search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-dceprc use a DATA_BLOB to hold the curren pdu in pipes_struct
[Samba/bjacke.git] / source3 / rpc_server / srv_pipe.c
bloba39ed93e718e0481111e62eda3e53b84b74d591e
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "../libcli/auth/ntlmssp.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
41 {
42 struct auth_ntlmssp_state *a = auth->a_u.auth_ntlmssp_state;
43
44 if (a) {
45 auth_ntlmssp_end(&a);
46 }
47 auth->a_u.auth_ntlmssp_state = NULL;
48 }
49
50 static DATA_BLOB generic_session_key(void)
51 {
52 return data_blob("SystemLibraryDTC", 16);
53 }
54
55 /*******************************************************************
56 Generate the next PDU to be returned from the data in p->rdata.
57 Handle NTLMSSP.
58 ********************************************************************/
59
60 static bool create_next_pdu_ntlmssp(pipes_struct *p)
61 {
62 DATA_BLOB hdr;
63 uint8_t hdr_flags;
64 RPC_HDR_RESP hdr_resp;
65 uint32 ss_padding_len = 0;
66 uint32 data_space_available;
67 uint32 data_len_left;
68 uint32 data_len;
69 NTSTATUS status;
70 DATA_BLOB auth_blob;
71 RPC_HDR_AUTH auth_info;
72 uint8 auth_type, auth_level;
73 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
74 TALLOC_CTX *frame;
75
76 /*
77 * If we're in the fault state, keep returning fault PDU's until
78 * the pipe gets closed. JRA.
79 */
80
81 if(p->fault_state) {
82 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
83 return True;
84 }
85
86 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
87
88 /* Set up rpc header flags. */
89 if (p->out_data.data_sent_length == 0) {
90 hdr_flags = DCERPC_PFC_FLAG_FIRST;
91 } else {
92 hdr_flags = 0;
93 }
94
95 /*
96 * Work out how much we can fit in a single PDU.
97 */
98
99 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
100
101 /*
102 * Ensure there really is data left to send.
103 */
104
105 if(!data_len_left) {
106 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
107 return False;
108 }
109
110 /* Space available - not including padding. */
111 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
112 RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
113
114 /*
115 * The amount we send is the minimum of the available
116 * space and the amount left to send.
117 */
118
119 data_len = MIN(data_len_left, data_space_available);
120
121 /* Work out any padding alignment requirements. */
122 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
123 ss_padding_len = SERVER_NDR_PADDING_SIZE -
124 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
125 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
126 ss_padding_len ));
127 /* If we're over filling the packet, we need to make space
128 * for the padding at the end of the data. */
129 if (data_len + ss_padding_len > data_space_available) {
130 data_len -= SERVER_NDR_PADDING_SIZE;
131 }
132 }
133
134 /*
135 * Set up the alloc hint. This should be the data left to
136 * send.
137 */
138
139 hdr_resp.alloc_hint = data_len_left;
140
141 /*
142 * Work out if this PDU will be the last.
143 */
144 if (p->out_data.data_sent_length + data_len >=
145 prs_offset(&p->out_data.rdata)) {
146 hdr_flags |= DCERPC_PFC_FLAG_LAST;
147 }
148
149 /*
150 * Init the parse struct to point at the outgoing
151 * data.
152 */
153 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
154
155 status = dcerpc_push_ncacn_packet_header(
156 prs_get_mem_context(&p->out_data.frag),
157 DCERPC_PKT_RESPONSE,
158 hdr_flags,
159 RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
160 data_len + ss_padding_len +
161 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE,
162 NTLMSSP_SIG_SIZE,
163 p->hdr.call_id,
164 &hdr);
165 if (!NT_STATUS_IS_OK(status)) {
166 DEBUG(0, ("Failed to marshall RPC Header.\n"));
167 prs_mem_free(&p->out_data.frag);
168 return False;
169 }
170
171 /* Store the header in the data stream. */
172 if (!prs_copy_data_in(&p->out_data.frag,
173 (char *)hdr.data, hdr.length)) {
174 DEBUG(0, ("Out of memory.\n"));
175 prs_mem_free(&p->out_data.frag);
176 return False;
177 }
178
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
180 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&p->out_data.frag);
182 return False;
183 }
184
185 /* Copy the data into the PDU. */
186
187 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
188 p->out_data.data_sent_length, data_len)) {
189 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
190 prs_mem_free(&p->out_data.frag);
191 return False;
192 }
193
194 /* Copy the sign/seal padding data. */
195 if (ss_padding_len) {
196 char pad[SERVER_NDR_PADDING_SIZE];
197
198 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
199 if (!prs_copy_data_in(&p->out_data.frag, pad,
200 ss_padding_len)) {
201 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
202 (unsigned int)ss_padding_len));
203 prs_mem_free(&p->out_data.frag);
204 return False;
205 }
206 }
207
208
209 /* Now write out the auth header and null blob. */
210 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
211 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
212 } else {
213 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
214 }
215 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
216 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
217 } else {
218 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
219 }
220
221 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
222
223 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
224 &p->out_data.frag, 0)) {
225 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
226 prs_mem_free(&p->out_data.frag);
227 return False;
228 }
229
230 /* Generate the sign blob. */
231
232 frame = talloc_stackframe();
233 switch (p->auth.auth_level) {
234 case DCERPC_AUTH_LEVEL_PRIVACY:
235 /* Data portion is encrypted. */
236 status = auth_ntlmssp_seal_packet(
237 a, frame,
238 (uint8_t *)prs_data_p(&p->out_data.frag)
239 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
240 data_len + ss_padding_len,
241 (unsigned char *)prs_data_p(&p->out_data.frag),
242 (size_t)prs_offset(&p->out_data.frag),
243 &auth_blob);
244 if (!NT_STATUS_IS_OK(status)) {
245 talloc_free(frame);
246 prs_mem_free(&p->out_data.frag);
247 return False;
248 }
249 break;
250 case DCERPC_AUTH_LEVEL_INTEGRITY:
251 /* Data is signed. */
252 status = auth_ntlmssp_sign_packet(
253 a, frame,
254 (unsigned char *)prs_data_p(&p->out_data.frag)
255 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
256 data_len + ss_padding_len,
257 (unsigned char *)prs_data_p(&p->out_data.frag),
258 (size_t)prs_offset(&p->out_data.frag),
259 &auth_blob);
260 if (!NT_STATUS_IS_OK(status)) {
261 talloc_free(frame);
262 prs_mem_free(&p->out_data.frag);
263 return False;
264 }
265 break;
266 default:
267 talloc_free(frame);
268 prs_mem_free(&p->out_data.frag);
269 return False;
270 }
271
272 /* Append the auth blob. */
273 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
274 NTLMSSP_SIG_SIZE)) {
275 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
276 (unsigned int)NTLMSSP_SIG_SIZE));
277 talloc_free(frame);
278 prs_mem_free(&p->out_data.frag);
279 return False;
280 }
281 talloc_free(frame);
282
283 /*
284 * Setup the counts for this PDU.
285 */
286
287 p->out_data.data_sent_length += data_len;
288 p->out_data.current_pdu_sent = 0;
289
290 return True;
291 }
292
293 /*******************************************************************
294 Generate the next PDU to be returned from the data in p->rdata.
295 Return an schannel authenticated fragment.
296 ********************************************************************/
297
298 static bool create_next_pdu_schannel(pipes_struct *p)
299 {
300 DATA_BLOB hdr;
301 uint8_t hdr_flags;
302 RPC_HDR_RESP hdr_resp;
303 uint32 ss_padding_len = 0;
304 uint32 data_len;
305 uint32 data_space_available;
306 uint32 data_len_left;
307 uint32 data_pos;
308 NTSTATUS status;
309
310 /*
311 * If we're in the fault state, keep returning fault PDU's until
312 * the pipe gets closed. JRA.
313 */
314
315 if(p->fault_state) {
316 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
317 return True;
318 }
319
320 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
321
322 /* Set up rpc header flags. */
323 if (p->out_data.data_sent_length == 0) {
324 hdr_flags = DCERPC_PFC_FLAG_FIRST;
325 } else {
326 hdr_flags = 0;
327 }
328
329 /*
330 * Work out how much we can fit in a single PDU.
331 */
332
333 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
334
335 /*
336 * Ensure there really is data left to send.
337 */
338
339 if(!data_len_left) {
340 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
341 return False;
342 }
343
344 /* Space available - not including padding. */
345 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
346 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
347 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
348
349 /*
350 * The amount we send is the minimum of the available
351 * space and the amount left to send.
352 */
353
354 data_len = MIN(data_len_left, data_space_available);
355
356 /* Work out any padding alignment requirements. */
357 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
358 ss_padding_len = SERVER_NDR_PADDING_SIZE -
359 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
360 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
361 ss_padding_len ));
362 /* If we're over filling the packet, we need to make space
363 * for the padding at the end of the data. */
364 if (data_len + ss_padding_len > data_space_available) {
365 data_len -= SERVER_NDR_PADDING_SIZE;
366 }
367 }
368
369 /*
370 * Set up the alloc hint. This should be the data left to
371 * send.
372 */
373
374 hdr_resp.alloc_hint = data_len_left;
375
376 /*
377 * Work out if this PDU will be the last.
378 */
379 if (p->out_data.data_sent_length + data_len >=
380 prs_offset(&p->out_data.rdata)) {
381 hdr_flags |= DCERPC_PFC_FLAG_LAST;
382 }
383
384 /*
385 * Init the parse struct to point at the outgoing
386 * data.
387 */
388 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
389
390 status = dcerpc_push_ncacn_packet_header(
391 prs_get_mem_context(&p->out_data.frag),
392 DCERPC_PKT_RESPONSE,
393 hdr_flags,
394 RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
395 data_len + ss_padding_len +
396 RPC_HDR_AUTH_LEN +
397 RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
398 RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
399 p->hdr.call_id,
400 &hdr);
401 if (!NT_STATUS_IS_OK(status)) {
402 DEBUG(0, ("Failed to marshall RPC Header.\n"));
403 prs_mem_free(&p->out_data.frag);
404 return False;
405 }
406
407 /* Store the header in the data stream. */
408 if (!prs_copy_data_in(&p->out_data.frag,
409 (char *)hdr.data, hdr.length)) {
410 DEBUG(0, ("Out of memory.\n"));
411 prs_mem_free(&p->out_data.frag);
412 return False;
413 }
414
415 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
417 prs_mem_free(&p->out_data.frag);
418 return False;
419 }
420
421 /* Store the current offset. */
422 data_pos = prs_offset(&p->out_data.frag);
423
424 /* Copy the data into the PDU. */
425
426 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
427 p->out_data.data_sent_length, data_len)) {
428 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
429 prs_mem_free(&p->out_data.frag);
430 return False;
431 }
432
433 /* Copy the sign/seal padding data. */
434 if (ss_padding_len) {
435 char pad[SERVER_NDR_PADDING_SIZE];
436 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
437 if (!prs_copy_data_in(&p->out_data.frag, pad,
438 ss_padding_len)) {
439 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
440 prs_mem_free(&p->out_data.frag);
441 return False;
442 }
443 }
444
445 {
446 /*
447 * Schannel processing.
448 */
449 RPC_HDR_AUTH auth_info;
450 DATA_BLOB blob;
451 uint8_t *data;
452
453 /* Check it's the type of reply we were expecting to decode */
454
455 init_rpc_hdr_auth(&auth_info,
456 DCERPC_AUTH_TYPE_SCHANNEL,
457 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
458 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
459 ss_padding_len, 1);
460
461 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
462 &p->out_data.frag, 0)) {
463 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
464 prs_mem_free(&p->out_data.frag);
465 return False;
466 }
467
468 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
469
470 switch (p->auth.auth_level) {
471 case DCERPC_AUTH_LEVEL_PRIVACY:
472 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
473 talloc_tos(),
474 true,
475 data,
476 data_len + ss_padding_len,
477 &blob);
478 break;
479 case DCERPC_AUTH_LEVEL_INTEGRITY:
480 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
481 talloc_tos(),
482 false,
483 data,
484 data_len + ss_padding_len,
485 &blob);
486 break;
487 default:
488 status = NT_STATUS_INTERNAL_ERROR;
489 break;
490 }
491
492 if (!NT_STATUS_IS_OK(status)) {
493 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
494 nt_errstr(status)));
495 prs_mem_free(&p->out_data.frag);
496 return false;
497 }
498
499 /* Finally marshall the blob. */
500
501 if (DEBUGLEVEL >= 10) {
502 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
503 }
504
505 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
506 prs_mem_free(&p->out_data.frag);
507 return false;
508 }
509 }
510
511 /*
512 * Setup the counts for this PDU.
513 */
514
515 p->out_data.data_sent_length += data_len;
516 p->out_data.current_pdu_sent = 0;
517
518 return True;
519 }
520
521 /*******************************************************************
522 Generate the next PDU to be returned from the data in p->rdata.
523 No authentication done.
524 ********************************************************************/
525
526 static bool create_next_pdu_noauth(pipes_struct *p)
527 {
528 DATA_BLOB hdr;
529 uint8_t hdr_flags;
530 NTSTATUS status;
531 RPC_HDR_RESP hdr_resp;
532 uint32 data_len;
533 uint32 data_space_available;
534 uint32 data_len_left;
535
536 /*
537 * If we're in the fault state, keep returning fault PDU's until
538 * the pipe gets closed. JRA.
539 */
540
541 if(p->fault_state) {
542 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
543 return True;
544 }
545
546 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
547
548 /* Set up rpc header flags. */
549 if (p->out_data.data_sent_length == 0) {
550 hdr_flags = DCERPC_PFC_FLAG_FIRST;
551 } else {
552 hdr_flags = 0;
553 }
554
555 /*
556 * Work out how much we can fit in a single PDU.
557 */
558
559 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
560
561 /*
562 * Ensure there really is data left to send.
563 */
564
565 if(!data_len_left) {
566 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
567 return False;
568 }
569
570 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
571 - RPC_HDR_RESP_LEN;
572
573 /*
574 * The amount we send is the minimum of the available
575 * space and the amount left to send.
576 */
577
578 data_len = MIN(data_len_left, data_space_available);
579
580 /*
581 * Set up the alloc hint. This should be the data left to
582 * send.
583 */
584
585 hdr_resp.alloc_hint = data_len_left;
586
587 /*
588 * Work out if this PDU will be the last.
589 */
590 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
591 hdr_flags |= DCERPC_PFC_FLAG_LAST;
592 }
593
594 /*
595 * Init the parse struct to point at the outgoing
596 * data.
597 */
598 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
599
600 status = dcerpc_push_ncacn_packet_header(
601 prs_get_mem_context(&p->out_data.frag),
602 DCERPC_PKT_RESPONSE,
603 hdr_flags,
604 RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len,
605 0,
606 p->hdr.call_id,
607 &hdr);
608 if (!NT_STATUS_IS_OK(status)) {
609 DEBUG(0, ("Failed to marshall RPC Header.\n"));
610 prs_mem_free(&p->out_data.frag);
611 return False;
612 }
613
614 /* Store the header in the data stream. */
615 if (!prs_copy_data_in(&p->out_data.frag,
616 (char *)hdr.data, hdr.length)) {
617 DEBUG(0, ("Out of memory.\n"));
618 prs_mem_free(&p->out_data.frag);
619 return False;
620 }
621
622 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
623 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
624 prs_mem_free(&p->out_data.frag);
625 return False;
626 }
627
628 /* Copy the data into the PDU. */
629
630 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
631 p->out_data.data_sent_length, data_len)) {
632 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
633 prs_mem_free(&p->out_data.frag);
634 return False;
635 }
636
637 /*
638 * Setup the counts for this PDU.
639 */
640
641 p->out_data.data_sent_length += data_len;
642 p->out_data.current_pdu_sent = 0;
643
644 return True;
645 }
646
647 /*******************************************************************
648 Generate the next PDU to be returned from the data in p->rdata.
649 ********************************************************************/
650
651 bool create_next_pdu(pipes_struct *p)
652 {
653 switch(p->auth.auth_level) {
654 case DCERPC_AUTH_LEVEL_NONE:
655 case DCERPC_AUTH_LEVEL_CONNECT:
656 /* This is incorrect for auth level connect. Fixme. JRA */
657 return create_next_pdu_noauth(p);
658
659 default:
660 switch(p->auth.auth_type) {
661 case PIPE_AUTH_TYPE_NTLMSSP:
662 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
663 return create_next_pdu_ntlmssp(p);
664 case PIPE_AUTH_TYPE_SCHANNEL:
665 return create_next_pdu_schannel(p);
666 default:
667 break;
668 }
669 }
670
671 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
672 (unsigned int)p->auth.auth_level,
673 (unsigned int)p->auth.auth_type));
674 return False;
675 }
676
677 /*******************************************************************
678 Process an NTLMSSP authentication response.
679 If this function succeeds, the user has been authenticated
680 and their domain, name and calling workstation stored in
681 the pipe struct.
682 *******************************************************************/
683
684 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
685 {
686 DATA_BLOB session_key, reply;
687 NTSTATUS status;
688 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
689 bool ret;
690
691 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
692 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
693
694 ZERO_STRUCT(reply);
695
696 /* this has to be done as root in order to verify the password */
697 become_root();
698 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
699 unbecome_root();
700
701 /* Don't generate a reply. */
702 data_blob_free(&reply);
703
704 if (!NT_STATUS_IS_OK(status)) {
705 return False;
706 }
707
708 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
709 ensure the underlying NTLMSSP flags are also set. If not we should
710 refuse the bind. */
711
712 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
713 if (!auth_ntlmssp_negotiated_sign(a)) {
714 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
715 "but client declined signing.\n",
716 get_pipe_name_from_syntax(talloc_tos(),
717 &p->syntax)));
718 return False;
719 }
720 }
721 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
722 if (!auth_ntlmssp_negotiated_seal(a)) {
723 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
724 "but client declined sealing.\n",
725 get_pipe_name_from_syntax(talloc_tos(),
726 &p->syntax)));
727 return False;
728 }
729 }
730
731 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
732 "workstation: %s\n",
733 auth_ntlmssp_get_username(a),
734 auth_ntlmssp_get_domain(a),
735 auth_ntlmssp_get_client(a)));
736
737 TALLOC_FREE(p->server_info);
738
739 p->server_info = auth_ntlmssp_server_info(p, a);
740 if (p->server_info == NULL) {
741 DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user\n"));
742 return false;
743 }
744
745 if (p->server_info->ptok == NULL) {
746 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
747 return False;
748 }
749
750 /*
751 * We're an authenticated bind over smb, so the session key needs to
752 * be set to "SystemLibraryDTC". Weird, but this is what Windows
753 * does. See the RPC-SAMBA3SESSIONKEY.
754 */
755
756 session_key = generic_session_key();
757 if (session_key.data == NULL) {
758 return False;
759 }
760
761 ret = server_info_set_session_key(p->server_info, session_key);
762
763 data_blob_free(&session_key);
764
765 return True;
766 }
767
768 /*******************************************************************
769 This is the "stage3" NTLMSSP response after a bind request and reply.
770 *******************************************************************/
771
772 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
773 {
774 struct dcerpc_auth auth_info;
775 uint32 pad = 0;
776 DATA_BLOB auth_blob;
777 uint32_t auth_len = p->hdr.auth_len;
778 NTSTATUS status;
779
780 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
781
782 if (auth_len == 0) {
783 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
784 goto err;
785 }
786
787 /* 4 bytes padding. */
788 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
789 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
790 goto err;
791 }
792
793 /* Ensure there's enough data for an authenticated request. */
794 if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
795 p->hdr.frag_len) {
796 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
797 "%u is too large.\n",
798 (unsigned int)auth_len ));
799 goto err;
800 }
801
802 /*
803 * Decode the authentication verifier response.
804 */
805
806 /* Pull the auth header and the following data into a blob. */
807 /* NB. The offset of the auth_header is relative to the *end*
808 * of the packet, not the start. Also, the length of the
809 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
810 * as the RPC header isn't included in rpc_in_p. */
811 if(!prs_set_offset(rpc_in_p,
812 p->hdr.frag_len - RPC_HEADER_LEN -
813 RPC_HDR_AUTH_LEN - auth_len)) {
814 DEBUG(0,("api_pipe_bind_auth3: cannot move "
815 "offset to %u.\n",
816 (unsigned int)(p->hdr.frag_len -
817 RPC_HDR_AUTH_LEN - auth_len) ));
818 goto err;
819 }
820
821 auth_blob = data_blob_const(prs_data_p(rpc_in_p)
822 + prs_offset(rpc_in_p),
823 prs_data_size(rpc_in_p)
824 - prs_offset(rpc_in_p));
825
826 status = dcerpc_pull_dcerpc_auth(prs_get_mem_context(rpc_in_p),
827 &auth_blob, &auth_info);
828 if (!NT_STATUS_IS_OK(status)) {
829 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
830 goto err;
831 }
832
833 /* We must NEVER look at auth_info->auth_pad_len here,
834 * as old Samba client code gets it wrong and sends it
835 * as zero. JRA.
836 */
837
838 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
839 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
840 (unsigned int)auth_info.auth_type ));
841 return False;
842 }
843
844 /*
845 * The following call actually checks the challenge/response data.
846 * for correctness against the given DOMAIN\user name.
847 */
848
849 if (!pipe_ntlmssp_verify_final(p, &auth_info.credentials)) {
850 goto err;
851 }
852
853 p->pipe_bound = True;
854
855 return True;
856
857 err:
858
859 free_pipe_ntlmssp_auth_data(&p->auth);
860 p->auth.a_u.auth_ntlmssp_state = NULL;
861
862 return False;
863 }
864
865 /*******************************************************************
866 Marshall a bind_nak pdu.
867 *******************************************************************/
868
869 static bool setup_bind_nak(pipes_struct *p)
870 {
871 NTSTATUS status;
872 union dcerpc_payload u;
873 DATA_BLOB blob;
874
875 /* Free any memory in the current return data buffer. */
876 prs_mem_free(&p->out_data.rdata);
877
878 /*
879 * Marshall directly into the outgoing PDU space. We
880 * must do this as we need to set to the bind response
881 * header and are never sending more than one PDU here.
882 */
883
884 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
885
886 /*
887 * Initialize a bind_nak header.
888 */
889
890 ZERO_STRUCT(u);
891
892 u.bind_nak.reject_reason = 0;
893
894 status = dcerpc_push_ncacn_packet(p->mem_ctx,
895 DCERPC_PKT_BIND_NAK,
896 DCERPC_PFC_FLAG_FIRST |
897 DCERPC_PFC_FLAG_LAST,
898 0,
899 p->hdr.call_id,
900 u,
901 &blob);
902 if (!NT_STATUS_IS_OK(status)) {
903 prs_mem_free(&p->out_data.frag);
904 return False;
905 }
906
907 if (!prs_copy_data_in(&p->out_data.frag,
908 (char *)blob.data, blob.length)) {
909 prs_mem_free(&p->out_data.frag);
910 return False;
911 }
912
913 p->out_data.data_sent_length = 0;
914 p->out_data.current_pdu_sent = 0;
915
916 if (p->auth.auth_data_free_func) {
917 (*p->auth.auth_data_free_func)(&p->auth);
918 }
919 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
920 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
921 p->pipe_bound = False;
922
923 return True;
924 }
925
926 /*******************************************************************
927 Marshall a fault pdu.
928 *******************************************************************/
929
930 bool setup_fault_pdu(pipes_struct *p, NTSTATUS fault_status)
931 {
932 NTSTATUS status;
933 union dcerpc_payload u;
934 DATA_BLOB blob;
935
936 /* Free any memory in the current return data buffer. */
937 prs_mem_free(&p->out_data.rdata);
938
939 /*
940 * Marshall directly into the outgoing PDU space. We
941 * must do this as we need to set to the bind response
942 * header and are never sending more than one PDU here.
943 */
944
945 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
946
947 /*
948 * Initialize a fault header.
949 */
950
951 ZERO_STRUCT(u);
952
953 u.fault.status = NT_STATUS_V(fault_status);
954 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
955
956 status = dcerpc_push_ncacn_packet(p->mem_ctx,
957 DCERPC_PKT_FAULT,
958 DCERPC_PFC_FLAG_FIRST |
959 DCERPC_PFC_FLAG_LAST |
960 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
961 0,
962 p->hdr.call_id,
963 u,
964 &blob);
965 if (!NT_STATUS_IS_OK(status)) {
966 prs_mem_free(&p->out_data.frag);
967 return False;
968 }
969
970 if (!prs_copy_data_in(&p->out_data.frag,
971 (char *)blob.data, blob.length)) {
972 prs_mem_free(&p->out_data.frag);
973 return False;
974 }
975
976 p->out_data.data_sent_length = 0;
977 p->out_data.current_pdu_sent = 0;
978
979 return True;
980 }
981
982 /*******************************************************************
983 Ensure a bind request has the correct abstract & transfer interface.
984 Used to reject unknown binds from Win2k.
985 *******************************************************************/
986
987 static bool check_bind_req(struct pipes_struct *p,
988 struct ndr_syntax_id* abstract,
989 struct ndr_syntax_id* transfer,
990 uint32 context_id)
991 {
992 struct pipe_rpc_fns *context_fns;
993
994 DEBUG(3,("check_bind_req for %s\n",
995 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
996
997 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
998 if (rpc_srv_pipe_exists_by_id(abstract) &&
999 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
1000 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1001 rpc_srv_get_pipe_cli_name(abstract),
1002 rpc_srv_get_pipe_srv_name(abstract)));
1003 } else {
1004 return false;
1005 }
1006
1007 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1008 if (context_fns == NULL) {
1009 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1010 return False;
1011 }
1012
1013 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
1014 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
1015 context_fns->context_id = context_id;
1016
1017 /* add to the list of open contexts */
1018
1019 DLIST_ADD( p->contexts, context_fns );
1020
1021 return True;
1022 }
1023
1024 /**
1025 * Is a named pipe known?
1026 * @param[in] cli_filename The pipe name requested by the client
1027 * @result Do we want to serve this?
1028 */
1029 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1030 {
1031 const char *pipename = cli_filename;
1032 NTSTATUS status;
1033
1034 if (strnequal(pipename, "\\PIPE\\", 6)) {
1035 pipename += 5;
1036 }
1037
1038 if (*pipename == '\\') {
1039 pipename += 1;
1040 }
1041
1042 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1043 DEBUG(10, ("refusing spoolss access\n"));
1044 return false;
1045 }
1046
1047 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
1048 return true;
1049 }
1050
1051 status = smb_probe_module("rpc", pipename);
1052 if (!NT_STATUS_IS_OK(status)) {
1053 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1054 return false;
1055 }
1056 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1057
1058 /*
1059 * Scan the list again for the interface id
1060 */
1061 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
1062 return true;
1063 }
1064
1065 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1066 pipename));
1067
1068 return false;
1069 }
1070
1071 /*******************************************************************
1072 Handle a SPNEGO krb5 bind auth.
1073 *******************************************************************/
1074
1075 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p,
1076 prs_struct *rpc_in_p,
1077 struct dcerpc_auth *pauth_info,
1078 DATA_BLOB *psecblob,
1079 prs_struct *pout_auth)
1080 {
1081 return False;
1082 }
1083
1084 /*******************************************************************
1085 Handle the first part of a SPNEGO bind auth.
1086 *******************************************************************/
1087
1088 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p,
1089 prs_struct *rpc_in_p,
1090 uint32_t ss_padding_len,
1091 struct dcerpc_auth *pauth_info,
1092 prs_struct *pout_auth)
1093 {
1094 DATA_BLOB blob;
1095 DATA_BLOB secblob;
1096 DATA_BLOB response;
1097 DATA_BLOB chal;
1098 char *OIDs[ASN1_MAX_OIDS];
1099 int i;
1100 NTSTATUS status;
1101 bool got_kerberos_mechanism = false;
1102 struct auth_ntlmssp_state *a = NULL;
1103
1104 ZERO_STRUCT(secblob);
1105 ZERO_STRUCT(chal);
1106 ZERO_STRUCT(response);
1107
1108 if (pauth_info->credentials.data[0] != ASN1_APPLICATION(0)) {
1109 goto err;
1110 }
1111
1112 /* parse out the OIDs and the first sec blob */
1113 if (!parse_negTokenTarg(pauth_info->credentials, OIDs, &secblob)) {
1114 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1115 goto err;
1116 }
1117
1118 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1119 got_kerberos_mechanism = true;
1120 }
1121
1122 for (i=0;OIDs[i];i++) {
1123 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1124 TALLOC_FREE(OIDs[i]);
1125 }
1126 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1127
1128 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1129 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1130 data_blob_free(&secblob);
1131 return ret;
1132 }
1133
1134 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1135 /* Free any previous auth type. */
1136 free_pipe_ntlmssp_auth_data(&p->auth);
1137 }
1138
1139 if (!got_kerberos_mechanism) {
1140 /* Initialize the NTLM engine. */
1141 status = auth_ntlmssp_start(&a);
1142 if (!NT_STATUS_IS_OK(status)) {
1143 goto err;
1144 }
1145
1146 switch (pauth_info->auth_level) {
1147 case DCERPC_AUTH_LEVEL_INTEGRITY:
1148 auth_ntlmssp_want_sign(a);
1149 break;
1150 case DCERPC_AUTH_LEVEL_PRIVACY:
1151 auth_ntlmssp_want_seal(a);
1152 break;
1153 default:
1154 break;
1155 }
1156 /*
1157 * Pass the first security blob of data to it.
1158 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1159 * which means we need another packet to complete the bind.
1160 */
1161
1162 status = auth_ntlmssp_update(a, secblob, &chal);
1163
1164 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1165 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1166 goto err;
1167 }
1168
1169 /* Generate the response blob we need for step 2 of the bind. */
1170 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1171 } else {
1172 /*
1173 * SPNEGO negotiate down to NTLMSSP. The subsequent
1174 * code to process follow-up packets is not complete
1175 * yet. JRA.
1176 */
1177 response = spnego_gen_auth_response(NULL,
1178 NT_STATUS_MORE_PROCESSING_REQUIRED,
1179 OID_NTLMSSP);
1180 }
1181
1182 /* auth_pad_len will be handled by the caller */
1183
1184 status = dcerpc_push_dcerpc_auth(prs_get_mem_context(pout_auth),
1185 DCERPC_AUTH_TYPE_SPNEGO,
1186 pauth_info->auth_level,
1187 ss_padding_len,
1188 1, /* auth_context_id */
1189 &response,
1190 &blob);
1191 if (!NT_STATUS_IS_OK(status)) {
1192 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1193 goto err;
1194 }
1195
1196 /* Copy the blob into the pout_auth parse struct */
1197 if (!prs_copy_data_in(pout_auth, (char *)blob.data, blob.length)) {
1198 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1199 goto err;
1200 }
1201
1202 p->auth.a_u.auth_ntlmssp_state = a;
1203 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1204 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1205
1206 data_blob_free(&secblob);
1207 data_blob_free(&chal);
1208 data_blob_free(&response);
1209
1210 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1211 return True;
1212
1213 err:
1214
1215 data_blob_free(&secblob);
1216 data_blob_free(&chal);
1217 data_blob_free(&response);
1218
1219 p->auth.a_u.auth_ntlmssp_state = NULL;
1220
1221 return False;
1222 }
1223
1224 /*******************************************************************
1225 Handle the second part of a SPNEGO bind auth.
1226 *******************************************************************/
1227
1228 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1229 uint32_t ss_padding_len,
1230 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1231 {
1232 RPC_HDR_AUTH auth_info;
1233 DATA_BLOB spnego_blob;
1234 DATA_BLOB auth_blob;
1235 DATA_BLOB auth_reply;
1236 DATA_BLOB response;
1237 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
1238
1239 ZERO_STRUCT(spnego_blob);
1240 ZERO_STRUCT(auth_blob);
1241 ZERO_STRUCT(auth_reply);
1242 ZERO_STRUCT(response);
1243
1244 /*
1245 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1246 * fail here as 'a' == NULL.
1247 */
1248 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1249 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1250 goto err;
1251 }
1252
1253 /* Grab the SPNEGO blob. */
1254 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1255
1256 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1257 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1258 (unsigned int)p->hdr.auth_len ));
1259 goto err;
1260 }
1261
1262 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1263 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1264 goto err;
1265 }
1266
1267 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1268 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1269 goto err;
1270 }
1271
1272 /*
1273 * The following call actually checks the challenge/response data.
1274 * for correctness against the given DOMAIN\user name.
1275 */
1276
1277 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1278 goto err;
1279 }
1280
1281 data_blob_free(&spnego_blob);
1282 data_blob_free(&auth_blob);
1283
1284 /* Generate the spnego "accept completed" blob - no incoming data. */
1285 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1286
1287 /* FIXME - add auth_pad_len here ! */
1288
1289 /* Copy the blob into the pout_auth parse struct */
1290 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1291 pauth_info->auth_level, ss_padding_len, 1);
1292 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1293 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1294 goto err;
1295 }
1296
1297 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1298 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1299 goto err;
1300 }
1301
1302 data_blob_free(&auth_reply);
1303 data_blob_free(&response);
1304
1305 p->pipe_bound = True;
1306
1307 return True;
1308
1309 err:
1310
1311 data_blob_free(&spnego_blob);
1312 data_blob_free(&auth_blob);
1313 data_blob_free(&auth_reply);
1314 data_blob_free(&response);
1315
1316 free_pipe_ntlmssp_auth_data(&p->auth);
1317 p->auth.a_u.auth_ntlmssp_state = NULL;
1318
1319 return False;
1320 }
1321
1322 /*******************************************************************
1323 Handle an schannel bind auth.
1324 *******************************************************************/
1325
1326 static bool pipe_schannel_auth_bind(pipes_struct *p,
1327 prs_struct *rpc_in_p,
1328 uint32_t ss_padding_len,
1329 struct dcerpc_auth *auth_info,
1330 prs_struct *pout_auth)
1331 {
1332 DATA_BLOB auth_blob;
1333 struct NL_AUTH_MESSAGE neg;
1334 struct NL_AUTH_MESSAGE reply;
1335 bool ret;
1336 NTSTATUS status;
1337 struct netlogon_creds_CredentialState *creds;
1338 DATA_BLOB session_key;
1339 enum ndr_err_code ndr_err;
1340 DATA_BLOB blob;
1341
1342 ndr_err = ndr_pull_struct_blob(
1343 &auth_info->credentials,
1344 prs_get_mem_context(pout_auth), &neg,
1345 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1346 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1347 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1348 return false;
1349 }
1350
1351 if (DEBUGLEVEL >= 10) {
1352 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1353 }
1354
1355 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1356 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1357 return false;
1358 }
1359
1360 /*
1361 * The neg.oem_netbios_computer.a key here must match the remote computer name
1362 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1363 * operations that use credentials.
1364 */
1365
1366 become_root();
1367 status = schannel_get_creds_state(p, lp_private_dir(),
1368 neg.oem_netbios_computer.a, &creds);
1369 unbecome_root();
1370
1371 if (!NT_STATUS_IS_OK(status)) {
1372 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1373 return False;
1374 }
1375
1376 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1377 if (!p->auth.a_u.schannel_auth) {
1378 TALLOC_FREE(creds);
1379 return False;
1380 }
1381
1382 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1383 p->auth.a_u.schannel_auth->seq_num = 0;
1384 p->auth.a_u.schannel_auth->initiator = false;
1385 p->auth.a_u.schannel_auth->creds = creds;
1386
1387 /*
1388 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1389 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1390 * struct of the person who opened the pipe. I need to test this further. JRA.
1391 *
1392 * VL. As we are mapping this to guest set the generic key
1393 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1394 * W2k3, as it does not allow schannel binds against SAMR and LSA
1395 * anymore.
1396 */
1397
1398 session_key = generic_session_key();
1399 if (session_key.data == NULL) {
1400 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1401 " key\n"));
1402 return false;
1403 }
1404
1405 ret = server_info_set_session_key(p->server_info, session_key);
1406
1407 data_blob_free(&session_key);
1408
1409 if (!ret) {
1410 DEBUG(0, ("server_info_set_session_key failed\n"));
1411 return false;
1412 }
1413
1414 /*** SCHANNEL verifier ***/
1415
1416 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1417 reply.Flags = 0;
1418 reply.Buffer.dummy = 5; /* ??? actually I don't think
1419 * this has any meaning
1420 * here - gd */
1421
1422 ndr_err = ndr_push_struct_blob(&auth_blob, talloc_tos(), &reply,
1423 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1424 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1425 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1426 return false;
1427 }
1428
1429 if (DEBUGLEVEL >= 10) {
1430 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1431 }
1432
1433 status = dcerpc_push_dcerpc_auth(prs_get_mem_context(pout_auth),
1434 DCERPC_AUTH_TYPE_SCHANNEL,
1435 auth_info->auth_level,
1436 ss_padding_len,
1437 1, /* auth_context_id */
1438 &auth_blob,
1439 &blob);
1440 if (!NT_STATUS_IS_OK(status)) {
1441 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1442 return False;
1443 }
1444
1445 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1446 return false;
1447 }
1448
1449 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1450 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1451
1452 /* We're finished with this bind - no more packets. */
1453 p->auth.auth_data_free_func = NULL;
1454 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1455
1456 p->pipe_bound = True;
1457
1458 return True;
1459 }
1460
1461 /*******************************************************************
1462 Handle an NTLMSSP bind auth.
1463 *******************************************************************/
1464
1465 static bool pipe_ntlmssp_auth_bind(pipes_struct *p,
1466 prs_struct *rpc_in_p,
1467 uint32_t ss_padding_len,
1468 struct dcerpc_auth *auth_info,
1469 prs_struct *pout_auth)
1470 {
1471 DATA_BLOB blob;
1472 DATA_BLOB response;
1473 NTSTATUS status;
1474 struct auth_ntlmssp_state *a = NULL;
1475
1476 ZERO_STRUCT(response);
1477
1478 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
1479 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
1480 goto err;
1481 }
1482
1483 /* We have an NTLMSSP blob. */
1484 status = auth_ntlmssp_start(&a);
1485 if (!NT_STATUS_IS_OK(status)) {
1486 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1487 nt_errstr(status) ));
1488 goto err;
1489 }
1490
1491 switch (auth_info->auth_level) {
1492 case DCERPC_AUTH_LEVEL_INTEGRITY:
1493 auth_ntlmssp_want_sign(a);
1494 break;
1495 case DCERPC_AUTH_LEVEL_PRIVACY:
1496 auth_ntlmssp_want_seal(a);
1497 break;
1498 default:
1499 break;
1500 }
1501
1502 status = auth_ntlmssp_update(a, auth_info->credentials, &response);
1503 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1504 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1505 nt_errstr(status) ));
1506 goto err;
1507 }
1508
1509 status = dcerpc_push_dcerpc_auth(prs_get_mem_context(pout_auth),
1510 DCERPC_AUTH_TYPE_NTLMSSP,
1511 auth_info->auth_level,
1512 ss_padding_len,
1513 1, /* auth_context_id */
1514 &response,
1515 &blob);
1516 if (!NT_STATUS_IS_OK(status)) {
1517 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1518 goto err;
1519 }
1520
1521 /* Copy the blob into the pout_auth parse struct */
1522 if (!prs_copy_data_in(pout_auth, (char *)blob.data, blob.length)) {
1523 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1524 goto err;
1525 }
1526
1527 p->auth.a_u.auth_ntlmssp_state = a;
1528 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1529 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1530
1531 data_blob_free(&response);
1532
1533 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1534
1535 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1536 return True;
1537
1538 err:
1539
1540 data_blob_free(&response);
1541
1542 free_pipe_ntlmssp_auth_data(&p->auth);
1543 p->auth.a_u.auth_ntlmssp_state = NULL;
1544 return False;
1545 }
1546
1547 /*******************************************************************
1548 Respond to a pipe bind request.
1549 *******************************************************************/
1550
1551 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1552 {
1553 RPC_HDR_BA hdr_ba;
1554 struct dcerpc_bind rpc_bind;
1555 DATA_BLOB blob_rb;
1556 struct dcerpc_auth auth_info;
1557 DATA_BLOB auth_blob;
1558 uint16 assoc_gid;
1559 fstring ack_pipe_name;
1560 prs_struct out_hdr_ba;
1561 prs_struct out_auth;
1562 int auth_len = 0;
1563 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1564 uint32_t ss_padding_len = 0;
1565 NTSTATUS status;
1566 struct ndr_syntax_id id;
1567
1568 /* No rebinds on a bound pipe - use alter context. */
1569 if (p->pipe_bound) {
1570 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1571 "pipe %s.\n",
1572 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1573 return setup_bind_nak(p);
1574 }
1575
1576 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1577
1578 /*
1579 * Marshall directly into the outgoing PDU space. We
1580 * must do this as we need to set to the bind response
1581 * header and are never sending more than one PDU here.
1582 */
1583
1584 /*
1585 * Setup the memory to marshall the ba header, and the
1586 * auth footers.
1587 */
1588
1589 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1590 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1591 prs_mem_free(&p->out_data.frag);
1592 return False;
1593 }
1594
1595 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1596 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1597 prs_mem_free(&p->out_data.frag);
1598 prs_mem_free(&out_hdr_ba);
1599 return False;
1600 }
1601
1602 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1603
1604 /* decode the bind request */
1605 blob_rb = data_blob_const(prs_data_p(rpc_in_p),
1606 prs_data_size(rpc_in_p));
1607 status = dcerpc_pull_dcerpc_bind(talloc_tos(), &blob_rb, &rpc_bind);
1608 if (!NT_STATUS_IS_OK(status)) {
1609 goto err_exit;
1610 }
1611
1612 if (rpc_bind.num_contexts == 0) {
1613 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1614 goto err_exit;
1615 }
1616
1617 /*
1618 * Try and find the correct pipe name to ensure
1619 * that this is a pipe name we support.
1620 */
1621 id = rpc_bind.ctx_list[0].abstract_syntax;
1622 if (rpc_srv_pipe_exists_by_id(&id)) {
1623 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1624 rpc_srv_get_pipe_cli_name(&id),
1625 rpc_srv_get_pipe_srv_name(&id)));
1626 } else {
1627 status = smb_probe_module(
1628 "rpc", get_pipe_name_from_syntax(
1629 talloc_tos(),
1630 &rpc_bind.ctx_list[0].abstract_syntax));
1631
1632 if (NT_STATUS_IS_ERR(status)) {
1633 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1634 get_pipe_name_from_syntax(
1635 talloc_tos(),
1636 &rpc_bind.ctx_list[0].abstract_syntax)));
1637 prs_mem_free(&p->out_data.frag);
1638 prs_mem_free(&out_hdr_ba);
1639 prs_mem_free(&out_auth);
1640
1641 return setup_bind_nak(p);
1642 }
1643
1644 if (rpc_srv_get_pipe_interface_by_cli_name(
1645 get_pipe_name_from_syntax(talloc_tos(),
1646 &p->syntax),
1647 &id)) {
1648 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1649 rpc_srv_get_pipe_cli_name(&id),
1650 rpc_srv_get_pipe_srv_name(&id)));
1651 } else {
1652 DEBUG(0, ("module %s doesn't provide functions for "
1653 "pipe %s!\n",
1654 get_pipe_name_from_syntax(talloc_tos(),
1655 &p->syntax),
1656 get_pipe_name_from_syntax(talloc_tos(),
1657 &p->syntax)));
1658 goto err_exit;
1659 }
1660 }
1661
1662 /* name has to be \PIPE\xxxxx */
1663 fstrcpy(ack_pipe_name, "\\PIPE\\");
1664 fstrcat(ack_pipe_name, rpc_srv_get_pipe_srv_name(&id));
1665
1666 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1667
1668 if (rpc_bind.assoc_group_id != 0) {
1669 assoc_gid = rpc_bind.assoc_group_id;
1670 } else {
1671 assoc_gid = 0x53f0;
1672 }
1673
1674
1675 /*
1676 * Create the bind response struct.
1677 */
1678
1679 /* If the requested abstract synt uuid doesn't match our client pipe,
1680 reject the bind_ack & set the transfer interface synt to all 0's,
1681 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1682 unknown to NT4)
1683 Needed when adding entries to a DACL from NT5 - SK */
1684
1685 if (check_bind_req(p,
1686 &rpc_bind.ctx_list[0].abstract_syntax,
1687 &rpc_bind.ctx_list[0].transfer_syntaxes[0],
1688 rpc_bind.ctx_list[0].context_id)) {
1689 init_rpc_hdr_ba(&hdr_ba,
1690 RPC_MAX_PDU_FRAG_LEN,
1691 RPC_MAX_PDU_FRAG_LEN,
1692 assoc_gid,
1693 ack_pipe_name,
1694 0x1, 0x0, 0x0,
1695 &rpc_bind.ctx_list[0].transfer_syntaxes[0]);
1696 } else {
1697 /* Rejection reason: abstract syntax not supported */
1698 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1699 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1700 ack_pipe_name, 0x1, 0x2, 0x1,
1701 &null_ndr_syntax_id);
1702 p->pipe_bound = False;
1703 }
1704
1705 /*
1706 * and marshall it.
1707 */
1708
1709 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1710 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1711 goto err_exit;
1712 }
1713
1714 /*
1715 * Check if this is an authenticated bind request.
1716 */
1717
1718 if (p->hdr.auth_len) {
1719 /*
1720 * Decode the authentication verifier.
1721 */
1722
1723 /* Work out any padding needed before the auth footer. */
1724 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1725 ss_padding_len = SERVER_NDR_PADDING_SIZE -
1726 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1727 DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1728 (unsigned int)ss_padding_len ));
1729 }
1730
1731 /* Quick length check. Won't catch a bad auth footer,
1732 * prevents overrun. */
1733
1734 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1735 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1736 "too long for fragment %u.\n",
1737 (unsigned int)p->hdr.auth_len,
1738 (unsigned int)p->hdr.frag_len ));
1739 goto err_exit;
1740 }
1741
1742 /* Pull the auth header and the following data into a blob. */
1743 /* NB. The offset of the auth_header is relative to the *end*
1744 * of the packet, not the start. Also, the length of the
1745 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1746 * as the RPC header isn't included in rpc_in_p. */
1747 if(!prs_set_offset(rpc_in_p,
1748 p->hdr.frag_len - RPC_HEADER_LEN -
1749 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1750 DEBUG(0,("api_pipe_bind_req: cannot move "
1751 "offset to %u.\n",
1752 (unsigned int)(p->hdr.frag_len -
1753 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1754 goto err_exit;
1755 }
1756
1757 auth_blob = data_blob_const(prs_data_p(rpc_in_p)
1758 + prs_offset(rpc_in_p),
1759 prs_data_size(rpc_in_p)
1760 - prs_offset(rpc_in_p));
1761
1762 status = dcerpc_pull_dcerpc_auth(prs_get_mem_context(rpc_in_p),
1763 &auth_blob, &auth_info);
1764 if (!NT_STATUS_IS_OK(status)) {
1765 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1766 goto err_exit;
1767 }
1768
1769 auth_type = auth_info.auth_type;
1770
1771 /* Work out if we have to sign or seal etc. */
1772 switch (auth_info.auth_level) {
1773 case DCERPC_AUTH_LEVEL_INTEGRITY:
1774 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1775 break;
1776 case DCERPC_AUTH_LEVEL_PRIVACY:
1777 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1778 break;
1779 default:
1780 DEBUG(0, ("Unexpected auth level (%u).\n",
1781 (unsigned int)auth_info.auth_level ));
1782 goto err_exit;
1783 }
1784 } else {
1785 ZERO_STRUCT(auth_info);
1786 }
1787
1788 switch(auth_type) {
1789 case DCERPC_AUTH_TYPE_NTLMSSP:
1790 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1791 ss_padding_len, &auth_info, &out_auth)) {
1792 goto err_exit;
1793 }
1794 assoc_gid = 0x7a77;
1795 break;
1796
1797 case DCERPC_AUTH_TYPE_SCHANNEL:
1798 if (!pipe_schannel_auth_bind(p, rpc_in_p,
1799 ss_padding_len, &auth_info, &out_auth)) {
1800 goto err_exit;
1801 }
1802 break;
1803
1804 case DCERPC_AUTH_TYPE_SPNEGO:
1805 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1806 ss_padding_len, &auth_info, &out_auth)) {
1807 goto err_exit;
1808 }
1809 break;
1810
1811 case DCERPC_AUTH_TYPE_NONE:
1812 /* Unauthenticated bind request. */
1813 /* We're finished - no more packets. */
1814 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1815 /* We must set the pipe auth_level here also. */
1816 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1817 p->pipe_bound = True;
1818 /* The session key was initialized from the SMB
1819 * session in make_internal_rpc_pipe_p */
1820 ss_padding_len = 0;
1821 break;
1822
1823 default:
1824 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1825 goto err_exit;
1826 }
1827 /*
1828 * Create the header, now we know the length.
1829 */
1830
1831 if (prs_offset(&out_auth)) {
1832 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1833 }
1834
1835 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1836 p->hdr.call_id,
1837 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1838 ss_padding_len + prs_offset(&out_auth),
1839 auth_len);
1840
1841 /*
1842 * Marshall the header into the outgoing PDU.
1843 */
1844
1845 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1846 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1847 goto err_exit;
1848 }
1849
1850 /*
1851 * Now add the RPC_HDR_BA and any auth needed.
1852 */
1853
1854 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1855 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1856 goto err_exit;
1857 }
1858
1859 if (auth_len) {
1860 if (ss_padding_len) {
1861 char pad[SERVER_NDR_PADDING_SIZE];
1862 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1863 if (!prs_copy_data_in(&p->out_data.frag, pad,
1864 ss_padding_len)) {
1865 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1866 "bytes of pad data.\n",
1867 (unsigned int)ss_padding_len));
1868 goto err_exit;
1869 }
1870 }
1871
1872 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1873 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1874 goto err_exit;
1875 }
1876 }
1877
1878 /*
1879 * Setup the lengths for the initial reply.
1880 */
1881
1882 p->out_data.data_sent_length = 0;
1883 p->out_data.current_pdu_sent = 0;
1884
1885 prs_mem_free(&out_hdr_ba);
1886 prs_mem_free(&out_auth);
1887
1888 return True;
1889
1890 err_exit:
1891
1892 prs_mem_free(&p->out_data.frag);
1893 prs_mem_free(&out_hdr_ba);
1894 prs_mem_free(&out_auth);
1895 return setup_bind_nak(p);
1896 }
1897
1898 /****************************************************************************
1899 Deal with an alter context call. Can be third part of 3 leg auth request for
1900 SPNEGO calls.
1901 ****************************************************************************/
1902
1903 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1904 {
1905 RPC_HDR_BA hdr_ba;
1906 struct dcerpc_bind rpc_bind;
1907 DATA_BLOB blob_rb;
1908 RPC_HDR_AUTH auth_info;
1909 uint16 assoc_gid;
1910 fstring ack_pipe_name;
1911 prs_struct out_hdr_ba;
1912 prs_struct out_auth;
1913 int auth_len = 0;
1914 uint32_t ss_padding_len = 0;
1915 NTSTATUS status;
1916
1917 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1918
1919 /*
1920 * Marshall directly into the outgoing PDU space. We
1921 * must do this as we need to set to the bind response
1922 * header and are never sending more than one PDU here.
1923 */
1924
1925 /*
1926 * Setup the memory to marshall the ba header, and the
1927 * auth footers.
1928 */
1929
1930 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1931 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1932 prs_mem_free(&p->out_data.frag);
1933 return False;
1934 }
1935
1936 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1937 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1938 prs_mem_free(&p->out_data.frag);
1939 prs_mem_free(&out_hdr_ba);
1940 return False;
1941 }
1942
1943 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1944
1945 /* decode the alter context request */
1946 blob_rb = data_blob_const(prs_data_p(rpc_in_p),
1947 prs_data_size(rpc_in_p));
1948 status = dcerpc_pull_dcerpc_bind(talloc_tos(), &blob_rb, &rpc_bind);
1949 if (!NT_STATUS_IS_OK(status)) {
1950 goto err_exit;
1951 }
1952
1953 /* secondary address CAN be NULL
1954 * as the specs say it's ignored.
1955 * It MUST be NULL to have the spoolss working.
1956 */
1957 fstrcpy(ack_pipe_name,"");
1958
1959 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1960
1961 if (rpc_bind.assoc_group_id != 0) {
1962 assoc_gid = rpc_bind.assoc_group_id;
1963 } else {
1964 assoc_gid = 0x53f0;
1965 }
1966
1967 /*
1968 * Create the bind response struct.
1969 */
1970
1971 /* If the requested abstract synt uuid doesn't match our client pipe,
1972 reject the bind_ack & set the transfer interface synt to all 0's,
1973 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1974 unknown to NT4)
1975 Needed when adding entries to a DACL from NT5 - SK */
1976
1977 if (check_bind_req(p,
1978 &rpc_bind.ctx_list[0].abstract_syntax,
1979 &rpc_bind.ctx_list[0].transfer_syntaxes[0],
1980 rpc_bind.ctx_list[0].context_id)) {
1981 init_rpc_hdr_ba(&hdr_ba,
1982 RPC_MAX_PDU_FRAG_LEN,
1983 RPC_MAX_PDU_FRAG_LEN,
1984 assoc_gid,
1985 ack_pipe_name,
1986 0x1, 0x0, 0x0,
1987 &rpc_bind.ctx_list[0].transfer_syntaxes[0]);
1988 } else {
1989 /* Rejection reason: abstract syntax not supported */
1990 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1991 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1992 ack_pipe_name, 0x1, 0x2, 0x1,
1993 &null_ndr_syntax_id);
1994 p->pipe_bound = False;
1995 }
1996
1997 /*
1998 * and marshall it.
1999 */
2000
2001 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2002 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2003 goto err_exit;
2004 }
2005
2006
2007 /*
2008 * Check if this is an authenticated alter context request.
2009 */
2010
2011 if (p->hdr.auth_len != 0) {
2012 /*
2013 * Decode the authentication verifier.
2014 */
2015
2016 /* Work out any padding needed before the auth footer. */
2017 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
2018 ss_padding_len = SERVER_NDR_PADDING_SIZE -
2019 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
2020 DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2021 (unsigned int)ss_padding_len ));
2022 }
2023
2024 /* Quick length check. Won't catch a bad auth footer,
2025 * prevents overrun. */
2026
2027 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2028 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2029 "too long for fragment %u.\n",
2030 (unsigned int)p->hdr.auth_len,
2031 (unsigned int)p->hdr.frag_len ));
2032 goto err_exit;
2033 }
2034
2035 /* Pull the auth header and the following data into a blob. */
2036 /* NB. The offset of the auth_header is relative to the *end*
2037 * of the packet, not the start. Also, the length of the
2038 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2039 * as the RPC header isn't included in rpc_in_p. */
2040 if(!prs_set_offset(rpc_in_p,
2041 p->hdr.frag_len - RPC_HEADER_LEN -
2042 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2043 DEBUG(0,("api_alter_context: cannot move "
2044 "offset to %u.\n",
2045 (unsigned int)(p->hdr.frag_len -
2046 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2047 goto err_exit;
2048 }
2049
2050 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2051 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2052 goto err_exit;
2053 }
2054
2055 /*
2056 * Currently only the SPNEGO auth type uses the alter ctx
2057 * response in place of the NTLMSSP auth3 type.
2058 */
2059
2060 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2061 /* We can only finish if the pipe is unbound. */
2062 if (!p->pipe_bound) {
2063 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2064 ss_padding_len, &auth_info, &out_auth)) {
2065 goto err_exit;
2066 }
2067 } else {
2068 goto err_exit;
2069 }
2070 }
2071 } else {
2072 ZERO_STRUCT(auth_info);
2073 }
2074 /*
2075 * Create the header, now we know the length.
2076 */
2077
2078 if (prs_offset(&out_auth)) {
2079 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2080 }
2081
2082 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2083 p->hdr.call_id,
2084 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2085 auth_len);
2086
2087 /*
2088 * Marshall the header into the outgoing PDU.
2089 */
2090
2091 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2092 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2093 goto err_exit;
2094 }
2095
2096 /*
2097 * Now add the RPC_HDR_BA and any auth needed.
2098 */
2099
2100 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2101 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2102 goto err_exit;
2103 }
2104
2105 if (auth_len) {
2106 if (ss_padding_len) {
2107 char pad[SERVER_NDR_PADDING_SIZE];
2108 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2109 if (!prs_copy_data_in(&p->out_data.frag, pad,
2110 ss_padding_len)) {
2111 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2112 "bytes of pad data.\n",
2113 (unsigned int)ss_padding_len));
2114 goto err_exit;
2115 }
2116 }
2117
2118 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2119 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2120 goto err_exit;
2121 }
2122 }
2123
2124 /*
2125 * Setup the lengths for the initial reply.
2126 */
2127
2128 p->out_data.data_sent_length = 0;
2129 p->out_data.current_pdu_sent = 0;
2130
2131 prs_mem_free(&out_hdr_ba);
2132 prs_mem_free(&out_auth);
2133 return True;
2134
2135 err_exit:
2136
2137 prs_mem_free(&p->out_data.frag);
2138 prs_mem_free(&out_hdr_ba);
2139 prs_mem_free(&out_auth);
2140 return setup_bind_nak(p);
2141 }
2142
2143 /****************************************************************************
2144 Deal with NTLMSSP sign & seal processing on an RPC request.
2145 ****************************************************************************/
2146
2147 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2148 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2149 {
2150 RPC_HDR_AUTH auth_info;
2151 uint32 auth_len = p->hdr.auth_len;
2152 uint32 save_offset = prs_offset(rpc_in);
2153 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
2154 unsigned char *data = NULL;
2155 size_t data_len;
2156 unsigned char *full_packet_data = NULL;
2157 size_t full_packet_data_len;
2158 DATA_BLOB auth_blob;
2159
2160 *pstatus = NT_STATUS_OK;
2161
2162 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2163 return True;
2164 }
2165
2166 if (!a) {
2167 *pstatus = NT_STATUS_INVALID_PARAMETER;
2168 return False;
2169 }
2170
2171 /* Ensure there's enough data for an authenticated request. */
2172 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2173 + auth_len > p->hdr.frag_len) {
2174 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2175 (unsigned int)auth_len ));
2176 *pstatus = NT_STATUS_INVALID_PARAMETER;
2177 return False;
2178 }
2179
2180 /*
2181 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2182 * after the RPC header.
2183 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2184 * functions as NTLMv2 checks the rpc headers also.
2185 * Both of these values include any auth_pad_len bytes.
2186 */
2187
2188 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2189 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2190
2191 full_packet_data = p->in_data.pdu.data;
2192 full_packet_data_len = p->hdr.frag_len - auth_len;
2193
2194 /* Pull the auth header and the following data into a blob. */
2195 /* NB. The offset of the auth_header is relative to the *end*
2196 * of the packet, not the start. Also, the length of the
2197 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2198 * as the RPC header isn't included in rpc_in_p. */
2199 if(!prs_set_offset(rpc_in,
2200 p->hdr.frag_len - RPC_HEADER_LEN -
2201 RPC_HDR_AUTH_LEN - auth_len)) {
2202 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2203 "offset to %u.\n",
2204 (unsigned int)(p->hdr.frag_len -
2205 RPC_HDR_AUTH_LEN - auth_len) ));
2206 *pstatus = NT_STATUS_INVALID_PARAMETER;
2207 return False;
2208 }
2209
2210 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2211 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2212 "unmarshall RPC_HDR_AUTH.\n"));
2213 *pstatus = NT_STATUS_INVALID_PARAMETER;
2214 return False;
2215 }
2216
2217 /* Ensure auth_pad_len fits into the packet. */
2218 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2219 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2220 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2221 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2222 (unsigned int)auth_info.auth_pad_len,
2223 (unsigned int)auth_len,
2224 (unsigned int)p->hdr.frag_len ));
2225 *pstatus = NT_STATUS_INVALID_PARAMETER;
2226 return False;
2227 }
2228
2229 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2230 auth_blob.length = auth_len;
2231
2232 switch (p->auth.auth_level) {
2233 case DCERPC_AUTH_LEVEL_PRIVACY:
2234 /* Data is encrypted. */
2235 *pstatus = auth_ntlmssp_unseal_packet(a,
2236 data, data_len,
2237 full_packet_data,
2238 full_packet_data_len,
2239 &auth_blob);
2240 if (!NT_STATUS_IS_OK(*pstatus)) {
2241 return False;
2242 }
2243 break;
2244 case DCERPC_AUTH_LEVEL_INTEGRITY:
2245 /* Data is signed. */
2246 *pstatus = auth_ntlmssp_check_packet(a,
2247 data, data_len,
2248 full_packet_data,
2249 full_packet_data_len,
2250 &auth_blob);
2251 if (!NT_STATUS_IS_OK(*pstatus)) {
2252 return False;
2253 }
2254 break;
2255 default:
2256 *pstatus = NT_STATUS_INVALID_PARAMETER;
2257 return False;
2258 }
2259
2260 /*
2261 * Return the current pointer to the data offset.
2262 */
2263
2264 if(!prs_set_offset(rpc_in, save_offset)) {
2265 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2266 (unsigned int)save_offset ));
2267 *pstatus = NT_STATUS_INVALID_PARAMETER;
2268 return False;
2269 }
2270
2271 /*
2272 * Remember the padding length. We must remove it from the real data
2273 * stream once the sign/seal is done.
2274 */
2275
2276 *p_ss_padding_len = auth_info.auth_pad_len;
2277
2278 return True;
2279 }
2280
2281 /****************************************************************************
2282 Deal with schannel processing on an RPC request.
2283 ****************************************************************************/
2284
2285 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2286 {
2287 uint32 data_len;
2288 uint32 auth_len;
2289 uint32 save_offset = prs_offset(rpc_in);
2290 RPC_HDR_AUTH auth_info;
2291 DATA_BLOB blob;
2292 NTSTATUS status;
2293 uint8_t *data;
2294
2295 auth_len = p->hdr.auth_len;
2296
2297 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2298 auth_len > RPC_HEADER_LEN +
2299 RPC_HDR_REQ_LEN +
2300 RPC_HDR_AUTH_LEN +
2301 auth_len) {
2302 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2303 return False;
2304 }
2305
2306 /*
2307 * The following is that length of the data we must verify or unseal.
2308 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2309 * preceeding the auth_data, but does include the auth_pad_len bytes.
2310 */
2311
2312 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2313 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2314 (unsigned int)p->hdr.frag_len,
2315 (unsigned int)auth_len ));
2316 return False;
2317 }
2318
2319 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2320 RPC_HDR_AUTH_LEN - auth_len;
2321
2322 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2323
2324 /* Pull the auth header and the following data into a blob. */
2325 /* NB. The offset of the auth_header is relative to the *end*
2326 * of the packet, not the start. Also, the length of the
2327 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2328 * as the RPC header isn't included in rpc_in_p. */
2329 if(!prs_set_offset(rpc_in,
2330 p->hdr.frag_len - RPC_HEADER_LEN -
2331 RPC_HDR_AUTH_LEN - auth_len)) {
2332 DEBUG(0,("api_pipe_schannel_process: cannot move "
2333 "offset to %u.\n",
2334 (unsigned int)(p->hdr.frag_len -
2335 RPC_HDR_AUTH_LEN - auth_len) ));
2336 return False;
2337 }
2338
2339 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2340 DEBUG(0,("api_pipe_schannel_process: failed to "
2341 "unmarshall RPC_HDR_AUTH.\n"));
2342 return False;
2343 }
2344
2345 /* Ensure auth_pad_len fits into the packet. */
2346 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2347 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2348 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2349 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2350 (unsigned int)auth_info.auth_pad_len,
2351 (unsigned int)auth_len,
2352 (unsigned int)p->hdr.frag_len ));
2353 return False;
2354 }
2355
2356 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2357 DEBUG(0,("Invalid auth info %d on schannel\n",
2358 auth_info.auth_type));
2359 return False;
2360 }
2361
2362 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2363
2364 if (DEBUGLEVEL >= 10) {
2365 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2366 }
2367
2368 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2369
2370 switch (auth_info.auth_level) {
2371 case DCERPC_AUTH_LEVEL_PRIVACY:
2372 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2373 talloc_tos(),
2374 true,
2375 data,
2376 data_len,
2377 &blob);
2378 break;
2379 case DCERPC_AUTH_LEVEL_INTEGRITY:
2380 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2381 talloc_tos(),
2382 false,
2383 data,
2384 data_len,
2385 &blob);
2386 break;
2387 default:
2388 status = NT_STATUS_INTERNAL_ERROR;
2389 break;
2390 }
2391
2392 if (!NT_STATUS_IS_OK(status)) {
2393 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2394 return false;
2395 }
2396
2397 /*
2398 * Return the current pointer to the data offset.
2399 */
2400
2401 if(!prs_set_offset(rpc_in, save_offset)) {
2402 DEBUG(0,("failed to set offset back to %u\n",
2403 (unsigned int)save_offset ));
2404 return False;
2405 }
2406
2407 /*
2408 * Remember the padding length. We must remove it from the real data
2409 * stream once the sign/seal is done.
2410 */
2411
2412 *p_ss_padding_len = auth_info.auth_pad_len;
2413
2414 return True;
2415 }
2416
2417 /****************************************************************************
2418 Find the set of RPC functions associated with this context_id
2419 ****************************************************************************/
2420
2421 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2422 {
2423 PIPE_RPC_FNS *fns = NULL;
2424
2425 if ( !list ) {
2426 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2427 return NULL;
2428 }
2429
2430 for (fns=list; fns; fns=fns->next ) {
2431 if ( fns->context_id == context_id )
2432 return fns;
2433 }
2434 return NULL;
2435 }
2436
2437 /****************************************************************************
2438 Memory cleanup.
2439 ****************************************************************************/
2440
2441 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2442 {
2443 PIPE_RPC_FNS *tmp = list;
2444 PIPE_RPC_FNS *tmp2;
2445
2446 while (tmp) {
2447 tmp2 = tmp->next;
2448 SAFE_FREE(tmp);
2449 tmp = tmp2;
2450 }
2451
2452 return;
2453 }
2454
2455 static bool api_rpcTNP(pipes_struct *p,
2456 const struct api_struct *api_rpc_cmds, int n_cmds);
2457
2458 /****************************************************************************
2459 Find the correct RPC function to call for this request.
2460 If the pipe is authenticated then become the correct UNIX user
2461 before doing the call.
2462 ****************************************************************************/
2463
2464 bool api_pipe_request(pipes_struct *p)
2465 {
2466 bool ret = False;
2467 bool changed_user = False;
2468 PIPE_RPC_FNS *pipe_fns;
2469
2470 if (p->pipe_bound &&
2471 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2472 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2473 if(!become_authenticated_pipe_user(p)) {
2474 prs_mem_free(&p->out_data.rdata);
2475 return False;
2476 }
2477 changed_user = True;
2478 }
2479
2480 DEBUG(5, ("Requested \\PIPE\\%s\n",
2481 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2482
2483 /* get the set of RPC functions for this context */
2484
2485 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2486
2487 if ( pipe_fns ) {
2488 TALLOC_CTX *frame = talloc_stackframe();
2489 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2490 TALLOC_FREE(frame);
2491 }
2492 else {
2493 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2494 p->hdr_req.context_id,
2495 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2496 }
2497
2498 if (changed_user) {
2499 unbecome_authenticated_pipe_user();
2500 }
2501
2502 return ret;
2503 }
2504
2505 /*******************************************************************
2506 Calls the underlying RPC function for a named pipe.
2507 ********************************************************************/
2508
2509 static bool api_rpcTNP(pipes_struct *p,
2510 const struct api_struct *api_rpc_cmds, int n_cmds)
2511 {
2512 int fn_num;
2513 uint32 offset1, offset2;
2514
2515 /* interpret the command */
2516 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2517 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2518 p->hdr_req.opnum));
2519
2520 if (DEBUGLEVEL >= 50) {
2521 fstring name;
2522 slprintf(name, sizeof(name)-1, "in_%s",
2523 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2524 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2525 }
2526
2527 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2528 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2529 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2530 break;
2531 }
2532 }
2533
2534 if (fn_num == n_cmds) {
2535 /*
2536 * For an unknown RPC just return a fault PDU but
2537 * return True to allow RPC's on the pipe to continue
2538 * and not put the pipe into fault state. JRA.
2539 */
2540 DEBUG(4, ("unknown\n"));
2541 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2542 return True;
2543 }
2544
2545 offset1 = prs_offset(&p->out_data.rdata);
2546
2547 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2548 fn_num, api_rpc_cmds[fn_num].fn));
2549 /* do the actual command */
2550 if(!api_rpc_cmds[fn_num].fn(p)) {
2551 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2552 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2553 api_rpc_cmds[fn_num].name));
2554 prs_mem_free(&p->out_data.rdata);
2555 return False;
2556 }
2557
2558 if (p->bad_handle_fault_state) {
2559 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2560 p->bad_handle_fault_state = False;
2561 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2562 return True;
2563 }
2564
2565 if (p->rng_fault_state) {
2566 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2567 p->rng_fault_state = False;
2568 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2569 return True;
2570 }
2571
2572 offset2 = prs_offset(&p->out_data.rdata);
2573 prs_set_offset(&p->out_data.rdata, offset1);
2574 if (DEBUGLEVEL >= 50) {
2575 fstring name;
2576 slprintf(name, sizeof(name)-1, "out_%s",
2577 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2578 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2579 }
2580 prs_set_offset(&p->out_data.rdata, offset2);
2581
2582 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2583 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2584
2585 /* Check for buffer underflow in rpc parsing */
2586
2587 if ((DEBUGLEVEL >= 10) &&
2588 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2589 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2590 char *data = (char *)SMB_MALLOC(data_len);
2591
2592 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2593 if (data) {
2594 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2595 SAFE_FREE(data);
2596 }
2597
2598 }
2599
2600 return True;
2601 }
stuff from bjacke