ntlmssp: Make the ntlmssp.h from source3/ a common header
[Samba/ekacnet.git] / source3 / rpc_server / srv_pipe.c
blobce087a4e034e52c30c0d23128a22b870e5e046b3
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
30 #include "includes.h"
31 #include "../librpc/gen_ndr/ndr_schannel.h"
32 #include "../libcli/auth/schannel.h"
33 #include "../libcli/auth/spnego.h"
34 #include "../libcli/auth/ntlmssp.h"
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
41 struct auth_ntlmssp_state *a = auth->a_u.auth_ntlmssp_state;
43 if (a) {
44 auth_ntlmssp_end(&a);
46 auth->a_u.auth_ntlmssp_state = NULL;
49 static DATA_BLOB generic_session_key(void)
51 return data_blob("SystemLibraryDTC", 16);
54 /*******************************************************************
55 Generate the next PDU to be returned from the data in p->rdata.
56 Handle NTLMSSP.
57 ********************************************************************/
59 static bool create_next_pdu_ntlmssp(pipes_struct *p)
61 RPC_HDR_RESP hdr_resp;
62 uint32 ss_padding_len = 0;
63 uint32 data_space_available;
64 uint32 data_len_left;
65 uint32 data_len;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
90 } else {
91 p->hdr.flags = 0;
95 * Work out how much we can fit in a single PDU.
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101 * Ensure there really is data left to send.
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
109 /* Space available - not including padding. */
110 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
111 RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114 * The amount we send is the minimum of the available
115 * space and the amount left to send.
118 data_len = MIN(data_len_left, data_space_available);
120 /* Work out any padding alignment requirements. */
121 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
122 ss_padding_len = SERVER_NDR_PADDING_SIZE -
123 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
124 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
125 ss_padding_len ));
126 /* If we're over filling the packet, we need to make space
127 * for the padding at the end of the data. */
128 if (data_len + ss_padding_len > data_space_available) {
129 data_len -= SERVER_NDR_PADDING_SIZE;
134 * Set up the alloc hint. This should be the data left to
135 * send.
138 hdr_resp.alloc_hint = data_len_left;
141 * Work out if this PDU will be the last.
144 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
145 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
149 * Set up the header lengths.
152 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
153 data_len + ss_padding_len +
154 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
155 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
159 * Init the parse struct to point at the outgoing
160 * data.
163 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
165 /* Store the header in the data stream. */
166 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
167 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
168 prs_mem_free(&p->out_data.frag);
169 return False;
172 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
174 prs_mem_free(&p->out_data.frag);
175 return False;
178 /* Copy the data into the PDU. */
180 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
181 p->out_data.data_sent_length, data_len)) {
182 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
183 prs_mem_free(&p->out_data.frag);
184 return False;
187 /* Copy the sign/seal padding data. */
188 if (ss_padding_len) {
189 char pad[SERVER_NDR_PADDING_SIZE];
191 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
192 if (!prs_copy_data_in(&p->out_data.frag, pad,
193 ss_padding_len)) {
194 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
195 (unsigned int)ss_padding_len));
196 prs_mem_free(&p->out_data.frag);
197 return False;
202 /* Now write out the auth header and null blob. */
203 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
204 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
205 } else {
206 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
208 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
209 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
210 } else {
211 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
214 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
216 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
217 &p->out_data.frag, 0)) {
218 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&p->out_data.frag);
220 return False;
223 /* Generate the sign blob. */
225 switch (p->auth.auth_level) {
226 case DCERPC_AUTH_LEVEL_PRIVACY:
227 /* Data portion is encrypted. */
228 status = auth_ntlmssp_seal_packet(
230 (uint8_t *)prs_data_p(&p->out_data.frag)
231 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232 data_len + ss_padding_len,
233 (unsigned char *)prs_data_p(&p->out_data.frag),
234 (size_t)prs_offset(&p->out_data.frag),
235 &auth_blob);
236 if (!NT_STATUS_IS_OK(status)) {
237 data_blob_free(&auth_blob);
238 prs_mem_free(&p->out_data.frag);
239 return False;
241 break;
242 case DCERPC_AUTH_LEVEL_INTEGRITY:
243 /* Data is signed. */
244 status = auth_ntlmssp_sign_packet(
246 (unsigned char *)prs_data_p(&p->out_data.frag)
247 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
248 data_len + ss_padding_len,
249 (unsigned char *)prs_data_p(&p->out_data.frag),
250 (size_t)prs_offset(&p->out_data.frag),
251 &auth_blob);
252 if (!NT_STATUS_IS_OK(status)) {
253 data_blob_free(&auth_blob);
254 prs_mem_free(&p->out_data.frag);
255 return False;
257 break;
258 default:
259 prs_mem_free(&p->out_data.frag);
260 return False;
263 /* Append the auth blob. */
264 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
265 NTLMSSP_SIG_SIZE)) {
266 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
267 (unsigned int)NTLMSSP_SIG_SIZE));
268 data_blob_free(&auth_blob);
269 prs_mem_free(&p->out_data.frag);
270 return False;
273 data_blob_free(&auth_blob);
276 * Setup the counts for this PDU.
279 p->out_data.data_sent_length += data_len;
280 p->out_data.current_pdu_sent = 0;
282 return True;
285 /*******************************************************************
286 Generate the next PDU to be returned from the data in p->rdata.
287 Return an schannel authenticated fragment.
288 ********************************************************************/
290 static bool create_next_pdu_schannel(pipes_struct *p)
292 RPC_HDR_RESP hdr_resp;
293 uint32 ss_padding_len = 0;
294 uint32 data_len;
295 uint32 data_space_available;
296 uint32 data_len_left;
297 uint32 data_pos;
298 NTSTATUS status;
301 * If we're in the fault state, keep returning fault PDU's until
302 * the pipe gets closed. JRA.
305 if(p->fault_state) {
306 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
307 return True;
310 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
312 /* Change the incoming request header to a response. */
313 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
315 /* Set up rpc header flags. */
316 if (p->out_data.data_sent_length == 0) {
317 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
318 } else {
319 p->hdr.flags = 0;
323 * Work out how much we can fit in a single PDU.
326 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
329 * Ensure there really is data left to send.
332 if(!data_len_left) {
333 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
334 return False;
337 /* Space available - not including padding. */
338 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
339 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
340 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
343 * The amount we send is the minimum of the available
344 * space and the amount left to send.
347 data_len = MIN(data_len_left, data_space_available);
349 /* Work out any padding alignment requirements. */
350 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
351 ss_padding_len = SERVER_NDR_PADDING_SIZE -
352 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
353 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
354 ss_padding_len ));
355 /* If we're over filling the packet, we need to make space
356 * for the padding at the end of the data. */
357 if (data_len + ss_padding_len > data_space_available) {
358 data_len -= SERVER_NDR_PADDING_SIZE;
363 * Set up the alloc hint. This should be the data left to
364 * send.
367 hdr_resp.alloc_hint = data_len_left;
370 * Work out if this PDU will be the last.
373 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
374 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
377 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
378 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
379 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
382 * Init the parse struct to point at the outgoing
383 * data.
386 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
388 /* Store the header in the data stream. */
389 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
390 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
391 prs_mem_free(&p->out_data.frag);
392 return False;
395 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
396 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
397 prs_mem_free(&p->out_data.frag);
398 return False;
401 /* Store the current offset. */
402 data_pos = prs_offset(&p->out_data.frag);
404 /* Copy the data into the PDU. */
406 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
407 p->out_data.data_sent_length, data_len)) {
408 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
409 prs_mem_free(&p->out_data.frag);
410 return False;
413 /* Copy the sign/seal padding data. */
414 if (ss_padding_len) {
415 char pad[SERVER_NDR_PADDING_SIZE];
416 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
417 if (!prs_copy_data_in(&p->out_data.frag, pad,
418 ss_padding_len)) {
419 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
420 prs_mem_free(&p->out_data.frag);
421 return False;
427 * Schannel processing.
429 RPC_HDR_AUTH auth_info;
430 DATA_BLOB blob;
431 uint8_t *data;
433 /* Check it's the type of reply we were expecting to decode */
435 init_rpc_hdr_auth(&auth_info,
436 DCERPC_AUTH_TYPE_SCHANNEL,
437 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
438 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
439 ss_padding_len, 1);
441 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
442 &p->out_data.frag, 0)) {
443 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
444 prs_mem_free(&p->out_data.frag);
445 return False;
448 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
450 switch (p->auth.auth_level) {
451 case DCERPC_AUTH_LEVEL_PRIVACY:
452 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
453 talloc_tos(),
454 true,
455 data,
456 data_len + ss_padding_len,
457 &blob);
458 break;
459 case DCERPC_AUTH_LEVEL_INTEGRITY:
460 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
461 talloc_tos(),
462 false,
463 data,
464 data_len + ss_padding_len,
465 &blob);
466 break;
467 default:
468 status = NT_STATUS_INTERNAL_ERROR;
469 break;
472 if (!NT_STATUS_IS_OK(status)) {
473 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
474 nt_errstr(status)));
475 prs_mem_free(&p->out_data.frag);
476 return false;
479 /* Finally marshall the blob. */
481 if (DEBUGLEVEL >= 10) {
482 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
485 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
486 prs_mem_free(&p->out_data.frag);
487 return false;
492 * Setup the counts for this PDU.
495 p->out_data.data_sent_length += data_len;
496 p->out_data.current_pdu_sent = 0;
498 return True;
501 /*******************************************************************
502 Generate the next PDU to be returned from the data in p->rdata.
503 No authentication done.
504 ********************************************************************/
506 static bool create_next_pdu_noauth(pipes_struct *p)
508 RPC_HDR_RESP hdr_resp;
509 uint32 data_len;
510 uint32 data_space_available;
511 uint32 data_len_left;
514 * If we're in the fault state, keep returning fault PDU's until
515 * the pipe gets closed. JRA.
518 if(p->fault_state) {
519 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
520 return True;
523 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
525 /* Change the incoming request header to a response. */
526 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
528 /* Set up rpc header flags. */
529 if (p->out_data.data_sent_length == 0) {
530 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
531 } else {
532 p->hdr.flags = 0;
536 * Work out how much we can fit in a single PDU.
539 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
542 * Ensure there really is data left to send.
545 if(!data_len_left) {
546 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
547 return False;
550 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
551 - RPC_HDR_RESP_LEN;
554 * The amount we send is the minimum of the available
555 * space and the amount left to send.
558 data_len = MIN(data_len_left, data_space_available);
561 * Set up the alloc hint. This should be the data left to
562 * send.
565 hdr_resp.alloc_hint = data_len_left;
568 * Work out if this PDU will be the last.
571 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
572 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
576 * Set up the header lengths.
579 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
580 p->hdr.auth_len = 0;
583 * Init the parse struct to point at the outgoing
584 * data.
587 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
589 /* Store the header in the data stream. */
590 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
591 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
592 prs_mem_free(&p->out_data.frag);
593 return False;
596 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
597 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
598 prs_mem_free(&p->out_data.frag);
599 return False;
602 /* Copy the data into the PDU. */
604 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
605 p->out_data.data_sent_length, data_len)) {
606 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
607 prs_mem_free(&p->out_data.frag);
608 return False;
612 * Setup the counts for this PDU.
615 p->out_data.data_sent_length += data_len;
616 p->out_data.current_pdu_sent = 0;
618 return True;
621 /*******************************************************************
622 Generate the next PDU to be returned from the data in p->rdata.
623 ********************************************************************/
625 bool create_next_pdu(pipes_struct *p)
627 switch(p->auth.auth_level) {
628 case DCERPC_AUTH_LEVEL_NONE:
629 case DCERPC_AUTH_LEVEL_CONNECT:
630 /* This is incorrect for auth level connect. Fixme. JRA */
631 return create_next_pdu_noauth(p);
633 default:
634 switch(p->auth.auth_type) {
635 case PIPE_AUTH_TYPE_NTLMSSP:
636 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
637 return create_next_pdu_ntlmssp(p);
638 case PIPE_AUTH_TYPE_SCHANNEL:
639 return create_next_pdu_schannel(p);
640 default:
641 break;
645 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
646 (unsigned int)p->auth.auth_level,
647 (unsigned int)p->auth.auth_type));
648 return False;
651 /*******************************************************************
652 Process an NTLMSSP authentication response.
653 If this function succeeds, the user has been authenticated
654 and their domain, name and calling workstation stored in
655 the pipe struct.
656 *******************************************************************/
658 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
660 DATA_BLOB session_key, reply;
661 NTSTATUS status;
662 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
663 bool ret;
665 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
666 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
668 ZERO_STRUCT(reply);
670 /* this has to be done as root in order to verify the password */
671 become_root();
672 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
673 unbecome_root();
675 /* Don't generate a reply. */
676 data_blob_free(&reply);
678 if (!NT_STATUS_IS_OK(status)) {
679 return False;
682 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
683 ensure the underlying NTLMSSP flags are also set. If not we should
684 refuse the bind. */
686 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
687 if (!auth_ntlmssp_negotiated_sign(a)) {
688 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
689 "but client declined signing.\n",
690 get_pipe_name_from_syntax(talloc_tos(),
691 &p->syntax)));
692 return False;
695 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
696 if (!auth_ntlmssp_negotiated_seal(a)) {
697 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
698 "but client declined sealing.\n",
699 get_pipe_name_from_syntax(talloc_tos(),
700 &p->syntax)));
701 return False;
705 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
706 "workstation: %s\n",
707 auth_ntlmssp_get_username(a),
708 auth_ntlmssp_get_domain(a),
709 auth_ntlmssp_get_client(a)));
711 TALLOC_FREE(p->server_info);
713 p->server_info = auth_ntlmssp_server_info(p, a);
714 if (p->server_info == NULL) {
715 DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user\n"));
716 return false;
719 if (p->server_info->ptok == NULL) {
720 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
721 return False;
725 * We're an authenticated bind over smb, so the session key needs to
726 * be set to "SystemLibraryDTC". Weird, but this is what Windows
727 * does. See the RPC-SAMBA3SESSIONKEY.
730 session_key = generic_session_key();
731 if (session_key.data == NULL) {
732 return False;
735 ret = server_info_set_session_key(p->server_info, session_key);
737 data_blob_free(&session_key);
739 return True;
742 /*******************************************************************
743 The switch table for the pipe names and the functions to handle them.
744 *******************************************************************/
746 struct rpc_table {
747 struct {
748 const char *clnt;
749 const char *srv;
750 } pipe;
751 struct ndr_syntax_id rpc_interface;
752 const struct api_struct *cmds;
753 int n_cmds;
756 static struct rpc_table *rpc_lookup;
757 static int rpc_lookup_size;
759 /*******************************************************************
760 This is the "stage3" NTLMSSP response after a bind request and reply.
761 *******************************************************************/
763 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
765 RPC_HDR_AUTH auth_info;
766 uint32 pad = 0;
767 DATA_BLOB blob;
768 uint32_t auth_len = p->hdr.auth_len;
770 ZERO_STRUCT(blob);
772 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
774 if (auth_len == 0) {
775 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
776 goto err;
779 /* 4 bytes padding. */
780 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
781 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
782 goto err;
785 /* Ensure there's enough data for an authenticated request. */
786 if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
787 p->hdr.frag_len) {
788 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
789 "%u is too large.\n",
790 (unsigned int)auth_len ));
791 goto err;
795 * Decode the authentication verifier response.
798 /* Pull the auth header and the following data into a blob. */
799 /* NB. The offset of the auth_header is relative to the *end*
800 * of the packet, not the start. Also, the length of the
801 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
802 * as the RPC header isn't included in rpc_in_p. */
803 if(!prs_set_offset(rpc_in_p,
804 p->hdr.frag_len - RPC_HEADER_LEN -
805 RPC_HDR_AUTH_LEN - auth_len)) {
806 DEBUG(0,("api_pipe_bind_auth3: cannot move "
807 "offset to %u.\n",
808 (unsigned int)(p->hdr.frag_len -
809 RPC_HDR_AUTH_LEN - auth_len) ));
810 goto err;
813 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
814 DEBUG(0,("api_pipe_bind_auth3: failed to "
815 "unmarshall RPC_HDR_AUTH.\n"));
816 goto err;
819 /* We must NEVER look at auth_info->auth_pad_len here,
820 * as old Samba client code gets it wrong and sends it
821 * as zero. JRA.
824 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
825 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
826 (unsigned int)auth_info.auth_type ));
827 return False;
830 blob = data_blob(NULL,p->hdr.auth_len);
832 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
833 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
834 (unsigned int)p->hdr.auth_len ));
835 goto err;
839 * The following call actually checks the challenge/response data.
840 * for correctness against the given DOMAIN\user name.
843 if (!pipe_ntlmssp_verify_final(p, &blob)) {
844 goto err;
847 data_blob_free(&blob);
849 p->pipe_bound = True;
851 return True;
853 err:
855 data_blob_free(&blob);
856 free_pipe_ntlmssp_auth_data(&p->auth);
857 p->auth.a_u.auth_ntlmssp_state = NULL;
859 return False;
862 /*******************************************************************
863 Marshall a bind_nak pdu.
864 *******************************************************************/
866 static bool setup_bind_nak(pipes_struct *p)
868 RPC_HDR nak_hdr;
869 uint16 zero = 0;
871 /* Free any memory in the current return data buffer. */
872 prs_mem_free(&p->out_data.rdata);
875 * Marshall directly into the outgoing PDU space. We
876 * must do this as we need to set to the bind response
877 * header and are never sending more than one PDU here.
880 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
883 * Initialize a bind_nak header.
886 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
887 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
890 * Marshall the header into the outgoing PDU.
893 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
894 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
895 prs_mem_free(&p->out_data.frag);
896 return False;
900 * Now add the reject reason.
903 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
904 prs_mem_free(&p->out_data.frag);
905 return False;
908 p->out_data.data_sent_length = 0;
909 p->out_data.current_pdu_sent = 0;
911 if (p->auth.auth_data_free_func) {
912 (*p->auth.auth_data_free_func)(&p->auth);
914 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
915 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
916 p->pipe_bound = False;
918 return True;
921 /*******************************************************************
922 Marshall a fault pdu.
923 *******************************************************************/
925 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
927 RPC_HDR fault_hdr;
928 RPC_HDR_RESP hdr_resp;
929 RPC_HDR_FAULT fault_resp;
931 /* Free any memory in the current return data buffer. */
932 prs_mem_free(&p->out_data.rdata);
935 * Marshall directly into the outgoing PDU space. We
936 * must do this as we need to set to the bind response
937 * header and are never sending more than one PDU here.
940 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
943 * Initialize a fault header.
946 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
947 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
950 * Initialize the HDR_RESP and FAULT parts of the PDU.
953 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
955 fault_resp.status = status;
956 fault_resp.reserved = 0;
959 * Marshall the header into the outgoing PDU.
962 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
963 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
964 prs_mem_free(&p->out_data.frag);
965 return False;
968 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
969 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
970 prs_mem_free(&p->out_data.frag);
971 return False;
974 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
975 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
976 prs_mem_free(&p->out_data.frag);
977 return False;
980 p->out_data.data_sent_length = 0;
981 p->out_data.current_pdu_sent = 0;
983 return True;
986 #if 0
987 /*******************************************************************
988 Marshall a cancel_ack pdu.
989 We should probably check the auth-verifier here.
990 *******************************************************************/
992 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
994 prs_struct outgoing_pdu;
995 RPC_HDR ack_reply_hdr;
997 /* Free any memory in the current return data buffer. */
998 prs_mem_free(&p->out_data.rdata);
1001 * Marshall directly into the outgoing PDU space. We
1002 * must do this as we need to set to the bind response
1003 * header and are never sending more than one PDU here.
1006 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
1007 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1010 * Initialize a cancel_ack header.
1013 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1014 p->hdr.call_id, RPC_HEADER_LEN, 0);
1017 * Marshall the header into the outgoing PDU.
1020 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
1021 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
1022 prs_mem_free(&outgoing_pdu);
1023 return False;
1026 p->out_data.data_sent_length = 0;
1027 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
1028 p->out_data.current_pdu_sent = 0;
1030 prs_mem_free(&outgoing_pdu);
1031 return True;
1033 #endif
1035 /*******************************************************************
1036 Ensure a bind request has the correct abstract & transfer interface.
1037 Used to reject unknown binds from Win2k.
1038 *******************************************************************/
1040 static bool check_bind_req(struct pipes_struct *p,
1041 struct ndr_syntax_id* abstract,
1042 struct ndr_syntax_id* transfer,
1043 uint32 context_id)
1045 int i=0;
1046 struct pipe_rpc_fns *context_fns;
1048 DEBUG(3,("check_bind_req for %s\n",
1049 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1051 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1053 for (i=0; i<rpc_lookup_size; i++) {
1054 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1055 if (ndr_syntax_id_equal(
1056 abstract, &rpc_lookup[i].rpc_interface)
1057 && ndr_syntax_id_equal(
1058 transfer, &ndr_transfer_syntax)) {
1059 break;
1063 if (i == rpc_lookup_size) {
1064 return false;
1067 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1068 if (context_fns == NULL) {
1069 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1070 return False;
1073 context_fns->cmds = rpc_lookup[i].cmds;
1074 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1075 context_fns->context_id = context_id;
1077 /* add to the list of open contexts */
1079 DLIST_ADD( p->contexts, context_fns );
1081 return True;
1084 /*******************************************************************
1085 Register commands to an RPC pipe
1086 *******************************************************************/
1088 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1089 const struct ndr_interface_table *iface,
1090 const struct api_struct *cmds, int size)
1092 struct rpc_table *rpc_entry;
1094 if (!clnt || !srv || !cmds) {
1095 return NT_STATUS_INVALID_PARAMETER;
1098 if (version != SMB_RPC_INTERFACE_VERSION) {
1099 DEBUG(0,("Can't register rpc commands!\n"
1100 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1101 ", while this version of samba uses version %d!\n",
1102 version,SMB_RPC_INTERFACE_VERSION));
1103 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1106 /* TODO:
1108 * we still need to make sure that don't register the same commands twice!!!
1110 * --metze
1113 /* We use a temporary variable because this call can fail and
1114 rpc_lookup will still be valid afterwards. It could then succeed if
1115 called again later */
1116 rpc_lookup_size++;
1117 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1118 if (NULL == rpc_entry) {
1119 rpc_lookup_size--;
1120 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1121 return NT_STATUS_NO_MEMORY;
1122 } else {
1123 rpc_lookup = rpc_entry;
1126 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1127 ZERO_STRUCTP(rpc_entry);
1128 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1129 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1130 rpc_entry->rpc_interface = iface->syntax_id;
1131 rpc_entry->cmds = cmds;
1132 rpc_entry->n_cmds = size;
1134 return NT_STATUS_OK;
1138 * Is a named pipe known?
1139 * @param[in] cli_filename The pipe name requested by the client
1140 * @result Do we want to serve this?
1142 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1144 const char *pipename = cli_filename;
1145 int i;
1146 NTSTATUS status;
1148 if (strnequal(pipename, "\\PIPE\\", 6)) {
1149 pipename += 5;
1152 if (*pipename == '\\') {
1153 pipename += 1;
1156 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1157 DEBUG(10, ("refusing spoolss access\n"));
1158 return false;
1161 for (i=0; i<rpc_lookup_size; i++) {
1162 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1163 *syntax = rpc_lookup[i].rpc_interface;
1164 return true;
1168 status = smb_probe_module("rpc", pipename);
1169 if (!NT_STATUS_IS_OK(status)) {
1170 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1171 return false;
1173 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1176 * Scan the list again for the interface id
1179 for (i=0; i<rpc_lookup_size; i++) {
1180 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1181 *syntax = rpc_lookup[i].rpc_interface;
1182 return true;
1186 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1187 pipename));
1189 return false;
1192 /*******************************************************************
1193 Handle a SPNEGO krb5 bind auth.
1194 *******************************************************************/
1196 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1197 DATA_BLOB *psecblob, prs_struct *pout_auth)
1199 return False;
1202 /*******************************************************************
1203 Handle the first part of a SPNEGO bind auth.
1204 *******************************************************************/
1206 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1207 uint32_t ss_padding_len,
1208 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1210 DATA_BLOB blob;
1211 DATA_BLOB secblob;
1212 DATA_BLOB response;
1213 DATA_BLOB chal;
1214 char *OIDs[ASN1_MAX_OIDS];
1215 int i;
1216 NTSTATUS status;
1217 bool got_kerberos_mechanism = false;
1218 struct auth_ntlmssp_state *a = NULL;
1219 RPC_HDR_AUTH auth_info;
1221 ZERO_STRUCT(secblob);
1222 ZERO_STRUCT(chal);
1223 ZERO_STRUCT(response);
1225 /* Grab the SPNEGO blob. */
1226 blob = data_blob(NULL,p->hdr.auth_len);
1228 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1229 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1230 (unsigned int)p->hdr.auth_len ));
1231 goto err;
1234 if (blob.data[0] != ASN1_APPLICATION(0)) {
1235 goto err;
1238 /* parse out the OIDs and the first sec blob */
1239 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1240 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1241 goto err;
1244 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1245 got_kerberos_mechanism = true;
1248 for (i=0;OIDs[i];i++) {
1249 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1250 TALLOC_FREE(OIDs[i]);
1252 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1254 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1255 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1256 data_blob_free(&secblob);
1257 data_blob_free(&blob);
1258 return ret;
1261 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1262 /* Free any previous auth type. */
1263 free_pipe_ntlmssp_auth_data(&p->auth);
1266 if (!got_kerberos_mechanism) {
1267 /* Initialize the NTLM engine. */
1268 status = auth_ntlmssp_start(&a);
1269 if (!NT_STATUS_IS_OK(status)) {
1270 goto err;
1274 * Pass the first security blob of data to it.
1275 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1276 * which means we need another packet to complete the bind.
1279 status = auth_ntlmssp_update(a, secblob, &chal);
1281 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1282 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1283 goto err;
1286 /* Generate the response blob we need for step 2 of the bind. */
1287 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1288 } else {
1290 * SPNEGO negotiate down to NTLMSSP. The subsequent
1291 * code to process follow-up packets is not complete
1292 * yet. JRA.
1294 response = spnego_gen_auth_response(NULL,
1295 NT_STATUS_MORE_PROCESSING_REQUIRED,
1296 OID_NTLMSSP);
1299 /* auth_pad_len will be handled by the caller */
1301 /* Copy the blob into the pout_auth parse struct */
1302 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1303 pauth_info->auth_level, ss_padding_len, 1);
1304 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1305 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1306 goto err;
1309 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1310 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1311 goto err;
1314 p->auth.a_u.auth_ntlmssp_state = a;
1315 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1316 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1318 data_blob_free(&blob);
1319 data_blob_free(&secblob);
1320 data_blob_free(&chal);
1321 data_blob_free(&response);
1323 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1324 return True;
1326 err:
1328 data_blob_free(&blob);
1329 data_blob_free(&secblob);
1330 data_blob_free(&chal);
1331 data_blob_free(&response);
1333 p->auth.a_u.auth_ntlmssp_state = NULL;
1335 return False;
1338 /*******************************************************************
1339 Handle the second part of a SPNEGO bind auth.
1340 *******************************************************************/
1342 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1343 uint32_t ss_padding_len,
1344 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1346 RPC_HDR_AUTH auth_info;
1347 DATA_BLOB spnego_blob;
1348 DATA_BLOB auth_blob;
1349 DATA_BLOB auth_reply;
1350 DATA_BLOB response;
1351 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
1353 ZERO_STRUCT(spnego_blob);
1354 ZERO_STRUCT(auth_blob);
1355 ZERO_STRUCT(auth_reply);
1356 ZERO_STRUCT(response);
1359 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1360 * fail here as 'a' == NULL.
1362 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1363 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1364 goto err;
1367 /* Grab the SPNEGO blob. */
1368 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1370 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1371 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1372 (unsigned int)p->hdr.auth_len ));
1373 goto err;
1376 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1377 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1378 goto err;
1381 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1382 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1383 goto err;
1387 * The following call actually checks the challenge/response data.
1388 * for correctness against the given DOMAIN\user name.
1391 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1392 goto err;
1395 data_blob_free(&spnego_blob);
1396 data_blob_free(&auth_blob);
1398 /* Generate the spnego "accept completed" blob - no incoming data. */
1399 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1401 /* FIXME - add auth_pad_len here ! */
1403 /* Copy the blob into the pout_auth parse struct */
1404 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1405 pauth_info->auth_level, ss_padding_len, 1);
1406 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1407 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1408 goto err;
1411 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1412 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1413 goto err;
1416 data_blob_free(&auth_reply);
1417 data_blob_free(&response);
1419 p->pipe_bound = True;
1421 return True;
1423 err:
1425 data_blob_free(&spnego_blob);
1426 data_blob_free(&auth_blob);
1427 data_blob_free(&auth_reply);
1428 data_blob_free(&response);
1430 free_pipe_ntlmssp_auth_data(&p->auth);
1431 p->auth.a_u.auth_ntlmssp_state = NULL;
1433 return False;
1436 /*******************************************************************
1437 Handle an schannel bind auth.
1438 *******************************************************************/
1440 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1441 uint32_t ss_padding_len,
1442 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1444 RPC_HDR_AUTH auth_info;
1445 struct NL_AUTH_MESSAGE neg;
1446 struct NL_AUTH_MESSAGE reply;
1447 bool ret;
1448 NTSTATUS status;
1449 struct netlogon_creds_CredentialState *creds;
1450 DATA_BLOB session_key;
1451 enum ndr_err_code ndr_err;
1452 DATA_BLOB blob;
1454 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1455 prs_data_size(rpc_in_p));
1457 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), &neg,
1458 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1459 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1460 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1461 return false;
1464 if (DEBUGLEVEL >= 10) {
1465 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1468 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1469 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1470 return false;
1474 * The neg.oem_netbios_computer.a key here must match the remote computer name
1475 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1476 * operations that use credentials.
1479 become_root();
1480 status = schannel_get_creds_state(p, lp_private_dir(),
1481 neg.oem_netbios_computer.a, &creds);
1482 unbecome_root();
1484 if (!NT_STATUS_IS_OK(status)) {
1485 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1486 return False;
1489 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1490 if (!p->auth.a_u.schannel_auth) {
1491 TALLOC_FREE(creds);
1492 return False;
1495 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1496 p->auth.a_u.schannel_auth->seq_num = 0;
1497 p->auth.a_u.schannel_auth->initiator = false;
1498 p->auth.a_u.schannel_auth->creds = creds;
1501 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1502 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1503 * struct of the person who opened the pipe. I need to test this further. JRA.
1505 * VL. As we are mapping this to guest set the generic key
1506 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1507 * W2k3, as it does not allow schannel binds against SAMR and LSA
1508 * anymore.
1511 session_key = generic_session_key();
1512 if (session_key.data == NULL) {
1513 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1514 " key\n"));
1515 return false;
1518 ret = server_info_set_session_key(p->server_info, session_key);
1520 data_blob_free(&session_key);
1522 if (!ret) {
1523 DEBUG(0, ("server_info_set_session_key failed\n"));
1524 return false;
1527 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1528 pauth_info->auth_level, ss_padding_len, 1);
1529 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1530 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1531 return False;
1534 /*** SCHANNEL verifier ***/
1536 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1537 reply.Flags = 0;
1538 reply.Buffer.dummy = 5; /* ??? actually I don't think
1539 * this has any meaning
1540 * here - gd */
1542 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &reply,
1543 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1544 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1545 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1546 return false;
1549 if (DEBUGLEVEL >= 10) {
1550 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1553 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1554 return false;
1557 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1558 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1560 /* We're finished with this bind - no more packets. */
1561 p->auth.auth_data_free_func = NULL;
1562 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1564 p->pipe_bound = True;
1566 return True;
1569 /*******************************************************************
1570 Handle an NTLMSSP bind auth.
1571 *******************************************************************/
1573 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1574 uint32_t ss_padding_len,
1575 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1577 RPC_HDR_AUTH auth_info;
1578 DATA_BLOB blob;
1579 DATA_BLOB response;
1580 NTSTATUS status;
1581 struct auth_ntlmssp_state *a = NULL;
1583 ZERO_STRUCT(blob);
1584 ZERO_STRUCT(response);
1586 /* Grab the NTLMSSP blob. */
1587 blob = data_blob(NULL,p->hdr.auth_len);
1589 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1590 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1591 (unsigned int)p->hdr.auth_len ));
1592 goto err;
1595 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1596 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1597 goto err;
1600 /* We have an NTLMSSP blob. */
1601 status = auth_ntlmssp_start(&a);
1602 if (!NT_STATUS_IS_OK(status)) {
1603 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1604 nt_errstr(status) ));
1605 goto err;
1608 status = auth_ntlmssp_update(a, blob, &response);
1609 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1610 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1611 nt_errstr(status) ));
1612 goto err;
1615 data_blob_free(&blob);
1617 /* Copy the blob into the pout_auth parse struct */
1618 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1619 pauth_info->auth_level, ss_padding_len, 1);
1620 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1621 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1622 goto err;
1625 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1626 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1627 goto err;
1630 p->auth.a_u.auth_ntlmssp_state = a;
1631 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1632 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1634 data_blob_free(&blob);
1635 data_blob_free(&response);
1637 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1639 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1640 return True;
1642 err:
1644 data_blob_free(&blob);
1645 data_blob_free(&response);
1647 free_pipe_ntlmssp_auth_data(&p->auth);
1648 p->auth.a_u.auth_ntlmssp_state = NULL;
1649 return False;
1652 /*******************************************************************
1653 Respond to a pipe bind request.
1654 *******************************************************************/
1656 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1658 RPC_HDR_BA hdr_ba;
1659 RPC_HDR_RB hdr_rb;
1660 RPC_HDR_AUTH auth_info;
1661 uint16 assoc_gid;
1662 fstring ack_pipe_name;
1663 prs_struct out_hdr_ba;
1664 prs_struct out_auth;
1665 int i = 0;
1666 int auth_len = 0;
1667 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1668 uint32_t ss_padding_len = 0;
1670 /* No rebinds on a bound pipe - use alter context. */
1671 if (p->pipe_bound) {
1672 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1673 "pipe %s.\n",
1674 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1675 return setup_bind_nak(p);
1678 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1681 * Marshall directly into the outgoing PDU space. We
1682 * must do this as we need to set to the bind response
1683 * header and are never sending more than one PDU here.
1687 * Setup the memory to marshall the ba header, and the
1688 * auth footers.
1691 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1692 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1693 prs_mem_free(&p->out_data.frag);
1694 return False;
1697 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1698 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1699 prs_mem_free(&p->out_data.frag);
1700 prs_mem_free(&out_hdr_ba);
1701 return False;
1704 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1706 ZERO_STRUCT(hdr_rb);
1708 /* decode the bind request */
1710 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1711 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1712 "struct.\n"));
1713 goto err_exit;
1716 if (hdr_rb.num_contexts == 0) {
1717 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1718 goto err_exit;
1722 * Try and find the correct pipe name to ensure
1723 * that this is a pipe name we support.
1726 for (i = 0; i < rpc_lookup_size; i++) {
1727 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1728 &hdr_rb.rpc_context[0].abstract)) {
1729 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1730 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1731 break;
1735 if (i == rpc_lookup_size) {
1736 NTSTATUS status;
1738 status = smb_probe_module(
1739 "rpc", get_pipe_name_from_syntax(
1740 talloc_tos(),
1741 &hdr_rb.rpc_context[0].abstract));
1743 if (NT_STATUS_IS_ERR(status)) {
1744 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1745 get_pipe_name_from_syntax(
1746 talloc_tos(),
1747 &hdr_rb.rpc_context[0].abstract)));
1748 prs_mem_free(&p->out_data.frag);
1749 prs_mem_free(&out_hdr_ba);
1750 prs_mem_free(&out_auth);
1752 return setup_bind_nak(p);
1755 for (i = 0; i < rpc_lookup_size; i++) {
1756 if (strequal(rpc_lookup[i].pipe.clnt,
1757 get_pipe_name_from_syntax(talloc_tos(),
1758 &p->syntax))) {
1759 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1760 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1761 break;
1765 if (i == rpc_lookup_size) {
1766 DEBUG(0, ("module %s doesn't provide functions for "
1767 "pipe %s!\n",
1768 get_pipe_name_from_syntax(talloc_tos(),
1769 &p->syntax),
1770 get_pipe_name_from_syntax(talloc_tos(),
1771 &p->syntax)));
1772 goto err_exit;
1776 /* name has to be \PIPE\xxxxx */
1777 fstrcpy(ack_pipe_name, "\\PIPE\\");
1778 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1780 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1782 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1785 * Create the bind response struct.
1788 /* If the requested abstract synt uuid doesn't match our client pipe,
1789 reject the bind_ack & set the transfer interface synt to all 0's,
1790 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1791 unknown to NT4)
1792 Needed when adding entries to a DACL from NT5 - SK */
1794 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1795 hdr_rb.rpc_context[0].context_id )) {
1796 init_rpc_hdr_ba(&hdr_ba,
1797 RPC_MAX_PDU_FRAG_LEN,
1798 RPC_MAX_PDU_FRAG_LEN,
1799 assoc_gid,
1800 ack_pipe_name,
1801 0x1, 0x0, 0x0,
1802 &hdr_rb.rpc_context[0].transfer[0]);
1803 } else {
1804 /* Rejection reason: abstract syntax not supported */
1805 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1806 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1807 ack_pipe_name, 0x1, 0x2, 0x1,
1808 &null_ndr_syntax_id);
1809 p->pipe_bound = False;
1813 * and marshall it.
1816 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1817 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1818 goto err_exit;
1822 * Check if this is an authenticated bind request.
1825 if (p->hdr.auth_len) {
1827 * Decode the authentication verifier.
1830 /* Work out any padding needed before the auth footer. */
1831 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1832 ss_padding_len = SERVER_NDR_PADDING_SIZE -
1833 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1834 DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1835 (unsigned int)ss_padding_len ));
1838 /* Quick length check. Won't catch a bad auth footer,
1839 * prevents overrun. */
1841 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1842 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1843 "too long for fragment %u.\n",
1844 (unsigned int)p->hdr.auth_len,
1845 (unsigned int)p->hdr.frag_len ));
1846 goto err_exit;
1849 /* Pull the auth header and the following data into a blob. */
1850 /* NB. The offset of the auth_header is relative to the *end*
1851 * of the packet, not the start. Also, the length of the
1852 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1853 * as the RPC header isn't included in rpc_in_p. */
1854 if(!prs_set_offset(rpc_in_p,
1855 p->hdr.frag_len - RPC_HEADER_LEN -
1856 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1857 DEBUG(0,("api_pipe_bind_req: cannot move "
1858 "offset to %u.\n",
1859 (unsigned int)(p->hdr.frag_len -
1860 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1861 goto err_exit;
1864 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1865 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1866 goto err_exit;
1869 auth_type = auth_info.auth_type;
1871 /* Work out if we have to sign or seal etc. */
1872 switch (auth_info.auth_level) {
1873 case DCERPC_AUTH_LEVEL_INTEGRITY:
1874 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1875 break;
1876 case DCERPC_AUTH_LEVEL_PRIVACY:
1877 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1878 break;
1879 default:
1880 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1881 (unsigned int)auth_info.auth_level ));
1882 goto err_exit;
1884 } else {
1885 ZERO_STRUCT(auth_info);
1888 switch(auth_type) {
1889 case DCERPC_AUTH_TYPE_NTLMSSP:
1890 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1891 ss_padding_len, &auth_info, &out_auth)) {
1892 goto err_exit;
1894 assoc_gid = 0x7a77;
1895 break;
1897 case DCERPC_AUTH_TYPE_SCHANNEL:
1898 if (!pipe_schannel_auth_bind(p, rpc_in_p,
1899 ss_padding_len, &auth_info, &out_auth)) {
1900 goto err_exit;
1902 break;
1904 case DCERPC_AUTH_TYPE_SPNEGO:
1905 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1906 ss_padding_len, &auth_info, &out_auth)) {
1907 goto err_exit;
1909 break;
1911 case DCERPC_AUTH_TYPE_NONE:
1912 /* Unauthenticated bind request. */
1913 /* We're finished - no more packets. */
1914 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1915 /* We must set the pipe auth_level here also. */
1916 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1917 p->pipe_bound = True;
1918 /* The session key was initialized from the SMB
1919 * session in make_internal_rpc_pipe_p */
1920 ss_padding_len = 0;
1921 break;
1923 default:
1924 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1925 goto err_exit;
1928 * Create the header, now we know the length.
1931 if (prs_offset(&out_auth)) {
1932 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1935 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1936 p->hdr.call_id,
1937 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1938 ss_padding_len + prs_offset(&out_auth),
1939 auth_len);
1942 * Marshall the header into the outgoing PDU.
1945 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1946 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1947 goto err_exit;
1951 * Now add the RPC_HDR_BA and any auth needed.
1954 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1955 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1956 goto err_exit;
1959 if (auth_len) {
1960 if (ss_padding_len) {
1961 char pad[SERVER_NDR_PADDING_SIZE];
1962 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1963 if (!prs_copy_data_in(&p->out_data.frag, pad,
1964 ss_padding_len)) {
1965 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1966 "bytes of pad data.\n",
1967 (unsigned int)ss_padding_len));
1968 goto err_exit;
1972 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1973 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1974 goto err_exit;
1979 * Setup the lengths for the initial reply.
1982 p->out_data.data_sent_length = 0;
1983 p->out_data.current_pdu_sent = 0;
1985 prs_mem_free(&out_hdr_ba);
1986 prs_mem_free(&out_auth);
1988 return True;
1990 err_exit:
1992 prs_mem_free(&p->out_data.frag);
1993 prs_mem_free(&out_hdr_ba);
1994 prs_mem_free(&out_auth);
1995 return setup_bind_nak(p);
1998 /****************************************************************************
1999 Deal with an alter context call. Can be third part of 3 leg auth request for
2000 SPNEGO calls.
2001 ****************************************************************************/
2003 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
2005 RPC_HDR_BA hdr_ba;
2006 RPC_HDR_RB hdr_rb;
2007 RPC_HDR_AUTH auth_info;
2008 uint16 assoc_gid;
2009 fstring ack_pipe_name;
2010 prs_struct out_hdr_ba;
2011 prs_struct out_auth;
2012 int auth_len = 0;
2013 uint32_t ss_padding_len = 0;
2015 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
2018 * Marshall directly into the outgoing PDU space. We
2019 * must do this as we need to set to the bind response
2020 * header and are never sending more than one PDU here.
2024 * Setup the memory to marshall the ba header, and the
2025 * auth footers.
2028 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
2029 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
2030 prs_mem_free(&p->out_data.frag);
2031 return False;
2034 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
2035 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
2036 prs_mem_free(&p->out_data.frag);
2037 prs_mem_free(&out_hdr_ba);
2038 return False;
2041 ZERO_STRUCT(hdr_rb);
2043 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
2045 /* decode the alter context request */
2046 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
2047 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
2048 goto err_exit;
2051 /* secondary address CAN be NULL
2052 * as the specs say it's ignored.
2053 * It MUST be NULL to have the spoolss working.
2055 fstrcpy(ack_pipe_name,"");
2057 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
2059 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
2062 * Create the bind response struct.
2065 /* If the requested abstract synt uuid doesn't match our client pipe,
2066 reject the bind_ack & set the transfer interface synt to all 0's,
2067 ver 0 (observed when NT5 attempts to bind to abstract interfaces
2068 unknown to NT4)
2069 Needed when adding entries to a DACL from NT5 - SK */
2071 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
2072 hdr_rb.rpc_context[0].context_id )) {
2073 init_rpc_hdr_ba(&hdr_ba,
2074 RPC_MAX_PDU_FRAG_LEN,
2075 RPC_MAX_PDU_FRAG_LEN,
2076 assoc_gid,
2077 ack_pipe_name,
2078 0x1, 0x0, 0x0,
2079 &hdr_rb.rpc_context[0].transfer[0]);
2080 } else {
2081 /* Rejection reason: abstract syntax not supported */
2082 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2083 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2084 ack_pipe_name, 0x1, 0x2, 0x1,
2085 &null_ndr_syntax_id);
2086 p->pipe_bound = False;
2090 * and marshall it.
2093 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2094 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2095 goto err_exit;
2100 * Check if this is an authenticated alter context request.
2103 if (p->hdr.auth_len != 0) {
2105 * Decode the authentication verifier.
2108 /* Work out any padding needed before the auth footer. */
2109 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
2110 ss_padding_len = SERVER_NDR_PADDING_SIZE -
2111 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
2112 DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2113 (unsigned int)ss_padding_len ));
2116 /* Quick length check. Won't catch a bad auth footer,
2117 * prevents overrun. */
2119 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2120 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2121 "too long for fragment %u.\n",
2122 (unsigned int)p->hdr.auth_len,
2123 (unsigned int)p->hdr.frag_len ));
2124 goto err_exit;
2127 /* Pull the auth header and the following data into a blob. */
2128 /* NB. The offset of the auth_header is relative to the *end*
2129 * of the packet, not the start. Also, the length of the
2130 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2131 * as the RPC header isn't included in rpc_in_p. */
2132 if(!prs_set_offset(rpc_in_p,
2133 p->hdr.frag_len - RPC_HEADER_LEN -
2134 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2135 DEBUG(0,("api_alter_context: cannot move "
2136 "offset to %u.\n",
2137 (unsigned int)(p->hdr.frag_len -
2138 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2139 goto err_exit;
2142 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2143 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2144 goto err_exit;
2148 * Currently only the SPNEGO auth type uses the alter ctx
2149 * response in place of the NTLMSSP auth3 type.
2152 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2153 /* We can only finish if the pipe is unbound. */
2154 if (!p->pipe_bound) {
2155 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2156 ss_padding_len, &auth_info, &out_auth)) {
2157 goto err_exit;
2159 } else {
2160 goto err_exit;
2163 } else {
2164 ZERO_STRUCT(auth_info);
2167 * Create the header, now we know the length.
2170 if (prs_offset(&out_auth)) {
2171 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2174 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2175 p->hdr.call_id,
2176 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2177 auth_len);
2180 * Marshall the header into the outgoing PDU.
2183 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2184 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2185 goto err_exit;
2189 * Now add the RPC_HDR_BA and any auth needed.
2192 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2193 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2194 goto err_exit;
2197 if (auth_len) {
2198 if (ss_padding_len) {
2199 char pad[SERVER_NDR_PADDING_SIZE];
2200 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2201 if (!prs_copy_data_in(&p->out_data.frag, pad,
2202 ss_padding_len)) {
2203 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2204 "bytes of pad data.\n",
2205 (unsigned int)ss_padding_len));
2206 goto err_exit;
2210 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2211 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2212 goto err_exit;
2217 * Setup the lengths for the initial reply.
2220 p->out_data.data_sent_length = 0;
2221 p->out_data.current_pdu_sent = 0;
2223 prs_mem_free(&out_hdr_ba);
2224 prs_mem_free(&out_auth);
2226 return True;
2228 err_exit:
2230 prs_mem_free(&p->out_data.frag);
2231 prs_mem_free(&out_hdr_ba);
2232 prs_mem_free(&out_auth);
2233 return setup_bind_nak(p);
2236 /****************************************************************************
2237 Deal with NTLMSSP sign & seal processing on an RPC request.
2238 ****************************************************************************/
2240 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2241 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2243 RPC_HDR_AUTH auth_info;
2244 uint32 auth_len = p->hdr.auth_len;
2245 uint32 save_offset = prs_offset(rpc_in);
2246 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
2247 unsigned char *data = NULL;
2248 size_t data_len;
2249 unsigned char *full_packet_data = NULL;
2250 size_t full_packet_data_len;
2251 DATA_BLOB auth_blob;
2253 *pstatus = NT_STATUS_OK;
2255 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2256 return True;
2259 if (!a) {
2260 *pstatus = NT_STATUS_INVALID_PARAMETER;
2261 return False;
2264 /* Ensure there's enough data for an authenticated request. */
2265 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2266 + auth_len > p->hdr.frag_len) {
2267 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2268 (unsigned int)auth_len ));
2269 *pstatus = NT_STATUS_INVALID_PARAMETER;
2270 return False;
2274 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2275 * after the RPC header.
2276 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2277 * functions as NTLMv2 checks the rpc headers also.
2278 * Both of these values include any auth_pad_len bytes.
2281 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2282 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2284 full_packet_data = p->in_data.current_in_pdu;
2285 full_packet_data_len = p->hdr.frag_len - auth_len;
2287 /* Pull the auth header and the following data into a blob. */
2288 /* NB. The offset of the auth_header is relative to the *end*
2289 * of the packet, not the start. Also, the length of the
2290 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2291 * as the RPC header isn't included in rpc_in_p. */
2292 if(!prs_set_offset(rpc_in,
2293 p->hdr.frag_len - RPC_HEADER_LEN -
2294 RPC_HDR_AUTH_LEN - auth_len)) {
2295 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2296 "offset to %u.\n",
2297 (unsigned int)(p->hdr.frag_len -
2298 RPC_HDR_AUTH_LEN - auth_len) ));
2299 *pstatus = NT_STATUS_INVALID_PARAMETER;
2300 return False;
2303 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2304 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2305 "unmarshall RPC_HDR_AUTH.\n"));
2306 *pstatus = NT_STATUS_INVALID_PARAMETER;
2307 return False;
2310 /* Ensure auth_pad_len fits into the packet. */
2311 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2312 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2313 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2314 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2315 (unsigned int)auth_info.auth_pad_len,
2316 (unsigned int)auth_len,
2317 (unsigned int)p->hdr.frag_len ));
2318 *pstatus = NT_STATUS_INVALID_PARAMETER;
2319 return False;
2322 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2323 auth_blob.length = auth_len;
2325 switch (p->auth.auth_level) {
2326 case DCERPC_AUTH_LEVEL_PRIVACY:
2327 /* Data is encrypted. */
2328 *pstatus = auth_ntlmssp_unseal_packet(a,
2329 data, data_len,
2330 full_packet_data,
2331 full_packet_data_len,
2332 &auth_blob);
2333 if (!NT_STATUS_IS_OK(*pstatus)) {
2334 return False;
2336 break;
2337 case DCERPC_AUTH_LEVEL_INTEGRITY:
2338 /* Data is signed. */
2339 *pstatus = auth_ntlmssp_check_packet(a,
2340 data, data_len,
2341 full_packet_data,
2342 full_packet_data_len,
2343 &auth_blob);
2344 if (!NT_STATUS_IS_OK(*pstatus)) {
2345 return False;
2347 break;
2348 default:
2349 *pstatus = NT_STATUS_INVALID_PARAMETER;
2350 return False;
2354 * Return the current pointer to the data offset.
2357 if(!prs_set_offset(rpc_in, save_offset)) {
2358 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2359 (unsigned int)save_offset ));
2360 *pstatus = NT_STATUS_INVALID_PARAMETER;
2361 return False;
2365 * Remember the padding length. We must remove it from the real data
2366 * stream once the sign/seal is done.
2369 *p_ss_padding_len = auth_info.auth_pad_len;
2371 return True;
2374 /****************************************************************************
2375 Deal with schannel processing on an RPC request.
2376 ****************************************************************************/
2378 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2380 uint32 data_len;
2381 uint32 auth_len;
2382 uint32 save_offset = prs_offset(rpc_in);
2383 RPC_HDR_AUTH auth_info;
2384 DATA_BLOB blob;
2385 NTSTATUS status;
2386 uint8_t *data;
2388 auth_len = p->hdr.auth_len;
2390 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2391 auth_len > RPC_HEADER_LEN +
2392 RPC_HDR_REQ_LEN +
2393 RPC_HDR_AUTH_LEN +
2394 auth_len) {
2395 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2396 return False;
2400 * The following is that length of the data we must verify or unseal.
2401 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2402 * preceeding the auth_data, but does include the auth_pad_len bytes.
2405 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2406 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2407 (unsigned int)p->hdr.frag_len,
2408 (unsigned int)auth_len ));
2409 return False;
2412 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2413 RPC_HDR_AUTH_LEN - auth_len;
2415 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2417 /* Pull the auth header and the following data into a blob. */
2418 /* NB. The offset of the auth_header is relative to the *end*
2419 * of the packet, not the start. Also, the length of the
2420 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2421 * as the RPC header isn't included in rpc_in_p. */
2422 if(!prs_set_offset(rpc_in,
2423 p->hdr.frag_len - RPC_HEADER_LEN -
2424 RPC_HDR_AUTH_LEN - auth_len)) {
2425 DEBUG(0,("api_pipe_schannel_process: cannot move "
2426 "offset to %u.\n",
2427 (unsigned int)(p->hdr.frag_len -
2428 RPC_HDR_AUTH_LEN - auth_len) ));
2429 return False;
2432 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2433 DEBUG(0,("api_pipe_schannel_process: failed to "
2434 "unmarshall RPC_HDR_AUTH.\n"));
2435 return False;
2438 /* Ensure auth_pad_len fits into the packet. */
2439 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2440 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2441 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2442 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2443 (unsigned int)auth_info.auth_pad_len,
2444 (unsigned int)auth_len,
2445 (unsigned int)p->hdr.frag_len ));
2446 return False;
2449 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2450 DEBUG(0,("Invalid auth info %d on schannel\n",
2451 auth_info.auth_type));
2452 return False;
2455 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2457 if (DEBUGLEVEL >= 10) {
2458 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2461 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2463 switch (auth_info.auth_level) {
2464 case DCERPC_AUTH_LEVEL_PRIVACY:
2465 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2466 talloc_tos(),
2467 true,
2468 data,
2469 data_len,
2470 &blob);
2471 break;
2472 case DCERPC_AUTH_LEVEL_INTEGRITY:
2473 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2474 talloc_tos(),
2475 false,
2476 data,
2477 data_len,
2478 &blob);
2479 break;
2480 default:
2481 status = NT_STATUS_INTERNAL_ERROR;
2482 break;
2485 if (!NT_STATUS_IS_OK(status)) {
2486 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2487 return false;
2491 * Return the current pointer to the data offset.
2494 if(!prs_set_offset(rpc_in, save_offset)) {
2495 DEBUG(0,("failed to set offset back to %u\n",
2496 (unsigned int)save_offset ));
2497 return False;
2501 * Remember the padding length. We must remove it from the real data
2502 * stream once the sign/seal is done.
2505 *p_ss_padding_len = auth_info.auth_pad_len;
2507 return True;
2510 /****************************************************************************
2511 Find the set of RPC functions associated with this context_id
2512 ****************************************************************************/
2514 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2516 PIPE_RPC_FNS *fns = NULL;
2518 if ( !list ) {
2519 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2520 return NULL;
2523 for (fns=list; fns; fns=fns->next ) {
2524 if ( fns->context_id == context_id )
2525 return fns;
2527 return NULL;
2530 /****************************************************************************
2531 Memory cleanup.
2532 ****************************************************************************/
2534 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2536 PIPE_RPC_FNS *tmp = list;
2537 PIPE_RPC_FNS *tmp2;
2539 while (tmp) {
2540 tmp2 = tmp->next;
2541 SAFE_FREE(tmp);
2542 tmp = tmp2;
2545 return;
2548 static bool api_rpcTNP(pipes_struct *p,
2549 const struct api_struct *api_rpc_cmds, int n_cmds);
2551 /****************************************************************************
2552 Find the correct RPC function to call for this request.
2553 If the pipe is authenticated then become the correct UNIX user
2554 before doing the call.
2555 ****************************************************************************/
2557 bool api_pipe_request(pipes_struct *p)
2559 bool ret = False;
2560 bool changed_user = False;
2561 PIPE_RPC_FNS *pipe_fns;
2563 if (p->pipe_bound &&
2564 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2565 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2566 if(!become_authenticated_pipe_user(p)) {
2567 prs_mem_free(&p->out_data.rdata);
2568 return False;
2570 changed_user = True;
2573 DEBUG(5, ("Requested \\PIPE\\%s\n",
2574 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2576 /* get the set of RPC functions for this context */
2578 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2580 if ( pipe_fns ) {
2581 TALLOC_CTX *frame = talloc_stackframe();
2582 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2583 TALLOC_FREE(frame);
2585 else {
2586 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2587 p->hdr_req.context_id,
2588 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2591 if (changed_user) {
2592 unbecome_authenticated_pipe_user();
2595 return ret;
2598 /*******************************************************************
2599 Calls the underlying RPC function for a named pipe.
2600 ********************************************************************/
2602 static bool api_rpcTNP(pipes_struct *p,
2603 const struct api_struct *api_rpc_cmds, int n_cmds)
2605 int fn_num;
2606 uint32 offset1, offset2;
2608 /* interpret the command */
2609 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2610 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2611 p->hdr_req.opnum));
2613 if (DEBUGLEVEL >= 50) {
2614 fstring name;
2615 slprintf(name, sizeof(name)-1, "in_%s",
2616 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2617 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2620 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2621 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2622 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2623 break;
2627 if (fn_num == n_cmds) {
2629 * For an unknown RPC just return a fault PDU but
2630 * return True to allow RPC's on the pipe to continue
2631 * and not put the pipe into fault state. JRA.
2633 DEBUG(4, ("unknown\n"));
2634 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2635 return True;
2638 offset1 = prs_offset(&p->out_data.rdata);
2640 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2641 fn_num, api_rpc_cmds[fn_num].fn));
2642 /* do the actual command */
2643 if(!api_rpc_cmds[fn_num].fn(p)) {
2644 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2645 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2646 api_rpc_cmds[fn_num].name));
2647 prs_mem_free(&p->out_data.rdata);
2648 return False;
2651 if (p->bad_handle_fault_state) {
2652 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2653 p->bad_handle_fault_state = False;
2654 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2655 return True;
2658 if (p->rng_fault_state) {
2659 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2660 p->rng_fault_state = False;
2661 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2662 return True;
2665 offset2 = prs_offset(&p->out_data.rdata);
2666 prs_set_offset(&p->out_data.rdata, offset1);
2667 if (DEBUGLEVEL >= 50) {
2668 fstring name;
2669 slprintf(name, sizeof(name)-1, "out_%s",
2670 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2671 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2673 prs_set_offset(&p->out_data.rdata, offset2);
2675 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2676 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2678 /* Check for buffer underflow in rpc parsing */
2680 if ((DEBUGLEVEL >= 10) &&
2681 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2682 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2683 char *data = (char *)SMB_MALLOC(data_len);
2685 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2686 if (data) {
2687 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2688 SAFE_FREE(data);
2693 return True;