search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
examples/VFS: fix skel_transparent.c in reference to shadow_copy changes
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blobfc08d56b1e97dc00a3fbfa50de0b33ef0efa04e6
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../libcli/auth/schannel.h"
35 #include "../libcli/auth/spnego.h"
36 #include "dcesrv_ntlmssp.h"
37 #include "dcesrv_gssapi.h"
38 #include "dcesrv_spnego.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43 #include "ntdomain.h"
44 #include "rpc_server/srv_pipe.h"
45 #include "rpc_server/rpc_contexts.h"
46
47 #undef DBGC_CLASS
48 #define DBGC_CLASS DBGC_RPC_SRV
49
50 /**
51 * Dump everything from the start of the end up of the provided data
52 * into a file, but only at debug level >= 50
53 **/
54 static void dump_pdu_region(const char *name, int v,
55 DATA_BLOB *data, size_t start, size_t end)
56 {
57 int fd, i;
58 char *fname = NULL;
59 ssize_t sz;
60
61 if (DEBUGLEVEL < 50) return;
62
63 if (start > data->length || end > data->length || start > end) return;
64
65 for (i = 1; i < 100; i++) {
66 if (v != -1) {
67 fname = talloc_asprintf(talloc_tos(),
68 "/tmp/%s_%d.%d.prs",
69 name, v, i);
70 } else {
71 fname = talloc_asprintf(talloc_tos(),
72 "/tmp/%s_%d.prs",
73 name, i);
74 }
75 if (!fname) {
76 return;
77 }
78 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
79 if (fd != -1 || errno != EEXIST) break;
80 }
81 if (fd != -1) {
82 sz = write(fd, data->data + start, end - start);
83 i = close(fd);
84 if ((sz != end - start) || (i != 0) ) {
85 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
86 fname, (unsigned long)sz,
87 (unsigned long)end - start, i));
88 } else {
89 DEBUG(0,("created %s\n", fname));
90 }
91 }
92 TALLOC_FREE(fname);
93 }
94
95 static DATA_BLOB generic_session_key(void)
96 {
97 return data_blob_const("SystemLibraryDTC", 16);
98 }
99
100 /*******************************************************************
101 Generate the next PDU to be returned from the data.
102 ********************************************************************/
103
104 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
105 struct pipe_auth_data *auth,
106 uint32_t call_id,
107 DATA_BLOB *rdata,
108 size_t data_sent_length,
109 DATA_BLOB *frag,
110 size_t *pdu_size)
111 {
112 union dcerpc_payload u;
113 uint8_t pfc_flags;
114 size_t data_left;
115 size_t data_to_send;
116 size_t frag_len;
117 size_t pad_len = 0;
118 size_t auth_len = 0;
119 NTSTATUS status;
120
121 ZERO_STRUCT(u.response);
122
123 /* Set up rpc packet pfc flags. */
124 if (data_sent_length == 0) {
125 pfc_flags = DCERPC_PFC_FLAG_FIRST;
126 } else {
127 pfc_flags = 0;
128 }
129
130 /* Work out how much we can fit in a single PDU. */
131 data_left = rdata->length - data_sent_length;
132
133 /* Ensure there really is data left to send. */
134 if (!data_left) {
135 DEBUG(0, ("No data left to send !\n"));
136 return NT_STATUS_BUFFER_TOO_SMALL;
137 }
138
139 status = dcerpc_guess_sizes(auth,
140 DCERPC_RESPONSE_LENGTH,
141 data_left,
142 RPC_MAX_PDU_FRAG_LEN,
143 SERVER_NDR_PADDING_SIZE,
144 &data_to_send, &frag_len,
145 &auth_len, &pad_len);
146 if (!NT_STATUS_IS_OK(status)) {
147 return status;
148 }
149
150 /* Set up the alloc hint. This should be the data left to send. */
151 u.response.alloc_hint = data_left;
152
153 /* Work out if this PDU will be the last. */
154 if (data_sent_length + data_to_send >= rdata->length) {
155 pfc_flags |= DCERPC_PFC_FLAG_LAST;
156 }
157
158 /* Prepare data to be NDR encoded. */
159 u.response.stub_and_verifier =
160 data_blob_const(rdata->data + data_sent_length, data_to_send);
161
162 /* Store the packet in the data stream. */
163 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
164 pfc_flags, auth_len, call_id,
165 &u, frag);
166 if (!NT_STATUS_IS_OK(status)) {
167 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
168 return status;
169 }
170
171 if (auth_len) {
172 /* Set the proper length on the pdu, including padding.
173 * Only needed if an auth trailer will be appended. */
174 dcerpc_set_frag_length(frag, frag->length
175 + pad_len
176 + DCERPC_AUTH_TRAILER_LENGTH
177 + auth_len);
178 }
179
180 if (auth_len) {
181 status = dcerpc_add_auth_footer(auth, pad_len, frag);
182 if (!NT_STATUS_IS_OK(status)) {
183 data_blob_free(frag);
184 return status;
185 }
186 }
187
188 *pdu_size = data_to_send;
189 return NT_STATUS_OK;
190 }
191
192 /*******************************************************************
193 Generate the next PDU to be returned from the data in p->rdata.
194 ********************************************************************/
195
196 bool create_next_pdu(struct pipes_struct *p)
197 {
198 size_t pdu_size = 0;
199 NTSTATUS status;
200
201 /*
202 * If we're in the fault state, keep returning fault PDU's until
203 * the pipe gets closed. JRA.
204 */
205 if (p->fault_state) {
206 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
207 return true;
208 }
209
210 status = create_next_packet(p->mem_ctx, &p->auth,
211 p->call_id, &p->out_data.rdata,
212 p->out_data.data_sent_length,
213 &p->out_data.frag, &pdu_size);
214 if (!NT_STATUS_IS_OK(status)) {
215 DEBUG(0, ("Failed to create packet with error %s, "
216 "(auth level %u / type %u)\n",
217 nt_errstr(status),
218 (unsigned int)p->auth.auth_level,
219 (unsigned int)p->auth.auth_type));
220 return false;
221 }
222
223 /* Setup the counts for this PDU. */
224 p->out_data.data_sent_length += pdu_size;
225 p->out_data.current_pdu_sent = 0;
226 return true;
227 }
228
229
230 static bool pipe_init_outgoing_data(struct pipes_struct *p);
231
232 /*******************************************************************
233 Marshall a bind_nak pdu.
234 *******************************************************************/
235
236 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
237 {
238 NTSTATUS status;
239 union dcerpc_payload u;
240
241 /* Free any memory in the current return data buffer. */
242 pipe_init_outgoing_data(p);
243
244 /*
245 * Initialize a bind_nak header.
246 */
247
248 ZERO_STRUCT(u);
249
250 u.bind_nak.reject_reason = 0;
251
252 /*
253 * Marshall directly into the outgoing PDU space. We
254 * must do this as we need to set to the bind response
255 * header and are never sending more than one PDU here.
256 */
257
258 status = dcerpc_push_ncacn_packet(p->mem_ctx,
259 DCERPC_PKT_BIND_NAK,
260 DCERPC_PFC_FLAG_FIRST |
261 DCERPC_PFC_FLAG_LAST,
262 0,
263 pkt->call_id,
264 &u,
265 &p->out_data.frag);
266 if (!NT_STATUS_IS_OK(status)) {
267 return False;
268 }
269
270 p->out_data.data_sent_length = 0;
271 p->out_data.current_pdu_sent = 0;
272
273 TALLOC_FREE(p->auth.auth_ctx);
274 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
275 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
276 p->pipe_bound = False;
277
278 return True;
279 }
280
281 /*******************************************************************
282 Marshall a fault pdu.
283 *******************************************************************/
284
285 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
286 {
287 NTSTATUS status;
288 union dcerpc_payload u;
289
290 /* Free any memory in the current return data buffer. */
291 pipe_init_outgoing_data(p);
292
293 /*
294 * Initialize a fault header.
295 */
296
297 ZERO_STRUCT(u);
298
299 u.fault.status = NT_STATUS_V(fault_status);
300 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
301
302 /*
303 * Marshall directly into the outgoing PDU space. We
304 * must do this as we need to set to the bind response
305 * header and are never sending more than one PDU here.
306 */
307
308 status = dcerpc_push_ncacn_packet(p->mem_ctx,
309 DCERPC_PKT_FAULT,
310 DCERPC_PFC_FLAG_FIRST |
311 DCERPC_PFC_FLAG_LAST |
312 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
313 0,
314 p->call_id,
315 &u,
316 &p->out_data.frag);
317 if (!NT_STATUS_IS_OK(status)) {
318 return False;
319 }
320
321 p->out_data.data_sent_length = 0;
322 p->out_data.current_pdu_sent = 0;
323
324 return True;
325 }
326
327 /*******************************************************************
328 Ensure a bind request has the correct abstract & transfer interface.
329 Used to reject unknown binds from Win2k.
330 *******************************************************************/
331
332 static bool check_bind_req(struct pipes_struct *p,
333 struct ndr_syntax_id* abstract,
334 struct ndr_syntax_id* transfer,
335 uint32_t context_id)
336 {
337 struct pipe_rpc_fns *context_fns;
338 bool ok;
339
340 DEBUG(3,("check_bind_req for %s\n",
341 get_pipe_name_from_syntax(talloc_tos(), abstract)));
342
343 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
344 if (rpc_srv_pipe_exists_by_id(abstract) &&
345 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
346 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
347 rpc_srv_get_pipe_cli_name(abstract),
348 rpc_srv_get_pipe_srv_name(abstract)));
349 } else {
350 return false;
351 }
352
353 ok = init_pipe_handles(p, abstract);
354 if (!ok) {
355 DEBUG(1, ("Failed to init pipe handles!\n"));
356 return false;
357 }
358
359 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
360 if (context_fns == NULL) {
361 DEBUG(0,("check_bind_req: malloc() failed!\n"));
362 return False;
363 }
364
365 context_fns->next = context_fns->prev = NULL;
366 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
367 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
368 context_fns->context_id = context_id;
369 context_fns->syntax = *abstract;
370
371 /* add to the list of open contexts */
372
373 DLIST_ADD( p->contexts, context_fns );
374
375 return True;
376 }
377
378 /**
379 * Is a named pipe known?
380 * @param[in] cli_filename The pipe name requested by the client
381 * @result Do we want to serve this?
382 */
383 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
384 {
385 const char *pipename = cli_filename;
386 NTSTATUS status;
387
388 if (strnequal(pipename, "\\PIPE\\", 6)) {
389 pipename += 5;
390 }
391
392 if (*pipename == '\\') {
393 pipename += 1;
394 }
395
396 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
397 DEBUG(10, ("refusing spoolss access\n"));
398 return false;
399 }
400
401 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
402 return true;
403 }
404
405 status = smb_probe_module("rpc", pipename);
406 if (!NT_STATUS_IS_OK(status)) {
407 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
408 return false;
409 }
410 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
411
412 /*
413 * Scan the list again for the interface id
414 */
415 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
416 return true;
417 }
418
419 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
420 pipename));
421
422 return false;
423 }
424
425 /*******************************************************************
426 Handle the first part of a SPNEGO bind auth.
427 *******************************************************************/
428
429 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
430 TALLOC_CTX *mem_ctx,
431 struct dcerpc_auth *auth_info,
432 DATA_BLOB *response)
433 {
434 struct spnego_context *spnego_ctx;
435 NTSTATUS status;
436
437 status = spnego_server_auth_start(p,
438 (auth_info->auth_level ==
439 DCERPC_AUTH_LEVEL_INTEGRITY),
440 (auth_info->auth_level ==
441 DCERPC_AUTH_LEVEL_PRIVACY),
442 true,
443 &auth_info->credentials,
444 response,
445 &spnego_ctx);
446 if (!NT_STATUS_IS_OK(status)) {
447 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
448 nt_errstr(status)));
449 return false;
450 }
451
452 /* Make sure data is bound to the memctx, to be freed the caller */
453 talloc_steal(mem_ctx, response->data);
454
455 p->auth.auth_ctx = spnego_ctx;
456 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
457
458 DEBUG(10, ("SPNEGO auth started\n"));
459
460 return true;
461 }
462
463 /*******************************************************************
464 Handle an schannel bind auth.
465 *******************************************************************/
466
467 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
468 TALLOC_CTX *mem_ctx,
469 struct dcerpc_auth *auth_info,
470 DATA_BLOB *response)
471 {
472 struct NL_AUTH_MESSAGE neg;
473 struct NL_AUTH_MESSAGE reply;
474 bool ret;
475 NTSTATUS status;
476 struct netlogon_creds_CredentialState *creds;
477 enum ndr_err_code ndr_err;
478 struct schannel_state *schannel_auth;
479
480 ndr_err = ndr_pull_struct_blob(
481 &auth_info->credentials, mem_ctx, &neg,
482 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
483 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
484 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
485 return false;
486 }
487
488 if (DEBUGLEVEL >= 10) {
489 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
490 }
491
492 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
493 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
494 return false;
495 }
496
497 /*
498 * The neg.oem_netbios_computer.a key here must match the remote computer name
499 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
500 * operations that use credentials.
501 */
502
503 become_root();
504 status = schannel_get_creds_state(p, lp_private_dir(),
505 neg.oem_netbios_computer.a, &creds);
506 unbecome_root();
507
508 if (!NT_STATUS_IS_OK(status)) {
509 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
510 return False;
511 }
512
513 schannel_auth = talloc(p, struct schannel_state);
514 if (!schannel_auth) {
515 TALLOC_FREE(creds);
516 return False;
517 }
518
519 schannel_auth->state = SCHANNEL_STATE_START;
520 schannel_auth->seq_num = 0;
521 schannel_auth->initiator = false;
522 schannel_auth->creds = creds;
523
524 /*
525 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
526 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
527 * struct of the person who opened the pipe. I need to test this further. JRA.
528 *
529 * VL. As we are mapping this to guest set the generic key
530 * "SystemLibraryDTC" key here. It's a bit difficult to test against
531 * W2k3, as it does not allow schannel binds against SAMR and LSA
532 * anymore.
533 */
534
535 ret = session_info_set_session_key(p->session_info, generic_session_key());
536
537 if (!ret) {
538 DEBUG(0, ("session_info_set_session_key failed\n"));
539 return false;
540 }
541
542 /*** SCHANNEL verifier ***/
543
544 reply.MessageType = NL_NEGOTIATE_RESPONSE;
545 reply.Flags = 0;
546 reply.Buffer.dummy = 5; /* ??? actually I don't think
547 * this has any meaning
548 * here - gd */
549
550 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
551 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
552 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
553 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
554 return false;
555 }
556
557 if (DEBUGLEVEL >= 10) {
558 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
559 }
560
561 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
562 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
563
564 /* We're finished with this bind - no more packets. */
565 p->auth.auth_ctx = schannel_auth;
566 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
567
568 p->pipe_bound = True;
569
570 return True;
571 }
572
573 /*******************************************************************
574 Handle an NTLMSSP bind auth.
575 *******************************************************************/
576
577 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
578 TALLOC_CTX *mem_ctx,
579 struct dcerpc_auth *auth_info,
580 DATA_BLOB *response)
581 {
582 struct auth_ntlmssp_state *ntlmssp_state = NULL;
583 NTSTATUS status;
584
585 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
586 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
587 return false;
588 }
589
590 /* We have an NTLMSSP blob. */
591 status = ntlmssp_server_auth_start(p,
592 (auth_info->auth_level ==
593 DCERPC_AUTH_LEVEL_INTEGRITY),
594 (auth_info->auth_level ==
595 DCERPC_AUTH_LEVEL_PRIVACY),
596 true,
597 &auth_info->credentials,
598 response,
599 &ntlmssp_state);
600 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
601 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
602 nt_errstr(status)));
603 return false;
604 }
605
606 /* Make sure data is bound to the memctx, to be freed the caller */
607 talloc_steal(mem_ctx, response->data);
608
609 p->auth.auth_ctx = ntlmssp_state;
610 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
611
612 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
613
614 return true;
615 }
616
617 /*******************************************************************
618 Process an NTLMSSP authentication response.
619 If this function succeeds, the user has been authenticated
620 and their domain, name and calling workstation stored in
621 the pipe struct.
622 *******************************************************************/
623
624 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
625 struct auth_ntlmssp_state *ntlmssp_ctx,
626 enum dcerpc_AuthLevel auth_level,
627 struct client_address *client_id,
628 struct auth_serversupplied_info **session_info)
629 {
630 NTSTATUS status;
631 bool ret;
632
633 DEBUG(5, (__location__ ": checking user details\n"));
634
635 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
636 ensure the underlying NTLMSSP flags are also set. If not we should
637 refuse the bind. */
638
639 status = ntlmssp_server_check_flags(ntlmssp_ctx,
640 (auth_level ==
641 DCERPC_AUTH_LEVEL_INTEGRITY),
642 (auth_level ==
643 DCERPC_AUTH_LEVEL_PRIVACY));
644 if (!NT_STATUS_IS_OK(status)) {
645 DEBUG(0, (__location__ ": Client failed to negotatie proper "
646 "security for rpc connection\n"));
647 return false;
648 }
649
650 TALLOC_FREE(*session_info);
651
652 status = ntlmssp_server_get_user_info(ntlmssp_ctx,
653 mem_ctx, session_info);
654 if (!NT_STATUS_IS_OK(status)) {
655 DEBUG(0, (__location__ ": failed to obtain the server info "
656 "for authenticated user: %s\n", nt_errstr(status)));
657 return false;
658 }
659
660 if ((*session_info)->security_token == NULL) {
661 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
662 return false;
663 }
664
665 /*
666 * We're an authenticated bind over smb, so the session key needs to
667 * be set to "SystemLibraryDTC". Weird, but this is what Windows
668 * does. See the RPC-SAMBA3SESSIONKEY.
669 */
670
671 ret = session_info_set_session_key((*session_info), generic_session_key());
672 if (!ret) {
673 DEBUG(0, ("Failed to set session key!\n"));
674 return false;
675 }
676
677 return true;
678 }
679
680 /*******************************************************************
681 Handle a GSSAPI bind auth.
682 *******************************************************************/
683
684 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
685 TALLOC_CTX *mem_ctx,
686 struct dcerpc_auth *auth_info,
687 DATA_BLOB *response)
688 {
689 NTSTATUS status;
690 struct gse_context *gse_ctx = NULL;
691
692 status = gssapi_server_auth_start(p,
693 (auth_info->auth_level ==
694 DCERPC_AUTH_LEVEL_INTEGRITY),
695 (auth_info->auth_level ==
696 DCERPC_AUTH_LEVEL_PRIVACY),
697 true,
698 &auth_info->credentials,
699 response,
700 &gse_ctx);
701 if (!NT_STATUS_IS_OK(status)) {
702 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
703 nt_errstr(status)));
704 goto err;
705 }
706
707 /* Make sure data is bound to the memctx, to be freed the caller */
708 talloc_steal(mem_ctx, response->data);
709
710 p->auth.auth_ctx = gse_ctx;
711 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
712
713 DEBUG(10, ("KRB5 auth started\n"));
714
715 return true;
716
717 err:
718 TALLOC_FREE(gse_ctx);
719 return false;
720 }
721
722 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
723 struct gse_context *gse_ctx,
724 struct client_address *client_id,
725 struct auth_serversupplied_info **session_info)
726 {
727 NTSTATUS status;
728 bool bret;
729
730 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
731 ensure the underlying flags are also set. If not we should
732 refuse the bind. */
733
734 status = gssapi_server_check_flags(gse_ctx);
735 if (!NT_STATUS_IS_OK(status)) {
736 DEBUG(0, ("Requested Security Layers not honored!\n"));
737 return status;
738 }
739
740 status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
741 client_id, session_info);
742 if (!NT_STATUS_IS_OK(status)) {
743 DEBUG(0, (__location__ ": failed to obtain the server info "
744 "for authenticated user: %s\n", nt_errstr(status)));
745 return status;
746 }
747
748 /*
749 * We're an authenticated bind over smb, so the session key needs to
750 * be set to "SystemLibraryDTC". Weird, but this is what Windows
751 * does. See the RPC-SAMBA3SESSIONKEY.
752 */
753
754 bret = session_info_set_session_key((*session_info), generic_session_key());
755 if (!bret) {
756 return NT_STATUS_ACCESS_DENIED;
757 }
758
759 return NT_STATUS_OK;
760 }
761
762 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
763 {
764 enum spnego_mech auth_type;
765 struct auth_ntlmssp_state *ntlmssp_ctx;
766 struct spnego_context *spnego_ctx;
767 struct gse_context *gse_ctx;
768 void *mech_ctx;
769 NTSTATUS status;
770
771 switch (p->auth.auth_type) {
772 case DCERPC_AUTH_TYPE_NTLMSSP:
773 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
774 struct auth_ntlmssp_state);
775 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
776 p->auth.auth_level,
777 p->client_id,
778 &p->session_info)) {
779 return NT_STATUS_ACCESS_DENIED;
780 }
781 break;
782 case DCERPC_AUTH_TYPE_KRB5:
783 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
784 struct gse_context);
785 status = pipe_gssapi_verify_final(p, gse_ctx,
786 p->client_id,
787 &p->session_info);
788 if (!NT_STATUS_IS_OK(status)) {
789 DEBUG(1, ("gssapi bind failed with: %s",
790 nt_errstr(status)));
791 return status;
792 }
793 break;
794 case DCERPC_AUTH_TYPE_SPNEGO:
795 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
796 struct spnego_context);
797 status = spnego_get_negotiated_mech(spnego_ctx,
798 &auth_type, &mech_ctx);
799 if (!NT_STATUS_IS_OK(status)) {
800 DEBUG(0, ("Bad SPNEGO state (%s)\n",
801 nt_errstr(status)));
802 return status;
803 }
804 switch(auth_type) {
805 case SPNEGO_KRB5:
806 gse_ctx = talloc_get_type_abort(mech_ctx,
807 struct gse_context);
808 status = pipe_gssapi_verify_final(p, gse_ctx,
809 p->client_id,
810 &p->session_info);
811 if (!NT_STATUS_IS_OK(status)) {
812 DEBUG(1, ("gssapi bind failed with: %s",
813 nt_errstr(status)));
814 return status;
815 }
816 break;
817 case SPNEGO_NTLMSSP:
818 ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
819 struct auth_ntlmssp_state);
820 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
821 p->auth.auth_level,
822 p->client_id,
823 &p->session_info)) {
824 return NT_STATUS_ACCESS_DENIED;
825 }
826 break;
827 default:
828 DEBUG(0, (__location__ ": incorrect spnego type "
829 "(%d).\n", auth_type));
830 return NT_STATUS_ACCESS_DENIED;
831 }
832 break;
833 default:
834 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
835 (unsigned int)p->auth.auth_type));
836 return NT_STATUS_ACCESS_DENIED;
837 }
838
839 p->pipe_bound = true;
840
841 return NT_STATUS_OK;
842 }
843
844 /*******************************************************************
845 Respond to a pipe bind request.
846 *******************************************************************/
847
848 static bool api_pipe_bind_req(struct pipes_struct *p,
849 struct ncacn_packet *pkt)
850 {
851 struct dcerpc_auth auth_info;
852 uint16 assoc_gid;
853 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
854 NTSTATUS status;
855 struct ndr_syntax_id id;
856 union dcerpc_payload u;
857 struct dcerpc_ack_ctx bind_ack_ctx;
858 DATA_BLOB auth_resp = data_blob_null;
859 DATA_BLOB auth_blob = data_blob_null;
860
861 /* No rebinds on a bound pipe - use alter context. */
862 if (p->pipe_bound) {
863 DEBUG(2,("Rejecting bind request on bound rpc connection\n"));
864 return setup_bind_nak(p, pkt);
865 }
866
867 if (pkt->u.bind.num_contexts == 0) {
868 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
869 goto err_exit;
870 }
871
872 /*
873 * Try and find the correct pipe name to ensure
874 * that this is a pipe name we support.
875 */
876 id = pkt->u.bind.ctx_list[0].abstract_syntax;
877 if (rpc_srv_pipe_exists_by_id(&id)) {
878 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
879 rpc_srv_get_pipe_cli_name(&id),
880 rpc_srv_get_pipe_srv_name(&id)));
881 } else {
882 status = smb_probe_module(
883 "rpc", get_pipe_name_from_syntax(
884 talloc_tos(),
885 &id));
886
887 if (NT_STATUS_IS_ERR(status)) {
888 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
889 "%s in bind request.\n",
890 get_pipe_name_from_syntax(talloc_tos(), &id)));
891
892 return setup_bind_nak(p, pkt);
893 }
894
895 if (rpc_srv_get_pipe_interface_by_cli_name(
896 get_pipe_name_from_syntax(talloc_tos(),
897 &id),
898 &id)) {
899 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
900 rpc_srv_get_pipe_cli_name(&id),
901 rpc_srv_get_pipe_srv_name(&id)));
902 } else {
903 DEBUG(0, ("module %s doesn't provide functions for "
904 "pipe %s!\n",
905 get_pipe_name_from_syntax(talloc_tos(), &id),
906 get_pipe_name_from_syntax(talloc_tos(), &id)));
907 return setup_bind_nak(p, pkt);
908 }
909 }
910
911 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
912
913 if (pkt->u.bind.assoc_group_id != 0) {
914 assoc_gid = pkt->u.bind.assoc_group_id;
915 } else {
916 assoc_gid = 0x53f0;
917 }
918
919 /*
920 * Create the bind response struct.
921 */
922
923 /* If the requested abstract synt uuid doesn't match our client pipe,
924 reject the bind_ack & set the transfer interface synt to all 0's,
925 ver 0 (observed when NT5 attempts to bind to abstract interfaces
926 unknown to NT4)
927 Needed when adding entries to a DACL from NT5 - SK */
928
929 if (check_bind_req(p,
930 &pkt->u.bind.ctx_list[0].abstract_syntax,
931 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
932 pkt->u.bind.ctx_list[0].context_id)) {
933
934 bind_ack_ctx.result = 0;
935 bind_ack_ctx.reason = 0;
936 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
937 } else {
938 p->pipe_bound = False;
939 /* Rejection reason: abstract syntax not supported */
940 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
941 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
942 bind_ack_ctx.syntax = null_ndr_syntax_id;
943 }
944
945 /*
946 * Check if this is an authenticated bind request.
947 */
948 if (pkt->auth_length) {
949 /* Quick length check. Won't catch a bad auth footer,
950 * prevents overrun. */
951
952 if (pkt->frag_length < RPC_HEADER_LEN +
953 DCERPC_AUTH_TRAILER_LENGTH +
954 pkt->auth_length) {
955 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
956 "too long for fragment %u.\n",
957 (unsigned int)pkt->auth_length,
958 (unsigned int)pkt->frag_length));
959 goto err_exit;
960 }
961
962 /*
963 * Decode the authentication verifier.
964 */
965 status = dcerpc_pull_dcerpc_auth(pkt,
966 &pkt->u.bind.auth_info,
967 &auth_info, p->endian);
968 if (!NT_STATUS_IS_OK(status)) {
969 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
970 goto err_exit;
971 }
972
973 auth_type = auth_info.auth_type;
974
975 /* Work out if we have to sign or seal etc. */
976 switch (auth_info.auth_level) {
977 case DCERPC_AUTH_LEVEL_INTEGRITY:
978 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
979 break;
980 case DCERPC_AUTH_LEVEL_PRIVACY:
981 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
982 break;
983 case DCERPC_AUTH_LEVEL_CONNECT:
984 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
985 break;
986 default:
987 DEBUG(0, ("Unexpected auth level (%u).\n",
988 (unsigned int)auth_info.auth_level ));
989 goto err_exit;
990 }
991
992 switch (auth_type) {
993 case DCERPC_AUTH_TYPE_NTLMSSP:
994 if (!pipe_ntlmssp_auth_bind(p, pkt,
995 &auth_info, &auth_resp)) {
996 goto err_exit;
997 }
998 assoc_gid = 0x7a77;
999 break;
1000
1001 case DCERPC_AUTH_TYPE_SCHANNEL:
1002 if (!pipe_schannel_auth_bind(p, pkt,
1003 &auth_info, &auth_resp)) {
1004 goto err_exit;
1005 }
1006 break;
1007
1008 case DCERPC_AUTH_TYPE_SPNEGO:
1009 if (!pipe_spnego_auth_bind(p, pkt,
1010 &auth_info, &auth_resp)) {
1011 goto err_exit;
1012 }
1013 break;
1014
1015 case DCERPC_AUTH_TYPE_KRB5:
1016 if (!pipe_gssapi_auth_bind(p, pkt,
1017 &auth_info, &auth_resp)) {
1018 goto err_exit;
1019 }
1020 break;
1021
1022 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1023 if (p->transport == NCALRPC && p->ncalrpc_as_system) {
1024 TALLOC_FREE(p->session_info);
1025
1026 status = make_session_info_system(p,
1027 &p->session_info);
1028 if (!NT_STATUS_IS_OK(status)) {
1029 goto err_exit;
1030 }
1031
1032 auth_resp = data_blob_talloc(pkt,
1033 "NCALRPC_AUTH_OK",
1034 15);
1035
1036 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1037 p->pipe_bound = true;
1038 } else {
1039 goto err_exit;
1040 }
1041 break;
1042
1043 case DCERPC_AUTH_TYPE_NONE:
1044 break;
1045
1046 default:
1047 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1048 goto err_exit;
1049 }
1050 }
1051
1052 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1053 /* Unauthenticated bind request. */
1054 /* We're finished - no more packets. */
1055 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1056 /* We must set the pipe auth_level here also. */
1057 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1058 p->pipe_bound = True;
1059 /* The session key was initialized from the SMB
1060 * session in make_internal_rpc_pipe_p */
1061 }
1062
1063 ZERO_STRUCT(u.bind_ack);
1064 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1065 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1066 u.bind_ack.assoc_group_id = assoc_gid;
1067
1068 /* name has to be \PIPE\xxxxx */
1069 u.bind_ack.secondary_address =
1070 talloc_asprintf(pkt, "\\PIPE\\%s",
1071 rpc_srv_get_pipe_srv_name(&id));
1072 if (!u.bind_ack.secondary_address) {
1073 DEBUG(0, ("Out of memory!\n"));
1074 goto err_exit;
1075 }
1076 u.bind_ack.secondary_address_size =
1077 strlen(u.bind_ack.secondary_address) + 1;
1078
1079 u.bind_ack.num_results = 1;
1080 u.bind_ack.ctx_list = &bind_ack_ctx;
1081
1082 /* NOTE: We leave the auth_info empty so we can calculate the padding
1083 * later and then append the auth_info --simo */
1084
1085 /*
1086 * Marshall directly into the outgoing PDU space. We
1087 * must do this as we need to set to the bind response
1088 * header and are never sending more than one PDU here.
1089 */
1090
1091 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1092 DCERPC_PKT_BIND_ACK,
1093 DCERPC_PFC_FLAG_FIRST |
1094 DCERPC_PFC_FLAG_LAST,
1095 auth_resp.length,
1096 pkt->call_id,
1097 &u,
1098 &p->out_data.frag);
1099 if (!NT_STATUS_IS_OK(status)) {
1100 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1101 nt_errstr(status)));
1102 }
1103
1104 if (auth_resp.length) {
1105
1106 status = dcerpc_push_dcerpc_auth(pkt,
1107 auth_type,
1108 auth_info.auth_level,
1109 0,
1110 1, /* auth_context_id */
1111 &auth_resp,
1112 &auth_blob);
1113 if (!NT_STATUS_IS_OK(status)) {
1114 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1115 goto err_exit;
1116 }
1117 }
1118
1119 /* Now that we have the auth len store it into the right place in
1120 * the dcerpc header */
1121 dcerpc_set_frag_length(&p->out_data.frag,
1122 p->out_data.frag.length + auth_blob.length);
1123
1124 if (auth_blob.length) {
1125
1126 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1127 auth_blob.data, auth_blob.length)) {
1128 DEBUG(0, ("Append of auth info failed.\n"));
1129 goto err_exit;
1130 }
1131 }
1132
1133 /*
1134 * Setup the lengths for the initial reply.
1135 */
1136
1137 p->out_data.data_sent_length = 0;
1138 p->out_data.current_pdu_sent = 0;
1139
1140 TALLOC_FREE(auth_blob.data);
1141 return True;
1142
1143 err_exit:
1144
1145 data_blob_free(&p->out_data.frag);
1146 TALLOC_FREE(auth_blob.data);
1147 return setup_bind_nak(p, pkt);
1148 }
1149
1150 /*******************************************************************
1151 This is the "stage3" response after a bind request and reply.
1152 *******************************************************************/
1153
1154 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1155 {
1156 struct dcerpc_auth auth_info;
1157 DATA_BLOB response = data_blob_null;
1158 struct auth_ntlmssp_state *ntlmssp_ctx;
1159 struct spnego_context *spnego_ctx;
1160 struct gse_context *gse_ctx;
1161 NTSTATUS status;
1162
1163 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1164
1165 if (pkt->auth_length == 0) {
1166 DEBUG(0, ("No auth field sent for bind request!\n"));
1167 goto err;
1168 }
1169
1170 /* Ensure there's enough data for an authenticated request. */
1171 if (pkt->frag_length < RPC_HEADER_LEN
1172 + DCERPC_AUTH_TRAILER_LENGTH
1173 + pkt->auth_length) {
1174 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1175 "%u is too large.\n",
1176 (unsigned int)pkt->auth_length));
1177 goto err;
1178 }
1179
1180 /*
1181 * Decode the authentication verifier response.
1182 */
1183
1184 status = dcerpc_pull_dcerpc_auth(pkt,
1185 &pkt->u.auth3.auth_info,
1186 &auth_info, p->endian);
1187 if (!NT_STATUS_IS_OK(status)) {
1188 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1189 goto err;
1190 }
1191
1192 /* We must NEVER look at auth_info->auth_pad_len here,
1193 * as old Samba client code gets it wrong and sends it
1194 * as zero. JRA.
1195 */
1196
1197 if (auth_info.auth_type != p->auth.auth_type) {
1198 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1199 "but auth was started as type %d!\n",
1200 auth_info.auth_type, p->auth.auth_type));
1201 goto err;
1202 }
1203
1204 switch (auth_info.auth_type) {
1205 case DCERPC_AUTH_TYPE_NTLMSSP:
1206 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1207 struct auth_ntlmssp_state);
1208 status = ntlmssp_server_step(ntlmssp_ctx,
1209 pkt, &auth_info.credentials,
1210 &response);
1211 break;
1212 case DCERPC_AUTH_TYPE_KRB5:
1213 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1214 struct gse_context);
1215 status = gssapi_server_step(gse_ctx,
1216 pkt, &auth_info.credentials,
1217 &response);
1218 break;
1219 case DCERPC_AUTH_TYPE_SPNEGO:
1220 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1221 struct spnego_context);
1222 status = spnego_server_step(spnego_ctx,
1223 pkt, &auth_info.credentials,
1224 &response);
1225 break;
1226 default:
1227 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1228 (unsigned int)auth_info.auth_type));
1229 return false;
1230 }
1231
1232 if (NT_STATUS_EQUAL(status,
1233 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1234 response.length) {
1235 DEBUG(0, (__location__ ": This was supposed to be the final "
1236 "leg, but crypto machinery claims a response is "
1237 "needed, aborting auth!\n"));
1238 data_blob_free(&response);
1239 goto err;
1240 }
1241 if (!NT_STATUS_IS_OK(status)) {
1242 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1243 goto err;
1244 }
1245
1246 /* Now verify auth was indeed successful and extract server info */
1247 status = pipe_auth_verify_final(p);
1248 if (!NT_STATUS_IS_OK(status)) {
1249 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1250 goto err;
1251 }
1252
1253 return true;
1254
1255 err:
1256
1257 TALLOC_FREE(p->auth.auth_ctx);
1258 return false;
1259 }
1260
1261 /****************************************************************************
1262 Deal with an alter context call. Can be third part of 3 leg auth request for
1263 SPNEGO calls.
1264 ****************************************************************************/
1265
1266 static bool api_pipe_alter_context(struct pipes_struct *p,
1267 struct ncacn_packet *pkt)
1268 {
1269 struct dcerpc_auth auth_info;
1270 uint16 assoc_gid;
1271 NTSTATUS status;
1272 union dcerpc_payload u;
1273 struct dcerpc_ack_ctx bind_ack_ctx;
1274 DATA_BLOB auth_resp = data_blob_null;
1275 DATA_BLOB auth_blob = data_blob_null;
1276 int pad_len = 0;
1277 struct auth_ntlmssp_state *ntlmssp_ctx;
1278 struct spnego_context *spnego_ctx;
1279 struct gse_context *gse_ctx;
1280
1281 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1282
1283 if (pkt->u.bind.assoc_group_id != 0) {
1284 assoc_gid = pkt->u.bind.assoc_group_id;
1285 } else {
1286 assoc_gid = 0x53f0;
1287 }
1288
1289 /*
1290 * Create the bind response struct.
1291 */
1292
1293 /* If the requested abstract synt uuid doesn't match our client pipe,
1294 reject the bind_ack & set the transfer interface synt to all 0's,
1295 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1296 unknown to NT4)
1297 Needed when adding entries to a DACL from NT5 - SK */
1298
1299 if (check_bind_req(p,
1300 &pkt->u.bind.ctx_list[0].abstract_syntax,
1301 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1302 pkt->u.bind.ctx_list[0].context_id)) {
1303
1304 bind_ack_ctx.result = 0;
1305 bind_ack_ctx.reason = 0;
1306 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1307 } else {
1308 p->pipe_bound = False;
1309 /* Rejection reason: abstract syntax not supported */
1310 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1311 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1312 bind_ack_ctx.syntax = null_ndr_syntax_id;
1313 }
1314
1315 /*
1316 * Check if this is an authenticated alter context request.
1317 */
1318 if (pkt->auth_length) {
1319 /* Quick length check. Won't catch a bad auth footer,
1320 * prevents overrun. */
1321
1322 if (pkt->frag_length < RPC_HEADER_LEN +
1323 DCERPC_AUTH_TRAILER_LENGTH +
1324 pkt->auth_length) {
1325 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1326 "too long for fragment %u.\n",
1327 (unsigned int)pkt->auth_length,
1328 (unsigned int)pkt->frag_length ));
1329 goto err_exit;
1330 }
1331
1332 status = dcerpc_pull_dcerpc_auth(pkt,
1333 &pkt->u.bind.auth_info,
1334 &auth_info, p->endian);
1335 if (!NT_STATUS_IS_OK(status)) {
1336 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1337 goto err_exit;
1338 }
1339
1340 /* We can only finish if the pipe is unbound for now */
1341 if (p->pipe_bound) {
1342 DEBUG(0, (__location__ ": Pipe already bound, "
1343 "Altering Context not yet supported!\n"));
1344 goto err_exit;
1345 }
1346
1347 if (auth_info.auth_type != p->auth.auth_type) {
1348 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1349 "but auth was started as type %d!\n",
1350 auth_info.auth_type, p->auth.auth_type));
1351 goto err_exit;
1352 }
1353
1354
1355 switch (auth_info.auth_type) {
1356 case DCERPC_AUTH_TYPE_SPNEGO:
1357 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1358 struct spnego_context);
1359 status = spnego_server_step(spnego_ctx,
1360 pkt,
1361 &auth_info.credentials,
1362 &auth_resp);
1363 break;
1364
1365 case DCERPC_AUTH_TYPE_KRB5:
1366 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1367 struct gse_context);
1368 status = gssapi_server_step(gse_ctx,
1369 pkt,
1370 &auth_info.credentials,
1371 &auth_resp);
1372 break;
1373 case DCERPC_AUTH_TYPE_NTLMSSP:
1374 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1375 struct auth_ntlmssp_state);
1376 status = ntlmssp_server_step(ntlmssp_ctx,
1377 pkt,
1378 &auth_info.credentials,
1379 &auth_resp);
1380 break;
1381
1382 default:
1383 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1384 "in alter-context call\n",
1385 auth_info.auth_type));
1386 goto err_exit;
1387 }
1388
1389 if (NT_STATUS_IS_OK(status)) {
1390 /* third leg of auth, verify auth info */
1391 status = pipe_auth_verify_final(p);
1392 if (!NT_STATUS_IS_OK(status)) {
1393 DEBUG(0, ("Auth Verify failed (%s)\n",
1394 nt_errstr(status)));
1395 goto err_exit;
1396 }
1397 } else if (NT_STATUS_EQUAL(status,
1398 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1399 DEBUG(10, ("More auth legs required.\n"));
1400 } else {
1401 DEBUG(0, ("Auth step returned an error (%s)\n",
1402 nt_errstr(status)));
1403 goto err_exit;
1404 }
1405 }
1406
1407 ZERO_STRUCT(u.alter_resp);
1408 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1409 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1410 u.alter_resp.assoc_group_id = assoc_gid;
1411
1412 /* secondary address CAN be NULL
1413 * as the specs say it's ignored.
1414 * It MUST be NULL to have the spoolss working.
1415 */
1416 u.alter_resp.secondary_address = "";
1417 u.alter_resp.secondary_address_size = 1;
1418
1419 u.alter_resp.num_results = 1;
1420 u.alter_resp.ctx_list = &bind_ack_ctx;
1421
1422 /* NOTE: We leave the auth_info empty so we can calculate the padding
1423 * later and then append the auth_info --simo */
1424
1425 /*
1426 * Marshall directly into the outgoing PDU space. We
1427 * must do this as we need to set to the bind response
1428 * header and are never sending more than one PDU here.
1429 */
1430
1431 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1432 DCERPC_PKT_ALTER_RESP,
1433 DCERPC_PFC_FLAG_FIRST |
1434 DCERPC_PFC_FLAG_LAST,
1435 auth_resp.length,
1436 pkt->call_id,
1437 &u,
1438 &p->out_data.frag);
1439 if (!NT_STATUS_IS_OK(status)) {
1440 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1441 nt_errstr(status)));
1442 }
1443
1444 if (auth_resp.length) {
1445
1446 /* Work out any padding needed before the auth footer. */
1447 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1448 if (pad_len) {
1449 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1450 DEBUG(10, ("auth pad_len = %u\n",
1451 (unsigned int)pad_len));
1452 }
1453
1454 status = dcerpc_push_dcerpc_auth(pkt,
1455 auth_info.auth_type,
1456 auth_info.auth_level,
1457 pad_len,
1458 1, /* auth_context_id */
1459 &auth_resp,
1460 &auth_blob);
1461 if (!NT_STATUS_IS_OK(status)) {
1462 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1463 goto err_exit;
1464 }
1465 }
1466
1467 /* Now that we have the auth len store it into the right place in
1468 * the dcerpc header */
1469 dcerpc_set_frag_length(&p->out_data.frag,
1470 p->out_data.frag.length +
1471 pad_len + auth_blob.length);
1472
1473 if (auth_resp.length) {
1474 if (pad_len) {
1475 char pad[SERVER_NDR_PADDING_SIZE];
1476 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1477 if (!data_blob_append(p->mem_ctx,
1478 &p->out_data.frag,
1479 pad, pad_len)) {
1480 DEBUG(0, ("api_pipe_bind_req: failed to add "
1481 "%u bytes of pad data.\n",
1482 (unsigned int)pad_len));
1483 goto err_exit;
1484 }
1485 }
1486
1487 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1488 auth_blob.data, auth_blob.length)) {
1489 DEBUG(0, ("Append of auth info failed.\n"));
1490 goto err_exit;
1491 }
1492 }
1493
1494 /*
1495 * Setup the lengths for the initial reply.
1496 */
1497
1498 p->out_data.data_sent_length = 0;
1499 p->out_data.current_pdu_sent = 0;
1500
1501 TALLOC_FREE(auth_blob.data);
1502 return True;
1503
1504 err_exit:
1505
1506 data_blob_free(&p->out_data.frag);
1507 TALLOC_FREE(auth_blob.data);
1508 return setup_bind_nak(p, pkt);
1509 }
1510
1511 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1512 const struct api_struct *api_rpc_cmds, int n_cmds,
1513 const struct ndr_syntax_id *syntax);
1514
1515 /****************************************************************************
1516 Find the correct RPC function to call for this request.
1517 If the pipe is authenticated then become the correct UNIX user
1518 before doing the call.
1519 ****************************************************************************/
1520
1521 static bool api_pipe_request(struct pipes_struct *p,
1522 struct ncacn_packet *pkt)
1523 {
1524 bool ret = False;
1525 bool changed_user = False;
1526 PIPE_RPC_FNS *pipe_fns;
1527
1528 if (p->pipe_bound &&
1529 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1530 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1531 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1532 if(!become_authenticated_pipe_user(p->session_info)) {
1533 data_blob_free(&p->out_data.rdata);
1534 return False;
1535 }
1536 changed_user = True;
1537 }
1538
1539 /* get the set of RPC functions for this context */
1540
1541 pipe_fns = find_pipe_fns_by_context(p->contexts,
1542 pkt->u.request.context_id);
1543
1544 if ( pipe_fns ) {
1545 TALLOC_CTX *frame = talloc_stackframe();
1546
1547 DEBUG(5, ("Requested %s rpc service\n",
1548 get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
1549
1550 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1551 &pipe_fns->syntax);
1552
1553 TALLOC_FREE(frame);
1554 }
1555 else {
1556 DEBUG(0, ("No rpc function table associated with context "
1557 "[%d]\n",
1558 pkt->u.request.context_id));
1559 }
1560
1561 if (changed_user) {
1562 unbecome_authenticated_pipe_user();
1563 }
1564
1565 return ret;
1566 }
1567
1568 /*******************************************************************
1569 Calls the underlying RPC function for a named pipe.
1570 ********************************************************************/
1571
1572 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1573 const struct api_struct *api_rpc_cmds, int n_cmds,
1574 const struct ndr_syntax_id *syntax)
1575 {
1576 int fn_num;
1577 uint32_t offset1;
1578
1579 /* interpret the command */
1580 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1581 get_pipe_name_from_syntax(talloc_tos(), syntax),
1582 pkt->u.request.opnum));
1583
1584 if (DEBUGLEVEL >= 50) {
1585 fstring name;
1586 slprintf(name, sizeof(name)-1, "in_%s",
1587 get_pipe_name_from_syntax(talloc_tos(), syntax));
1588 dump_pdu_region(name, pkt->u.request.opnum,
1589 &p->in_data.data, 0,
1590 p->in_data.data.length);
1591 }
1592
1593 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1594 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1595 api_rpc_cmds[fn_num].fn != NULL) {
1596 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1597 api_rpc_cmds[fn_num].name));
1598 break;
1599 }
1600 }
1601
1602 if (fn_num == n_cmds) {
1603 /*
1604 * For an unknown RPC just return a fault PDU but
1605 * return True to allow RPC's on the pipe to continue
1606 * and not put the pipe into fault state. JRA.
1607 */
1608 DEBUG(4, ("unknown\n"));
1609 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1610 return True;
1611 }
1612
1613 offset1 = p->out_data.rdata.length;
1614
1615 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1616 fn_num, api_rpc_cmds[fn_num].fn));
1617 /* do the actual command */
1618 if(!api_rpc_cmds[fn_num].fn(p)) {
1619 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1620 get_pipe_name_from_syntax(talloc_tos(), syntax),
1621 api_rpc_cmds[fn_num].name));
1622 data_blob_free(&p->out_data.rdata);
1623 return False;
1624 }
1625
1626 if (p->bad_handle_fault_state) {
1627 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1628 p->bad_handle_fault_state = False;
1629 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1630 return True;
1631 }
1632
1633 if (p->rng_fault_state) {
1634 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1635 p->rng_fault_state = False;
1636 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1637 return True;
1638 }
1639
1640 if (DEBUGLEVEL >= 50) {
1641 fstring name;
1642 slprintf(name, sizeof(name)-1, "out_%s",
1643 get_pipe_name_from_syntax(talloc_tos(), syntax));
1644 dump_pdu_region(name, pkt->u.request.opnum,
1645 &p->out_data.rdata, offset1,
1646 p->out_data.rdata.length);
1647 }
1648
1649 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1650 get_pipe_name_from_syntax(talloc_tos(), syntax)));
1651
1652 /* Check for buffer underflow in rpc parsing */
1653 if ((DEBUGLEVEL >= 10) &&
1654 (pkt->frag_length < p->in_data.data.length)) {
1655 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1656 dump_data(10, p->in_data.data.data + pkt->frag_length,
1657 p->in_data.data.length - pkt->frag_length);
1658 }
1659
1660 return True;
1661 }
1662
1663 /****************************************************************************
1664 Initialise an outgoing packet.
1665 ****************************************************************************/
1666
1667 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1668 {
1669 output_data *o_data = &p->out_data;
1670
1671 /* Reset the offset counters. */
1672 o_data->data_sent_length = 0;
1673 o_data->current_pdu_sent = 0;
1674
1675 data_blob_free(&o_data->frag);
1676
1677 /* Free any memory in the current return data buffer. */
1678 data_blob_free(&o_data->rdata);
1679
1680 return True;
1681 }
1682
1683 /****************************************************************************
1684 Sets the fault state on incoming packets.
1685 ****************************************************************************/
1686
1687 void set_incoming_fault(struct pipes_struct *p)
1688 {
1689 data_blob_free(&p->in_data.data);
1690 p->in_data.pdu_needed_len = 0;
1691 p->in_data.pdu.length = 0;
1692 p->fault_state = True;
1693
1694 DEBUG(10, ("Setting fault state\n"));
1695 }
1696
1697 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1698 struct ncacn_packet *pkt,
1699 DATA_BLOB *raw_pkt)
1700 {
1701 NTSTATUS status;
1702 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1703 size_t pad_len;
1704
1705 DEBUG(10, ("Checking request auth.\n"));
1706
1707 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1708 hdr_size += 16;
1709 }
1710
1711 /* in case of sealing this function will unseal the data in place */
1712 status = dcerpc_check_auth(auth, pkt,
1713 &pkt->u.request.stub_and_verifier,
1714 hdr_size, raw_pkt,
1715 &pad_len);
1716 if (!NT_STATUS_IS_OK(status)) {
1717 return status;
1718 }
1719
1720
1721 /* remove padding and auth trailer,
1722 * this way the caller will get just the data */
1723 if (pkt->auth_length) {
1724 size_t trail_len = pad_len
1725 + DCERPC_AUTH_TRAILER_LENGTH
1726 + pkt->auth_length;
1727 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1728 return NT_STATUS_INFO_LENGTH_MISMATCH;
1729 }
1730 pkt->u.request.stub_and_verifier.length -= trail_len;
1731 }
1732
1733 return NT_STATUS_OK;
1734 }
1735
1736 /****************************************************************************
1737 Processes a request pdu. This will do auth processing if needed, and
1738 appends the data into the complete stream if the LAST flag is not set.
1739 ****************************************************************************/
1740
1741 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1742 {
1743 NTSTATUS status;
1744 DATA_BLOB data;
1745
1746 if (!p->pipe_bound) {
1747 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1748 set_incoming_fault(p);
1749 return False;
1750 }
1751
1752 /* Store the opnum */
1753 p->opnum = pkt->u.request.opnum;
1754
1755 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1756 if (!NT_STATUS_IS_OK(status)) {
1757 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1758 nt_errstr(status)));
1759 set_incoming_fault(p);
1760 return false;
1761 }
1762
1763 data = pkt->u.request.stub_and_verifier;
1764
1765 /*
1766 * Check the data length doesn't go over the 15Mb limit.
1767 * increased after observing a bug in the Windows NT 4.0 SP6a
1768 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1769 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1770 */
1771
1772 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1773 DEBUG(0, ("process_request_pdu: "
1774 "rpc data buffer too large (%u) + (%u)\n",
1775 (unsigned int)p->in_data.data.length,
1776 (unsigned int)data.length));
1777 set_incoming_fault(p);
1778 return False;
1779 }
1780
1781 /*
1782 * Append the data portion into the buffer and return.
1783 */
1784
1785 if (data.length) {
1786 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1787 data.data, data.length)) {
1788 DEBUG(0, ("Unable to append data size %u "
1789 "to parse buffer of size %u.\n",
1790 (unsigned int)data.length,
1791 (unsigned int)p->in_data.data.length));
1792 set_incoming_fault(p);
1793 return False;
1794 }
1795 }
1796
1797 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1798 bool ret = False;
1799 /*
1800 * Ok - we finally have a complete RPC stream.
1801 * Call the rpc command to process it.
1802 */
1803
1804 /*
1805 * Process the complete data stream here.
1806 */
1807 if (pipe_init_outgoing_data(p)) {
1808 ret = api_pipe_request(p, pkt);
1809 }
1810
1811 return ret;
1812 }
1813
1814 return True;
1815 }
1816
1817 /****************************************************************************
1818 Processes a finished PDU stored in p->in_data.pdu.
1819 ****************************************************************************/
1820
1821 void process_complete_pdu(struct pipes_struct *p)
1822 {
1823 struct ncacn_packet *pkt = NULL;
1824 NTSTATUS status;
1825 bool reply = False;
1826
1827 if(p->fault_state) {
1828 DEBUG(10,("RPC connection in fault state.\n"));
1829 goto done;
1830 }
1831
1832 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1833 if (!pkt) {
1834 DEBUG(0, ("Out of memory!\n"));
1835 goto done;
1836 }
1837
1838 /*
1839 * Ensure we're using the corrent endianness for both the
1840 * RPC header flags and the raw data we will be reading from.
1841 */
1842 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1843 p->endian = RPC_LITTLE_ENDIAN;
1844 } else {
1845 p->endian = RPC_BIG_ENDIAN;
1846 }
1847 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1848
1849 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1850 pkt, p->endian);
1851 if (!NT_STATUS_IS_OK(status)) {
1852 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1853 nt_errstr(status)));
1854 goto done;
1855 }
1856
1857 /* Store the call_id */
1858 p->call_id = pkt->call_id;
1859
1860 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1861
1862 switch (pkt->ptype) {
1863 case DCERPC_PKT_REQUEST:
1864 reply = process_request_pdu(p, pkt);
1865 break;
1866
1867 case DCERPC_PKT_PING: /* CL request - ignore... */
1868 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1869 (unsigned int)pkt->ptype));
1870 break;
1871
1872 case DCERPC_PKT_RESPONSE: /* No responses here. */
1873 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1874 break;
1875
1876 case DCERPC_PKT_FAULT:
1877 case DCERPC_PKT_WORKING:
1878 /* CL request - reply to a ping when a call in process. */
1879 case DCERPC_PKT_NOCALL:
1880 /* CL - server reply to a ping call. */
1881 case DCERPC_PKT_REJECT:
1882 case DCERPC_PKT_ACK:
1883 case DCERPC_PKT_CL_CANCEL:
1884 case DCERPC_PKT_FACK:
1885 case DCERPC_PKT_CANCEL_ACK:
1886 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1887 (unsigned int)pkt->ptype));
1888 break;
1889
1890 case DCERPC_PKT_BIND:
1891 /*
1892 * We assume that a pipe bind is only in one pdu.
1893 */
1894 if (pipe_init_outgoing_data(p)) {
1895 reply = api_pipe_bind_req(p, pkt);
1896 }
1897 break;
1898
1899 case DCERPC_PKT_BIND_ACK:
1900 case DCERPC_PKT_BIND_NAK:
1901 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1902 "packet type %u received.\n",
1903 (unsigned int)pkt->ptype));
1904 break;
1905
1906
1907 case DCERPC_PKT_ALTER:
1908 /*
1909 * We assume that a pipe bind is only in one pdu.
1910 */
1911 if (pipe_init_outgoing_data(p)) {
1912 reply = api_pipe_alter_context(p, pkt);
1913 }
1914 break;
1915
1916 case DCERPC_PKT_ALTER_RESP:
1917 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1918 "Should only be server -> client.\n"));
1919 break;
1920
1921 case DCERPC_PKT_AUTH3:
1922 /*
1923 * The third packet in an auth exchange.
1924 */
1925 if (pipe_init_outgoing_data(p)) {
1926 reply = api_pipe_bind_auth3(p, pkt);
1927 }
1928 break;
1929
1930 case DCERPC_PKT_SHUTDOWN:
1931 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1932 "Should only be server -> client.\n"));
1933 break;
1934
1935 case DCERPC_PKT_CO_CANCEL:
1936 /* For now just free all client data and continue
1937 * processing. */
1938 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1939 " Abandoning rpc call.\n"));
1940 /* As we never do asynchronous RPC serving, we can
1941 * never cancel a call (as far as I know).
1942 * If we ever did we'd have to send a cancel_ack reply.
1943 * For now, just free all client data and continue
1944 * processing. */
1945 reply = True;
1946 break;
1947
1948 #if 0
1949 /* Enable this if we're doing async rpc. */
1950 /* We must check the outstanding callid matches. */
1951 if (pipe_init_outgoing_data(p)) {
1952 /* Send a cancel_ack PDU reply. */
1953 /* We should probably check the auth-verifier here. */
1954 reply = setup_cancel_ack_reply(p, pkt);
1955 }
1956 break;
1957 #endif
1958
1959 case DCERPC_PKT_ORPHANED:
1960 /* We should probably check the auth-verifier here.
1961 * For now just free all client data and continue
1962 * processing. */
1963 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1964 " Abandoning rpc call.\n"));
1965 reply = True;
1966 break;
1967
1968 default:
1969 DEBUG(0, ("process_complete_pdu: "
1970 "Unknown rpc type = %u received.\n",
1971 (unsigned int)pkt->ptype));
1972 break;
1973 }
1974
1975 done:
1976 if (!reply) {
1977 DEBUG(3,("DCE/RPC fault sent!"));
1978 set_incoming_fault(p);
1979 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1980 TALLOC_FREE(pkt);
1981 } else {
1982 /*
1983 * Reset the lengths. We're ready for a new pdu.
1984 */
1985 TALLOC_FREE(p->in_data.pdu.data);
1986 p->in_data.pdu_needed_len = 0;
1987 p->in_data.pdu.length = 0;
1988 }
1989
1990 TALLOC_FREE(pkt);
1991 }
1992
reg import