search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3/docs: Fix typo.
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blobf3ee18da5a50f1f85d3c40861e2cb1103b8087f5
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 NTSTATUS status;
65 DATA_BLOB auth_blob;
66 RPC_HDR_AUTH auth_info;
67 uint8 auth_type, auth_level;
68 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
69
70 /*
71 * If we're in the fault state, keep returning fault PDU's until
72 * the pipe gets closed. JRA.
73 */
74
75 if(p->fault_state) {
76 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
77 return True;
78 }
79
80 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
81
82 /* Change the incoming request header to a response. */
83 p->hdr.pkt_type = RPC_RESPONSE;
84
85 /* Set up rpc header flags. */
86 if (p->out_data.data_sent_length == 0) {
87 p->hdr.flags = RPC_FLG_FIRST;
88 } else {
89 p->hdr.flags = 0;
90 }
91
92 /*
93 * Work out how much we can fit in a single PDU.
94 */
95
96 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
97
98 /*
99 * Ensure there really is data left to send.
100 */
101
102 if(!data_len_left) {
103 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
104 return False;
105 }
106
107 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
108 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
109
110 /*
111 * The amount we send is the minimum of the available
112 * space and the amount left to send.
113 */
114
115 data_len = MIN(data_len_left, data_space_available);
116
117 /*
118 * Set up the alloc hint. This should be the data left to
119 * send.
120 */
121
122 hdr_resp.alloc_hint = data_len_left;
123
124 /*
125 * Work out if this PDU will be the last.
126 */
127
128 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
129 p->hdr.flags |= RPC_FLG_LAST;
130 if (data_len_left % 8) {
131 ss_padding_len = 8 - (data_len_left % 8);
132 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
133 ss_padding_len ));
134 }
135 }
136
137 /*
138 * Set up the header lengths.
139 */
140
141 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
142 data_len + ss_padding_len +
143 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
144 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
145
146
147 /*
148 * Init the parse struct to point at the outgoing
149 * data.
150 */
151
152 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
153
154 /* Store the header in the data stream. */
155 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
156 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
157 prs_mem_free(&p->out_data.frag);
158 return False;
159 }
160
161 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
162 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
163 prs_mem_free(&p->out_data.frag);
164 return False;
165 }
166
167 /* Copy the data into the PDU. */
168
169 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
170 p->out_data.data_sent_length, data_len)) {
171 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
172 prs_mem_free(&p->out_data.frag);
173 return False;
174 }
175
176 /* Copy the sign/seal padding data. */
177 if (ss_padding_len) {
178 char pad[8];
179
180 memset(pad, '\0', 8);
181 if (!prs_copy_data_in(&p->out_data.frag, pad,
182 ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&p->out_data.frag);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
205 0)) {
206 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207 prs_mem_free(&p->out_data.frag);
208 return False;
209 }
210
211 /* Generate the sign blob. */
212
213 switch (p->auth.auth_level) {
214 case PIPE_AUTH_LEVEL_PRIVACY:
215 /* Data portion is encrypted. */
216 status = ntlmssp_seal_packet(
217 a->ntlmssp_state,
218 (uint8_t *)prs_data_p(&p->out_data.frag)
219 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
220 data_len + ss_padding_len,
221 (unsigned char *)prs_data_p(&p->out_data.frag),
222 (size_t)prs_offset(&p->out_data.frag),
223 &auth_blob);
224 if (!NT_STATUS_IS_OK(status)) {
225 data_blob_free(&auth_blob);
226 prs_mem_free(&p->out_data.frag);
227 return False;
228 }
229 break;
230 case PIPE_AUTH_LEVEL_INTEGRITY:
231 /* Data is signed. */
232 status = ntlmssp_sign_packet(
233 a->ntlmssp_state,
234 (unsigned char *)prs_data_p(&p->out_data.frag)
235 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
236 data_len + ss_padding_len,
237 (unsigned char *)prs_data_p(&p->out_data.frag),
238 (size_t)prs_offset(&p->out_data.frag),
239 &auth_blob);
240 if (!NT_STATUS_IS_OK(status)) {
241 data_blob_free(&auth_blob);
242 prs_mem_free(&p->out_data.frag);
243 return False;
244 }
245 break;
246 default:
247 prs_mem_free(&p->out_data.frag);
248 return False;
249 }
250
251 /* Append the auth blob. */
252 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
253 NTLMSSP_SIG_SIZE)) {
254 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
255 (unsigned int)NTLMSSP_SIG_SIZE));
256 data_blob_free(&auth_blob);
257 prs_mem_free(&p->out_data.frag);
258 return False;
259 }
260
261 data_blob_free(&auth_blob);
262
263 /*
264 * Setup the counts for this PDU.
265 */
266
267 p->out_data.data_sent_length += data_len;
268 p->out_data.current_pdu_sent = 0;
269
270 return True;
271 }
272
273 /*******************************************************************
274 Generate the next PDU to be returned from the data in p->rdata.
275 Return an schannel authenticated fragment.
276 ********************************************************************/
277
278 static bool create_next_pdu_schannel(pipes_struct *p)
279 {
280 RPC_HDR_RESP hdr_resp;
281 uint32 ss_padding_len = 0;
282 uint32 data_len;
283 uint32 data_space_available;
284 uint32 data_len_left;
285 uint32 data_pos;
286
287 /*
288 * If we're in the fault state, keep returning fault PDU's until
289 * the pipe gets closed. JRA.
290 */
291
292 if(p->fault_state) {
293 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
294 return True;
295 }
296
297 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
298
299 /* Change the incoming request header to a response. */
300 p->hdr.pkt_type = RPC_RESPONSE;
301
302 /* Set up rpc header flags. */
303 if (p->out_data.data_sent_length == 0) {
304 p->hdr.flags = RPC_FLG_FIRST;
305 } else {
306 p->hdr.flags = 0;
307 }
308
309 /*
310 * Work out how much we can fit in a single PDU.
311 */
312
313 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
314
315 /*
316 * Ensure there really is data left to send.
317 */
318
319 if(!data_len_left) {
320 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
321 return False;
322 }
323
324 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
325 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
326 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
327
328 /*
329 * The amount we send is the minimum of the available
330 * space and the amount left to send.
331 */
332
333 data_len = MIN(data_len_left, data_space_available);
334
335 /*
336 * Set up the alloc hint. This should be the data left to
337 * send.
338 */
339
340 hdr_resp.alloc_hint = data_len_left;
341
342 /*
343 * Work out if this PDU will be the last.
344 */
345
346 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
347 p->hdr.flags |= RPC_FLG_LAST;
348 if (data_len_left % 8) {
349 ss_padding_len = 8 - (data_len_left % 8);
350 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
351 ss_padding_len ));
352 }
353 }
354
355 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
356 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
357 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
358
359 /*
360 * Init the parse struct to point at the outgoing
361 * data.
362 */
363
364 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
365
366 /* Store the header in the data stream. */
367 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
368 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
369 prs_mem_free(&p->out_data.frag);
370 return False;
371 }
372
373 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
374 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
375 prs_mem_free(&p->out_data.frag);
376 return False;
377 }
378
379 /* Store the current offset. */
380 data_pos = prs_offset(&p->out_data.frag);
381
382 /* Copy the data into the PDU. */
383
384 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
385 p->out_data.data_sent_length, data_len)) {
386 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
387 prs_mem_free(&p->out_data.frag);
388 return False;
389 }
390
391 /* Copy the sign/seal padding data. */
392 if (ss_padding_len) {
393 char pad[8];
394 memset(pad, '\0', 8);
395 if (!prs_copy_data_in(&p->out_data.frag, pad,
396 ss_padding_len)) {
397 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
398 prs_mem_free(&p->out_data.frag);
399 return False;
400 }
401 }
402
403 {
404 /*
405 * Schannel processing.
406 */
407 RPC_HDR_AUTH auth_info;
408 RPC_AUTH_SCHANNEL_CHK verf;
409
410 /* Check it's the type of reply we were expecting to decode */
411
412 init_rpc_hdr_auth(&auth_info,
413 RPC_SCHANNEL_AUTH_TYPE,
414 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
415 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
416 ss_padding_len, 1);
417
418 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
419 &p->out_data.frag, 0)) {
420 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
421 prs_mem_free(&p->out_data.frag);
422 return False;
423 }
424
425 schannel_encode(p->auth.a_u.schannel_auth,
426 p->auth.auth_level, SENDER_IS_ACCEPTOR, &verf,
427 prs_data_p(&p->out_data.frag) + data_pos,
428 data_len + ss_padding_len);
429
430 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
431 &verf, &p->out_data.frag, 0)) {
432 prs_mem_free(&p->out_data.frag);
433 return False;
434 }
435
436 p->auth.a_u.schannel_auth->seq_num++;
437 }
438
439 /*
440 * Setup the counts for this PDU.
441 */
442
443 p->out_data.data_sent_length += data_len;
444 p->out_data.current_pdu_sent = 0;
445
446 return True;
447 }
448
449 /*******************************************************************
450 Generate the next PDU to be returned from the data in p->rdata.
451 No authentication done.
452 ********************************************************************/
453
454 static bool create_next_pdu_noauth(pipes_struct *p)
455 {
456 RPC_HDR_RESP hdr_resp;
457 uint32 data_len;
458 uint32 data_space_available;
459 uint32 data_len_left;
460
461 /*
462 * If we're in the fault state, keep returning fault PDU's until
463 * the pipe gets closed. JRA.
464 */
465
466 if(p->fault_state) {
467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468 return True;
469 }
470
471 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472
473 /* Change the incoming request header to a response. */
474 p->hdr.pkt_type = RPC_RESPONSE;
475
476 /* Set up rpc header flags. */
477 if (p->out_data.data_sent_length == 0) {
478 p->hdr.flags = RPC_FLG_FIRST;
479 } else {
480 p->hdr.flags = 0;
481 }
482
483 /*
484 * Work out how much we can fit in a single PDU.
485 */
486
487 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
488
489 /*
490 * Ensure there really is data left to send.
491 */
492
493 if(!data_len_left) {
494 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495 return False;
496 }
497
498 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
499 - RPC_HDR_RESP_LEN;
500
501 /*
502 * The amount we send is the minimum of the available
503 * space and the amount left to send.
504 */
505
506 data_len = MIN(data_len_left, data_space_available);
507
508 /*
509 * Set up the alloc hint. This should be the data left to
510 * send.
511 */
512
513 hdr_resp.alloc_hint = data_len_left;
514
515 /*
516 * Work out if this PDU will be the last.
517 */
518
519 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
520 p->hdr.flags |= RPC_FLG_LAST;
521 }
522
523 /*
524 * Set up the header lengths.
525 */
526
527 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
528 p->hdr.auth_len = 0;
529
530 /*
531 * Init the parse struct to point at the outgoing
532 * data.
533 */
534
535 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
536
537 /* Store the header in the data stream. */
538 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
539 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540 prs_mem_free(&p->out_data.frag);
541 return False;
542 }
543
544 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
545 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546 prs_mem_free(&p->out_data.frag);
547 return False;
548 }
549
550 /* Copy the data into the PDU. */
551
552 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
553 p->out_data.data_sent_length, data_len)) {
554 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
555 prs_mem_free(&p->out_data.frag);
556 return False;
557 }
558
559 /*
560 * Setup the counts for this PDU.
561 */
562
563 p->out_data.data_sent_length += data_len;
564 p->out_data.current_pdu_sent = 0;
565
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
614 get_pipe_name_from_iface(&p->syntax)));
615
616 ZERO_STRUCT(reply);
617
618 /* this has to be done as root in order to verify the password */
619 become_root();
620 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
621 unbecome_root();
622
623 /* Don't generate a reply. */
624 data_blob_free(&reply);
625
626 if (!NT_STATUS_IS_OK(status)) {
627 return False;
628 }
629
630 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
631 ensure the underlying NTLMSSP flags are also set. If not we should
632 refuse the bind. */
633
634 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
635 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
636 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
637 "but client declined signing.\n",
638 get_pipe_name_from_iface(&p->syntax)));
639 return False;
640 }
641 }
642 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
643 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
644 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
645 "but client declined sealing.\n",
646 get_pipe_name_from_iface(&p->syntax)));
647 return False;
648 }
649 }
650
651 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
652 "workstation: %s\n", a->ntlmssp_state->user,
653 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
654
655 if (a->server_info->ptok == NULL) {
656 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
657 return False;
658 }
659
660 TALLOC_FREE(p->server_info);
661
662 p->server_info = copy_serverinfo(p, a->server_info);
663 if (p->server_info == NULL) {
664 DEBUG(0, ("copy_serverinfo failed\n"));
665 return false;
666 }
667
668 /*
669 * We're an authenticated bind over smb, so the session key needs to
670 * be set to "SystemLibraryDTC". Weird, but this is what Windows
671 * does. See the RPC-SAMBA3SESSIONKEY.
672 */
673
674 session_key = generic_session_key();
675 if (session_key.data == NULL) {
676 return False;
677 }
678
679 ret = server_info_set_session_key(p->server_info, session_key);
680
681 data_blob_free(&session_key);
682
683 return True;
684 }
685
686 /*******************************************************************
687 The switch table for the pipe names and the functions to handle them.
688 *******************************************************************/
689
690 struct rpc_table {
691 struct {
692 const char *clnt;
693 const char *srv;
694 } pipe;
695 struct ndr_syntax_id rpc_interface;
696 const struct api_struct *cmds;
697 int n_cmds;
698 };
699
700 static struct rpc_table *rpc_lookup;
701 static int rpc_lookup_size;
702
703 /*******************************************************************
704 This is the "stage3" NTLMSSP response after a bind request and reply.
705 *******************************************************************/
706
707 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
708 {
709 RPC_HDR_AUTH auth_info;
710 uint32 pad = 0;
711 DATA_BLOB blob;
712
713 ZERO_STRUCT(blob);
714
715 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
716
717 if (p->hdr.auth_len == 0) {
718 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
719 goto err;
720 }
721
722 /* 4 bytes padding. */
723 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
724 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
725 goto err;
726 }
727
728 /*
729 * Decode the authentication verifier response.
730 */
731
732 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
733 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
734 goto err;
735 }
736
737 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
738 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
739 (unsigned int)auth_info.auth_type ));
740 return False;
741 }
742
743 blob = data_blob(NULL,p->hdr.auth_len);
744
745 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
746 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
747 (unsigned int)p->hdr.auth_len ));
748 goto err;
749 }
750
751 /*
752 * The following call actually checks the challenge/response data.
753 * for correctness against the given DOMAIN\user name.
754 */
755
756 if (!pipe_ntlmssp_verify_final(p, &blob)) {
757 goto err;
758 }
759
760 data_blob_free(&blob);
761
762 p->pipe_bound = True;
763
764 return True;
765
766 err:
767
768 data_blob_free(&blob);
769 free_pipe_ntlmssp_auth_data(&p->auth);
770 p->auth.a_u.auth_ntlmssp_state = NULL;
771
772 return False;
773 }
774
775 /*******************************************************************
776 Marshall a bind_nak pdu.
777 *******************************************************************/
778
779 static bool setup_bind_nak(pipes_struct *p)
780 {
781 RPC_HDR nak_hdr;
782 uint16 zero = 0;
783
784 /* Free any memory in the current return data buffer. */
785 prs_mem_free(&p->out_data.rdata);
786
787 /*
788 * Marshall directly into the outgoing PDU space. We
789 * must do this as we need to set to the bind response
790 * header and are never sending more than one PDU here.
791 */
792
793 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
794
795 /*
796 * Initialize a bind_nak header.
797 */
798
799 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
800 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
801
802 /*
803 * Marshall the header into the outgoing PDU.
804 */
805
806 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
807 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
808 prs_mem_free(&p->out_data.frag);
809 return False;
810 }
811
812 /*
813 * Now add the reject reason.
814 */
815
816 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
817 prs_mem_free(&p->out_data.frag);
818 return False;
819 }
820
821 p->out_data.data_sent_length = 0;
822 p->out_data.current_pdu_sent = 0;
823
824 if (p->auth.auth_data_free_func) {
825 (*p->auth.auth_data_free_func)(&p->auth);
826 }
827 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
828 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
829 p->pipe_bound = False;
830
831 return True;
832 }
833
834 /*******************************************************************
835 Marshall a fault pdu.
836 *******************************************************************/
837
838 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
839 {
840 RPC_HDR fault_hdr;
841 RPC_HDR_RESP hdr_resp;
842 RPC_HDR_FAULT fault_resp;
843
844 /* Free any memory in the current return data buffer. */
845 prs_mem_free(&p->out_data.rdata);
846
847 /*
848 * Marshall directly into the outgoing PDU space. We
849 * must do this as we need to set to the bind response
850 * header and are never sending more than one PDU here.
851 */
852
853 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
854
855 /*
856 * Initialize a fault header.
857 */
858
859 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
860 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
861
862 /*
863 * Initialize the HDR_RESP and FAULT parts of the PDU.
864 */
865
866 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
867
868 fault_resp.status = status;
869 fault_resp.reserved = 0;
870
871 /*
872 * Marshall the header into the outgoing PDU.
873 */
874
875 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
876 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
877 prs_mem_free(&p->out_data.frag);
878 return False;
879 }
880
881 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
882 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
883 prs_mem_free(&p->out_data.frag);
884 return False;
885 }
886
887 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
888 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
889 prs_mem_free(&p->out_data.frag);
890 return False;
891 }
892
893 p->out_data.data_sent_length = 0;
894 p->out_data.current_pdu_sent = 0;
895
896 return True;
897 }
898
899 #if 0
900 /*******************************************************************
901 Marshall a cancel_ack pdu.
902 We should probably check the auth-verifier here.
903 *******************************************************************/
904
905 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
906 {
907 prs_struct outgoing_pdu;
908 RPC_HDR ack_reply_hdr;
909
910 /* Free any memory in the current return data buffer. */
911 prs_mem_free(&p->out_data.rdata);
912
913 /*
914 * Marshall directly into the outgoing PDU space. We
915 * must do this as we need to set to the bind response
916 * header and are never sending more than one PDU here.
917 */
918
919 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
920 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
921
922 /*
923 * Initialize a cancel_ack header.
924 */
925
926 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
927 p->hdr.call_id, RPC_HEADER_LEN, 0);
928
929 /*
930 * Marshall the header into the outgoing PDU.
931 */
932
933 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
934 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
935 prs_mem_free(&outgoing_pdu);
936 return False;
937 }
938
939 p->out_data.data_sent_length = 0;
940 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
941 p->out_data.current_pdu_sent = 0;
942
943 prs_mem_free(&outgoing_pdu);
944 return True;
945 }
946 #endif
947
948 /*******************************************************************
949 Ensure a bind request has the correct abstract & transfer interface.
950 Used to reject unknown binds from Win2k.
951 *******************************************************************/
952
953 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
954 RPC_IFACE* transfer, uint32 context_id)
955 {
956 int i=0;
957 struct pipe_rpc_fns *context_fns;
958
959 DEBUG(3,("check_bind_req for %s\n",
960 get_pipe_name_from_iface(&p->syntax)));
961
962 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
963
964 for (i=0; i<rpc_lookup_size; i++) {
965 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
966 if (ndr_syntax_id_equal(
967 abstract, &rpc_lookup[i].rpc_interface)
968 && ndr_syntax_id_equal(
969 transfer, &ndr_transfer_syntax)) {
970 break;
971 }
972 }
973
974 if (i == rpc_lookup_size) {
975 return false;
976 }
977
978 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
979 if (context_fns == NULL) {
980 DEBUG(0,("check_bind_req: malloc() failed!\n"));
981 return False;
982 }
983
984 context_fns->cmds = rpc_lookup[i].cmds;
985 context_fns->n_cmds = rpc_lookup[i].n_cmds;
986 context_fns->context_id = context_id;
987
988 /* add to the list of open contexts */
989
990 DLIST_ADD( p->contexts, context_fns );
991
992 return True;
993 }
994
995 /*******************************************************************
996 Register commands to an RPC pipe
997 *******************************************************************/
998
999 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1000 const struct ndr_interface_table *iface,
1001 const struct api_struct *cmds, int size)
1002 {
1003 struct rpc_table *rpc_entry;
1004
1005 if (!clnt || !srv || !cmds) {
1006 return NT_STATUS_INVALID_PARAMETER;
1007 }
1008
1009 if (version != SMB_RPC_INTERFACE_VERSION) {
1010 DEBUG(0,("Can't register rpc commands!\n"
1011 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1012 ", while this version of samba uses version %d!\n",
1013 version,SMB_RPC_INTERFACE_VERSION));
1014 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1015 }
1016
1017 /* TODO:
1018 *
1019 * we still need to make sure that don't register the same commands twice!!!
1020 *
1021 * --metze
1022 */
1023
1024 /* We use a temporary variable because this call can fail and
1025 rpc_lookup will still be valid afterwards. It could then succeed if
1026 called again later */
1027 rpc_lookup_size++;
1028 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1029 if (NULL == rpc_entry) {
1030 rpc_lookup_size--;
1031 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1032 return NT_STATUS_NO_MEMORY;
1033 } else {
1034 rpc_lookup = rpc_entry;
1035 }
1036
1037 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1038 ZERO_STRUCTP(rpc_entry);
1039 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1040 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1041 rpc_entry->rpc_interface = iface->syntax_id;
1042 rpc_entry->cmds = cmds;
1043 rpc_entry->n_cmds = size;
1044
1045 return NT_STATUS_OK;
1046 }
1047
1048 /**
1049 * Is a named pipe known?
1050 * @param[in] cli_filename The pipe name requested by the client
1051 * @result Do we want to serve this?
1052 */
1053 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1054 {
1055 const char *pipename = cli_filename;
1056 int i;
1057
1058 if (strnequal(pipename, "\\PIPE\\", 6)) {
1059 pipename += 5;
1060 }
1061
1062 if (*pipename == '\\') {
1063 pipename += 1;
1064 }
1065
1066 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1067 DEBUG(10, ("refusing spoolss access\n"));
1068 return false;
1069 }
1070
1071 for (i=0; i<rpc_lookup_size; i++) {
1072 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1073 *syntax = rpc_lookup[i].rpc_interface;
1074 return true;
1075 }
1076 }
1077
1078 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1079 return false;
1080 }
1081
1082 /*******************************************************************
1083 Handle a SPNEGO krb5 bind auth.
1084 *******************************************************************/
1085
1086 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1087 DATA_BLOB *psecblob, prs_struct *pout_auth)
1088 {
1089 return False;
1090 }
1091
1092 /*******************************************************************
1093 Handle the first part of a SPNEGO bind auth.
1094 *******************************************************************/
1095
1096 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1097 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1098 {
1099 DATA_BLOB blob;
1100 DATA_BLOB secblob;
1101 DATA_BLOB response;
1102 DATA_BLOB chal;
1103 char *OIDs[ASN1_MAX_OIDS];
1104 int i;
1105 NTSTATUS status;
1106 bool got_kerberos_mechanism = false;
1107 AUTH_NTLMSSP_STATE *a = NULL;
1108 RPC_HDR_AUTH auth_info;
1109
1110 ZERO_STRUCT(secblob);
1111 ZERO_STRUCT(chal);
1112 ZERO_STRUCT(response);
1113
1114 /* Grab the SPNEGO blob. */
1115 blob = data_blob(NULL,p->hdr.auth_len);
1116
1117 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1118 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1119 (unsigned int)p->hdr.auth_len ));
1120 goto err;
1121 }
1122
1123 if (blob.data[0] != ASN1_APPLICATION(0)) {
1124 goto err;
1125 }
1126
1127 /* parse out the OIDs and the first sec blob */
1128 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1129 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1130 goto err;
1131 }
1132
1133 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1134 got_kerberos_mechanism = true;
1135 }
1136
1137 for (i=0;OIDs[i];i++) {
1138 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1139 TALLOC_FREE(OIDs[i]);
1140 }
1141 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1142
1143 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1144 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1145 data_blob_free(&secblob);
1146 data_blob_free(&blob);
1147 return ret;
1148 }
1149
1150 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1151 /* Free any previous auth type. */
1152 free_pipe_ntlmssp_auth_data(&p->auth);
1153 }
1154
1155 if (!got_kerberos_mechanism) {
1156 /* Initialize the NTLM engine. */
1157 status = auth_ntlmssp_start(&a);
1158 if (!NT_STATUS_IS_OK(status)) {
1159 goto err;
1160 }
1161
1162 /*
1163 * Pass the first security blob of data to it.
1164 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1165 * which means we need another packet to complete the bind.
1166 */
1167
1168 status = auth_ntlmssp_update(a, secblob, &chal);
1169
1170 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1171 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1172 goto err;
1173 }
1174
1175 /* Generate the response blob we need for step 2 of the bind. */
1176 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1177 } else {
1178 /*
1179 * SPNEGO negotiate down to NTLMSSP. The subsequent
1180 * code to process follow-up packets is not complete
1181 * yet. JRA.
1182 */
1183 response = spnego_gen_auth_response(NULL,
1184 NT_STATUS_MORE_PROCESSING_REQUIRED,
1185 OID_NTLMSSP);
1186 }
1187
1188 /* Copy the blob into the pout_auth parse struct */
1189 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1190 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1191 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1192 goto err;
1193 }
1194
1195 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1196 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1197 goto err;
1198 }
1199
1200 p->auth.a_u.auth_ntlmssp_state = a;
1201 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1202 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1203
1204 data_blob_free(&blob);
1205 data_blob_free(&secblob);
1206 data_blob_free(&chal);
1207 data_blob_free(&response);
1208
1209 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1210 return True;
1211
1212 err:
1213
1214 data_blob_free(&blob);
1215 data_blob_free(&secblob);
1216 data_blob_free(&chal);
1217 data_blob_free(&response);
1218
1219 p->auth.a_u.auth_ntlmssp_state = NULL;
1220
1221 return False;
1222 }
1223
1224 /*******************************************************************
1225 Handle the second part of a SPNEGO bind auth.
1226 *******************************************************************/
1227
1228 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1229 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1230 {
1231 RPC_HDR_AUTH auth_info;
1232 DATA_BLOB spnego_blob;
1233 DATA_BLOB auth_blob;
1234 DATA_BLOB auth_reply;
1235 DATA_BLOB response;
1236 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1237
1238 ZERO_STRUCT(spnego_blob);
1239 ZERO_STRUCT(auth_blob);
1240 ZERO_STRUCT(auth_reply);
1241 ZERO_STRUCT(response);
1242
1243 /*
1244 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1245 * fail here as 'a' == NULL.
1246 */
1247 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1248 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1249 goto err;
1250 }
1251
1252 /* Grab the SPNEGO blob. */
1253 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1254
1255 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1256 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1257 (unsigned int)p->hdr.auth_len ));
1258 goto err;
1259 }
1260
1261 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1262 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1263 goto err;
1264 }
1265
1266 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1267 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1268 goto err;
1269 }
1270
1271 /*
1272 * The following call actually checks the challenge/response data.
1273 * for correctness against the given DOMAIN\user name.
1274 */
1275
1276 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1277 goto err;
1278 }
1279
1280 data_blob_free(&spnego_blob);
1281 data_blob_free(&auth_blob);
1282
1283 /* Generate the spnego "accept completed" blob - no incoming data. */
1284 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1285
1286 /* Copy the blob into the pout_auth parse struct */
1287 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1288 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1289 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1290 goto err;
1291 }
1292
1293 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1294 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1295 goto err;
1296 }
1297
1298 data_blob_free(&auth_reply);
1299 data_blob_free(&response);
1300
1301 p->pipe_bound = True;
1302
1303 return True;
1304
1305 err:
1306
1307 data_blob_free(&spnego_blob);
1308 data_blob_free(&auth_blob);
1309 data_blob_free(&auth_reply);
1310 data_blob_free(&response);
1311
1312 free_pipe_ntlmssp_auth_data(&p->auth);
1313 p->auth.a_u.auth_ntlmssp_state = NULL;
1314
1315 return False;
1316 }
1317
1318 /*******************************************************************
1319 Handle an schannel bind auth.
1320 *******************************************************************/
1321
1322 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1323 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1324 {
1325 RPC_HDR_AUTH auth_info;
1326 RPC_AUTH_SCHANNEL_NEG neg;
1327 RPC_AUTH_VERIFIER auth_verifier;
1328 bool ret;
1329 struct dcinfo *pdcinfo;
1330 uint32 flags;
1331 DATA_BLOB session_key;
1332
1333 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1334 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1335 return False;
1336 }
1337
1338 /*
1339 * The neg.myname key here must match the remote computer name
1340 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1341 * operations that use credentials.
1342 */
1343
1344 become_root();
1345 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1346 unbecome_root();
1347
1348 if (!ret) {
1349 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1350 return False;
1351 }
1352
1353 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1354 if (!p->auth.a_u.schannel_auth) {
1355 TALLOC_FREE(pdcinfo);
1356 return False;
1357 }
1358
1359 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1360 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1361 sizeof(pdcinfo->sess_key));
1362
1363 TALLOC_FREE(pdcinfo);
1364
1365 p->auth.a_u.schannel_auth->seq_num = 0;
1366
1367 /*
1368 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1369 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1370 * struct of the person who opened the pipe. I need to test this further. JRA.
1371 *
1372 * VL. As we are mapping this to guest set the generic key
1373 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1374 * W2k3, as it does not allow schannel binds against SAMR and LSA
1375 * anymore.
1376 */
1377
1378 session_key = generic_session_key();
1379 if (session_key.data == NULL) {
1380 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1381 " key\n"));
1382 return false;
1383 }
1384
1385 ret = server_info_set_session_key(p->server_info, session_key);
1386
1387 data_blob_free(&session_key);
1388
1389 if (!ret) {
1390 DEBUG(0, ("server_info_set_session_key failed\n"));
1391 return false;
1392 }
1393
1394 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1395 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1396 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1397 return False;
1398 }
1399
1400 /*** SCHANNEL verifier ***/
1401
1402 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1403 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1404 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1405 return False;
1406 }
1407
1408 prs_align(pout_auth);
1409
1410 flags = 5;
1411 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1412 return False;
1413 }
1414
1415 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1416 neg.domain, neg.myname));
1417
1418 /* We're finished with this bind - no more packets. */
1419 p->auth.auth_data_free_func = NULL;
1420 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1421
1422 p->pipe_bound = True;
1423
1424 return True;
1425 }
1426
1427 /*******************************************************************
1428 Handle an NTLMSSP bind auth.
1429 *******************************************************************/
1430
1431 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1432 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1433 {
1434 RPC_HDR_AUTH auth_info;
1435 DATA_BLOB blob;
1436 DATA_BLOB response;
1437 NTSTATUS status;
1438 AUTH_NTLMSSP_STATE *a = NULL;
1439
1440 ZERO_STRUCT(blob);
1441 ZERO_STRUCT(response);
1442
1443 /* Grab the NTLMSSP blob. */
1444 blob = data_blob(NULL,p->hdr.auth_len);
1445
1446 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1447 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1448 (unsigned int)p->hdr.auth_len ));
1449 goto err;
1450 }
1451
1452 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1453 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1454 goto err;
1455 }
1456
1457 /* We have an NTLMSSP blob. */
1458 status = auth_ntlmssp_start(&a);
1459 if (!NT_STATUS_IS_OK(status)) {
1460 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1461 nt_errstr(status) ));
1462 goto err;
1463 }
1464
1465 status = auth_ntlmssp_update(a, blob, &response);
1466 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1467 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1468 nt_errstr(status) ));
1469 goto err;
1470 }
1471
1472 data_blob_free(&blob);
1473
1474 /* Copy the blob into the pout_auth parse struct */
1475 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1476 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1477 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1478 goto err;
1479 }
1480
1481 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1482 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1483 goto err;
1484 }
1485
1486 p->auth.a_u.auth_ntlmssp_state = a;
1487 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1488 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1489
1490 data_blob_free(&blob);
1491 data_blob_free(&response);
1492
1493 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1494
1495 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1496 return True;
1497
1498 err:
1499
1500 data_blob_free(&blob);
1501 data_blob_free(&response);
1502
1503 free_pipe_ntlmssp_auth_data(&p->auth);
1504 p->auth.a_u.auth_ntlmssp_state = NULL;
1505 return False;
1506 }
1507
1508 /*******************************************************************
1509 Respond to a pipe bind request.
1510 *******************************************************************/
1511
1512 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1513 {
1514 RPC_HDR_BA hdr_ba;
1515 RPC_HDR_RB hdr_rb;
1516 RPC_HDR_AUTH auth_info;
1517 uint16 assoc_gid;
1518 fstring ack_pipe_name;
1519 prs_struct out_hdr_ba;
1520 prs_struct out_auth;
1521 int i = 0;
1522 int auth_len = 0;
1523 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1524
1525 /* No rebinds on a bound pipe - use alter context. */
1526 if (p->pipe_bound) {
1527 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1528 "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1529 return setup_bind_nak(p);
1530 }
1531
1532 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1533
1534 /*
1535 * Marshall directly into the outgoing PDU space. We
1536 * must do this as we need to set to the bind response
1537 * header and are never sending more than one PDU here.
1538 */
1539
1540 /*
1541 * Setup the memory to marshall the ba header, and the
1542 * auth footers.
1543 */
1544
1545 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1546 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1547 prs_mem_free(&p->out_data.frag);
1548 return False;
1549 }
1550
1551 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1552 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1553 prs_mem_free(&p->out_data.frag);
1554 prs_mem_free(&out_hdr_ba);
1555 return False;
1556 }
1557
1558 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1559
1560 ZERO_STRUCT(hdr_rb);
1561
1562 /* decode the bind request */
1563
1564 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1565 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1566 "struct.\n"));
1567 goto err_exit;
1568 }
1569
1570 if (hdr_rb.num_contexts == 0) {
1571 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1572 goto err_exit;
1573 }
1574
1575 /*
1576 * Try and find the correct pipe name to ensure
1577 * that this is a pipe name we support.
1578 */
1579
1580 for (i = 0; i < rpc_lookup_size; i++) {
1581 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1582 &hdr_rb.rpc_context[0].abstract)) {
1583 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1584 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1585 break;
1586 }
1587 }
1588
1589 if (i == rpc_lookup_size) {
1590 NTSTATUS status;
1591
1592 status = smb_probe_module(
1593 "rpc", get_pipe_name_from_iface(
1594 &hdr_rb.rpc_context[0].abstract));
1595
1596 if (NT_STATUS_IS_ERR(status)) {
1597 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1598 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1599 prs_mem_free(&p->out_data.frag);
1600 prs_mem_free(&out_hdr_ba);
1601 prs_mem_free(&out_auth);
1602
1603 return setup_bind_nak(p);
1604 }
1605
1606 for (i = 0; i < rpc_lookup_size; i++) {
1607 if (strequal(rpc_lookup[i].pipe.clnt,
1608 get_pipe_name_from_iface(&p->syntax))) {
1609 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1610 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1611 break;
1612 }
1613 }
1614
1615 if (i == rpc_lookup_size) {
1616 DEBUG(0, ("module %s doesn't provide functions for "
1617 "pipe %s!\n",
1618 get_pipe_name_from_iface(&p->syntax),
1619 get_pipe_name_from_iface(&p->syntax)));
1620 goto err_exit;
1621 }
1622 }
1623
1624 /* name has to be \PIPE\xxxxx */
1625 fstrcpy(ack_pipe_name, "\\PIPE\\");
1626 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1627
1628 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1629
1630 /*
1631 * Check if this is an authenticated bind request.
1632 */
1633
1634 if (p->hdr.auth_len) {
1635 /*
1636 * Decode the authentication verifier.
1637 */
1638
1639 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1640 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1641 goto err_exit;
1642 }
1643
1644 auth_type = auth_info.auth_type;
1645
1646 /* Work out if we have to sign or seal etc. */
1647 switch (auth_info.auth_level) {
1648 case RPC_AUTH_LEVEL_INTEGRITY:
1649 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1650 break;
1651 case RPC_AUTH_LEVEL_PRIVACY:
1652 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1653 break;
1654 default:
1655 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1656 (unsigned int)auth_info.auth_level ));
1657 goto err_exit;
1658 }
1659 } else {
1660 ZERO_STRUCT(auth_info);
1661 }
1662
1663 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1664
1665 switch(auth_type) {
1666 case RPC_NTLMSSP_AUTH_TYPE:
1667 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1668 goto err_exit;
1669 }
1670 assoc_gid = 0x7a77;
1671 break;
1672
1673 case RPC_SCHANNEL_AUTH_TYPE:
1674 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1675 goto err_exit;
1676 }
1677 break;
1678
1679 case RPC_SPNEGO_AUTH_TYPE:
1680 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1681 goto err_exit;
1682 }
1683 break;
1684
1685 case RPC_ANONYMOUS_AUTH_TYPE:
1686 /* Unauthenticated bind request. */
1687 /* We're finished - no more packets. */
1688 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1689 /* We must set the pipe auth_level here also. */
1690 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1691 p->pipe_bound = True;
1692 /* The session key was initialized from the SMB
1693 * session in make_internal_rpc_pipe_p */
1694 break;
1695
1696 default:
1697 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1698 goto err_exit;
1699 }
1700
1701 /*
1702 * Create the bind response struct.
1703 */
1704
1705 /* If the requested abstract synt uuid doesn't match our client pipe,
1706 reject the bind_ack & set the transfer interface synt to all 0's,
1707 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1708 unknown to NT4)
1709 Needed when adding entries to a DACL from NT5 - SK */
1710
1711 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1712 hdr_rb.rpc_context[0].context_id )) {
1713 init_rpc_hdr_ba(&hdr_ba,
1714 RPC_MAX_PDU_FRAG_LEN,
1715 RPC_MAX_PDU_FRAG_LEN,
1716 assoc_gid,
1717 ack_pipe_name,
1718 0x1, 0x0, 0x0,
1719 &hdr_rb.rpc_context[0].transfer[0]);
1720 } else {
1721 RPC_IFACE null_interface;
1722 ZERO_STRUCT(null_interface);
1723 /* Rejection reason: abstract syntax not supported */
1724 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1725 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1726 ack_pipe_name, 0x1, 0x2, 0x1,
1727 &null_interface);
1728 p->pipe_bound = False;
1729 }
1730
1731 /*
1732 * and marshall it.
1733 */
1734
1735 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1736 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1737 goto err_exit;
1738 }
1739
1740 /*
1741 * Create the header, now we know the length.
1742 */
1743
1744 if (prs_offset(&out_auth)) {
1745 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1746 }
1747
1748 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1749 p->hdr.call_id,
1750 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1751 auth_len);
1752
1753 /*
1754 * Marshall the header into the outgoing PDU.
1755 */
1756
1757 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1758 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1759 goto err_exit;
1760 }
1761
1762 /*
1763 * Now add the RPC_HDR_BA and any auth needed.
1764 */
1765
1766 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1767 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1768 goto err_exit;
1769 }
1770
1771 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1772 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1773 goto err_exit;
1774 }
1775
1776 /*
1777 * Setup the lengths for the initial reply.
1778 */
1779
1780 p->out_data.data_sent_length = 0;
1781 p->out_data.current_pdu_sent = 0;
1782
1783 prs_mem_free(&out_hdr_ba);
1784 prs_mem_free(&out_auth);
1785
1786 return True;
1787
1788 err_exit:
1789
1790 prs_mem_free(&p->out_data.frag);
1791 prs_mem_free(&out_hdr_ba);
1792 prs_mem_free(&out_auth);
1793 return setup_bind_nak(p);
1794 }
1795
1796 /****************************************************************************
1797 Deal with an alter context call. Can be third part of 3 leg auth request for
1798 SPNEGO calls.
1799 ****************************************************************************/
1800
1801 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1802 {
1803 RPC_HDR_BA hdr_ba;
1804 RPC_HDR_RB hdr_rb;
1805 RPC_HDR_AUTH auth_info;
1806 uint16 assoc_gid;
1807 fstring ack_pipe_name;
1808 prs_struct out_hdr_ba;
1809 prs_struct out_auth;
1810 int auth_len = 0;
1811
1812 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1813
1814 /*
1815 * Marshall directly into the outgoing PDU space. We
1816 * must do this as we need to set to the bind response
1817 * header and are never sending more than one PDU here.
1818 */
1819
1820 /*
1821 * Setup the memory to marshall the ba header, and the
1822 * auth footers.
1823 */
1824
1825 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1826 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1827 prs_mem_free(&p->out_data.frag);
1828 return False;
1829 }
1830
1831 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1832 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1833 prs_mem_free(&p->out_data.frag);
1834 prs_mem_free(&out_hdr_ba);
1835 return False;
1836 }
1837
1838 ZERO_STRUCT(hdr_rb);
1839
1840 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1841
1842 /* decode the alter context request */
1843 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1844 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1845 goto err_exit;
1846 }
1847
1848 /* secondary address CAN be NULL
1849 * as the specs say it's ignored.
1850 * It MUST be NULL to have the spoolss working.
1851 */
1852 fstrcpy(ack_pipe_name,"");
1853
1854 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1855
1856 /*
1857 * Check if this is an authenticated alter context request.
1858 */
1859
1860 if (p->hdr.auth_len != 0) {
1861 /*
1862 * Decode the authentication verifier.
1863 */
1864
1865 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1866 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1867 goto err_exit;
1868 }
1869
1870 /*
1871 * Currently only the SPNEGO auth type uses the alter ctx
1872 * response in place of the NTLMSSP auth3 type.
1873 */
1874
1875 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1876 /* We can only finish if the pipe is unbound. */
1877 if (!p->pipe_bound) {
1878 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1879 goto err_exit;
1880 }
1881 } else {
1882 goto err_exit;
1883 }
1884 }
1885 } else {
1886 ZERO_STRUCT(auth_info);
1887 }
1888
1889 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1890
1891 /*
1892 * Create the bind response struct.
1893 */
1894
1895 /* If the requested abstract synt uuid doesn't match our client pipe,
1896 reject the bind_ack & set the transfer interface synt to all 0's,
1897 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1898 unknown to NT4)
1899 Needed when adding entries to a DACL from NT5 - SK */
1900
1901 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1902 hdr_rb.rpc_context[0].context_id )) {
1903 init_rpc_hdr_ba(&hdr_ba,
1904 RPC_MAX_PDU_FRAG_LEN,
1905 RPC_MAX_PDU_FRAG_LEN,
1906 assoc_gid,
1907 ack_pipe_name,
1908 0x1, 0x0, 0x0,
1909 &hdr_rb.rpc_context[0].transfer[0]);
1910 } else {
1911 RPC_IFACE null_interface;
1912 ZERO_STRUCT(null_interface);
1913 /* Rejection reason: abstract syntax not supported */
1914 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1915 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1916 ack_pipe_name, 0x1, 0x2, 0x1,
1917 &null_interface);
1918 p->pipe_bound = False;
1919 }
1920
1921 /*
1922 * and marshall it.
1923 */
1924
1925 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1926 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1927 goto err_exit;
1928 }
1929
1930 /*
1931 * Create the header, now we know the length.
1932 */
1933
1934 if (prs_offset(&out_auth)) {
1935 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1936 }
1937
1938 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1939 p->hdr.call_id,
1940 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1941 auth_len);
1942
1943 /*
1944 * Marshall the header into the outgoing PDU.
1945 */
1946
1947 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1948 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1949 goto err_exit;
1950 }
1951
1952 /*
1953 * Now add the RPC_HDR_BA and any auth needed.
1954 */
1955
1956 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1957 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1958 goto err_exit;
1959 }
1960
1961 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
1962 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1963 goto err_exit;
1964 }
1965
1966 /*
1967 * Setup the lengths for the initial reply.
1968 */
1969
1970 p->out_data.data_sent_length = 0;
1971 p->out_data.current_pdu_sent = 0;
1972
1973 prs_mem_free(&out_hdr_ba);
1974 prs_mem_free(&out_auth);
1975
1976 return True;
1977
1978 err_exit:
1979
1980 prs_mem_free(&p->out_data.frag);
1981 prs_mem_free(&out_hdr_ba);
1982 prs_mem_free(&out_auth);
1983 return setup_bind_nak(p);
1984 }
1985
1986 /****************************************************************************
1987 Deal with NTLMSSP sign & seal processing on an RPC request.
1988 ****************************************************************************/
1989
1990 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1991 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1992 {
1993 RPC_HDR_AUTH auth_info;
1994 uint32 auth_len = p->hdr.auth_len;
1995 uint32 save_offset = prs_offset(rpc_in);
1996 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1997 unsigned char *data = NULL;
1998 size_t data_len;
1999 unsigned char *full_packet_data = NULL;
2000 size_t full_packet_data_len;
2001 DATA_BLOB auth_blob;
2002
2003 *pstatus = NT_STATUS_OK;
2004
2005 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2006 return True;
2007 }
2008
2009 if (!a) {
2010 *pstatus = NT_STATUS_INVALID_PARAMETER;
2011 return False;
2012 }
2013
2014 /* Ensure there's enough data for an authenticated request. */
2015 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2016 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2017 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2018 (unsigned int)auth_len ));
2019 *pstatus = NT_STATUS_INVALID_PARAMETER;
2020 return False;
2021 }
2022
2023 /*
2024 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2025 * after the RPC header.
2026 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2027 * functions as NTLMv2 checks the rpc headers also.
2028 */
2029
2030 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2031 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2032
2033 full_packet_data = p->in_data.current_in_pdu;
2034 full_packet_data_len = p->hdr.frag_len - auth_len;
2035
2036 /* Pull the auth header and the following data into a blob. */
2037 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2038 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2039 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2040 *pstatus = NT_STATUS_INVALID_PARAMETER;
2041 return False;
2042 }
2043
2044 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2045 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2046 *pstatus = NT_STATUS_INVALID_PARAMETER;
2047 return False;
2048 }
2049
2050 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2051 auth_blob.length = auth_len;
2052
2053 switch (p->auth.auth_level) {
2054 case PIPE_AUTH_LEVEL_PRIVACY:
2055 /* Data is encrypted. */
2056 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2057 data, data_len,
2058 full_packet_data,
2059 full_packet_data_len,
2060 &auth_blob);
2061 if (!NT_STATUS_IS_OK(*pstatus)) {
2062 return False;
2063 }
2064 break;
2065 case PIPE_AUTH_LEVEL_INTEGRITY:
2066 /* Data is signed. */
2067 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2068 data, data_len,
2069 full_packet_data,
2070 full_packet_data_len,
2071 &auth_blob);
2072 if (!NT_STATUS_IS_OK(*pstatus)) {
2073 return False;
2074 }
2075 break;
2076 default:
2077 *pstatus = NT_STATUS_INVALID_PARAMETER;
2078 return False;
2079 }
2080
2081 /*
2082 * Return the current pointer to the data offset.
2083 */
2084
2085 if(!prs_set_offset(rpc_in, save_offset)) {
2086 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2087 (unsigned int)save_offset ));
2088 *pstatus = NT_STATUS_INVALID_PARAMETER;
2089 return False;
2090 }
2091
2092 /*
2093 * Remember the padding length. We must remove it from the real data
2094 * stream once the sign/seal is done.
2095 */
2096
2097 *p_ss_padding_len = auth_info.auth_pad_len;
2098
2099 return True;
2100 }
2101
2102 /****************************************************************************
2103 Deal with schannel processing on an RPC request.
2104 ****************************************************************************/
2105
2106 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2107 {
2108 uint32 data_len;
2109 uint32 auth_len;
2110 uint32 save_offset = prs_offset(rpc_in);
2111 RPC_HDR_AUTH auth_info;
2112 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2113
2114 auth_len = p->hdr.auth_len;
2115
2116 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2117 auth_len > RPC_HEADER_LEN +
2118 RPC_HDR_REQ_LEN +
2119 RPC_HDR_AUTH_LEN +
2120 auth_len) {
2121 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2122 return False;
2123 }
2124
2125 /*
2126 * The following is that length of the data we must verify or unseal.
2127 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2128 * preceeding the auth_data.
2129 */
2130
2131 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2132 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2133 (unsigned int)p->hdr.frag_len,
2134 (unsigned int)auth_len ));
2135 return False;
2136 }
2137
2138 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2139 RPC_HDR_AUTH_LEN - auth_len;
2140
2141 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2142
2143 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2144 DEBUG(0,("cannot move offset to %u.\n",
2145 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2146 return False;
2147 }
2148
2149 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2150 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2151 return False;
2152 }
2153
2154 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2155 DEBUG(0,("Invalid auth info %d on schannel\n",
2156 auth_info.auth_type));
2157 return False;
2158 }
2159
2160 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2161 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2162 return False;
2163 }
2164
2165 if (!schannel_decode(p->auth.a_u.schannel_auth,
2166 p->auth.auth_level,
2167 SENDER_IS_INITIATOR,
2168 &schannel_chk,
2169 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2170 DEBUG(3,("failed to decode PDU\n"));
2171 return False;
2172 }
2173
2174 /*
2175 * Return the current pointer to the data offset.
2176 */
2177
2178 if(!prs_set_offset(rpc_in, save_offset)) {
2179 DEBUG(0,("failed to set offset back to %u\n",
2180 (unsigned int)save_offset ));
2181 return False;
2182 }
2183
2184 /* The sequence number gets incremented on both send and receive. */
2185 p->auth.a_u.schannel_auth->seq_num++;
2186
2187 /*
2188 * Remember the padding length. We must remove it from the real data
2189 * stream once the sign/seal is done.
2190 */
2191
2192 *p_ss_padding_len = auth_info.auth_pad_len;
2193
2194 return True;
2195 }
2196
2197 /****************************************************************************
2198 Find the set of RPC functions associated with this context_id
2199 ****************************************************************************/
2200
2201 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2202 {
2203 PIPE_RPC_FNS *fns = NULL;
2204
2205 if ( !list ) {
2206 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2207 return NULL;
2208 }
2209
2210 for (fns=list; fns; fns=fns->next ) {
2211 if ( fns->context_id == context_id )
2212 return fns;
2213 }
2214 return NULL;
2215 }
2216
2217 /****************************************************************************
2218 Memory cleanup.
2219 ****************************************************************************/
2220
2221 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2222 {
2223 PIPE_RPC_FNS *tmp = list;
2224 PIPE_RPC_FNS *tmp2;
2225
2226 while (tmp) {
2227 tmp2 = tmp->next;
2228 SAFE_FREE(tmp);
2229 tmp = tmp2;
2230 }
2231
2232 return;
2233 }
2234
2235 static bool api_rpcTNP(pipes_struct *p,
2236 const struct api_struct *api_rpc_cmds, int n_cmds);
2237
2238 /****************************************************************************
2239 Find the correct RPC function to call for this request.
2240 If the pipe is authenticated then become the correct UNIX user
2241 before doing the call.
2242 ****************************************************************************/
2243
2244 bool api_pipe_request(pipes_struct *p)
2245 {
2246 bool ret = False;
2247 bool changed_user = False;
2248 PIPE_RPC_FNS *pipe_fns;
2249
2250 if (p->pipe_bound &&
2251 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2252 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2253 if(!become_authenticated_pipe_user(p)) {
2254 prs_mem_free(&p->out_data.rdata);
2255 return False;
2256 }
2257 changed_user = True;
2258 }
2259
2260 DEBUG(5, ("Requested \\PIPE\\%s\n",
2261 get_pipe_name_from_iface(&p->syntax)));
2262
2263 /* get the set of RPC functions for this context */
2264
2265 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2266
2267 if ( pipe_fns ) {
2268 TALLOC_CTX *frame = talloc_stackframe();
2269 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2270 TALLOC_FREE(frame);
2271 }
2272 else {
2273 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2274 p->hdr_req.context_id,
2275 get_pipe_name_from_iface(&p->syntax)));
2276 }
2277
2278 if (changed_user) {
2279 unbecome_authenticated_pipe_user();
2280 }
2281
2282 return ret;
2283 }
2284
2285 /*******************************************************************
2286 Calls the underlying RPC function for a named pipe.
2287 ********************************************************************/
2288
2289 static bool api_rpcTNP(pipes_struct *p,
2290 const struct api_struct *api_rpc_cmds, int n_cmds)
2291 {
2292 int fn_num;
2293 uint32 offset1, offset2;
2294
2295 /* interpret the command */
2296 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2297 get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2298
2299 if (DEBUGLEVEL >= 50) {
2300 fstring name;
2301 slprintf(name, sizeof(name)-1, "in_%s",
2302 get_pipe_name_from_iface(&p->syntax));
2303 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2304 }
2305
2306 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2307 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2308 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2309 break;
2310 }
2311 }
2312
2313 if (fn_num == n_cmds) {
2314 /*
2315 * For an unknown RPC just return a fault PDU but
2316 * return True to allow RPC's on the pipe to continue
2317 * and not put the pipe into fault state. JRA.
2318 */
2319 DEBUG(4, ("unknown\n"));
2320 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2321 return True;
2322 }
2323
2324 offset1 = prs_offset(&p->out_data.rdata);
2325
2326 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2327 fn_num, api_rpc_cmds[fn_num].fn));
2328 /* do the actual command */
2329 if(!api_rpc_cmds[fn_num].fn(p)) {
2330 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2331 get_pipe_name_from_iface(&p->syntax),
2332 api_rpc_cmds[fn_num].name));
2333 prs_mem_free(&p->out_data.rdata);
2334 return False;
2335 }
2336
2337 if (p->bad_handle_fault_state) {
2338 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2339 p->bad_handle_fault_state = False;
2340 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2341 return True;
2342 }
2343
2344 if (p->rng_fault_state) {
2345 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2346 p->rng_fault_state = False;
2347 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2348 return True;
2349 }
2350
2351 offset2 = prs_offset(&p->out_data.rdata);
2352 prs_set_offset(&p->out_data.rdata, offset1);
2353 if (DEBUGLEVEL >= 50) {
2354 fstring name;
2355 slprintf(name, sizeof(name)-1, "out_%s",
2356 get_pipe_name_from_iface(&p->syntax));
2357 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2358 }
2359 prs_set_offset(&p->out_data.rdata, offset2);
2360
2361 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2362 get_pipe_name_from_iface(&p->syntax)));
2363
2364 /* Check for buffer underflow in rpc parsing */
2365
2366 if ((DEBUGLEVEL >= 10) &&
2367 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2368 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2369 char *data = (char *)SMB_MALLOC(data_len);
2370
2371 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2372 if (data) {
2373 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2374 SAFE_FREE(data);
2375 }
2376
2377 }
2378
2379 return True;
2380 }
reg import