search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:dcerpc Use prs_parse_dcerpc_bind
[Samba/gbeck.git] / source3 / rpc_server / srv_pipe.c
bloba63e00a93ed531c89a0ac3c9c3b842fe30dec8d2
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "../libcli/auth/ntlmssp.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
41 {
42 struct auth_ntlmssp_state *a = auth->a_u.auth_ntlmssp_state;
43
44 if (a) {
45 auth_ntlmssp_end(&a);
46 }
47 auth->a_u.auth_ntlmssp_state = NULL;
48 }
49
50 static DATA_BLOB generic_session_key(void)
51 {
52 return data_blob("SystemLibraryDTC", 16);
53 }
54
55 /*******************************************************************
56 Generate the next PDU to be returned from the data in p->rdata.
57 Handle NTLMSSP.
58 ********************************************************************/
59
60 static bool create_next_pdu_ntlmssp(pipes_struct *p)
61 {
62 RPC_HDR_RESP hdr_resp;
63 uint32 ss_padding_len = 0;
64 uint32 data_space_available;
65 uint32 data_len_left;
66 uint32 data_len;
67 NTSTATUS status;
68 DATA_BLOB auth_blob;
69 RPC_HDR_AUTH auth_info;
70 uint8 auth_type, auth_level;
71 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
72 TALLOC_CTX *frame;
73
74 /*
75 * If we're in the fault state, keep returning fault PDU's until
76 * the pipe gets closed. JRA.
77 */
78
79 if(p->fault_state) {
80 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
81 return True;
82 }
83
84 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
85
86 /* Change the incoming request header to a response. */
87 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
88
89 /* Set up rpc header flags. */
90 if (p->out_data.data_sent_length == 0) {
91 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
92 } else {
93 p->hdr.flags = 0;
94 }
95
96 /*
97 * Work out how much we can fit in a single PDU.
98 */
99
100 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101
102 /*
103 * Ensure there really is data left to send.
104 */
105
106 if(!data_len_left) {
107 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
108 return False;
109 }
110
111 /* Space available - not including padding. */
112 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
113 RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115 /*
116 * The amount we send is the minimum of the available
117 * space and the amount left to send.
118 */
119
120 data_len = MIN(data_len_left, data_space_available);
121
122 /* Work out any padding alignment requirements. */
123 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
124 ss_padding_len = SERVER_NDR_PADDING_SIZE -
125 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
126 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
127 ss_padding_len ));
128 /* If we're over filling the packet, we need to make space
129 * for the padding at the end of the data. */
130 if (data_len + ss_padding_len > data_space_available) {
131 data_len -= SERVER_NDR_PADDING_SIZE;
132 }
133 }
134
135 /*
136 * Set up the alloc hint. This should be the data left to
137 * send.
138 */
139
140 hdr_resp.alloc_hint = data_len_left;
141
142 /*
143 * Work out if this PDU will be the last.
144 */
145
146 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
147 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
148 }
149
150 /*
151 * Set up the header lengths.
152 */
153
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
155 data_len + ss_padding_len +
156 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
157 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
158
159
160 /*
161 * Init the parse struct to point at the outgoing
162 * data.
163 */
164
165 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
166
167 /* Store the header in the data stream. */
168 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
169 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
170 prs_mem_free(&p->out_data.frag);
171 return False;
172 }
173
174 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
175 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
176 prs_mem_free(&p->out_data.frag);
177 return False;
178 }
179
180 /* Copy the data into the PDU. */
181
182 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
183 p->out_data.data_sent_length, data_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
185 prs_mem_free(&p->out_data.frag);
186 return False;
187 }
188
189 /* Copy the sign/seal padding data. */
190 if (ss_padding_len) {
191 char pad[SERVER_NDR_PADDING_SIZE];
192
193 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
194 if (!prs_copy_data_in(&p->out_data.frag, pad,
195 ss_padding_len)) {
196 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
197 (unsigned int)ss_padding_len));
198 prs_mem_free(&p->out_data.frag);
199 return False;
200 }
201 }
202
203
204 /* Now write out the auth header and null blob. */
205 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
206 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
207 } else {
208 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
209 }
210 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
211 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
212 } else {
213 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
214 }
215
216 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
217
218 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
219 &p->out_data.frag, 0)) {
220 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&p->out_data.frag);
222 return False;
223 }
224
225 /* Generate the sign blob. */
226
227 frame = talloc_stackframe();
228 switch (p->auth.auth_level) {
229 case DCERPC_AUTH_LEVEL_PRIVACY:
230 /* Data portion is encrypted. */
231 status = auth_ntlmssp_seal_packet(
232 a, frame,
233 (uint8_t *)prs_data_p(&p->out_data.frag)
234 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
235 data_len + ss_padding_len,
236 (unsigned char *)prs_data_p(&p->out_data.frag),
237 (size_t)prs_offset(&p->out_data.frag),
238 &auth_blob);
239 if (!NT_STATUS_IS_OK(status)) {
240 talloc_free(frame);
241 prs_mem_free(&p->out_data.frag);
242 return False;
243 }
244 break;
245 case DCERPC_AUTH_LEVEL_INTEGRITY:
246 /* Data is signed. */
247 status = auth_ntlmssp_sign_packet(
248 a, frame,
249 (unsigned char *)prs_data_p(&p->out_data.frag)
250 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
251 data_len + ss_padding_len,
252 (unsigned char *)prs_data_p(&p->out_data.frag),
253 (size_t)prs_offset(&p->out_data.frag),
254 &auth_blob);
255 if (!NT_STATUS_IS_OK(status)) {
256 talloc_free(frame);
257 prs_mem_free(&p->out_data.frag);
258 return False;
259 }
260 break;
261 default:
262 talloc_free(frame);
263 prs_mem_free(&p->out_data.frag);
264 return False;
265 }
266
267 /* Append the auth blob. */
268 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
269 NTLMSSP_SIG_SIZE)) {
270 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
271 (unsigned int)NTLMSSP_SIG_SIZE));
272 talloc_free(frame);
273 prs_mem_free(&p->out_data.frag);
274 return False;
275 }
276 talloc_free(frame);
277
278 /*
279 * Setup the counts for this PDU.
280 */
281
282 p->out_data.data_sent_length += data_len;
283 p->out_data.current_pdu_sent = 0;
284
285 return True;
286 }
287
288 /*******************************************************************
289 Generate the next PDU to be returned from the data in p->rdata.
290 Return an schannel authenticated fragment.
291 ********************************************************************/
292
293 static bool create_next_pdu_schannel(pipes_struct *p)
294 {
295 RPC_HDR_RESP hdr_resp;
296 uint32 ss_padding_len = 0;
297 uint32 data_len;
298 uint32 data_space_available;
299 uint32 data_len_left;
300 uint32 data_pos;
301 NTSTATUS status;
302
303 /*
304 * If we're in the fault state, keep returning fault PDU's until
305 * the pipe gets closed. JRA.
306 */
307
308 if(p->fault_state) {
309 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
310 return True;
311 }
312
313 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
314
315 /* Change the incoming request header to a response. */
316 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
317
318 /* Set up rpc header flags. */
319 if (p->out_data.data_sent_length == 0) {
320 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
321 } else {
322 p->hdr.flags = 0;
323 }
324
325 /*
326 * Work out how much we can fit in a single PDU.
327 */
328
329 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
330
331 /*
332 * Ensure there really is data left to send.
333 */
334
335 if(!data_len_left) {
336 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
337 return False;
338 }
339
340 /* Space available - not including padding. */
341 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
342 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
343 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
344
345 /*
346 * The amount we send is the minimum of the available
347 * space and the amount left to send.
348 */
349
350 data_len = MIN(data_len_left, data_space_available);
351
352 /* Work out any padding alignment requirements. */
353 if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
354 ss_padding_len = SERVER_NDR_PADDING_SIZE -
355 ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
356 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357 ss_padding_len ));
358 /* If we're over filling the packet, we need to make space
359 * for the padding at the end of the data. */
360 if (data_len + ss_padding_len > data_space_available) {
361 data_len -= SERVER_NDR_PADDING_SIZE;
362 }
363 }
364
365 /*
366 * Set up the alloc hint. This should be the data left to
367 * send.
368 */
369
370 hdr_resp.alloc_hint = data_len_left;
371
372 /*
373 * Work out if this PDU will be the last.
374 */
375
376 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
377 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
378 }
379
380 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
381 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
382 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
383
384 /*
385 * Init the parse struct to point at the outgoing
386 * data.
387 */
388
389 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
390
391 /* Store the header in the data stream. */
392 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
394 prs_mem_free(&p->out_data.frag);
395 return False;
396 }
397
398 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
399 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
400 prs_mem_free(&p->out_data.frag);
401 return False;
402 }
403
404 /* Store the current offset. */
405 data_pos = prs_offset(&p->out_data.frag);
406
407 /* Copy the data into the PDU. */
408
409 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
410 p->out_data.data_sent_length, data_len)) {
411 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
412 prs_mem_free(&p->out_data.frag);
413 return False;
414 }
415
416 /* Copy the sign/seal padding data. */
417 if (ss_padding_len) {
418 char pad[SERVER_NDR_PADDING_SIZE];
419 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
420 if (!prs_copy_data_in(&p->out_data.frag, pad,
421 ss_padding_len)) {
422 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
423 prs_mem_free(&p->out_data.frag);
424 return False;
425 }
426 }
427
428 {
429 /*
430 * Schannel processing.
431 */
432 RPC_HDR_AUTH auth_info;
433 DATA_BLOB blob;
434 uint8_t *data;
435
436 /* Check it's the type of reply we were expecting to decode */
437
438 init_rpc_hdr_auth(&auth_info,
439 DCERPC_AUTH_TYPE_SCHANNEL,
440 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
441 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
442 ss_padding_len, 1);
443
444 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
445 &p->out_data.frag, 0)) {
446 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
447 prs_mem_free(&p->out_data.frag);
448 return False;
449 }
450
451 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
452
453 switch (p->auth.auth_level) {
454 case DCERPC_AUTH_LEVEL_PRIVACY:
455 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
456 talloc_tos(),
457 true,
458 data,
459 data_len + ss_padding_len,
460 &blob);
461 break;
462 case DCERPC_AUTH_LEVEL_INTEGRITY:
463 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
464 talloc_tos(),
465 false,
466 data,
467 data_len + ss_padding_len,
468 &blob);
469 break;
470 default:
471 status = NT_STATUS_INTERNAL_ERROR;
472 break;
473 }
474
475 if (!NT_STATUS_IS_OK(status)) {
476 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
477 nt_errstr(status)));
478 prs_mem_free(&p->out_data.frag);
479 return false;
480 }
481
482 /* Finally marshall the blob. */
483
484 if (DEBUGLEVEL >= 10) {
485 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
486 }
487
488 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
489 prs_mem_free(&p->out_data.frag);
490 return false;
491 }
492 }
493
494 /*
495 * Setup the counts for this PDU.
496 */
497
498 p->out_data.data_sent_length += data_len;
499 p->out_data.current_pdu_sent = 0;
500
501 return True;
502 }
503
504 /*******************************************************************
505 Generate the next PDU to be returned from the data in p->rdata.
506 No authentication done.
507 ********************************************************************/
508
509 static bool create_next_pdu_noauth(pipes_struct *p)
510 {
511 RPC_HDR_RESP hdr_resp;
512 uint32 data_len;
513 uint32 data_space_available;
514 uint32 data_len_left;
515
516 /*
517 * If we're in the fault state, keep returning fault PDU's until
518 * the pipe gets closed. JRA.
519 */
520
521 if(p->fault_state) {
522 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
523 return True;
524 }
525
526 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
527
528 /* Change the incoming request header to a response. */
529 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
530
531 /* Set up rpc header flags. */
532 if (p->out_data.data_sent_length == 0) {
533 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
534 } else {
535 p->hdr.flags = 0;
536 }
537
538 /*
539 * Work out how much we can fit in a single PDU.
540 */
541
542 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
543
544 /*
545 * Ensure there really is data left to send.
546 */
547
548 if(!data_len_left) {
549 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
550 return False;
551 }
552
553 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
554 - RPC_HDR_RESP_LEN;
555
556 /*
557 * The amount we send is the minimum of the available
558 * space and the amount left to send.
559 */
560
561 data_len = MIN(data_len_left, data_space_available);
562
563 /*
564 * Set up the alloc hint. This should be the data left to
565 * send.
566 */
567
568 hdr_resp.alloc_hint = data_len_left;
569
570 /*
571 * Work out if this PDU will be the last.
572 */
573
574 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
575 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
576 }
577
578 /*
579 * Set up the header lengths.
580 */
581
582 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
583 p->hdr.auth_len = 0;
584
585 /*
586 * Init the parse struct to point at the outgoing
587 * data.
588 */
589
590 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
591
592 /* Store the header in the data stream. */
593 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
594 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
595 prs_mem_free(&p->out_data.frag);
596 return False;
597 }
598
599 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
600 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
601 prs_mem_free(&p->out_data.frag);
602 return False;
603 }
604
605 /* Copy the data into the PDU. */
606
607 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
608 p->out_data.data_sent_length, data_len)) {
609 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
610 prs_mem_free(&p->out_data.frag);
611 return False;
612 }
613
614 /*
615 * Setup the counts for this PDU.
616 */
617
618 p->out_data.data_sent_length += data_len;
619 p->out_data.current_pdu_sent = 0;
620
621 return True;
622 }
623
624 /*******************************************************************
625 Generate the next PDU to be returned from the data in p->rdata.
626 ********************************************************************/
627
628 bool create_next_pdu(pipes_struct *p)
629 {
630 switch(p->auth.auth_level) {
631 case DCERPC_AUTH_LEVEL_NONE:
632 case DCERPC_AUTH_LEVEL_CONNECT:
633 /* This is incorrect for auth level connect. Fixme. JRA */
634 return create_next_pdu_noauth(p);
635
636 default:
637 switch(p->auth.auth_type) {
638 case PIPE_AUTH_TYPE_NTLMSSP:
639 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
640 return create_next_pdu_ntlmssp(p);
641 case PIPE_AUTH_TYPE_SCHANNEL:
642 return create_next_pdu_schannel(p);
643 default:
644 break;
645 }
646 }
647
648 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
649 (unsigned int)p->auth.auth_level,
650 (unsigned int)p->auth.auth_type));
651 return False;
652 }
653
654 /*******************************************************************
655 Process an NTLMSSP authentication response.
656 If this function succeeds, the user has been authenticated
657 and their domain, name and calling workstation stored in
658 the pipe struct.
659 *******************************************************************/
660
661 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
662 {
663 DATA_BLOB session_key, reply;
664 NTSTATUS status;
665 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
666 bool ret;
667
668 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
669 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
670
671 ZERO_STRUCT(reply);
672
673 /* this has to be done as root in order to verify the password */
674 become_root();
675 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
676 unbecome_root();
677
678 /* Don't generate a reply. */
679 data_blob_free(&reply);
680
681 if (!NT_STATUS_IS_OK(status)) {
682 return False;
683 }
684
685 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
686 ensure the underlying NTLMSSP flags are also set. If not we should
687 refuse the bind. */
688
689 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
690 if (!auth_ntlmssp_negotiated_sign(a)) {
691 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
692 "but client declined signing.\n",
693 get_pipe_name_from_syntax(talloc_tos(),
694 &p->syntax)));
695 return False;
696 }
697 }
698 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
699 if (!auth_ntlmssp_negotiated_seal(a)) {
700 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
701 "but client declined sealing.\n",
702 get_pipe_name_from_syntax(talloc_tos(),
703 &p->syntax)));
704 return False;
705 }
706 }
707
708 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
709 "workstation: %s\n",
710 auth_ntlmssp_get_username(a),
711 auth_ntlmssp_get_domain(a),
712 auth_ntlmssp_get_client(a)));
713
714 TALLOC_FREE(p->server_info);
715
716 p->server_info = auth_ntlmssp_server_info(p, a);
717 if (p->server_info == NULL) {
718 DEBUG(0, ("auth_ntlmssp_server_info failed to obtain the server info for authenticated user\n"));
719 return false;
720 }
721
722 if (p->server_info->ptok == NULL) {
723 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
724 return False;
725 }
726
727 /*
728 * We're an authenticated bind over smb, so the session key needs to
729 * be set to "SystemLibraryDTC". Weird, but this is what Windows
730 * does. See the RPC-SAMBA3SESSIONKEY.
731 */
732
733 session_key = generic_session_key();
734 if (session_key.data == NULL) {
735 return False;
736 }
737
738 ret = server_info_set_session_key(p->server_info, session_key);
739
740 data_blob_free(&session_key);
741
742 return True;
743 }
744
745 /*******************************************************************
746 This is the "stage3" NTLMSSP response after a bind request and reply.
747 *******************************************************************/
748
749 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
750 {
751 RPC_HDR_AUTH auth_info;
752 uint32 pad = 0;
753 DATA_BLOB blob;
754 uint32_t auth_len = p->hdr.auth_len;
755
756 ZERO_STRUCT(blob);
757
758 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
759
760 if (auth_len == 0) {
761 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
762 goto err;
763 }
764
765 /* 4 bytes padding. */
766 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
767 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
768 goto err;
769 }
770
771 /* Ensure there's enough data for an authenticated request. */
772 if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
773 p->hdr.frag_len) {
774 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
775 "%u is too large.\n",
776 (unsigned int)auth_len ));
777 goto err;
778 }
779
780 /*
781 * Decode the authentication verifier response.
782 */
783
784 /* Pull the auth header and the following data into a blob. */
785 /* NB. The offset of the auth_header is relative to the *end*
786 * of the packet, not the start. Also, the length of the
787 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
788 * as the RPC header isn't included in rpc_in_p. */
789 if(!prs_set_offset(rpc_in_p,
790 p->hdr.frag_len - RPC_HEADER_LEN -
791 RPC_HDR_AUTH_LEN - auth_len)) {
792 DEBUG(0,("api_pipe_bind_auth3: cannot move "
793 "offset to %u.\n",
794 (unsigned int)(p->hdr.frag_len -
795 RPC_HDR_AUTH_LEN - auth_len) ));
796 goto err;
797 }
798
799 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
800 DEBUG(0,("api_pipe_bind_auth3: failed to "
801 "unmarshall RPC_HDR_AUTH.\n"));
802 goto err;
803 }
804
805 /* We must NEVER look at auth_info->auth_pad_len here,
806 * as old Samba client code gets it wrong and sends it
807 * as zero. JRA.
808 */
809
810 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
811 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
812 (unsigned int)auth_info.auth_type ));
813 return False;
814 }
815
816 blob = data_blob(NULL,p->hdr.auth_len);
817
818 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
819 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
820 (unsigned int)p->hdr.auth_len ));
821 goto err;
822 }
823
824 /*
825 * The following call actually checks the challenge/response data.
826 * for correctness against the given DOMAIN\user name.
827 */
828
829 if (!pipe_ntlmssp_verify_final(p, &blob)) {
830 goto err;
831 }
832
833 data_blob_free(&blob);
834
835 p->pipe_bound = True;
836
837 return True;
838
839 err:
840
841 data_blob_free(&blob);
842 free_pipe_ntlmssp_auth_data(&p->auth);
843 p->auth.a_u.auth_ntlmssp_state = NULL;
844
845 return False;
846 }
847
848 /*******************************************************************
849 Marshall a bind_nak pdu.
850 *******************************************************************/
851
852 static bool setup_bind_nak(pipes_struct *p)
853 {
854 NTSTATUS status;
855 union dcerpc_payload u;
856 DATA_BLOB blob;
857
858 /* Free any memory in the current return data buffer. */
859 prs_mem_free(&p->out_data.rdata);
860
861 /*
862 * Marshall directly into the outgoing PDU space. We
863 * must do this as we need to set to the bind response
864 * header and are never sending more than one PDU here.
865 */
866
867 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
868
869 /*
870 * Initialize a bind_nak header.
871 */
872
873 ZERO_STRUCT(u);
874
875 u.bind_nak.reject_reason = 0;
876
877 status = dcerpc_push_ncacn_packet(p->mem_ctx,
878 DCERPC_PKT_BIND_NAK,
879 DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
880 RPC_HEADER_LEN + sizeof(uint16_t) /* FIXME - gd */,
881 0,
882 p->hdr.call_id,
883 u,
884 &blob);
885 if (!NT_STATUS_IS_OK(status)) {
886 prs_mem_free(&p->out_data.frag);
887 return False;
888 }
889
890 if (!prs_copy_data_in(&p->out_data.frag,
891 (char *)blob.data, blob.length)) {
892 prs_mem_free(&p->out_data.frag);
893 return False;
894 }
895
896 p->out_data.data_sent_length = 0;
897 p->out_data.current_pdu_sent = 0;
898
899 if (p->auth.auth_data_free_func) {
900 (*p->auth.auth_data_free_func)(&p->auth);
901 }
902 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
903 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
904 p->pipe_bound = False;
905
906 return True;
907 }
908
909 /*******************************************************************
910 Marshall a fault pdu.
911 *******************************************************************/
912
913 bool setup_fault_pdu(pipes_struct *p, NTSTATUS fault_status)
914 {
915 NTSTATUS status;
916 union dcerpc_payload u;
917 DATA_BLOB blob;
918
919 /* Free any memory in the current return data buffer. */
920 prs_mem_free(&p->out_data.rdata);
921
922 /*
923 * Marshall directly into the outgoing PDU space. We
924 * must do this as we need to set to the bind response
925 * header and are never sending more than one PDU here.
926 */
927
928 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
929
930 /*
931 * Initialize a fault header.
932 */
933
934 ZERO_STRUCT(u);
935
936 u.fault.status = NT_STATUS_V(fault_status);
937 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
938
939 status = dcerpc_push_ncacn_packet(p->mem_ctx,
940 DCERPC_PKT_FAULT,
941 DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
942 RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN /* FIXME - gd */,
943 0,
944 p->hdr.call_id,
945 u,
946 &blob);
947 if (!NT_STATUS_IS_OK(status)) {
948 prs_mem_free(&p->out_data.frag);
949 return False;
950 }
951
952 if (!prs_copy_data_in(&p->out_data.frag,
953 (char *)blob.data, blob.length)) {
954 prs_mem_free(&p->out_data.frag);
955 return False;
956 }
957
958 p->out_data.data_sent_length = 0;
959 p->out_data.current_pdu_sent = 0;
960
961 return True;
962 }
963
964 /*******************************************************************
965 Ensure a bind request has the correct abstract & transfer interface.
966 Used to reject unknown binds from Win2k.
967 *******************************************************************/
968
969 static bool check_bind_req(struct pipes_struct *p,
970 struct ndr_syntax_id* abstract,
971 struct ndr_syntax_id* transfer,
972 uint32 context_id)
973 {
974 struct pipe_rpc_fns *context_fns;
975
976 DEBUG(3,("check_bind_req for %s\n",
977 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
978
979 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
980 if (rpc_srv_pipe_exists_by_id(abstract) &&
981 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
982 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
983 rpc_srv_get_pipe_cli_name(abstract),
984 rpc_srv_get_pipe_srv_name(abstract)));
985 } else {
986 return false;
987 }
988
989 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
990 if (context_fns == NULL) {
991 DEBUG(0,("check_bind_req: malloc() failed!\n"));
992 return False;
993 }
994
995 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
996 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
997 context_fns->context_id = context_id;
998
999 /* add to the list of open contexts */
1000
1001 DLIST_ADD( p->contexts, context_fns );
1002
1003 return True;
1004 }
1005
1006 /**
1007 * Is a named pipe known?
1008 * @param[in] cli_filename The pipe name requested by the client
1009 * @result Do we want to serve this?
1010 */
1011 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1012 {
1013 const char *pipename = cli_filename;
1014 NTSTATUS status;
1015
1016 if (strnequal(pipename, "\\PIPE\\", 6)) {
1017 pipename += 5;
1018 }
1019
1020 if (*pipename == '\\') {
1021 pipename += 1;
1022 }
1023
1024 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1025 DEBUG(10, ("refusing spoolss access\n"));
1026 return false;
1027 }
1028
1029 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
1030 return true;
1031 }
1032
1033 status = smb_probe_module("rpc", pipename);
1034 if (!NT_STATUS_IS_OK(status)) {
1035 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1036 return false;
1037 }
1038 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1039
1040 /*
1041 * Scan the list again for the interface id
1042 */
1043 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
1044 return true;
1045 }
1046
1047 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1048 pipename));
1049
1050 return false;
1051 }
1052
1053 /*******************************************************************
1054 Handle a SPNEGO krb5 bind auth.
1055 *******************************************************************/
1056
1057 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1058 DATA_BLOB *psecblob, prs_struct *pout_auth)
1059 {
1060 return False;
1061 }
1062
1063 /*******************************************************************
1064 Handle the first part of a SPNEGO bind auth.
1065 *******************************************************************/
1066
1067 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1068 uint32_t ss_padding_len,
1069 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1070 {
1071 DATA_BLOB blob;
1072 DATA_BLOB secblob;
1073 DATA_BLOB response;
1074 DATA_BLOB chal;
1075 char *OIDs[ASN1_MAX_OIDS];
1076 int i;
1077 NTSTATUS status;
1078 bool got_kerberos_mechanism = false;
1079 struct auth_ntlmssp_state *a = NULL;
1080 RPC_HDR_AUTH auth_info;
1081
1082 ZERO_STRUCT(secblob);
1083 ZERO_STRUCT(chal);
1084 ZERO_STRUCT(response);
1085
1086 /* Grab the SPNEGO blob. */
1087 blob = data_blob(NULL,p->hdr.auth_len);
1088
1089 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1090 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1091 (unsigned int)p->hdr.auth_len ));
1092 goto err;
1093 }
1094
1095 if (blob.data[0] != ASN1_APPLICATION(0)) {
1096 goto err;
1097 }
1098
1099 /* parse out the OIDs and the first sec blob */
1100 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1101 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1102 goto err;
1103 }
1104
1105 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1106 got_kerberos_mechanism = true;
1107 }
1108
1109 for (i=0;OIDs[i];i++) {
1110 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1111 TALLOC_FREE(OIDs[i]);
1112 }
1113 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1114
1115 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1116 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1117 data_blob_free(&secblob);
1118 data_blob_free(&blob);
1119 return ret;
1120 }
1121
1122 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1123 /* Free any previous auth type. */
1124 free_pipe_ntlmssp_auth_data(&p->auth);
1125 }
1126
1127 if (!got_kerberos_mechanism) {
1128 /* Initialize the NTLM engine. */
1129 status = auth_ntlmssp_start(&a);
1130 if (!NT_STATUS_IS_OK(status)) {
1131 goto err;
1132 }
1133
1134 switch (pauth_info->auth_level) {
1135 case DCERPC_AUTH_LEVEL_INTEGRITY:
1136 auth_ntlmssp_want_sign(a);
1137 break;
1138 case DCERPC_AUTH_LEVEL_PRIVACY:
1139 auth_ntlmssp_want_seal(a);
1140 break;
1141 default:
1142 break;
1143 }
1144 /*
1145 * Pass the first security blob of data to it.
1146 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1147 * which means we need another packet to complete the bind.
1148 */
1149
1150 status = auth_ntlmssp_update(a, secblob, &chal);
1151
1152 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1153 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1154 goto err;
1155 }
1156
1157 /* Generate the response blob we need for step 2 of the bind. */
1158 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1159 } else {
1160 /*
1161 * SPNEGO negotiate down to NTLMSSP. The subsequent
1162 * code to process follow-up packets is not complete
1163 * yet. JRA.
1164 */
1165 response = spnego_gen_auth_response(NULL,
1166 NT_STATUS_MORE_PROCESSING_REQUIRED,
1167 OID_NTLMSSP);
1168 }
1169
1170 /* auth_pad_len will be handled by the caller */
1171
1172 /* Copy the blob into the pout_auth parse struct */
1173 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1174 pauth_info->auth_level, ss_padding_len, 1);
1175 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1176 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1177 goto err;
1178 }
1179
1180 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1181 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1182 goto err;
1183 }
1184
1185 p->auth.a_u.auth_ntlmssp_state = a;
1186 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1187 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1188
1189 data_blob_free(&blob);
1190 data_blob_free(&secblob);
1191 data_blob_free(&chal);
1192 data_blob_free(&response);
1193
1194 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1195 return True;
1196
1197 err:
1198
1199 data_blob_free(&blob);
1200 data_blob_free(&secblob);
1201 data_blob_free(&chal);
1202 data_blob_free(&response);
1203
1204 p->auth.a_u.auth_ntlmssp_state = NULL;
1205
1206 return False;
1207 }
1208
1209 /*******************************************************************
1210 Handle the second part of a SPNEGO bind auth.
1211 *******************************************************************/
1212
1213 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1214 uint32_t ss_padding_len,
1215 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1216 {
1217 RPC_HDR_AUTH auth_info;
1218 DATA_BLOB spnego_blob;
1219 DATA_BLOB auth_blob;
1220 DATA_BLOB auth_reply;
1221 DATA_BLOB response;
1222 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
1223
1224 ZERO_STRUCT(spnego_blob);
1225 ZERO_STRUCT(auth_blob);
1226 ZERO_STRUCT(auth_reply);
1227 ZERO_STRUCT(response);
1228
1229 /*
1230 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1231 * fail here as 'a' == NULL.
1232 */
1233 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1234 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1235 goto err;
1236 }
1237
1238 /* Grab the SPNEGO blob. */
1239 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1240
1241 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1242 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1243 (unsigned int)p->hdr.auth_len ));
1244 goto err;
1245 }
1246
1247 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1248 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1249 goto err;
1250 }
1251
1252 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1253 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1254 goto err;
1255 }
1256
1257 /*
1258 * The following call actually checks the challenge/response data.
1259 * for correctness against the given DOMAIN\user name.
1260 */
1261
1262 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1263 goto err;
1264 }
1265
1266 data_blob_free(&spnego_blob);
1267 data_blob_free(&auth_blob);
1268
1269 /* Generate the spnego "accept completed" blob - no incoming data. */
1270 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1271
1272 /* FIXME - add auth_pad_len here ! */
1273
1274 /* Copy the blob into the pout_auth parse struct */
1275 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1276 pauth_info->auth_level, ss_padding_len, 1);
1277 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1278 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1279 goto err;
1280 }
1281
1282 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1283 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1284 goto err;
1285 }
1286
1287 data_blob_free(&auth_reply);
1288 data_blob_free(&response);
1289
1290 p->pipe_bound = True;
1291
1292 return True;
1293
1294 err:
1295
1296 data_blob_free(&spnego_blob);
1297 data_blob_free(&auth_blob);
1298 data_blob_free(&auth_reply);
1299 data_blob_free(&response);
1300
1301 free_pipe_ntlmssp_auth_data(&p->auth);
1302 p->auth.a_u.auth_ntlmssp_state = NULL;
1303
1304 return False;
1305 }
1306
1307 /*******************************************************************
1308 Handle an schannel bind auth.
1309 *******************************************************************/
1310
1311 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1312 uint32_t ss_padding_len,
1313 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1314 {
1315 RPC_HDR_AUTH auth_info;
1316 struct NL_AUTH_MESSAGE neg;
1317 struct NL_AUTH_MESSAGE reply;
1318 bool ret;
1319 NTSTATUS status;
1320 struct netlogon_creds_CredentialState *creds;
1321 DATA_BLOB session_key;
1322 enum ndr_err_code ndr_err;
1323 DATA_BLOB blob;
1324
1325 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1326 prs_data_size(rpc_in_p));
1327
1328 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), &neg,
1329 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1330 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1331 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1332 return false;
1333 }
1334
1335 if (DEBUGLEVEL >= 10) {
1336 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1337 }
1338
1339 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1340 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1341 return false;
1342 }
1343
1344 /*
1345 * The neg.oem_netbios_computer.a key here must match the remote computer name
1346 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1347 * operations that use credentials.
1348 */
1349
1350 become_root();
1351 status = schannel_get_creds_state(p, lp_private_dir(),
1352 neg.oem_netbios_computer.a, &creds);
1353 unbecome_root();
1354
1355 if (!NT_STATUS_IS_OK(status)) {
1356 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1357 return False;
1358 }
1359
1360 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1361 if (!p->auth.a_u.schannel_auth) {
1362 TALLOC_FREE(creds);
1363 return False;
1364 }
1365
1366 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1367 p->auth.a_u.schannel_auth->seq_num = 0;
1368 p->auth.a_u.schannel_auth->initiator = false;
1369 p->auth.a_u.schannel_auth->creds = creds;
1370
1371 /*
1372 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1373 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1374 * struct of the person who opened the pipe. I need to test this further. JRA.
1375 *
1376 * VL. As we are mapping this to guest set the generic key
1377 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1378 * W2k3, as it does not allow schannel binds against SAMR and LSA
1379 * anymore.
1380 */
1381
1382 session_key = generic_session_key();
1383 if (session_key.data == NULL) {
1384 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1385 " key\n"));
1386 return false;
1387 }
1388
1389 ret = server_info_set_session_key(p->server_info, session_key);
1390
1391 data_blob_free(&session_key);
1392
1393 if (!ret) {
1394 DEBUG(0, ("server_info_set_session_key failed\n"));
1395 return false;
1396 }
1397
1398 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1399 pauth_info->auth_level, ss_padding_len, 1);
1400 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1401 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1402 return False;
1403 }
1404
1405 /*** SCHANNEL verifier ***/
1406
1407 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1408 reply.Flags = 0;
1409 reply.Buffer.dummy = 5; /* ??? actually I don't think
1410 * this has any meaning
1411 * here - gd */
1412
1413 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &reply,
1414 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1415 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1416 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1417 return false;
1418 }
1419
1420 if (DEBUGLEVEL >= 10) {
1421 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1422 }
1423
1424 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1425 return false;
1426 }
1427
1428 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1429 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1430
1431 /* We're finished with this bind - no more packets. */
1432 p->auth.auth_data_free_func = NULL;
1433 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1434
1435 p->pipe_bound = True;
1436
1437 return True;
1438 }
1439
1440 /*******************************************************************
1441 Handle an NTLMSSP bind auth.
1442 *******************************************************************/
1443
1444 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1445 uint32_t ss_padding_len,
1446 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1447 {
1448 RPC_HDR_AUTH auth_info;
1449 DATA_BLOB blob;
1450 DATA_BLOB response;
1451 NTSTATUS status;
1452 struct auth_ntlmssp_state *a = NULL;
1453
1454 ZERO_STRUCT(blob);
1455 ZERO_STRUCT(response);
1456
1457 /* Grab the NTLMSSP blob. */
1458 blob = data_blob(NULL,p->hdr.auth_len);
1459
1460 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1461 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1462 (unsigned int)p->hdr.auth_len ));
1463 goto err;
1464 }
1465
1466 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1467 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1468 goto err;
1469 }
1470
1471 /* We have an NTLMSSP blob. */
1472 status = auth_ntlmssp_start(&a);
1473 if (!NT_STATUS_IS_OK(status)) {
1474 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1475 nt_errstr(status) ));
1476 goto err;
1477 }
1478
1479 switch (pauth_info->auth_level) {
1480 case DCERPC_AUTH_LEVEL_INTEGRITY:
1481 auth_ntlmssp_want_sign(a);
1482 break;
1483 case DCERPC_AUTH_LEVEL_PRIVACY:
1484 auth_ntlmssp_want_seal(a);
1485 break;
1486 default:
1487 break;
1488 }
1489
1490 status = auth_ntlmssp_update(a, blob, &response);
1491 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1492 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1493 nt_errstr(status) ));
1494 goto err;
1495 }
1496
1497 data_blob_free(&blob);
1498
1499 /* Copy the blob into the pout_auth parse struct */
1500 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1501 pauth_info->auth_level, ss_padding_len, 1);
1502 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1503 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1504 goto err;
1505 }
1506
1507 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1508 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1509 goto err;
1510 }
1511
1512 p->auth.a_u.auth_ntlmssp_state = a;
1513 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1514 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1515
1516 data_blob_free(&blob);
1517 data_blob_free(&response);
1518
1519 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1520
1521 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1522 return True;
1523
1524 err:
1525
1526 data_blob_free(&blob);
1527 data_blob_free(&response);
1528
1529 free_pipe_ntlmssp_auth_data(&p->auth);
1530 p->auth.a_u.auth_ntlmssp_state = NULL;
1531 return False;
1532 }
1533
1534 /*******************************************************************
1535 Respond to a pipe bind request.
1536 *******************************************************************/
1537
1538 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1539 {
1540 RPC_HDR_BA hdr_ba;
1541 struct dcerpc_bind rpc_bind;
1542 DATA_BLOB blob_rb;
1543 RPC_HDR_AUTH auth_info;
1544 uint16 assoc_gid;
1545 fstring ack_pipe_name;
1546 prs_struct out_hdr_ba;
1547 prs_struct out_auth;
1548 int auth_len = 0;
1549 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1550 uint32_t ss_padding_len = 0;
1551 NTSTATUS status;
1552 struct ndr_syntax_id id;
1553
1554 /* No rebinds on a bound pipe - use alter context. */
1555 if (p->pipe_bound) {
1556 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1557 "pipe %s.\n",
1558 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1559 return setup_bind_nak(p);
1560 }
1561
1562 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1563
1564 /*
1565 * Marshall directly into the outgoing PDU space. We
1566 * must do this as we need to set to the bind response
1567 * header and are never sending more than one PDU here.
1568 */
1569
1570 /*
1571 * Setup the memory to marshall the ba header, and the
1572 * auth footers.
1573 */
1574
1575 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1576 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1577 prs_mem_free(&p->out_data.frag);
1578 return False;
1579 }
1580
1581 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1582 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1583 prs_mem_free(&p->out_data.frag);
1584 prs_mem_free(&out_hdr_ba);
1585 return False;
1586 }
1587
1588 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1589
1590 /* decode the bind request */
1591 blob_rb = data_blob_const(prs_data_p(rpc_in_p),
1592 prs_data_size(rpc_in_p));
1593 status = dcerpc_pull_dcerpc_bind(talloc_tos(), &blob_rb, &rpc_bind);
1594 if (!NT_STATUS_IS_OK(status)) {
1595 goto err_exit;
1596 }
1597
1598 if (rpc_bind.num_contexts == 0) {
1599 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1600 goto err_exit;
1601 }
1602
1603 /*
1604 * Try and find the correct pipe name to ensure
1605 * that this is a pipe name we support.
1606 */
1607 id = rpc_bind.ctx_list[0].abstract_syntax;
1608 if (rpc_srv_pipe_exists_by_id(&id)) {
1609 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1610 rpc_srv_get_pipe_cli_name(&id),
1611 rpc_srv_get_pipe_srv_name(&id)));
1612 } else {
1613 status = smb_probe_module(
1614 "rpc", get_pipe_name_from_syntax(
1615 talloc_tos(),
1616 &rpc_bind.ctx_list[0].abstract_syntax));
1617
1618 if (NT_STATUS_IS_ERR(status)) {
1619 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1620 get_pipe_name_from_syntax(
1621 talloc_tos(),
1622 &rpc_bind.ctx_list[0].abstract_syntax)));
1623 prs_mem_free(&p->out_data.frag);
1624 prs_mem_free(&out_hdr_ba);
1625 prs_mem_free(&out_auth);
1626
1627 return setup_bind_nak(p);
1628 }
1629
1630 if (rpc_srv_get_pipe_interface_by_cli_name(
1631 get_pipe_name_from_syntax(talloc_tos(),
1632 &p->syntax),
1633 &id)) {
1634 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1635 rpc_srv_get_pipe_cli_name(&id),
1636 rpc_srv_get_pipe_srv_name(&id)));
1637 } else {
1638 DEBUG(0, ("module %s doesn't provide functions for "
1639 "pipe %s!\n",
1640 get_pipe_name_from_syntax(talloc_tos(),
1641 &p->syntax),
1642 get_pipe_name_from_syntax(talloc_tos(),
1643 &p->syntax)));
1644 goto err_exit;
1645 }
1646 }
1647
1648 /* name has to be \PIPE\xxxxx */
1649 fstrcpy(ack_pipe_name, "\\PIPE\\");
1650 fstrcat(ack_pipe_name, rpc_srv_get_pipe_srv_name(&id));
1651
1652 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1653
1654 if (rpc_bind.assoc_group_id != 0) {
1655 assoc_gid = rpc_bind.assoc_group_id;
1656 } else {
1657 assoc_gid = 0x53f0;
1658 }
1659
1660
1661 /*
1662 * Create the bind response struct.
1663 */
1664
1665 /* If the requested abstract synt uuid doesn't match our client pipe,
1666 reject the bind_ack & set the transfer interface synt to all 0's,
1667 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1668 unknown to NT4)
1669 Needed when adding entries to a DACL from NT5 - SK */
1670
1671 if (check_bind_req(p,
1672 &rpc_bind.ctx_list[0].abstract_syntax,
1673 &rpc_bind.ctx_list[0].transfer_syntaxes[0],
1674 rpc_bind.ctx_list[0].context_id)) {
1675 init_rpc_hdr_ba(&hdr_ba,
1676 RPC_MAX_PDU_FRAG_LEN,
1677 RPC_MAX_PDU_FRAG_LEN,
1678 assoc_gid,
1679 ack_pipe_name,
1680 0x1, 0x0, 0x0,
1681 &rpc_bind.ctx_list[0].transfer_syntaxes[0]);
1682 } else {
1683 /* Rejection reason: abstract syntax not supported */
1684 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1685 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1686 ack_pipe_name, 0x1, 0x2, 0x1,
1687 &null_ndr_syntax_id);
1688 p->pipe_bound = False;
1689 }
1690
1691 /*
1692 * and marshall it.
1693 */
1694
1695 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1696 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1697 goto err_exit;
1698 }
1699
1700 /*
1701 * Check if this is an authenticated bind request.
1702 */
1703
1704 if (p->hdr.auth_len) {
1705 /*
1706 * Decode the authentication verifier.
1707 */
1708
1709 /* Work out any padding needed before the auth footer. */
1710 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1711 ss_padding_len = SERVER_NDR_PADDING_SIZE -
1712 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1713 DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1714 (unsigned int)ss_padding_len ));
1715 }
1716
1717 /* Quick length check. Won't catch a bad auth footer,
1718 * prevents overrun. */
1719
1720 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1721 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1722 "too long for fragment %u.\n",
1723 (unsigned int)p->hdr.auth_len,
1724 (unsigned int)p->hdr.frag_len ));
1725 goto err_exit;
1726 }
1727
1728 /* Pull the auth header and the following data into a blob. */
1729 /* NB. The offset of the auth_header is relative to the *end*
1730 * of the packet, not the start. Also, the length of the
1731 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1732 * as the RPC header isn't included in rpc_in_p. */
1733 if(!prs_set_offset(rpc_in_p,
1734 p->hdr.frag_len - RPC_HEADER_LEN -
1735 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1736 DEBUG(0,("api_pipe_bind_req: cannot move "
1737 "offset to %u.\n",
1738 (unsigned int)(p->hdr.frag_len -
1739 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1740 goto err_exit;
1741 }
1742
1743 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1744 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1745 goto err_exit;
1746 }
1747
1748 auth_type = auth_info.auth_type;
1749
1750 /* Work out if we have to sign or seal etc. */
1751 switch (auth_info.auth_level) {
1752 case DCERPC_AUTH_LEVEL_INTEGRITY:
1753 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1754 break;
1755 case DCERPC_AUTH_LEVEL_PRIVACY:
1756 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1757 break;
1758 default:
1759 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1760 (unsigned int)auth_info.auth_level ));
1761 goto err_exit;
1762 }
1763 } else {
1764 ZERO_STRUCT(auth_info);
1765 }
1766
1767 switch(auth_type) {
1768 case DCERPC_AUTH_TYPE_NTLMSSP:
1769 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1770 ss_padding_len, &auth_info, &out_auth)) {
1771 goto err_exit;
1772 }
1773 assoc_gid = 0x7a77;
1774 break;
1775
1776 case DCERPC_AUTH_TYPE_SCHANNEL:
1777 if (!pipe_schannel_auth_bind(p, rpc_in_p,
1778 ss_padding_len, &auth_info, &out_auth)) {
1779 goto err_exit;
1780 }
1781 break;
1782
1783 case DCERPC_AUTH_TYPE_SPNEGO:
1784 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1785 ss_padding_len, &auth_info, &out_auth)) {
1786 goto err_exit;
1787 }
1788 break;
1789
1790 case DCERPC_AUTH_TYPE_NONE:
1791 /* Unauthenticated bind request. */
1792 /* We're finished - no more packets. */
1793 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1794 /* We must set the pipe auth_level here also. */
1795 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1796 p->pipe_bound = True;
1797 /* The session key was initialized from the SMB
1798 * session in make_internal_rpc_pipe_p */
1799 ss_padding_len = 0;
1800 break;
1801
1802 default:
1803 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1804 goto err_exit;
1805 }
1806 /*
1807 * Create the header, now we know the length.
1808 */
1809
1810 if (prs_offset(&out_auth)) {
1811 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1812 }
1813
1814 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1815 p->hdr.call_id,
1816 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1817 ss_padding_len + prs_offset(&out_auth),
1818 auth_len);
1819
1820 /*
1821 * Marshall the header into the outgoing PDU.
1822 */
1823
1824 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1825 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1826 goto err_exit;
1827 }
1828
1829 /*
1830 * Now add the RPC_HDR_BA and any auth needed.
1831 */
1832
1833 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1834 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1835 goto err_exit;
1836 }
1837
1838 if (auth_len) {
1839 if (ss_padding_len) {
1840 char pad[SERVER_NDR_PADDING_SIZE];
1841 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1842 if (!prs_copy_data_in(&p->out_data.frag, pad,
1843 ss_padding_len)) {
1844 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1845 "bytes of pad data.\n",
1846 (unsigned int)ss_padding_len));
1847 goto err_exit;
1848 }
1849 }
1850
1851 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1852 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1853 goto err_exit;
1854 }
1855 }
1856
1857 /*
1858 * Setup the lengths for the initial reply.
1859 */
1860
1861 p->out_data.data_sent_length = 0;
1862 p->out_data.current_pdu_sent = 0;
1863
1864 prs_mem_free(&out_hdr_ba);
1865 prs_mem_free(&out_auth);
1866
1867 return True;
1868
1869 err_exit:
1870
1871 prs_mem_free(&p->out_data.frag);
1872 prs_mem_free(&out_hdr_ba);
1873 prs_mem_free(&out_auth);
1874 return setup_bind_nak(p);
1875 }
1876
1877 /****************************************************************************
1878 Deal with an alter context call. Can be third part of 3 leg auth request for
1879 SPNEGO calls.
1880 ****************************************************************************/
1881
1882 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1883 {
1884 RPC_HDR_BA hdr_ba;
1885 struct dcerpc_bind rpc_bind;
1886 DATA_BLOB blob_rb;
1887 RPC_HDR_AUTH auth_info;
1888 uint16 assoc_gid;
1889 fstring ack_pipe_name;
1890 prs_struct out_hdr_ba;
1891 prs_struct out_auth;
1892 int auth_len = 0;
1893 uint32_t ss_padding_len = 0;
1894 NTSTATUS status;
1895
1896 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1897
1898 /*
1899 * Marshall directly into the outgoing PDU space. We
1900 * must do this as we need to set to the bind response
1901 * header and are never sending more than one PDU here.
1902 */
1903
1904 /*
1905 * Setup the memory to marshall the ba header, and the
1906 * auth footers.
1907 */
1908
1909 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1910 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1911 prs_mem_free(&p->out_data.frag);
1912 return False;
1913 }
1914
1915 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1916 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1917 prs_mem_free(&p->out_data.frag);
1918 prs_mem_free(&out_hdr_ba);
1919 return False;
1920 }
1921
1922 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1923
1924 /* decode the alter context request */
1925 blob_rb = data_blob_const(prs_data_p(rpc_in_p),
1926 prs_data_size(rpc_in_p));
1927 status = dcerpc_pull_dcerpc_bind(talloc_tos(), &blob_rb, &rpc_bind);
1928 if (!NT_STATUS_IS_OK(status)) {
1929 goto err_exit;
1930 }
1931
1932 /* secondary address CAN be NULL
1933 * as the specs say it's ignored.
1934 * It MUST be NULL to have the spoolss working.
1935 */
1936 fstrcpy(ack_pipe_name,"");
1937
1938 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1939
1940 if (rpc_bind.assoc_group_id != 0) {
1941 assoc_gid = rpc_bind.assoc_group_id;
1942 } else {
1943 assoc_gid = 0x53f0;
1944 }
1945
1946 /*
1947 * Create the bind response struct.
1948 */
1949
1950 /* If the requested abstract synt uuid doesn't match our client pipe,
1951 reject the bind_ack & set the transfer interface synt to all 0's,
1952 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1953 unknown to NT4)
1954 Needed when adding entries to a DACL from NT5 - SK */
1955
1956 if (check_bind_req(p,
1957 &rpc_bind.ctx_list[0].abstract_syntax,
1958 &rpc_bind.ctx_list[0].transfer_syntaxes[0],
1959 rpc_bind.ctx_list[0].context_id)) {
1960 init_rpc_hdr_ba(&hdr_ba,
1961 RPC_MAX_PDU_FRAG_LEN,
1962 RPC_MAX_PDU_FRAG_LEN,
1963 assoc_gid,
1964 ack_pipe_name,
1965 0x1, 0x0, 0x0,
1966 &rpc_bind.ctx_list[0].transfer_syntaxes[0]);
1967 } else {
1968 /* Rejection reason: abstract syntax not supported */
1969 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1970 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1971 ack_pipe_name, 0x1, 0x2, 0x1,
1972 &null_ndr_syntax_id);
1973 p->pipe_bound = False;
1974 }
1975
1976 /*
1977 * and marshall it.
1978 */
1979
1980 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1981 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1982 goto err_exit;
1983 }
1984
1985
1986 /*
1987 * Check if this is an authenticated alter context request.
1988 */
1989
1990 if (p->hdr.auth_len != 0) {
1991 /*
1992 * Decode the authentication verifier.
1993 */
1994
1995 /* Work out any padding needed before the auth footer. */
1996 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1997 ss_padding_len = SERVER_NDR_PADDING_SIZE -
1998 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1999 DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2000 (unsigned int)ss_padding_len ));
2001 }
2002
2003 /* Quick length check. Won't catch a bad auth footer,
2004 * prevents overrun. */
2005
2006 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2007 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2008 "too long for fragment %u.\n",
2009 (unsigned int)p->hdr.auth_len,
2010 (unsigned int)p->hdr.frag_len ));
2011 goto err_exit;
2012 }
2013
2014 /* Pull the auth header and the following data into a blob. */
2015 /* NB. The offset of the auth_header is relative to the *end*
2016 * of the packet, not the start. Also, the length of the
2017 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2018 * as the RPC header isn't included in rpc_in_p. */
2019 if(!prs_set_offset(rpc_in_p,
2020 p->hdr.frag_len - RPC_HEADER_LEN -
2021 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2022 DEBUG(0,("api_alter_context: cannot move "
2023 "offset to %u.\n",
2024 (unsigned int)(p->hdr.frag_len -
2025 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2026 goto err_exit;
2027 }
2028
2029 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2030 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2031 goto err_exit;
2032 }
2033
2034 /*
2035 * Currently only the SPNEGO auth type uses the alter ctx
2036 * response in place of the NTLMSSP auth3 type.
2037 */
2038
2039 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2040 /* We can only finish if the pipe is unbound. */
2041 if (!p->pipe_bound) {
2042 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2043 ss_padding_len, &auth_info, &out_auth)) {
2044 goto err_exit;
2045 }
2046 } else {
2047 goto err_exit;
2048 }
2049 }
2050 } else {
2051 ZERO_STRUCT(auth_info);
2052 }
2053 /*
2054 * Create the header, now we know the length.
2055 */
2056
2057 if (prs_offset(&out_auth)) {
2058 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2059 }
2060
2061 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2062 p->hdr.call_id,
2063 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2064 auth_len);
2065
2066 /*
2067 * Marshall the header into the outgoing PDU.
2068 */
2069
2070 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2071 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2072 goto err_exit;
2073 }
2074
2075 /*
2076 * Now add the RPC_HDR_BA and any auth needed.
2077 */
2078
2079 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2080 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2081 goto err_exit;
2082 }
2083
2084 if (auth_len) {
2085 if (ss_padding_len) {
2086 char pad[SERVER_NDR_PADDING_SIZE];
2087 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2088 if (!prs_copy_data_in(&p->out_data.frag, pad,
2089 ss_padding_len)) {
2090 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2091 "bytes of pad data.\n",
2092 (unsigned int)ss_padding_len));
2093 goto err_exit;
2094 }
2095 }
2096
2097 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2098 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2099 goto err_exit;
2100 }
2101 }
2102
2103 /*
2104 * Setup the lengths for the initial reply.
2105 */
2106
2107 p->out_data.data_sent_length = 0;
2108 p->out_data.current_pdu_sent = 0;
2109
2110 prs_mem_free(&out_hdr_ba);
2111 prs_mem_free(&out_auth);
2112 return True;
2113
2114 err_exit:
2115
2116 prs_mem_free(&p->out_data.frag);
2117 prs_mem_free(&out_hdr_ba);
2118 prs_mem_free(&out_auth);
2119 return setup_bind_nak(p);
2120 }
2121
2122 /****************************************************************************
2123 Deal with NTLMSSP sign & seal processing on an RPC request.
2124 ****************************************************************************/
2125
2126 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2127 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2128 {
2129 RPC_HDR_AUTH auth_info;
2130 uint32 auth_len = p->hdr.auth_len;
2131 uint32 save_offset = prs_offset(rpc_in);
2132 struct auth_ntlmssp_state *a = p->auth.a_u.auth_ntlmssp_state;
2133 unsigned char *data = NULL;
2134 size_t data_len;
2135 unsigned char *full_packet_data = NULL;
2136 size_t full_packet_data_len;
2137 DATA_BLOB auth_blob;
2138
2139 *pstatus = NT_STATUS_OK;
2140
2141 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2142 return True;
2143 }
2144
2145 if (!a) {
2146 *pstatus = NT_STATUS_INVALID_PARAMETER;
2147 return False;
2148 }
2149
2150 /* Ensure there's enough data for an authenticated request. */
2151 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2152 + auth_len > p->hdr.frag_len) {
2153 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2154 (unsigned int)auth_len ));
2155 *pstatus = NT_STATUS_INVALID_PARAMETER;
2156 return False;
2157 }
2158
2159 /*
2160 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2161 * after the RPC header.
2162 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2163 * functions as NTLMv2 checks the rpc headers also.
2164 * Both of these values include any auth_pad_len bytes.
2165 */
2166
2167 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2168 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2169
2170 full_packet_data = p->in_data.current_in_pdu;
2171 full_packet_data_len = p->hdr.frag_len - auth_len;
2172
2173 /* Pull the auth header and the following data into a blob. */
2174 /* NB. The offset of the auth_header is relative to the *end*
2175 * of the packet, not the start. Also, the length of the
2176 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2177 * as the RPC header isn't included in rpc_in_p. */
2178 if(!prs_set_offset(rpc_in,
2179 p->hdr.frag_len - RPC_HEADER_LEN -
2180 RPC_HDR_AUTH_LEN - auth_len)) {
2181 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2182 "offset to %u.\n",
2183 (unsigned int)(p->hdr.frag_len -
2184 RPC_HDR_AUTH_LEN - auth_len) ));
2185 *pstatus = NT_STATUS_INVALID_PARAMETER;
2186 return False;
2187 }
2188
2189 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2190 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2191 "unmarshall RPC_HDR_AUTH.\n"));
2192 *pstatus = NT_STATUS_INVALID_PARAMETER;
2193 return False;
2194 }
2195
2196 /* Ensure auth_pad_len fits into the packet. */
2197 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2198 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2199 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2200 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2201 (unsigned int)auth_info.auth_pad_len,
2202 (unsigned int)auth_len,
2203 (unsigned int)p->hdr.frag_len ));
2204 *pstatus = NT_STATUS_INVALID_PARAMETER;
2205 return False;
2206 }
2207
2208 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2209 auth_blob.length = auth_len;
2210
2211 switch (p->auth.auth_level) {
2212 case DCERPC_AUTH_LEVEL_PRIVACY:
2213 /* Data is encrypted. */
2214 *pstatus = auth_ntlmssp_unseal_packet(a,
2215 data, data_len,
2216 full_packet_data,
2217 full_packet_data_len,
2218 &auth_blob);
2219 if (!NT_STATUS_IS_OK(*pstatus)) {
2220 return False;
2221 }
2222 break;
2223 case DCERPC_AUTH_LEVEL_INTEGRITY:
2224 /* Data is signed. */
2225 *pstatus = auth_ntlmssp_check_packet(a,
2226 data, data_len,
2227 full_packet_data,
2228 full_packet_data_len,
2229 &auth_blob);
2230 if (!NT_STATUS_IS_OK(*pstatus)) {
2231 return False;
2232 }
2233 break;
2234 default:
2235 *pstatus = NT_STATUS_INVALID_PARAMETER;
2236 return False;
2237 }
2238
2239 /*
2240 * Return the current pointer to the data offset.
2241 */
2242
2243 if(!prs_set_offset(rpc_in, save_offset)) {
2244 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2245 (unsigned int)save_offset ));
2246 *pstatus = NT_STATUS_INVALID_PARAMETER;
2247 return False;
2248 }
2249
2250 /*
2251 * Remember the padding length. We must remove it from the real data
2252 * stream once the sign/seal is done.
2253 */
2254
2255 *p_ss_padding_len = auth_info.auth_pad_len;
2256
2257 return True;
2258 }
2259
2260 /****************************************************************************
2261 Deal with schannel processing on an RPC request.
2262 ****************************************************************************/
2263
2264 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2265 {
2266 uint32 data_len;
2267 uint32 auth_len;
2268 uint32 save_offset = prs_offset(rpc_in);
2269 RPC_HDR_AUTH auth_info;
2270 DATA_BLOB blob;
2271 NTSTATUS status;
2272 uint8_t *data;
2273
2274 auth_len = p->hdr.auth_len;
2275
2276 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2277 auth_len > RPC_HEADER_LEN +
2278 RPC_HDR_REQ_LEN +
2279 RPC_HDR_AUTH_LEN +
2280 auth_len) {
2281 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2282 return False;
2283 }
2284
2285 /*
2286 * The following is that length of the data we must verify or unseal.
2287 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2288 * preceeding the auth_data, but does include the auth_pad_len bytes.
2289 */
2290
2291 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2292 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2293 (unsigned int)p->hdr.frag_len,
2294 (unsigned int)auth_len ));
2295 return False;
2296 }
2297
2298 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2299 RPC_HDR_AUTH_LEN - auth_len;
2300
2301 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2302
2303 /* Pull the auth header and the following data into a blob. */
2304 /* NB. The offset of the auth_header is relative to the *end*
2305 * of the packet, not the start. Also, the length of the
2306 * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2307 * as the RPC header isn't included in rpc_in_p. */
2308 if(!prs_set_offset(rpc_in,
2309 p->hdr.frag_len - RPC_HEADER_LEN -
2310 RPC_HDR_AUTH_LEN - auth_len)) {
2311 DEBUG(0,("api_pipe_schannel_process: cannot move "
2312 "offset to %u.\n",
2313 (unsigned int)(p->hdr.frag_len -
2314 RPC_HDR_AUTH_LEN - auth_len) ));
2315 return False;
2316 }
2317
2318 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2319 DEBUG(0,("api_pipe_schannel_process: failed to "
2320 "unmarshall RPC_HDR_AUTH.\n"));
2321 return False;
2322 }
2323
2324 /* Ensure auth_pad_len fits into the packet. */
2325 if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2326 RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2327 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2328 "too large (%u), auth_len (%u), frag_len = (%u).\n",
2329 (unsigned int)auth_info.auth_pad_len,
2330 (unsigned int)auth_len,
2331 (unsigned int)p->hdr.frag_len ));
2332 return False;
2333 }
2334
2335 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2336 DEBUG(0,("Invalid auth info %d on schannel\n",
2337 auth_info.auth_type));
2338 return False;
2339 }
2340
2341 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2342
2343 if (DEBUGLEVEL >= 10) {
2344 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2345 }
2346
2347 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2348
2349 switch (auth_info.auth_level) {
2350 case DCERPC_AUTH_LEVEL_PRIVACY:
2351 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2352 talloc_tos(),
2353 true,
2354 data,
2355 data_len,
2356 &blob);
2357 break;
2358 case DCERPC_AUTH_LEVEL_INTEGRITY:
2359 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2360 talloc_tos(),
2361 false,
2362 data,
2363 data_len,
2364 &blob);
2365 break;
2366 default:
2367 status = NT_STATUS_INTERNAL_ERROR;
2368 break;
2369 }
2370
2371 if (!NT_STATUS_IS_OK(status)) {
2372 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2373 return false;
2374 }
2375
2376 /*
2377 * Return the current pointer to the data offset.
2378 */
2379
2380 if(!prs_set_offset(rpc_in, save_offset)) {
2381 DEBUG(0,("failed to set offset back to %u\n",
2382 (unsigned int)save_offset ));
2383 return False;
2384 }
2385
2386 /*
2387 * Remember the padding length. We must remove it from the real data
2388 * stream once the sign/seal is done.
2389 */
2390
2391 *p_ss_padding_len = auth_info.auth_pad_len;
2392
2393 return True;
2394 }
2395
2396 /****************************************************************************
2397 Find the set of RPC functions associated with this context_id
2398 ****************************************************************************/
2399
2400 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2401 {
2402 PIPE_RPC_FNS *fns = NULL;
2403
2404 if ( !list ) {
2405 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2406 return NULL;
2407 }
2408
2409 for (fns=list; fns; fns=fns->next ) {
2410 if ( fns->context_id == context_id )
2411 return fns;
2412 }
2413 return NULL;
2414 }
2415
2416 /****************************************************************************
2417 Memory cleanup.
2418 ****************************************************************************/
2419
2420 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2421 {
2422 PIPE_RPC_FNS *tmp = list;
2423 PIPE_RPC_FNS *tmp2;
2424
2425 while (tmp) {
2426 tmp2 = tmp->next;
2427 SAFE_FREE(tmp);
2428 tmp = tmp2;
2429 }
2430
2431 return;
2432 }
2433
2434 static bool api_rpcTNP(pipes_struct *p,
2435 const struct api_struct *api_rpc_cmds, int n_cmds);
2436
2437 /****************************************************************************
2438 Find the correct RPC function to call for this request.
2439 If the pipe is authenticated then become the correct UNIX user
2440 before doing the call.
2441 ****************************************************************************/
2442
2443 bool api_pipe_request(pipes_struct *p)
2444 {
2445 bool ret = False;
2446 bool changed_user = False;
2447 PIPE_RPC_FNS *pipe_fns;
2448
2449 if (p->pipe_bound &&
2450 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2451 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2452 if(!become_authenticated_pipe_user(p)) {
2453 prs_mem_free(&p->out_data.rdata);
2454 return False;
2455 }
2456 changed_user = True;
2457 }
2458
2459 DEBUG(5, ("Requested \\PIPE\\%s\n",
2460 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2461
2462 /* get the set of RPC functions for this context */
2463
2464 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2465
2466 if ( pipe_fns ) {
2467 TALLOC_CTX *frame = talloc_stackframe();
2468 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2469 TALLOC_FREE(frame);
2470 }
2471 else {
2472 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2473 p->hdr_req.context_id,
2474 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2475 }
2476
2477 if (changed_user) {
2478 unbecome_authenticated_pipe_user();
2479 }
2480
2481 return ret;
2482 }
2483
2484 /*******************************************************************
2485 Calls the underlying RPC function for a named pipe.
2486 ********************************************************************/
2487
2488 static bool api_rpcTNP(pipes_struct *p,
2489 const struct api_struct *api_rpc_cmds, int n_cmds)
2490 {
2491 int fn_num;
2492 uint32 offset1, offset2;
2493
2494 /* interpret the command */
2495 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2496 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2497 p->hdr_req.opnum));
2498
2499 if (DEBUGLEVEL >= 50) {
2500 fstring name;
2501 slprintf(name, sizeof(name)-1, "in_%s",
2502 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2503 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2504 }
2505
2506 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2507 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2508 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2509 break;
2510 }
2511 }
2512
2513 if (fn_num == n_cmds) {
2514 /*
2515 * For an unknown RPC just return a fault PDU but
2516 * return True to allow RPC's on the pipe to continue
2517 * and not put the pipe into fault state. JRA.
2518 */
2519 DEBUG(4, ("unknown\n"));
2520 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2521 return True;
2522 }
2523
2524 offset1 = prs_offset(&p->out_data.rdata);
2525
2526 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2527 fn_num, api_rpc_cmds[fn_num].fn));
2528 /* do the actual command */
2529 if(!api_rpc_cmds[fn_num].fn(p)) {
2530 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2531 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2532 api_rpc_cmds[fn_num].name));
2533 prs_mem_free(&p->out_data.rdata);
2534 return False;
2535 }
2536
2537 if (p->bad_handle_fault_state) {
2538 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2539 p->bad_handle_fault_state = False;
2540 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2541 return True;
2542 }
2543
2544 if (p->rng_fault_state) {
2545 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2546 p->rng_fault_state = False;
2547 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2548 return True;
2549 }
2550
2551 offset2 = prs_offset(&p->out_data.rdata);
2552 prs_set_offset(&p->out_data.rdata, offset1);
2553 if (DEBUGLEVEL >= 50) {
2554 fstring name;
2555 slprintf(name, sizeof(name)-1, "out_%s",
2556 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2557 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2558 }
2559 prs_set_offset(&p->out_data.rdata, offset2);
2560
2561 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2562 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2563
2564 /* Check for buffer underflow in rpc parsing */
2565
2566 if ((DEBUGLEVEL >= 10) &&
2567 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2568 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2569 char *data = (char *)SMB_MALLOC(data_len);
2570
2571 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2572 if (data) {
2573 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2574 SAFE_FREE(data);
2575 }
2576
2577 }
2578
2579 return True;
2580 }
WIP