*p
, DATA_BLOB
*p_resp_blob
)
644 DATA_BLOB session_key
, reply
;
646 AUTH_NTLMSSP_STATE
*a
= p
->auth
.a_u
.auth_ntlmssp_state
;
649 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
654 /* this has to be done as root in order to verify the password */
656 status
= auth_ntlmssp_update(a
, *p_resp_blob
, &reply
);
659 /* Don't generate a reply. */
660 data_blob_free(&reply
);
662 if (!NT_STATUS_IS_OK(status
)) {
666 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667 ensure the underlying NTLMSSP flags are also set. If not we should
670 if (p
->auth
.auth_level
== DCERPC_AUTH_LEVEL_INTEGRITY
) {
671 if (!(a
->ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
)) {
672 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673 "but client declined signing.\n",
674 get_pipe_name_from_syntax(talloc_tos(),
679 if (p
->auth
.auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
) {
680 if (!(a
->ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
)) {
681 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
682 "but client declined sealing.\n",
683 get_pipe_name_from_syntax(talloc_tos(),
689 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
690 "workstation: %s\n", a
->ntlmssp_state
->user
,
691 a
->ntlmssp_state
->domain
, a
->ntlmssp_state
->workstation
));
693 if (a
->server_info
->ptok
== NULL
) {
694 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
698 TALLOC_FREE(p
->server_info
);
700 p
->server_info
= copy_serverinfo(p
, a
->server_info
);
701 if (p
->server_info
== NULL
) {
702 DEBUG(0, ("copy_serverinfo failed\n"));
707 * We're an authenticated bind over smb, so the session key needs to
708 * be set to "SystemLibraryDTC". Weird, but this is what Windows
709 * does. See the RPC-SAMBA3SESSIONKEY.
712 session_key
= generic_session_key();
713 if (session_key
.data
== NULL
) {
717 ret
= server_info_set_session_key(p
->server_info
, session_key
);
719 data_blob_free(&session_key
);
724 /*******************************************************************
725 The switch table for the pipe names and the functions to handle them.
726 *******************************************************************/
733 struct ndr_syntax_id rpc_interface
;
734 const struct api_struct
*cmds
;
738 static struct rpc_table
*rpc_lookup
;
739 static int rpc_lookup_size
;
741 /*******************************************************************
742 This is the "stage3" NTLMSSP response after a bind request and reply.
743 *******************************************************************/
745 bool api_pipe_bind_auth3(pipes_struct
*p
, prs_struct
*rpc_in_p
)
747 RPC_HDR_AUTH auth_info
;
753 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__
));
755 if (p
->hdr
.auth_len
== 0) {
756 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
760 /* 4 bytes padding. */
761 if (!prs_uint32("pad", rpc_in_p
, 0, &pad
)) {
762 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
767 * Decode the authentication verifier response.
770 if(!smb_io_rpc_hdr_auth("", &auth_info
, rpc_in_p
, 0)) {
771 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
775 if (auth_info
.auth_type
!= DCERPC_AUTH_TYPE_NTLMSSP
) {
776 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
777 (unsigned int)auth_info
.auth_type
));
781 blob
= data_blob(NULL
,p
->hdr
.auth_len
);
783 if (!prs_copy_data_out((char *)blob
.data
, rpc_in_p
, p
->hdr
.auth_len
)) {
784 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
785 (unsigned int)p
->hdr
.auth_len
));
790 * The following call actually checks the challenge/response data.
791 * for correctness against the given DOMAIN\user name.
794 if (!pipe_ntlmssp_verify_final(p
, &blob
)) {
798 data_blob_free(&blob
);
800 p
->pipe_bound
= True
;
806 data_blob_free(&blob
);
807 free_pipe_ntlmssp_auth_data(&p
->auth
);
808 p
->auth
.a_u
.auth_ntlmssp_state
= NULL
;
813 /*******************************************************************
814 Marshall a bind_nak pdu.
815 *******************************************************************/
817 static bool setup_bind_nak(pipes_struct
*p
)
822 /* Free any memory in the current return data buffer. */
823 prs_mem_free(&p
->out_data
.rdata
);
826 * Marshall directly into the outgoing PDU space. We
827 * must do this as we need to set to the bind response
828 * header and are never sending more than one PDU here.
831 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
834 * Initialize a bind_nak header.
837 init_rpc_hdr(&nak_hdr
, DCERPC_PKT_BIND_NAK
, DCERPC_PFC_FLAG_FIRST
| DCERPC_PFC_FLAG_LAST
,
838 p
->hdr
.call_id
, RPC_HEADER_LEN
+ sizeof(uint16
), 0);
841 * Marshall the header into the outgoing PDU.
844 if(!smb_io_rpc_hdr("", &nak_hdr
, &p
->out_data
.frag
, 0)) {
845 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
846 prs_mem_free(&p
->out_data
.frag
);
851 * Now add the reject reason.
854 if(!prs_uint16("reject code", &p
->out_data
.frag
, 0, &zero
)) {
855 prs_mem_free(&p
->out_data
.frag
);
859 p
->out_data
.data_sent_length
= 0;
860 p
->out_data
.current_pdu_sent
= 0;
862 if (p
->auth
.auth_data_free_func
) {
863 (*p
->auth
.auth_data_free_func
)(&p
->auth
);
865 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_NONE
;
866 p
->auth
.auth_type
= PIPE_AUTH_TYPE_NONE
;
867 p
->pipe_bound
= False
;
872 /*******************************************************************
873 Marshall a fault pdu.
874 *******************************************************************/
876 bool setup_fault_pdu(pipes_struct
*p
, NTSTATUS status
)
879 RPC_HDR_RESP hdr_resp
;
880 RPC_HDR_FAULT fault_resp
;
882 /* Free any memory in the current return data buffer. */
883 prs_mem_free(&p
->out_data
.rdata
);
886 * Marshall directly into the outgoing PDU space. We
887 * must do this as we need to set to the bind response
888 * header and are never sending more than one PDU here.
891 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
894 * Initialize a fault header.
897 init_rpc_hdr(&fault_hdr
, DCERPC_PKT_FAULT
, DCERPC_PFC_FLAG_FIRST
| DCERPC_PFC_FLAG_LAST
| DCERPC_PFC_FLAG_DID_NOT_EXECUTE
,
898 p
->hdr
.call_id
, RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ RPC_HDR_FAULT_LEN
, 0);
901 * Initialize the HDR_RESP and FAULT parts of the PDU.
904 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
906 fault_resp
.status
= status
;
907 fault_resp
.reserved
= 0;
910 * Marshall the header into the outgoing PDU.
913 if(!smb_io_rpc_hdr("", &fault_hdr
, &p
->out_data
.frag
, 0)) {
914 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
915 prs_mem_free(&p
->out_data
.frag
);
919 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &p
->out_data
.frag
, 0)) {
920 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
921 prs_mem_free(&p
->out_data
.frag
);
925 if(!smb_io_rpc_hdr_fault("fault", &fault_resp
, &p
->out_data
.frag
, 0)) {
926 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
927 prs_mem_free(&p
->out_data
.frag
);
931 p
->out_data
.data_sent_length
= 0;
932 p
->out_data
.current_pdu_sent
= 0;
938 /*******************************************************************
939 Marshall a cancel_ack pdu.
940 We should probably check the auth-verifier here.
941 *******************************************************************/
943 bool setup_cancel_ack_reply(pipes_struct
*p
, prs_struct
*rpc_in_p
)
945 prs_struct outgoing_pdu
;
946 RPC_HDR ack_reply_hdr
;
948 /* Free any memory in the current return data buffer. */
949 prs_mem_free(&p
->out_data
.rdata
);
952 * Marshall directly into the outgoing PDU space. We
953 * must do this as we need to set to the bind response
954 * header and are never sending more than one PDU here.
957 prs_init_empty( &outgoing_pdu
, p
->mem_ctx
, MARSHALL
);
958 prs_give_memory( &outgoing_pdu
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
961 * Initialize a cancel_ack header.
964 init_rpc_hdr(&ack_reply_hdr
, DCERPC_PKT_CANCEL_ACK
, DCERPC_PFC_FLAG_FIRST
| DCERPC_PFC_FLAG_LAST
,
965 p
->hdr
.call_id
, RPC_HEADER_LEN
, 0);
968 * Marshall the header into the outgoing PDU.
971 if(!smb_io_rpc_hdr("", &ack_reply_hdr
, &outgoing_pdu
, 0)) {
972 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
973 prs_mem_free(&outgoing_pdu
);
977 p
->out_data
.data_sent_length
= 0;
978 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_pdu
);
979 p
->out_data
.current_pdu_sent
= 0;
981 prs_mem_free(&outgoing_pdu
);
986 /*******************************************************************
987 Ensure a bind request has the correct abstract & transfer interface.
988 Used to reject unknown binds from Win2k.
989 *******************************************************************/
991 static bool check_bind_req(struct pipes_struct
*p
,
992 struct ndr_syntax_id
* abstract
,
993 struct ndr_syntax_id
* transfer
,
997 struct pipe_rpc_fns
*context_fns
;
999 DEBUG(3,("check_bind_req for %s\n",
1000 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
1002 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1004 for (i
=0; i
<rpc_lookup_size
; i
++) {
1005 DEBUGADD(10, ("checking %s\n", rpc_lookup
[i
].pipe
.clnt
));
1006 if (ndr_syntax_id_equal(
1007 abstract
, &rpc_lookup
[i
].rpc_interface
)
1008 && ndr_syntax_id_equal(
1009 transfer
, &ndr_transfer_syntax
)) {
1014 if (i
== rpc_lookup_size
) {
1018 context_fns
= SMB_MALLOC_P(struct pipe_rpc_fns
);
1019 if (context_fns
== NULL
) {
1020 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1024 context_fns
->cmds
= rpc_lookup
[i
].cmds
;
1025 context_fns
->n_cmds
= rpc_lookup
[i
].n_cmds
;
1026 context_fns
->context_id
= context_id
;
1028 /* add to the list of open contexts */
1030 DLIST_ADD( p
->contexts
, context_fns
);
1035 /*******************************************************************
1036 Register commands to an RPC pipe
1037 *******************************************************************/
1039 NTSTATUS
rpc_srv_register(int version
, const char *clnt
, const char *srv
,
1040 const struct ndr_interface_table
*iface
,
1041 const struct api_struct
*cmds
, int size
)
1043 struct rpc_table
*rpc_entry
;
1045 if (!clnt
|| !srv
|| !cmds
) {
1046 return NT_STATUS_INVALID_PARAMETER
;
1049 if (version
!= SMB_RPC_INTERFACE_VERSION
) {
1050 DEBUG(0,("Can't register rpc commands!\n"
1051 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1052 ", while this version of samba uses version %d!\n",
1053 version
,SMB_RPC_INTERFACE_VERSION
));
1054 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
1059 * we still need to make sure that don't register the same commands twice!!!
1064 /* We use a temporary variable because this call can fail and
1065 rpc_lookup will still be valid afterwards. It could then succeed if
1066 called again later */
1068 rpc_entry
= SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup
, struct rpc_table
, rpc_lookup_size
);
1069 if (NULL
== rpc_entry
) {
1071 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1072 return NT_STATUS_NO_MEMORY
;
1074 rpc_lookup
= rpc_entry
;
1077 rpc_entry
= rpc_lookup
+ (rpc_lookup_size
- 1);
1078 ZERO_STRUCTP(rpc_entry
);
1079 rpc_entry
->pipe
.clnt
= SMB_STRDUP(clnt
);
1080 rpc_entry
->pipe
.srv
= SMB_STRDUP(srv
);
1081 rpc_entry
->rpc_interface
= iface
->syntax_id
;
1082 rpc_entry
->cmds
= cmds
;
1083 rpc_entry
->n_cmds
= size
;
1085 return NT_STATUS_OK
;
1089 * Is a named pipe known?
1090 * @param[in] cli_filename The pipe name requested by the client
1091 * @result Do we want to serve this?
1093 bool is_known_pipename(const char *cli_filename
, struct ndr_syntax_id
*syntax
)
1095 const char *pipename
= cli_filename
;
1099 if (strnequal(pipename
, "\\PIPE\\", 6)) {
1103 if (*pipename
== '\\') {
1107 if (lp_disable_spoolss() && strequal(pipename
, "spoolss")) {
1108 DEBUG(10, ("refusing spoolss access\n"));
1112 for (i
=0; i
<rpc_lookup_size
; i
++) {
1113 if (strequal(pipename
, rpc_lookup
[i
].pipe
.clnt
)) {
1114 *syntax
= rpc_lookup
[i
].rpc_interface
;
1119 status
= smb_probe_module("rpc", pipename
);
1120 if (!NT_STATUS_IS_OK(status
)) {
1121 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename
));
1124 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename
));
1127 * Scan the list again for the interface id
1130 for (i
=0; i
<rpc_lookup_size
; i
++) {
1131 if (strequal(pipename
, rpc_lookup
[i
].pipe
.clnt
)) {
1132 *syntax
= rpc_lookup
[i
].rpc_interface
;
1137 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1143 /*******************************************************************
1144 Handle a SPNEGO krb5 bind auth.
1145 *******************************************************************/
1147 static bool pipe_spnego_auth_bind_kerberos(pipes_struct
*p
, prs_struct
*rpc_in_p
, RPC_HDR_AUTH
*pauth_info
,
1148 DATA_BLOB
*psecblob
, prs_struct
*pout_auth
)
1153 /*******************************************************************
1154 Handle the first part of a SPNEGO bind auth.
1155 *******************************************************************/
1157 static bool pipe_spnego_auth_bind_negotiate(pipes_struct
*p
, prs_struct
*rpc_in_p
,
1158 RPC_HDR_AUTH
*pauth_info
, prs_struct
*pout_auth
)
1164 char *OIDs
[ASN1_MAX_OIDS
];
1167 bool got_kerberos_mechanism
= false;
1168 AUTH_NTLMSSP_STATE
*a
= NULL
;
1169 RPC_HDR_AUTH auth_info
;
1171 ZERO_STRUCT(secblob
);
1173 ZERO_STRUCT(response
);
1175 /* Grab the SPNEGO blob. */
1176 blob
= data_blob(NULL
,p
->hdr
.auth_len
);
1178 if (!prs_copy_data_out((char *)blob
.data
, rpc_in_p
, p
->hdr
.auth_len
)) {
1179 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1180 (unsigned int)p
->hdr
.auth_len
));
1184 if (blob
.data
[0] != ASN1_APPLICATION(0)) {
1188 /* parse out the OIDs and the first sec blob */
1189 if (!parse_negTokenTarg(blob
, OIDs
, &secblob
)) {
1190 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1194 if (strcmp(OID_KERBEROS5
, OIDs
[0]) == 0 || strcmp(OID_KERBEROS5_OLD
, OIDs
[0]) == 0) {
1195 got_kerberos_mechanism
= true;
1198 for (i
=0;OIDs
[i
];i
++) {
1199 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs
[i
]));
1200 TALLOC_FREE(OIDs
[i
]);
1202 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob
.length
));
1204 if ( got_kerberos_mechanism
&& ((lp_security()==SEC_ADS
) || USE_KERBEROS_KEYTAB
) ) {
1205 bool ret
= pipe_spnego_auth_bind_kerberos(p
, rpc_in_p
, pauth_info
, &secblob
, pout_auth
);
1206 data_blob_free(&secblob
);
1207 data_blob_free(&blob
);
1211 if (p
->auth
.auth_type
== PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
&& p
->auth
.a_u
.auth_ntlmssp_state
) {
1212 /* Free any previous auth type. */
1213 free_pipe_ntlmssp_auth_data(&p
->auth
);
1216 if (!got_kerberos_mechanism
) {
1217 /* Initialize the NTLM engine. */
1218 status
= auth_ntlmssp_start(&a
);
1219 if (!NT_STATUS_IS_OK(status
)) {
1224 * Pass the first security blob of data to it.
1225 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1226 * which means we need another packet to complete the bind.
1229 status
= auth_ntlmssp_update(a
, secblob
, &chal
);
1231 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
1232 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1236 /* Generate the response blob we need for step 2 of the bind. */
1237 response
= spnego_gen_auth_response(&chal
, status
, OID_NTLMSSP
);
1240 * SPNEGO negotiate down to NTLMSSP. The subsequent
1241 * code to process follow-up packets is not complete
1244 response
= spnego_gen_auth_response(NULL
,
1245 NT_STATUS_MORE_PROCESSING_REQUIRED
,
1249 /* Copy the blob into the pout_auth parse struct */
1250 init_rpc_hdr_auth(&auth_info
, DCERPC_AUTH_TYPE_SPNEGO
, pauth_info
->auth_level
, RPC_HDR_AUTH_LEN
, 1);
1251 if(!smb_io_rpc_hdr_auth("", &auth_info
, pout_auth
, 0)) {
1252 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1256 if (!prs_copy_data_in(pout_auth
, (char *)response
.data
, response
.length
)) {
1257 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1261 p
->auth
.a_u
.auth_ntlmssp_state
= a
;
1262 p
->auth
.auth_data_free_func
= &free_pipe_ntlmssp_auth_data
;
1263 p
->auth
.auth_type
= PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
;
1265 data_blob_free(&blob
);
1266 data_blob_free(&secblob
);
1267 data_blob_free(&chal
);
1268 data_blob_free(&response
);
1270 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1275 data_blob_free(&blob
);
1276 data_blob_free(&secblob
);
1277 data_blob_free(&chal
);
1278 data_blob_free(&response
);
1280 p
->auth
.a_u
.auth_ntlmssp_state
= NULL
;
1285 /*******************************************************************
1286 Handle the second part of a SPNEGO bind auth.
1287 *******************************************************************/
1289 static bool pipe_spnego_auth_bind_continue(pipes_struct
*p
, prs_struct
*rpc_in_p
,
1290 RPC_HDR_AUTH
*pauth_info
, prs_struct
*pout_auth
)
1292 RPC_HDR_AUTH auth_info
;
1293 DATA_BLOB spnego_blob
;
1294 DATA_BLOB auth_blob
;
1295 DATA_BLOB auth_reply
;
1297 AUTH_NTLMSSP_STATE
*a
= p
->auth
.a_u
.auth_ntlmssp_state
;
1299 ZERO_STRUCT(spnego_blob
);
1300 ZERO_STRUCT(auth_blob
);
1301 ZERO_STRUCT(auth_reply
);
1302 ZERO_STRUCT(response
);
1305 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1306 * fail here as 'a' == NULL.
1308 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
|| !a
) {
1309 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1313 /* Grab the SPNEGO blob. */
1314 spnego_blob
= data_blob(NULL
,p
->hdr
.auth_len
);
1316 if (!prs_copy_data_out((char *)spnego_blob
.data
, rpc_in_p
, p
->hdr
.auth_len
)) {
1317 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1318 (unsigned int)p
->hdr
.auth_len
));
1322 if (spnego_blob
.data
[0] != ASN1_CONTEXT(1)) {
1323 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1327 if (!spnego_parse_auth(spnego_blob
, &auth_blob
)) {
1328 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1333 * The following call actually checks the challenge/response data.
1334 * for correctness against the given DOMAIN\user name.
1337 if (!pipe_ntlmssp_verify_final(p
, &auth_blob
)) {
1341 data_blob_free(&spnego_blob
);
1342 data_blob_free(&auth_blob
);
1344 /* Generate the spnego "accept completed" blob - no incoming data. */
1345 response
= spnego_gen_auth_response(&auth_reply
, NT_STATUS_OK
, OID_NTLMSSP
);
1347 /* Copy the blob into the pout_auth parse struct */
1348 init_rpc_hdr_auth(&auth_info
, DCERPC_AUTH_TYPE_SPNEGO
, pauth_info
->auth_level
, RPC_HDR_AUTH_LEN
, 1);
1349 if(!smb_io_rpc_hdr_auth("", &auth_info
, pout_auth
, 0)) {
1350 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1354 if (!prs_copy_data_in(pout_auth
, (char *)response
.data
, response
.length
)) {
1355 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1359 data_blob_free(&auth_reply
);
1360 data_blob_free(&response
);
1362 p
->pipe_bound
= True
;
1368 data_blob_free(&spnego_blob
);
1369 data_blob_free(&auth_blob
);
1370 data_blob_free(&auth_reply
);
1371 data_blob_free(&response
);
1373 free_pipe_ntlmssp_auth_data(&p
->auth
);
1374 p
->auth
.a_u
.auth_ntlmssp_state
= NULL
;
1379 /*******************************************************************
1380 Handle an schannel bind auth.
1381 *******************************************************************/
1383 static bool pipe_schannel_auth_bind(pipes_struct
*p
, prs_struct
*rpc_in_p
,
1384 RPC_HDR_AUTH
*pauth_info
, prs_struct
*pout_auth
)
1386 RPC_HDR_AUTH auth_info
;
1387 struct NL_AUTH_MESSAGE neg
;
1388 struct NL_AUTH_MESSAGE reply
;
1391 struct netlogon_creds_CredentialState
*creds
;
1392 DATA_BLOB session_key
;
1393 enum ndr_err_code ndr_err
;
1396 blob
= data_blob_const(prs_data_p(rpc_in_p
) + prs_offset(rpc_in_p
),
1397 prs_data_size(rpc_in_p
));
1399 ndr_err
= ndr_pull_struct_blob(&blob
, talloc_tos(), NULL
, &neg
,
1400 (ndr_pull_flags_fn_t
)ndr_pull_NL_AUTH_MESSAGE
);
1401 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1402 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1406 if (DEBUGLEVEL
>= 10) {
1407 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE
, &neg
);
1410 if (!(neg
.Flags
& NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
)) {
1411 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1416 * The neg.oem_netbios_computer.a key here must match the remote computer name
1417 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1418 * operations that use credentials.
1422 status
= schannel_fetch_session_key(p
,
1423 neg
.oem_netbios_computer
.a
,
1427 if (!NT_STATUS_IS_OK(status
)) {
1428 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1432 p
->auth
.a_u
.schannel_auth
= talloc(p
, struct schannel_state
);
1433 if (!p
->auth
.a_u
.schannel_auth
) {
1438 p
->auth
.a_u
.schannel_auth
->state
= SCHANNEL_STATE_START
;
1439 p
->auth
.a_u
.schannel_auth
->seq_num
= 0;
1440 p
->auth
.a_u
.schannel_auth
->initiator
= false;
1441 p
->auth
.a_u
.schannel_auth
->creds
= creds
;
1444 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1445 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1446 * struct of the person who opened the pipe. I need to test this further. JRA.
1448 * VL. As we are mapping this to guest set the generic key
1449 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1450 * W2k3, as it does not allow schannel binds against SAMR and LSA
1454 session_key
= generic_session_key();
1455 if (session_key
.data
== NULL
) {
1456 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1461 ret
= server_info_set_session_key(p
->server_info
, session_key
);
1463 data_blob_free(&session_key
);
1466 DEBUG(0, ("server_info_set_session_key failed\n"));
1470 init_rpc_hdr_auth(&auth_info
, DCERPC_AUTH_TYPE_SCHANNEL
, pauth_info
->auth_level
, RPC_HDR_AUTH_LEN
, 1);
1471 if(!smb_io_rpc_hdr_auth("", &auth_info
, pout_auth
, 0)) {
1472 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1476 /*** SCHANNEL verifier ***/
1478 reply
.MessageType
= NL_NEGOTIATE_RESPONSE
;
1480 reply
.Buffer
.dummy
= 5; /* ??? actually I don't think
1481 * this has any meaning
1484 ndr_err
= ndr_push_struct_blob(&blob
, talloc_tos(), NULL
, &reply
,
1485 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
1486 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1487 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1491 if (DEBUGLEVEL
>= 10) {
1492 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE
, &reply
);
1495 if (!prs_copy_data_in(pout_auth
, (const char *)blob
.data
, blob
.length
)) {
1499 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1500 neg
.oem_netbios_domain
.a
, neg
.oem_netbios_computer
.a
));
1502 /* We're finished with this bind - no more packets. */
1503 p
->auth
.auth_data_free_func
= NULL
;
1504 p
->auth
.auth_type
= PIPE_AUTH_TYPE_SCHANNEL
;
1506 p
->pipe_bound
= True
;
1511 /*******************************************************************
1512 Handle an NTLMSSP bind auth.
1513 *******************************************************************/
1515 static bool pipe_ntlmssp_auth_bind(pipes_struct
*p
, prs_struct
*rpc_in_p
,
1516 RPC_HDR_AUTH
*pauth_info
, prs_struct
*pout_auth
)
1518 RPC_HDR_AUTH auth_info
;
1522 AUTH_NTLMSSP_STATE
*a
= NULL
;
1525 ZERO_STRUCT(response
);
1527 /* Grab the NTLMSSP blob. */
1528 blob
= data_blob(NULL
,p
->hdr
.auth_len
);
1530 if (!prs_copy_data_out((char *)blob
.data
, rpc_in_p
, p
->hdr
.auth_len
)) {
1531 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1532 (unsigned int)p
->hdr
.auth_len
));
1536 if (strncmp((char *)blob
.data
, "NTLMSSP", 7) != 0) {
1537 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1541 /* We have an NTLMSSP blob. */
1542 status
= auth_ntlmssp_start(&a
);
1543 if (!NT_STATUS_IS_OK(status
)) {
1544 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1545 nt_errstr(status
) ));
1549 status
= auth_ntlmssp_update(a
, blob
, &response
);
1550 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
1551 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1552 nt_errstr(status
) ));
1556 data_blob_free(&blob
);
1558 /* Copy the blob into the pout_auth parse struct */
1559 init_rpc_hdr_auth(&auth_info
, DCERPC_AUTH_TYPE_NTLMSSP
, pauth_info
->auth_level
, RPC_HDR_AUTH_LEN
, 1);
1560 if(!smb_io_rpc_hdr_auth("", &auth_info
, pout_auth
, 0)) {
1561 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1565 if (!prs_copy_data_in(pout_auth
, (char *)response
.data
, response
.length
)) {
1566 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1570 p
->auth
.a_u
.auth_ntlmssp_state
= a
;
1571 p
->auth
.auth_data_free_func
= &free_pipe_ntlmssp_auth_data
;
1572 p
->auth
.auth_type
= PIPE_AUTH_TYPE_NTLMSSP
;
1574 data_blob_free(&blob
);
1575 data_blob_free(&response
);
1577 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1579 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1584 data_blob_free(&blob
);
1585 data_blob_free(&response
);
1587 free_pipe_ntlmssp_auth_data(&p
->auth
);
1588 p
->auth
.a_u
.auth_ntlmssp_state
= NULL
;
1592 /*******************************************************************
1593 Respond to a pipe bind request.
1594 *******************************************************************/
1596 bool api_pipe_bind_req(pipes_struct
*p
, prs_struct
*rpc_in_p
)
1600 RPC_HDR_AUTH auth_info
;
1602 fstring ack_pipe_name
;
1603 prs_struct out_hdr_ba
;
1604 prs_struct out_auth
;
1607 unsigned int auth_type
= DCERPC_AUTH_TYPE_NONE
;
1609 /* No rebinds on a bound pipe - use alter context. */
1610 if (p
->pipe_bound
) {
1611 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1613 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
1614 return setup_bind_nak(p
);
1617 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
1620 * Marshall directly into the outgoing PDU space. We
1621 * must do this as we need to set to the bind response
1622 * header and are never sending more than one PDU here.
1626 * Setup the memory to marshall the ba header, and the
1630 if(!prs_init(&out_hdr_ba
, 1024, p
->mem_ctx
, MARSHALL
)) {
1631 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1632 prs_mem_free(&p
->out_data
.frag
);
1636 if(!prs_init(&out_auth
, 1024, p
->mem_ctx
, MARSHALL
)) {
1637 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1638 prs_mem_free(&p
->out_data
.frag
);
1639 prs_mem_free(&out_hdr_ba
);
1643 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__
));
1645 ZERO_STRUCT(hdr_rb
);
1647 /* decode the bind request */
1649 if(!smb_io_rpc_hdr_rb("", &hdr_rb
, rpc_in_p
, 0)) {
1650 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1655 if (hdr_rb
.num_contexts
== 0) {
1656 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1661 * Try and find the correct pipe name to ensure
1662 * that this is a pipe name we support.
1665 for (i
= 0; i
< rpc_lookup_size
; i
++) {
1666 if (ndr_syntax_id_equal(&rpc_lookup
[i
].rpc_interface
,
1667 &hdr_rb
.rpc_context
[0].abstract
)) {
1668 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1669 rpc_lookup
[i
].pipe
.clnt
, rpc_lookup
[i
].pipe
.srv
));
1674 if (i
== rpc_lookup_size
) {
1677 status
= smb_probe_module(
1678 "rpc", get_pipe_name_from_syntax(
1680 &hdr_rb
.rpc_context
[0].abstract
));
1682 if (NT_STATUS_IS_ERR(status
)) {
1683 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1684 get_pipe_name_from_syntax(
1686 &hdr_rb
.rpc_context
[0].abstract
)));
1687 prs_mem_free(&p
->out_data
.frag
);
1688 prs_mem_free(&out_hdr_ba
);
1689 prs_mem_free(&out_auth
);
1691 return setup_bind_nak(p
);
1694 for (i
= 0; i
< rpc_lookup_size
; i
++) {
1695 if (strequal(rpc_lookup
[i
].pipe
.clnt
,
1696 get_pipe_name_from_syntax(talloc_tos(),
1698 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1699 rpc_lookup
[i
].pipe
.clnt
, rpc_lookup
[i
].pipe
.srv
));
1704 if (i
== rpc_lookup_size
) {
1705 DEBUG(0, ("module %s doesn't provide functions for "
1707 get_pipe_name_from_syntax(talloc_tos(),
1709 get_pipe_name_from_syntax(talloc_tos(),
1715 /* name has to be \PIPE\xxxxx */
1716 fstrcpy(ack_pipe_name
, "\\PIPE\\");
1717 fstrcat(ack_pipe_name
, rpc_lookup
[i
].pipe
.srv
);
1719 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__
));
1722 * Check if this is an authenticated bind request.
1725 if (p
->hdr
.auth_len
) {
1727 * Decode the authentication verifier.
1730 if(!smb_io_rpc_hdr_auth("", &auth_info
, rpc_in_p
, 0)) {
1731 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1735 auth_type
= auth_info
.auth_type
;
1737 /* Work out if we have to sign or seal etc. */
1738 switch (auth_info
.auth_level
) {
1739 case DCERPC_AUTH_LEVEL_INTEGRITY
:
1740 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_INTEGRITY
;
1742 case DCERPC_AUTH_LEVEL_PRIVACY
:
1743 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_PRIVACY
;
1746 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1747 (unsigned int)auth_info
.auth_level
));
1751 ZERO_STRUCT(auth_info
);
1754 assoc_gid
= hdr_rb
.bba
.assoc_gid
? hdr_rb
.bba
.assoc_gid
: 0x53f0;
1757 case DCERPC_AUTH_TYPE_NTLMSSP
:
1758 if (!pipe_ntlmssp_auth_bind(p
, rpc_in_p
, &auth_info
, &out_auth
)) {
1764 case DCERPC_AUTH_TYPE_SCHANNEL
:
1765 if (!pipe_schannel_auth_bind(p
, rpc_in_p
, &auth_info
, &out_auth
)) {
1770 case DCERPC_AUTH_TYPE_SPNEGO
:
1771 if (!pipe_spnego_auth_bind_negotiate(p
, rpc_in_p
, &auth_info
, &out_auth
)) {
1776 case DCERPC_AUTH_TYPE_NONE
:
1777 /* Unauthenticated bind request. */
1778 /* We're finished - no more packets. */
1779 p
->auth
.auth_type
= PIPE_AUTH_TYPE_NONE
;
1780 /* We must set the pipe auth_level here also. */
1781 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_NONE
;
1782 p
->pipe_bound
= True
;
1783 /* The session key was initialized from the SMB
1784 * session in make_internal_rpc_pipe_p */
1788 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type
));
1793 * Create the bind response struct.
1796 /* If the requested abstract synt uuid doesn't match our client pipe,
1797 reject the bind_ack & set the transfer interface synt to all 0's,
1798 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1800 Needed when adding entries to a DACL from NT5 - SK */
1802 if(check_bind_req(p
, &hdr_rb
.rpc_context
[0].abstract
, &hdr_rb
.rpc_context
[0].transfer
[0],
1803 hdr_rb
.rpc_context
[0].context_id
)) {
1804 init_rpc_hdr_ba(&hdr_ba
,
1805 RPC_MAX_PDU_FRAG_LEN
,
1806 RPC_MAX_PDU_FRAG_LEN
,
1810 &hdr_rb
.rpc_context
[0].transfer
[0]);
1812 /* Rejection reason: abstract syntax not supported */
1813 init_rpc_hdr_ba(&hdr_ba
, RPC_MAX_PDU_FRAG_LEN
,
1814 RPC_MAX_PDU_FRAG_LEN
, assoc_gid
,
1815 ack_pipe_name
, 0x1, 0x2, 0x1,
1816 &null_ndr_syntax_id
);
1817 p
->pipe_bound
= False
;
1824 if(!smb_io_rpc_hdr_ba("", &hdr_ba
, &out_hdr_ba
, 0)) {
1825 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1830 * Create the header, now we know the length.
1833 if (prs_offset(&out_auth
)) {
1834 auth_len
= prs_offset(&out_auth
) - RPC_HDR_AUTH_LEN
;
1837 init_rpc_hdr(&p
->hdr
, DCERPC_PKT_BIND_ACK
, DCERPC_PFC_FLAG_FIRST
| DCERPC_PFC_FLAG_LAST
,
1839 RPC_HEADER_LEN
+ prs_offset(&out_hdr_ba
) + prs_offset(&out_auth
),
1843 * Marshall the header into the outgoing PDU.
1846 if(!smb_io_rpc_hdr("", &p
->hdr
, &p
->out_data
.frag
, 0)) {
1847 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1852 * Now add the RPC_HDR_BA and any auth needed.
1855 if(!prs_append_prs_data(&p
->out_data
.frag
, &out_hdr_ba
)) {
1856 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1860 if (auth_len
&& !prs_append_prs_data( &p
->out_data
.frag
, &out_auth
)) {
1861 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1866 * Setup the lengths for the initial reply.
1869 p
->out_data
.data_sent_length
= 0;
1870 p
->out_data
.current_pdu_sent
= 0;
1872 prs_mem_free(&out_hdr_ba
);
1873 prs_mem_free(&out_auth
);
1879 prs_mem_free(&p
->out_data
.frag
);
1880 prs_mem_free(&out_hdr_ba
);
1881 prs_mem_free(&out_auth
);
1882 return setup_bind_nak(p
);
1885 /****************************************************************************
1886 Deal with an alter context call. Can be third part of 3 leg auth request for
1888 ****************************************************************************/
1890 bool api_pipe_alter_context(pipes_struct
*p
, prs_struct
*rpc_in_p
)
1894 RPC_HDR_AUTH auth_info
;
1896 fstring ack_pipe_name
;
1897 prs_struct out_hdr_ba
;
1898 prs_struct out_auth
;
1901 prs_init_empty(&p
->out_data
.frag
, p
->mem_ctx
, MARSHALL
);
1904 * Marshall directly into the outgoing PDU space. We
1905 * must do this as we need to set to the bind response
1906 * header and are never sending more than one PDU here.
1910 * Setup the memory to marshall the ba header, and the
1914 if(!prs_init(&out_hdr_ba
, 1024, p
->mem_ctx
, MARSHALL
)) {
1915 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1916 prs_mem_free(&p
->out_data
.frag
);
1920 if(!prs_init(&out_auth
, 1024, p
->mem_ctx
, MARSHALL
)) {
1921 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1922 prs_mem_free(&p
->out_data
.frag
);
1923 prs_mem_free(&out_hdr_ba
);
1927 ZERO_STRUCT(hdr_rb
);
1929 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__
));
1931 /* decode the alter context request */
1932 if(!smb_io_rpc_hdr_rb("", &hdr_rb
, rpc_in_p
, 0)) {
1933 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1937 /* secondary address CAN be NULL
1938 * as the specs say it's ignored.
1939 * It MUST be NULL to have the spoolss working.
1941 fstrcpy(ack_pipe_name
,"");
1943 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__
));
1946 * Check if this is an authenticated alter context request.
1949 if (p
->hdr
.auth_len
!= 0) {
1951 * Decode the authentication verifier.
1954 if(!smb_io_rpc_hdr_auth("", &auth_info
, rpc_in_p
, 0)) {
1955 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1960 * Currently only the SPNEGO auth type uses the alter ctx
1961 * response in place of the NTLMSSP auth3 type.
1964 if (auth_info
.auth_type
== DCERPC_AUTH_TYPE_SPNEGO
) {
1965 /* We can only finish if the pipe is unbound. */
1966 if (!p
->pipe_bound
) {
1967 if (!pipe_spnego_auth_bind_continue(p
, rpc_in_p
, &auth_info
, &out_auth
)) {
1975 ZERO_STRUCT(auth_info
);
1978 assoc_gid
= hdr_rb
.bba
.assoc_gid
? hdr_rb
.bba
.assoc_gid
: 0x53f0;
1981 * Create the bind response struct.
1984 /* If the requested abstract synt uuid doesn't match our client pipe,
1985 reject the bind_ack & set the transfer interface synt to all 0's,
1986 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1988 Needed when adding entries to a DACL from NT5 - SK */
1990 if(check_bind_req(p
, &hdr_rb
.rpc_context
[0].abstract
, &hdr_rb
.rpc_context
[0].transfer
[0],
1991 hdr_rb
.rpc_context
[0].context_id
)) {
1992 init_rpc_hdr_ba(&hdr_ba
,
1993 RPC_MAX_PDU_FRAG_LEN
,
1994 RPC_MAX_PDU_FRAG_LEN
,
1998 &hdr_rb
.rpc_context
[0].transfer
[0]);
2000 /* Rejection reason: abstract syntax not supported */
2001 init_rpc_hdr_ba(&hdr_ba
, RPC_MAX_PDU_FRAG_LEN
,
2002 RPC_MAX_PDU_FRAG_LEN
, assoc_gid
,
2003 ack_pipe_name
, 0x1, 0x2, 0x1,
2004 &null_ndr_syntax_id
);
2005 p
->pipe_bound
= False
;
2012 if(!smb_io_rpc_hdr_ba("", &hdr_ba
, &out_hdr_ba
, 0)) {
2013 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2018 * Create the header, now we know the length.
2021 if (prs_offset(&out_auth
)) {
2022 auth_len
= prs_offset(&out_auth
) - RPC_HDR_AUTH_LEN
;
2025 init_rpc_hdr(&p
->hdr
, DCERPC_PKT_ALTER_RESP
, DCERPC_PFC_FLAG_FIRST
| DCERPC_PFC_FLAG_LAST
,
2027 RPC_HEADER_LEN
+ prs_offset(&out_hdr_ba
) + prs_offset(&out_auth
),
2031 * Marshall the header into the outgoing PDU.
2034 if(!smb_io_rpc_hdr("", &p
->hdr
, &p
->out_data
.frag
, 0)) {
2035 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2040 * Now add the RPC_HDR_BA and any auth needed.
2043 if(!prs_append_prs_data(&p
->out_data
.frag
, &out_hdr_ba
)) {
2044 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2048 if (auth_len
&& !prs_append_prs_data(&p
->out_data
.frag
, &out_auth
)) {
2049 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2054 * Setup the lengths for the initial reply.
2057 p
->out_data
.data_sent_length
= 0;
2058 p
->out_data
.current_pdu_sent
= 0;
2060 prs_mem_free(&out_hdr_ba
);
2061 prs_mem_free(&out_auth
);
2067 prs_mem_free(&p
->out_data
.frag
);
2068 prs_mem_free(&out_hdr_ba
);
2069 prs_mem_free(&out_auth
);
2070 return setup_bind_nak(p
);
2073 /****************************************************************************
2074 Deal with NTLMSSP sign & seal processing on an RPC request.
2075 ****************************************************************************/
2077 bool api_pipe_ntlmssp_auth_process(pipes_struct
*p
, prs_struct
*rpc_in
,
2078 uint32
*p_ss_padding_len
, NTSTATUS
*pstatus
)
2080 RPC_HDR_AUTH auth_info
;
2081 uint32 auth_len
= p
->hdr
.auth_len
;
2082 uint32 save_offset
= prs_offset(rpc_in
);
2083 AUTH_NTLMSSP_STATE
*a
= p
->auth
.a_u
.auth_ntlmssp_state
;
2084 unsigned char *data
= NULL
;
2086 unsigned char *full_packet_data
= NULL
;
2087 size_t full_packet_data_len
;
2088 DATA_BLOB auth_blob
;
2090 *pstatus
= NT_STATUS_OK
;
2092 if (p
->auth
.auth_level
== DCERPC_AUTH_LEVEL_NONE
|| p
->auth
.auth_level
== DCERPC_AUTH_LEVEL_CONNECT
) {
2097 *pstatus
= NT_STATUS_INVALID_PARAMETER
;
2101 /* Ensure there's enough data for an authenticated request. */
2102 if ((auth_len
> RPC_MAX_SIGN_SIZE
) ||
2103 (RPC_HEADER_LEN
+ RPC_HDR_REQ_LEN
+ RPC_HDR_AUTH_LEN
+ auth_len
> p
->hdr
.frag_len
)) {
2104 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2105 (unsigned int)auth_len
));
2106 *pstatus
= NT_STATUS_INVALID_PARAMETER
;
2111 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2112 * after the RPC header.
2113 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2114 * functions as NTLMv2 checks the rpc headers also.
2117 data
= (unsigned char *)(prs_data_p(rpc_in
) + RPC_HDR_REQ_LEN
);
2118 data_len
= (size_t)(p
->hdr
.frag_len
- RPC_HEADER_LEN
- RPC_HDR_REQ_LEN
- RPC_HDR_AUTH_LEN
- auth_len
);
2120 full_packet_data
= p
->in_data
.current_in_pdu
;
2121 full_packet_data_len
= p
->hdr
.frag_len
- auth_len
;
2123 /* Pull the auth header and the following data into a blob. */
2124 if(!prs_set_offset(rpc_in
, RPC_HDR_REQ_LEN
+ data_len
)) {
2125 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2126 (unsigned int)RPC_HDR_REQ_LEN
+ (unsigned int)data_len
));
2127 *pstatus
= NT_STATUS_INVALID_PARAMETER
;
2131 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, rpc_in
, 0)) {
2132 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2133 *pstatus
= NT_STATUS_INVALID_PARAMETER
;
2137 auth_blob
.data
= (unsigned char *)prs_data_p(rpc_in
) + prs_offset(rpc_in
);
2138 auth_blob
.length
= auth_len
;
2140 switch (p
->auth
.auth_level
) {
2141 case DCERPC_AUTH_LEVEL_PRIVACY
:
2142 /* Data is encrypted. */
2143 *pstatus
= ntlmssp_unseal_packet(a
->ntlmssp_state
,
2146 full_packet_data_len
,
2148 if (!NT_STATUS_IS_OK(*pstatus
)) {
2152 case DCERPC_AUTH_LEVEL_INTEGRITY
:
2153 /* Data is signed. */
2154 *pstatus
= ntlmssp_check_packet(a
->ntlmssp_state
,
2157 full_packet_data_len
,
2159 if (!NT_STATUS_IS_OK(*pstatus
)) {
2164 *pstatus
= NT_STATUS_INVALID_PARAMETER
;
2169 * Return the current pointer to the data offset.
2172 if(!prs_set_offset(rpc_in
, save_offset
)) {
2173 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2174 (unsigned int)save_offset
));
2175 *pstatus
= NT_STATUS_INVALID_PARAMETER
;
2180 * Remember the padding length. We must remove it from the real data
2181 * stream once the sign/seal is done.
2184 *p_ss_padding_len
= auth_info
.auth_pad_len
;
2189 /****************************************************************************
2190 Deal with schannel processing on an RPC request.
2191 ****************************************************************************/
2193 bool api_pipe_schannel_process(pipes_struct
*p
, prs_struct
*rpc_in
, uint32
*p_ss_padding_len
)
2197 uint32 save_offset
= prs_offset(rpc_in
);
2198 RPC_HDR_AUTH auth_info
;
2203 auth_len
= p
->hdr
.auth_len
;
2205 if (auth_len
< RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN
||
2206 auth_len
> RPC_HEADER_LEN
+
2210 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len
));
2215 * The following is that length of the data we must verify or unseal.
2216 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2217 * preceeding the auth_data.
2220 if (p
->hdr
.frag_len
< RPC_HEADER_LEN
+ RPC_HDR_REQ_LEN
+ RPC_HDR_AUTH_LEN
+ auth_len
) {
2221 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2222 (unsigned int)p
->hdr
.frag_len
,
2223 (unsigned int)auth_len
));
2227 data_len
= p
->hdr
.frag_len
- RPC_HEADER_LEN
- RPC_HDR_REQ_LEN
-
2228 RPC_HDR_AUTH_LEN
- auth_len
;
2230 DEBUG(5,("data %d auth %d\n", data_len
, auth_len
));
2232 if(!prs_set_offset(rpc_in
, RPC_HDR_REQ_LEN
+ data_len
)) {
2233 DEBUG(0,("cannot move offset to %u.\n",
2234 (unsigned int)RPC_HDR_REQ_LEN
+ data_len
));
2238 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, rpc_in
, 0)) {
2239 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2243 if (auth_info
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
2244 DEBUG(0,("Invalid auth info %d on schannel\n",
2245 auth_info
.auth_type
));
2249 blob
= data_blob_const(prs_data_p(rpc_in
) + prs_offset(rpc_in
), auth_len
);
2251 if (DEBUGLEVEL
>= 10) {
2252 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob
);
2255 data
= (uint8_t *)prs_data_p(rpc_in
)+RPC_HDR_REQ_LEN
;
2257 switch (auth_info
.auth_level
) {
2258 case DCERPC_AUTH_LEVEL_PRIVACY
:
2259 status
= netsec_incoming_packet(p
->auth
.a_u
.schannel_auth
,
2266 case DCERPC_AUTH_LEVEL_INTEGRITY
:
2267 status
= netsec_incoming_packet(p
->auth
.a_u
.schannel_auth
,
2275 status
= NT_STATUS_INTERNAL_ERROR
;
2279 if (!NT_STATUS_IS_OK(status
)) {
2280 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status
)));
2285 * Return the current pointer to the data offset.
2288 if(!prs_set_offset(rpc_in
, save_offset
)) {
2289 DEBUG(0,("failed to set offset back to %u\n",
2290 (unsigned int)save_offset
));
2295 * Remember the padding length. We must remove it from the real data
2296 * stream once the sign/seal is done.
2299 *p_ss_padding_len
= auth_info
.auth_pad_len
;
2304 /****************************************************************************
2305 Find the set of RPC functions associated with this context_id
2306 ****************************************************************************/
2308 static PIPE_RPC_FNS
* find_pipe_fns_by_context( PIPE_RPC_FNS
*list
, uint32 context_id
)
2310 PIPE_RPC_FNS
*fns
= NULL
;
2313 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2317 for (fns
=list
; fns
; fns
=fns
->next
) {
2318 if ( fns
->context_id
== context_id
)
2324 /****************************************************************************
2326 ****************************************************************************/
2328 void free_pipe_rpc_context( PIPE_RPC_FNS
*list
)
2330 PIPE_RPC_FNS
*tmp
= list
;
2342 static bool api_rpcTNP(pipes_struct
*p
,
2343 const struct api_struct
*api_rpc_cmds
, int n_cmds
);
2345 /****************************************************************************
2346 Find the correct RPC function to call for this request.
2347 If the pipe is authenticated then become the correct UNIX user
2348 before doing the call.
2349 ****************************************************************************/
2351 bool api_pipe_request(pipes_struct
*p
)
2354 bool changed_user
= False
;
2355 PIPE_RPC_FNS
*pipe_fns
;
2357 if (p
->pipe_bound
&&
2358 ((p
->auth
.auth_type
== PIPE_AUTH_TYPE_NTLMSSP
) ||
2359 (p
->auth
.auth_type
== PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
))) {
2360 if(!become_authenticated_pipe_user(p
)) {
2361 prs_mem_free(&p
->out_data
.rdata
);
2364 changed_user
= True
;
2367 DEBUG(5, ("Requested \\PIPE\\%s\n",
2368 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
2370 /* get the set of RPC functions for this context */
2372 pipe_fns
= find_pipe_fns_by_context(p
->contexts
, p
->hdr_req
.context_id
);
2375 TALLOC_CTX
*frame
= talloc_stackframe();
2376 ret
= api_rpcTNP(p
, pipe_fns
->cmds
, pipe_fns
->n_cmds
);
2380 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2381 p
->hdr_req
.context_id
,
2382 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
2386 unbecome_authenticated_pipe_user();
2392 /*******************************************************************
2393 Calls the underlying RPC function for a named pipe.
2394 ********************************************************************/
2396 static bool api_rpcTNP(pipes_struct
*p
,
2397 const struct api_struct
*api_rpc_cmds
, int n_cmds
)
2400 uint32 offset1
, offset2
;
2402 /* interpret the command */
2403 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2404 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
),
2407 if (DEBUGLEVEL
>= 50) {
2409 slprintf(name
, sizeof(name
)-1, "in_%s",
2410 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
));
2411 prs_dump(name
, p
->hdr_req
.opnum
, &p
->in_data
.data
);
2414 for (fn_num
= 0; fn_num
< n_cmds
; fn_num
++) {
2415 if (api_rpc_cmds
[fn_num
].opnum
== p
->hdr_req
.opnum
&& api_rpc_cmds
[fn_num
].fn
!= NULL
) {
2416 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds
[fn_num
].name
));
2421 if (fn_num
== n_cmds
) {
2423 * For an unknown RPC just return a fault PDU but
2424 * return True to allow RPC's on the pipe to continue
2425 * and not put the pipe into fault state. JRA.
2427 DEBUG(4, ("unknown\n"));
2428 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
2432 offset1
= prs_offset(&p
->out_data
.rdata
);
2434 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2435 fn_num
, api_rpc_cmds
[fn_num
].fn
));
2436 /* do the actual command */
2437 if(!api_rpc_cmds
[fn_num
].fn(p
)) {
2438 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2439 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
),
2440 api_rpc_cmds
[fn_num
].name
));
2441 prs_mem_free(&p
->out_data
.rdata
);
2445 if (p
->bad_handle_fault_state
) {
2446 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2447 p
->bad_handle_fault_state
= False
;
2448 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH
));
2452 if (p
->rng_fault_state
) {
2453 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2454 p
->rng_fault_state
= False
;
2455 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
2459 offset2
= prs_offset(&p
->out_data
.rdata
);
2460 prs_set_offset(&p
->out_data
.rdata
, offset1
);
2461 if (DEBUGLEVEL
>= 50) {
2463 slprintf(name
, sizeof(name
)-1, "out_%s",
2464 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
));
2465 prs_dump(name
, p
->hdr_req
.opnum
, &p
->out_data
.rdata
);
2467 prs_set_offset(&p
->out_data
.rdata
, offset2
);
2469 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2470 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
2472 /* Check for buffer underflow in rpc parsing */
2474 if ((DEBUGLEVEL
>= 10) &&
2475 (prs_offset(&p
->in_data
.data
) != prs_data_size(&p
->in_data
.data
))) {
2476 size_t data_len
= prs_data_size(&p
->in_data
.data
) - prs_offset(&p
->in_data
.data
);
2477 char *data
= (char *)SMB_MALLOC(data_len
);
2479 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2481 prs_uint8s(False
, "", &p
->in_data
.data
, 0, (unsigned char *)data
, (uint32
)data_len
);