search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:smb_server: s/SMBkeepalive/NBSSkeepalive
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob5b2dcfdddbc1e5e75cef2eef6706b23f204525f5
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../libcli/auth/schannel.h"
35 #include "../libcli/auth/spnego.h"
36 #include "dcesrv_ntlmssp.h"
37 #include "dcesrv_gssapi.h"
38 #include "dcesrv_spnego.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43 #include "ntdomain.h"
44 #include "rpc_server/srv_pipe.h"
45 #include "rpc_server/rpc_contexts.h"
46
47 #undef DBGC_CLASS
48 #define DBGC_CLASS DBGC_RPC_SRV
49
50 /**
51 * Dump everything from the start of the end up of the provided data
52 * into a file, but only at debug level >= 50
53 **/
54 static void dump_pdu_region(const char *name, int v,
55 DATA_BLOB *data, size_t start, size_t end)
56 {
57 int fd, i;
58 char *fname = NULL;
59 ssize_t sz;
60
61 if (DEBUGLEVEL < 50) return;
62
63 if (start > data->length || end > data->length || start > end) return;
64
65 for (i = 1; i < 100; i++) {
66 if (v != -1) {
67 fname = talloc_asprintf(talloc_tos(),
68 "/tmp/%s_%d.%d.prs",
69 name, v, i);
70 } else {
71 fname = talloc_asprintf(talloc_tos(),
72 "/tmp/%s_%d.prs",
73 name, i);
74 }
75 if (!fname) {
76 return;
77 }
78 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
79 if (fd != -1 || errno != EEXIST) break;
80 }
81 if (fd != -1) {
82 sz = write(fd, data->data + start, end - start);
83 i = close(fd);
84 if ((sz != end - start) || (i != 0) ) {
85 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
86 fname, (unsigned long)sz,
87 (unsigned long)end - start, i));
88 } else {
89 DEBUG(0,("created %s\n", fname));
90 }
91 }
92 TALLOC_FREE(fname);
93 }
94
95 static DATA_BLOB generic_session_key(void)
96 {
97 return data_blob_const("SystemLibraryDTC", 16);
98 }
99
100 /*******************************************************************
101 Generate the next PDU to be returned from the data.
102 ********************************************************************/
103
104 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
105 struct pipe_auth_data *auth,
106 uint32_t call_id,
107 DATA_BLOB *rdata,
108 size_t data_sent_length,
109 DATA_BLOB *frag,
110 size_t *pdu_size)
111 {
112 union dcerpc_payload u;
113 uint8_t pfc_flags;
114 size_t data_left;
115 size_t data_to_send;
116 size_t frag_len;
117 size_t pad_len = 0;
118 size_t auth_len = 0;
119 NTSTATUS status;
120
121 ZERO_STRUCT(u.response);
122
123 /* Set up rpc packet pfc flags. */
124 if (data_sent_length == 0) {
125 pfc_flags = DCERPC_PFC_FLAG_FIRST;
126 } else {
127 pfc_flags = 0;
128 }
129
130 /* Work out how much we can fit in a single PDU. */
131 data_left = rdata->length - data_sent_length;
132
133 /* Ensure there really is data left to send. */
134 if (!data_left) {
135 DEBUG(0, ("No data left to send !\n"));
136 return NT_STATUS_BUFFER_TOO_SMALL;
137 }
138
139 status = dcerpc_guess_sizes(auth,
140 DCERPC_RESPONSE_LENGTH,
141 data_left,
142 RPC_MAX_PDU_FRAG_LEN,
143 SERVER_NDR_PADDING_SIZE,
144 &data_to_send, &frag_len,
145 &auth_len, &pad_len);
146 if (!NT_STATUS_IS_OK(status)) {
147 return status;
148 }
149
150 /* Set up the alloc hint. This should be the data left to send. */
151 u.response.alloc_hint = data_left;
152
153 /* Work out if this PDU will be the last. */
154 if (data_sent_length + data_to_send >= rdata->length) {
155 pfc_flags |= DCERPC_PFC_FLAG_LAST;
156 }
157
158 /* Prepare data to be NDR encoded. */
159 u.response.stub_and_verifier =
160 data_blob_const(rdata->data + data_sent_length, data_to_send);
161
162 /* Store the packet in the data stream. */
163 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
164 pfc_flags, auth_len, call_id,
165 &u, frag);
166 if (!NT_STATUS_IS_OK(status)) {
167 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
168 return status;
169 }
170
171 if (auth_len) {
172 /* Set the proper length on the pdu, including padding.
173 * Only needed if an auth trailer will be appended. */
174 dcerpc_set_frag_length(frag, frag->length
175 + pad_len
176 + DCERPC_AUTH_TRAILER_LENGTH
177 + auth_len);
178 }
179
180 if (auth_len) {
181 status = dcerpc_add_auth_footer(auth, pad_len, frag);
182 if (!NT_STATUS_IS_OK(status)) {
183 data_blob_free(frag);
184 return status;
185 }
186 }
187
188 *pdu_size = data_to_send;
189 return NT_STATUS_OK;
190 }
191
192 /*******************************************************************
193 Generate the next PDU to be returned from the data in p->rdata.
194 ********************************************************************/
195
196 bool create_next_pdu(struct pipes_struct *p)
197 {
198 size_t pdu_size = 0;
199 NTSTATUS status;
200
201 /*
202 * If we're in the fault state, keep returning fault PDU's until
203 * the pipe gets closed. JRA.
204 */
205 if (p->fault_state) {
206 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
207 return true;
208 }
209
210 status = create_next_packet(p->mem_ctx, &p->auth,
211 p->call_id, &p->out_data.rdata,
212 p->out_data.data_sent_length,
213 &p->out_data.frag, &pdu_size);
214 if (!NT_STATUS_IS_OK(status)) {
215 DEBUG(0, ("Failed to create packet with error %s, "
216 "(auth level %u / type %u)\n",
217 nt_errstr(status),
218 (unsigned int)p->auth.auth_level,
219 (unsigned int)p->auth.auth_type));
220 return false;
221 }
222
223 /* Setup the counts for this PDU. */
224 p->out_data.data_sent_length += pdu_size;
225 p->out_data.current_pdu_sent = 0;
226 return true;
227 }
228
229
230 static bool pipe_init_outgoing_data(struct pipes_struct *p);
231
232 /*******************************************************************
233 Marshall a bind_nak pdu.
234 *******************************************************************/
235
236 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
237 {
238 NTSTATUS status;
239 union dcerpc_payload u;
240
241 /* Free any memory in the current return data buffer. */
242 pipe_init_outgoing_data(p);
243
244 /*
245 * Initialize a bind_nak header.
246 */
247
248 ZERO_STRUCT(u);
249
250 u.bind_nak.reject_reason = 0;
251
252 /*
253 * Marshall directly into the outgoing PDU space. We
254 * must do this as we need to set to the bind response
255 * header and are never sending more than one PDU here.
256 */
257
258 status = dcerpc_push_ncacn_packet(p->mem_ctx,
259 DCERPC_PKT_BIND_NAK,
260 DCERPC_PFC_FLAG_FIRST |
261 DCERPC_PFC_FLAG_LAST,
262 0,
263 pkt->call_id,
264 &u,
265 &p->out_data.frag);
266 if (!NT_STATUS_IS_OK(status)) {
267 return False;
268 }
269
270 p->out_data.data_sent_length = 0;
271 p->out_data.current_pdu_sent = 0;
272
273 TALLOC_FREE(p->auth.auth_ctx);
274 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
275 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
276 p->pipe_bound = False;
277
278 return True;
279 }
280
281 /*******************************************************************
282 Marshall a fault pdu.
283 *******************************************************************/
284
285 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
286 {
287 NTSTATUS status;
288 union dcerpc_payload u;
289
290 /* Free any memory in the current return data buffer. */
291 pipe_init_outgoing_data(p);
292
293 /*
294 * Initialize a fault header.
295 */
296
297 ZERO_STRUCT(u);
298
299 u.fault.status = NT_STATUS_V(fault_status);
300 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
301
302 /*
303 * Marshall directly into the outgoing PDU space. We
304 * must do this as we need to set to the bind response
305 * header and are never sending more than one PDU here.
306 */
307
308 status = dcerpc_push_ncacn_packet(p->mem_ctx,
309 DCERPC_PKT_FAULT,
310 DCERPC_PFC_FLAG_FIRST |
311 DCERPC_PFC_FLAG_LAST |
312 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
313 0,
314 p->call_id,
315 &u,
316 &p->out_data.frag);
317 if (!NT_STATUS_IS_OK(status)) {
318 return False;
319 }
320
321 p->out_data.data_sent_length = 0;
322 p->out_data.current_pdu_sent = 0;
323
324 return True;
325 }
326
327 /*******************************************************************
328 Ensure a bind request has the correct abstract & transfer interface.
329 Used to reject unknown binds from Win2k.
330 *******************************************************************/
331
332 static bool check_bind_req(struct pipes_struct *p,
333 struct ndr_syntax_id* abstract,
334 struct ndr_syntax_id* transfer,
335 uint32_t context_id)
336 {
337 struct pipe_rpc_fns *context_fns;
338 bool ok;
339
340 DEBUG(3,("check_bind_req for %s\n",
341 get_pipe_name_from_syntax(talloc_tos(), abstract)));
342
343 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
344 if (rpc_srv_pipe_exists_by_id(abstract) &&
345 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
346 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
347 rpc_srv_get_pipe_cli_name(abstract),
348 rpc_srv_get_pipe_srv_name(abstract)));
349 } else {
350 return false;
351 }
352
353 ok = init_pipe_handles(p, abstract);
354 if (!ok) {
355 DEBUG(1, ("Failed to init pipe handles!\n"));
356 return false;
357 }
358
359 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
360 if (context_fns == NULL) {
361 DEBUG(0,("check_bind_req: malloc() failed!\n"));
362 return False;
363 }
364
365 context_fns->next = context_fns->prev = NULL;
366 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
367 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
368 context_fns->context_id = context_id;
369 context_fns->syntax = *abstract;
370
371 /* add to the list of open contexts */
372
373 DLIST_ADD( p->contexts, context_fns );
374
375 return True;
376 }
377
378 /**
379 * Is a named pipe known?
380 * @param[in] cli_filename The pipe name requested by the client
381 * @result Do we want to serve this?
382 */
383 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
384 {
385 const char *pipename = cli_filename;
386 NTSTATUS status;
387
388 if (strnequal(pipename, "\\PIPE\\", 6)) {
389 pipename += 5;
390 }
391
392 if (*pipename == '\\') {
393 pipename += 1;
394 }
395
396 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
397 DEBUG(10, ("refusing spoolss access\n"));
398 return false;
399 }
400
401 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
402 return true;
403 }
404
405 status = smb_probe_module("rpc", pipename);
406 if (!NT_STATUS_IS_OK(status)) {
407 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
408 return false;
409 }
410 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
411
412 /*
413 * Scan the list again for the interface id
414 */
415 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
416 return true;
417 }
418
419 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
420 pipename));
421
422 return false;
423 }
424
425 /*******************************************************************
426 Handle the first part of a SPNEGO bind auth.
427 *******************************************************************/
428
429 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
430 TALLOC_CTX *mem_ctx,
431 struct dcerpc_auth *auth_info,
432 DATA_BLOB *response)
433 {
434 struct spnego_context *spnego_ctx;
435 NTSTATUS status;
436
437 status = spnego_server_auth_start(p,
438 (auth_info->auth_level ==
439 DCERPC_AUTH_LEVEL_INTEGRITY),
440 (auth_info->auth_level ==
441 DCERPC_AUTH_LEVEL_PRIVACY),
442 true,
443 &auth_info->credentials,
444 response,
445 p->remote_address,
446 &spnego_ctx);
447 if (!NT_STATUS_IS_OK(status)) {
448 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
449 nt_errstr(status)));
450 return false;
451 }
452
453 /* Make sure data is bound to the memctx, to be freed the caller */
454 talloc_steal(mem_ctx, response->data);
455
456 p->auth.auth_ctx = spnego_ctx;
457 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
458
459 DEBUG(10, ("SPNEGO auth started\n"));
460
461 return true;
462 }
463
464 /*******************************************************************
465 Handle an schannel bind auth.
466 *******************************************************************/
467
468 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
469 TALLOC_CTX *mem_ctx,
470 struct dcerpc_auth *auth_info,
471 DATA_BLOB *response)
472 {
473 struct NL_AUTH_MESSAGE neg;
474 struct NL_AUTH_MESSAGE reply;
475 bool ret;
476 NTSTATUS status;
477 struct netlogon_creds_CredentialState *creds;
478 enum ndr_err_code ndr_err;
479 struct schannel_state *schannel_auth;
480
481 ndr_err = ndr_pull_struct_blob(
482 &auth_info->credentials, mem_ctx, &neg,
483 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
484 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
485 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
486 return false;
487 }
488
489 if (DEBUGLEVEL >= 10) {
490 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
491 }
492
493 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
494 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
495 return false;
496 }
497
498 /*
499 * The neg.oem_netbios_computer.a key here must match the remote computer name
500 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
501 * operations that use credentials.
502 */
503
504 become_root();
505 status = schannel_get_creds_state(p, lp_private_dir(),
506 neg.oem_netbios_computer.a, &creds);
507 unbecome_root();
508
509 if (!NT_STATUS_IS_OK(status)) {
510 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
511 return False;
512 }
513
514 schannel_auth = talloc(p, struct schannel_state);
515 if (!schannel_auth) {
516 TALLOC_FREE(creds);
517 return False;
518 }
519
520 schannel_auth->state = SCHANNEL_STATE_START;
521 schannel_auth->seq_num = 0;
522 schannel_auth->initiator = false;
523 schannel_auth->creds = creds;
524
525 /*
526 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
527 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
528 * struct of the person who opened the pipe. I need to test this further. JRA.
529 *
530 * VL. As we are mapping this to guest set the generic key
531 * "SystemLibraryDTC" key here. It's a bit difficult to test against
532 * W2k3, as it does not allow schannel binds against SAMR and LSA
533 * anymore.
534 */
535
536 ret = session_info_set_session_key(p->session_info, generic_session_key());
537
538 if (!ret) {
539 DEBUG(0, ("session_info_set_session_key failed\n"));
540 return false;
541 }
542
543 /*** SCHANNEL verifier ***/
544
545 reply.MessageType = NL_NEGOTIATE_RESPONSE;
546 reply.Flags = 0;
547 reply.Buffer.dummy = 5; /* ??? actually I don't think
548 * this has any meaning
549 * here - gd */
550
551 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
552 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
553 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
554 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
555 return false;
556 }
557
558 if (DEBUGLEVEL >= 10) {
559 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
560 }
561
562 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
563 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
564
565 /* We're finished with this bind - no more packets. */
566 p->auth.auth_ctx = schannel_auth;
567 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
568
569 p->pipe_bound = True;
570
571 return True;
572 }
573
574 /*******************************************************************
575 Handle an NTLMSSP bind auth.
576 *******************************************************************/
577
578 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
579 TALLOC_CTX *mem_ctx,
580 struct dcerpc_auth *auth_info,
581 DATA_BLOB *response)
582 {
583 struct auth_ntlmssp_state *ntlmssp_state = NULL;
584 NTSTATUS status;
585
586 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
587 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
588 return false;
589 }
590
591 /* We have an NTLMSSP blob. */
592 status = ntlmssp_server_auth_start(p,
593 (auth_info->auth_level ==
594 DCERPC_AUTH_LEVEL_INTEGRITY),
595 (auth_info->auth_level ==
596 DCERPC_AUTH_LEVEL_PRIVACY),
597 true,
598 &auth_info->credentials,
599 response,
600 p->remote_address,
601 &ntlmssp_state);
602 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
603 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
604 nt_errstr(status)));
605 return false;
606 }
607
608 /* Make sure data is bound to the memctx, to be freed the caller */
609 talloc_steal(mem_ctx, response->data);
610
611 p->auth.auth_ctx = ntlmssp_state;
612 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
613
614 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
615
616 return true;
617 }
618
619 /*******************************************************************
620 Process an NTLMSSP authentication response.
621 If this function succeeds, the user has been authenticated
622 and their domain, name and calling workstation stored in
623 the pipe struct.
624 *******************************************************************/
625
626 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
627 struct auth_ntlmssp_state *ntlmssp_ctx,
628 enum dcerpc_AuthLevel auth_level,
629 struct auth_serversupplied_info **session_info)
630 {
631 NTSTATUS status;
632 bool ret;
633
634 DEBUG(5, (__location__ ": checking user details\n"));
635
636 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
637 ensure the underlying NTLMSSP flags are also set. If not we should
638 refuse the bind. */
639
640 status = ntlmssp_server_check_flags(ntlmssp_ctx,
641 (auth_level ==
642 DCERPC_AUTH_LEVEL_INTEGRITY),
643 (auth_level ==
644 DCERPC_AUTH_LEVEL_PRIVACY));
645 if (!NT_STATUS_IS_OK(status)) {
646 DEBUG(0, (__location__ ": Client failed to negotatie proper "
647 "security for rpc connection\n"));
648 return false;
649 }
650
651 TALLOC_FREE(*session_info);
652
653 status = ntlmssp_server_get_user_info(ntlmssp_ctx,
654 mem_ctx, session_info);
655 if (!NT_STATUS_IS_OK(status)) {
656 DEBUG(0, (__location__ ": failed to obtain the server info "
657 "for authenticated user: %s\n", nt_errstr(status)));
658 return false;
659 }
660
661 if ((*session_info)->security_token == NULL) {
662 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
663 return false;
664 }
665
666 /*
667 * We're an authenticated bind over smb, so the session key needs to
668 * be set to "SystemLibraryDTC". Weird, but this is what Windows
669 * does. See the RPC-SAMBA3SESSIONKEY.
670 */
671
672 ret = session_info_set_session_key((*session_info), generic_session_key());
673 if (!ret) {
674 DEBUG(0, ("Failed to set session key!\n"));
675 return false;
676 }
677
678 return true;
679 }
680
681 /*******************************************************************
682 Handle a GSSAPI bind auth.
683 *******************************************************************/
684
685 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
686 TALLOC_CTX *mem_ctx,
687 struct dcerpc_auth *auth_info,
688 DATA_BLOB *response)
689 {
690 NTSTATUS status;
691 struct gse_context *gse_ctx = NULL;
692
693 status = gssapi_server_auth_start(p,
694 (auth_info->auth_level ==
695 DCERPC_AUTH_LEVEL_INTEGRITY),
696 (auth_info->auth_level ==
697 DCERPC_AUTH_LEVEL_PRIVACY),
698 true,
699 &auth_info->credentials,
700 response,
701 &gse_ctx);
702 if (!NT_STATUS_IS_OK(status)) {
703 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
704 nt_errstr(status)));
705 goto err;
706 }
707
708 /* Make sure data is bound to the memctx, to be freed the caller */
709 talloc_steal(mem_ctx, response->data);
710
711 p->auth.auth_ctx = gse_ctx;
712 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
713
714 DEBUG(10, ("KRB5 auth started\n"));
715
716 return true;
717
718 err:
719 TALLOC_FREE(gse_ctx);
720 return false;
721 }
722
723 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
724 struct gse_context *gse_ctx,
725 const struct tsocket_address *remote_address,
726 struct auth_serversupplied_info **session_info)
727 {
728 NTSTATUS status;
729 bool bret;
730
731 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
732 ensure the underlying flags are also set. If not we should
733 refuse the bind. */
734
735 status = gssapi_server_check_flags(gse_ctx);
736 if (!NT_STATUS_IS_OK(status)) {
737 DEBUG(0, ("Requested Security Layers not honored!\n"));
738 return status;
739 }
740
741 status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
742 remote_address, session_info);
743 if (!NT_STATUS_IS_OK(status)) {
744 DEBUG(0, (__location__ ": failed to obtain the server info "
745 "for authenticated user: %s\n", nt_errstr(status)));
746 return status;
747 }
748
749 /*
750 * We're an authenticated bind over smb, so the session key needs to
751 * be set to "SystemLibraryDTC". Weird, but this is what Windows
752 * does. See the RPC-SAMBA3SESSIONKEY.
753 */
754
755 bret = session_info_set_session_key((*session_info), generic_session_key());
756 if (!bret) {
757 return NT_STATUS_ACCESS_DENIED;
758 }
759
760 return NT_STATUS_OK;
761 }
762
763 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
764 {
765 enum spnego_mech auth_type;
766 struct auth_ntlmssp_state *ntlmssp_ctx;
767 struct spnego_context *spnego_ctx;
768 struct gse_context *gse_ctx;
769 void *mech_ctx;
770 NTSTATUS status;
771
772 switch (p->auth.auth_type) {
773 case DCERPC_AUTH_TYPE_NTLMSSP:
774 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
775 struct auth_ntlmssp_state);
776 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
777 p->auth.auth_level,
778 &p->session_info)) {
779 return NT_STATUS_ACCESS_DENIED;
780 }
781 break;
782 case DCERPC_AUTH_TYPE_KRB5:
783 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
784 struct gse_context);
785 status = pipe_gssapi_verify_final(p, gse_ctx,
786 p->remote_address,
787 &p->session_info);
788 if (!NT_STATUS_IS_OK(status)) {
789 DEBUG(1, ("gssapi bind failed with: %s",
790 nt_errstr(status)));
791 return status;
792 }
793 break;
794 case DCERPC_AUTH_TYPE_SPNEGO:
795 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
796 struct spnego_context);
797 status = spnego_get_negotiated_mech(spnego_ctx,
798 &auth_type, &mech_ctx);
799 if (!NT_STATUS_IS_OK(status)) {
800 DEBUG(0, ("Bad SPNEGO state (%s)\n",
801 nt_errstr(status)));
802 return status;
803 }
804 switch(auth_type) {
805 case SPNEGO_KRB5:
806 gse_ctx = talloc_get_type_abort(mech_ctx,
807 struct gse_context);
808 status = pipe_gssapi_verify_final(p, gse_ctx,
809 p->remote_address,
810 &p->session_info);
811 if (!NT_STATUS_IS_OK(status)) {
812 DEBUG(1, ("gssapi bind failed with: %s",
813 nt_errstr(status)));
814 return status;
815 }
816 break;
817 case SPNEGO_NTLMSSP:
818 ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
819 struct auth_ntlmssp_state);
820 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
821 p->auth.auth_level,
822 &p->session_info)) {
823 return NT_STATUS_ACCESS_DENIED;
824 }
825 break;
826 default:
827 DEBUG(0, (__location__ ": incorrect spnego type "
828 "(%d).\n", auth_type));
829 return NT_STATUS_ACCESS_DENIED;
830 }
831 break;
832 default:
833 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
834 (unsigned int)p->auth.auth_type));
835 return NT_STATUS_ACCESS_DENIED;
836 }
837
838 p->pipe_bound = true;
839
840 return NT_STATUS_OK;
841 }
842
843 /*******************************************************************
844 Respond to a pipe bind request.
845 *******************************************************************/
846
847 static bool api_pipe_bind_req(struct pipes_struct *p,
848 struct ncacn_packet *pkt)
849 {
850 struct dcerpc_auth auth_info;
851 uint16 assoc_gid;
852 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
853 NTSTATUS status;
854 struct ndr_syntax_id id;
855 union dcerpc_payload u;
856 struct dcerpc_ack_ctx bind_ack_ctx;
857 DATA_BLOB auth_resp = data_blob_null;
858 DATA_BLOB auth_blob = data_blob_null;
859
860 /* No rebinds on a bound pipe - use alter context. */
861 if (p->pipe_bound) {
862 DEBUG(2,("Rejecting bind request on bound rpc connection\n"));
863 return setup_bind_nak(p, pkt);
864 }
865
866 if (pkt->u.bind.num_contexts == 0) {
867 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
868 goto err_exit;
869 }
870
871 /*
872 * Try and find the correct pipe name to ensure
873 * that this is a pipe name we support.
874 */
875 id = pkt->u.bind.ctx_list[0].abstract_syntax;
876 if (rpc_srv_pipe_exists_by_id(&id)) {
877 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
878 rpc_srv_get_pipe_cli_name(&id),
879 rpc_srv_get_pipe_srv_name(&id)));
880 } else {
881 status = smb_probe_module(
882 "rpc", get_pipe_name_from_syntax(
883 talloc_tos(),
884 &id));
885
886 if (NT_STATUS_IS_ERR(status)) {
887 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
888 "%s in bind request.\n",
889 get_pipe_name_from_syntax(talloc_tos(), &id)));
890
891 return setup_bind_nak(p, pkt);
892 }
893
894 if (rpc_srv_get_pipe_interface_by_cli_name(
895 get_pipe_name_from_syntax(talloc_tos(),
896 &id),
897 &id)) {
898 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
899 rpc_srv_get_pipe_cli_name(&id),
900 rpc_srv_get_pipe_srv_name(&id)));
901 } else {
902 DEBUG(0, ("module %s doesn't provide functions for "
903 "pipe %s!\n",
904 get_pipe_name_from_syntax(talloc_tos(), &id),
905 get_pipe_name_from_syntax(talloc_tos(), &id)));
906 return setup_bind_nak(p, pkt);
907 }
908 }
909
910 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
911
912 if (pkt->u.bind.assoc_group_id != 0) {
913 assoc_gid = pkt->u.bind.assoc_group_id;
914 } else {
915 assoc_gid = 0x53f0;
916 }
917
918 /*
919 * Create the bind response struct.
920 */
921
922 /* If the requested abstract synt uuid doesn't match our client pipe,
923 reject the bind_ack & set the transfer interface synt to all 0's,
924 ver 0 (observed when NT5 attempts to bind to abstract interfaces
925 unknown to NT4)
926 Needed when adding entries to a DACL from NT5 - SK */
927
928 if (check_bind_req(p,
929 &pkt->u.bind.ctx_list[0].abstract_syntax,
930 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
931 pkt->u.bind.ctx_list[0].context_id)) {
932
933 bind_ack_ctx.result = 0;
934 bind_ack_ctx.reason = 0;
935 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
936 } else {
937 p->pipe_bound = False;
938 /* Rejection reason: abstract syntax not supported */
939 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
940 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
941 bind_ack_ctx.syntax = null_ndr_syntax_id;
942 }
943
944 /*
945 * Check if this is an authenticated bind request.
946 */
947 if (pkt->auth_length) {
948 /* Quick length check. Won't catch a bad auth footer,
949 * prevents overrun. */
950
951 if (pkt->frag_length < RPC_HEADER_LEN +
952 DCERPC_AUTH_TRAILER_LENGTH +
953 pkt->auth_length) {
954 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
955 "too long for fragment %u.\n",
956 (unsigned int)pkt->auth_length,
957 (unsigned int)pkt->frag_length));
958 goto err_exit;
959 }
960
961 /*
962 * Decode the authentication verifier.
963 */
964 status = dcerpc_pull_dcerpc_auth(pkt,
965 &pkt->u.bind.auth_info,
966 &auth_info, p->endian);
967 if (!NT_STATUS_IS_OK(status)) {
968 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
969 goto err_exit;
970 }
971
972 auth_type = auth_info.auth_type;
973
974 /* Work out if we have to sign or seal etc. */
975 switch (auth_info.auth_level) {
976 case DCERPC_AUTH_LEVEL_INTEGRITY:
977 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
978 break;
979 case DCERPC_AUTH_LEVEL_PRIVACY:
980 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
981 break;
982 case DCERPC_AUTH_LEVEL_CONNECT:
983 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
984 break;
985 default:
986 DEBUG(0, ("Unexpected auth level (%u).\n",
987 (unsigned int)auth_info.auth_level ));
988 goto err_exit;
989 }
990
991 switch (auth_type) {
992 case DCERPC_AUTH_TYPE_NTLMSSP:
993 if (!pipe_ntlmssp_auth_bind(p, pkt,
994 &auth_info, &auth_resp)) {
995 goto err_exit;
996 }
997 assoc_gid = 0x7a77;
998 break;
999
1000 case DCERPC_AUTH_TYPE_SCHANNEL:
1001 if (!pipe_schannel_auth_bind(p, pkt,
1002 &auth_info, &auth_resp)) {
1003 goto err_exit;
1004 }
1005 break;
1006
1007 case DCERPC_AUTH_TYPE_SPNEGO:
1008 if (!pipe_spnego_auth_bind(p, pkt,
1009 &auth_info, &auth_resp)) {
1010 goto err_exit;
1011 }
1012 break;
1013
1014 case DCERPC_AUTH_TYPE_KRB5:
1015 if (!pipe_gssapi_auth_bind(p, pkt,
1016 &auth_info, &auth_resp)) {
1017 goto err_exit;
1018 }
1019 break;
1020
1021 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1022 if (p->transport == NCALRPC && p->ncalrpc_as_system) {
1023 TALLOC_FREE(p->session_info);
1024
1025 status = make_session_info_system(p,
1026 &p->session_info);
1027 if (!NT_STATUS_IS_OK(status)) {
1028 goto err_exit;
1029 }
1030
1031 auth_resp = data_blob_talloc(pkt,
1032 "NCALRPC_AUTH_OK",
1033 15);
1034
1035 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1036 p->pipe_bound = true;
1037 } else {
1038 goto err_exit;
1039 }
1040 break;
1041
1042 case DCERPC_AUTH_TYPE_NONE:
1043 break;
1044
1045 default:
1046 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1047 goto err_exit;
1048 }
1049 }
1050
1051 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1052 /* Unauthenticated bind request. */
1053 /* We're finished - no more packets. */
1054 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1055 /* We must set the pipe auth_level here also. */
1056 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1057 p->pipe_bound = True;
1058 /* The session key was initialized from the SMB
1059 * session in make_internal_rpc_pipe_p */
1060 }
1061
1062 ZERO_STRUCT(u.bind_ack);
1063 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1064 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1065 u.bind_ack.assoc_group_id = assoc_gid;
1066
1067 /* name has to be \PIPE\xxxxx */
1068 u.bind_ack.secondary_address =
1069 talloc_asprintf(pkt, "\\PIPE\\%s",
1070 rpc_srv_get_pipe_srv_name(&id));
1071 if (!u.bind_ack.secondary_address) {
1072 DEBUG(0, ("Out of memory!\n"));
1073 goto err_exit;
1074 }
1075 u.bind_ack.secondary_address_size =
1076 strlen(u.bind_ack.secondary_address) + 1;
1077
1078 u.bind_ack.num_results = 1;
1079 u.bind_ack.ctx_list = &bind_ack_ctx;
1080
1081 /* NOTE: We leave the auth_info empty so we can calculate the padding
1082 * later and then append the auth_info --simo */
1083
1084 /*
1085 * Marshall directly into the outgoing PDU space. We
1086 * must do this as we need to set to the bind response
1087 * header and are never sending more than one PDU here.
1088 */
1089
1090 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1091 DCERPC_PKT_BIND_ACK,
1092 DCERPC_PFC_FLAG_FIRST |
1093 DCERPC_PFC_FLAG_LAST,
1094 auth_resp.length,
1095 pkt->call_id,
1096 &u,
1097 &p->out_data.frag);
1098 if (!NT_STATUS_IS_OK(status)) {
1099 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1100 nt_errstr(status)));
1101 }
1102
1103 if (auth_resp.length) {
1104
1105 status = dcerpc_push_dcerpc_auth(pkt,
1106 auth_type,
1107 auth_info.auth_level,
1108 0,
1109 1, /* auth_context_id */
1110 &auth_resp,
1111 &auth_blob);
1112 if (!NT_STATUS_IS_OK(status)) {
1113 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1114 goto err_exit;
1115 }
1116 }
1117
1118 /* Now that we have the auth len store it into the right place in
1119 * the dcerpc header */
1120 dcerpc_set_frag_length(&p->out_data.frag,
1121 p->out_data.frag.length + auth_blob.length);
1122
1123 if (auth_blob.length) {
1124
1125 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1126 auth_blob.data, auth_blob.length)) {
1127 DEBUG(0, ("Append of auth info failed.\n"));
1128 goto err_exit;
1129 }
1130 }
1131
1132 /*
1133 * Setup the lengths for the initial reply.
1134 */
1135
1136 p->out_data.data_sent_length = 0;
1137 p->out_data.current_pdu_sent = 0;
1138
1139 TALLOC_FREE(auth_blob.data);
1140 return True;
1141
1142 err_exit:
1143
1144 data_blob_free(&p->out_data.frag);
1145 TALLOC_FREE(auth_blob.data);
1146 return setup_bind_nak(p, pkt);
1147 }
1148
1149 /*******************************************************************
1150 This is the "stage3" response after a bind request and reply.
1151 *******************************************************************/
1152
1153 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1154 {
1155 struct dcerpc_auth auth_info;
1156 DATA_BLOB response = data_blob_null;
1157 struct auth_ntlmssp_state *ntlmssp_ctx;
1158 struct spnego_context *spnego_ctx;
1159 struct gse_context *gse_ctx;
1160 NTSTATUS status;
1161
1162 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1163
1164 if (pkt->auth_length == 0) {
1165 DEBUG(0, ("No auth field sent for bind request!\n"));
1166 goto err;
1167 }
1168
1169 /* Ensure there's enough data for an authenticated request. */
1170 if (pkt->frag_length < RPC_HEADER_LEN
1171 + DCERPC_AUTH_TRAILER_LENGTH
1172 + pkt->auth_length) {
1173 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1174 "%u is too large.\n",
1175 (unsigned int)pkt->auth_length));
1176 goto err;
1177 }
1178
1179 /*
1180 * Decode the authentication verifier response.
1181 */
1182
1183 status = dcerpc_pull_dcerpc_auth(pkt,
1184 &pkt->u.auth3.auth_info,
1185 &auth_info, p->endian);
1186 if (!NT_STATUS_IS_OK(status)) {
1187 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1188 goto err;
1189 }
1190
1191 /* We must NEVER look at auth_info->auth_pad_len here,
1192 * as old Samba client code gets it wrong and sends it
1193 * as zero. JRA.
1194 */
1195
1196 if (auth_info.auth_type != p->auth.auth_type) {
1197 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1198 "but auth was started as type %d!\n",
1199 auth_info.auth_type, p->auth.auth_type));
1200 goto err;
1201 }
1202
1203 switch (auth_info.auth_type) {
1204 case DCERPC_AUTH_TYPE_NTLMSSP:
1205 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1206 struct auth_ntlmssp_state);
1207 status = ntlmssp_server_step(ntlmssp_ctx,
1208 pkt, &auth_info.credentials,
1209 &response);
1210 break;
1211 case DCERPC_AUTH_TYPE_KRB5:
1212 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1213 struct gse_context);
1214 status = gssapi_server_step(gse_ctx,
1215 pkt, &auth_info.credentials,
1216 &response);
1217 break;
1218 case DCERPC_AUTH_TYPE_SPNEGO:
1219 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1220 struct spnego_context);
1221 status = spnego_server_step(spnego_ctx,
1222 pkt, &auth_info.credentials,
1223 &response);
1224 break;
1225 default:
1226 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1227 (unsigned int)auth_info.auth_type));
1228 return false;
1229 }
1230
1231 if (NT_STATUS_EQUAL(status,
1232 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1233 response.length) {
1234 DEBUG(0, (__location__ ": This was supposed to be the final "
1235 "leg, but crypto machinery claims a response is "
1236 "needed, aborting auth!\n"));
1237 data_blob_free(&response);
1238 goto err;
1239 }
1240 if (!NT_STATUS_IS_OK(status)) {
1241 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1242 goto err;
1243 }
1244
1245 /* Now verify auth was indeed successful and extract server info */
1246 status = pipe_auth_verify_final(p);
1247 if (!NT_STATUS_IS_OK(status)) {
1248 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1249 goto err;
1250 }
1251
1252 return true;
1253
1254 err:
1255
1256 TALLOC_FREE(p->auth.auth_ctx);
1257 return false;
1258 }
1259
1260 /****************************************************************************
1261 Deal with an alter context call. Can be third part of 3 leg auth request for
1262 SPNEGO calls.
1263 ****************************************************************************/
1264
1265 static bool api_pipe_alter_context(struct pipes_struct *p,
1266 struct ncacn_packet *pkt)
1267 {
1268 struct dcerpc_auth auth_info;
1269 uint16 assoc_gid;
1270 NTSTATUS status;
1271 union dcerpc_payload u;
1272 struct dcerpc_ack_ctx bind_ack_ctx;
1273 DATA_BLOB auth_resp = data_blob_null;
1274 DATA_BLOB auth_blob = data_blob_null;
1275 int pad_len = 0;
1276 struct auth_ntlmssp_state *ntlmssp_ctx;
1277 struct spnego_context *spnego_ctx;
1278 struct gse_context *gse_ctx;
1279
1280 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1281
1282 if (pkt->u.bind.assoc_group_id != 0) {
1283 assoc_gid = pkt->u.bind.assoc_group_id;
1284 } else {
1285 assoc_gid = 0x53f0;
1286 }
1287
1288 /*
1289 * Create the bind response struct.
1290 */
1291
1292 /* If the requested abstract synt uuid doesn't match our client pipe,
1293 reject the bind_ack & set the transfer interface synt to all 0's,
1294 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1295 unknown to NT4)
1296 Needed when adding entries to a DACL from NT5 - SK */
1297
1298 if (check_bind_req(p,
1299 &pkt->u.bind.ctx_list[0].abstract_syntax,
1300 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1301 pkt->u.bind.ctx_list[0].context_id)) {
1302
1303 bind_ack_ctx.result = 0;
1304 bind_ack_ctx.reason = 0;
1305 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1306 } else {
1307 p->pipe_bound = False;
1308 /* Rejection reason: abstract syntax not supported */
1309 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1310 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1311 bind_ack_ctx.syntax = null_ndr_syntax_id;
1312 }
1313
1314 /*
1315 * Check if this is an authenticated alter context request.
1316 */
1317 if (pkt->auth_length) {
1318 /* Quick length check. Won't catch a bad auth footer,
1319 * prevents overrun. */
1320
1321 if (pkt->frag_length < RPC_HEADER_LEN +
1322 DCERPC_AUTH_TRAILER_LENGTH +
1323 pkt->auth_length) {
1324 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1325 "too long for fragment %u.\n",
1326 (unsigned int)pkt->auth_length,
1327 (unsigned int)pkt->frag_length ));
1328 goto err_exit;
1329 }
1330
1331 status = dcerpc_pull_dcerpc_auth(pkt,
1332 &pkt->u.bind.auth_info,
1333 &auth_info, p->endian);
1334 if (!NT_STATUS_IS_OK(status)) {
1335 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1336 goto err_exit;
1337 }
1338
1339 /* We can only finish if the pipe is unbound for now */
1340 if (p->pipe_bound) {
1341 DEBUG(0, (__location__ ": Pipe already bound, "
1342 "Altering Context not yet supported!\n"));
1343 goto err_exit;
1344 }
1345
1346 if (auth_info.auth_type != p->auth.auth_type) {
1347 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1348 "but auth was started as type %d!\n",
1349 auth_info.auth_type, p->auth.auth_type));
1350 goto err_exit;
1351 }
1352
1353
1354 switch (auth_info.auth_type) {
1355 case DCERPC_AUTH_TYPE_SPNEGO:
1356 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1357 struct spnego_context);
1358 status = spnego_server_step(spnego_ctx,
1359 pkt,
1360 &auth_info.credentials,
1361 &auth_resp);
1362 break;
1363
1364 case DCERPC_AUTH_TYPE_KRB5:
1365 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1366 struct gse_context);
1367 status = gssapi_server_step(gse_ctx,
1368 pkt,
1369 &auth_info.credentials,
1370 &auth_resp);
1371 break;
1372 case DCERPC_AUTH_TYPE_NTLMSSP:
1373 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1374 struct auth_ntlmssp_state);
1375 status = ntlmssp_server_step(ntlmssp_ctx,
1376 pkt,
1377 &auth_info.credentials,
1378 &auth_resp);
1379 break;
1380
1381 default:
1382 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1383 "in alter-context call\n",
1384 auth_info.auth_type));
1385 goto err_exit;
1386 }
1387
1388 if (NT_STATUS_IS_OK(status)) {
1389 /* third leg of auth, verify auth info */
1390 status = pipe_auth_verify_final(p);
1391 if (!NT_STATUS_IS_OK(status)) {
1392 DEBUG(0, ("Auth Verify failed (%s)\n",
1393 nt_errstr(status)));
1394 goto err_exit;
1395 }
1396 } else if (NT_STATUS_EQUAL(status,
1397 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1398 DEBUG(10, ("More auth legs required.\n"));
1399 } else {
1400 DEBUG(0, ("Auth step returned an error (%s)\n",
1401 nt_errstr(status)));
1402 goto err_exit;
1403 }
1404 }
1405
1406 ZERO_STRUCT(u.alter_resp);
1407 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1408 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1409 u.alter_resp.assoc_group_id = assoc_gid;
1410
1411 /* secondary address CAN be NULL
1412 * as the specs say it's ignored.
1413 * It MUST be NULL to have the spoolss working.
1414 */
1415 u.alter_resp.secondary_address = "";
1416 u.alter_resp.secondary_address_size = 1;
1417
1418 u.alter_resp.num_results = 1;
1419 u.alter_resp.ctx_list = &bind_ack_ctx;
1420
1421 /* NOTE: We leave the auth_info empty so we can calculate the padding
1422 * later and then append the auth_info --simo */
1423
1424 /*
1425 * Marshall directly into the outgoing PDU space. We
1426 * must do this as we need to set to the bind response
1427 * header and are never sending more than one PDU here.
1428 */
1429
1430 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1431 DCERPC_PKT_ALTER_RESP,
1432 DCERPC_PFC_FLAG_FIRST |
1433 DCERPC_PFC_FLAG_LAST,
1434 auth_resp.length,
1435 pkt->call_id,
1436 &u,
1437 &p->out_data.frag);
1438 if (!NT_STATUS_IS_OK(status)) {
1439 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1440 nt_errstr(status)));
1441 }
1442
1443 if (auth_resp.length) {
1444
1445 /* Work out any padding needed before the auth footer. */
1446 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1447 if (pad_len) {
1448 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1449 DEBUG(10, ("auth pad_len = %u\n",
1450 (unsigned int)pad_len));
1451 }
1452
1453 status = dcerpc_push_dcerpc_auth(pkt,
1454 auth_info.auth_type,
1455 auth_info.auth_level,
1456 pad_len,
1457 1, /* auth_context_id */
1458 &auth_resp,
1459 &auth_blob);
1460 if (!NT_STATUS_IS_OK(status)) {
1461 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1462 goto err_exit;
1463 }
1464 }
1465
1466 /* Now that we have the auth len store it into the right place in
1467 * the dcerpc header */
1468 dcerpc_set_frag_length(&p->out_data.frag,
1469 p->out_data.frag.length +
1470 pad_len + auth_blob.length);
1471
1472 if (auth_resp.length) {
1473 if (pad_len) {
1474 char pad[SERVER_NDR_PADDING_SIZE];
1475 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1476 if (!data_blob_append(p->mem_ctx,
1477 &p->out_data.frag,
1478 pad, pad_len)) {
1479 DEBUG(0, ("api_pipe_bind_req: failed to add "
1480 "%u bytes of pad data.\n",
1481 (unsigned int)pad_len));
1482 goto err_exit;
1483 }
1484 }
1485
1486 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1487 auth_blob.data, auth_blob.length)) {
1488 DEBUG(0, ("Append of auth info failed.\n"));
1489 goto err_exit;
1490 }
1491 }
1492
1493 /*
1494 * Setup the lengths for the initial reply.
1495 */
1496
1497 p->out_data.data_sent_length = 0;
1498 p->out_data.current_pdu_sent = 0;
1499
1500 TALLOC_FREE(auth_blob.data);
1501 return True;
1502
1503 err_exit:
1504
1505 data_blob_free(&p->out_data.frag);
1506 TALLOC_FREE(auth_blob.data);
1507 return setup_bind_nak(p, pkt);
1508 }
1509
1510 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1511 const struct api_struct *api_rpc_cmds, int n_cmds,
1512 const struct ndr_syntax_id *syntax);
1513
1514 /****************************************************************************
1515 Find the correct RPC function to call for this request.
1516 If the pipe is authenticated then become the correct UNIX user
1517 before doing the call.
1518 ****************************************************************************/
1519
1520 static bool api_pipe_request(struct pipes_struct *p,
1521 struct ncacn_packet *pkt)
1522 {
1523 bool ret = False;
1524 bool changed_user = False;
1525 PIPE_RPC_FNS *pipe_fns;
1526
1527 if (p->pipe_bound &&
1528 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1529 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1530 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1531 if(!become_authenticated_pipe_user(p->session_info)) {
1532 data_blob_free(&p->out_data.rdata);
1533 return False;
1534 }
1535 changed_user = True;
1536 }
1537
1538 /* get the set of RPC functions for this context */
1539
1540 pipe_fns = find_pipe_fns_by_context(p->contexts,
1541 pkt->u.request.context_id);
1542
1543 if ( pipe_fns ) {
1544 TALLOC_CTX *frame = talloc_stackframe();
1545
1546 DEBUG(5, ("Requested %s rpc service\n",
1547 get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
1548
1549 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1550 &pipe_fns->syntax);
1551
1552 TALLOC_FREE(frame);
1553 }
1554 else {
1555 DEBUG(0, ("No rpc function table associated with context "
1556 "[%d]\n",
1557 pkt->u.request.context_id));
1558 }
1559
1560 if (changed_user) {
1561 unbecome_authenticated_pipe_user();
1562 }
1563
1564 return ret;
1565 }
1566
1567 /*******************************************************************
1568 Calls the underlying RPC function for a named pipe.
1569 ********************************************************************/
1570
1571 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1572 const struct api_struct *api_rpc_cmds, int n_cmds,
1573 const struct ndr_syntax_id *syntax)
1574 {
1575 int fn_num;
1576 uint32_t offset1;
1577
1578 /* interpret the command */
1579 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1580 get_pipe_name_from_syntax(talloc_tos(), syntax),
1581 pkt->u.request.opnum));
1582
1583 if (DEBUGLEVEL >= 50) {
1584 fstring name;
1585 slprintf(name, sizeof(name)-1, "in_%s",
1586 get_pipe_name_from_syntax(talloc_tos(), syntax));
1587 dump_pdu_region(name, pkt->u.request.opnum,
1588 &p->in_data.data, 0,
1589 p->in_data.data.length);
1590 }
1591
1592 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1593 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1594 api_rpc_cmds[fn_num].fn != NULL) {
1595 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1596 api_rpc_cmds[fn_num].name));
1597 break;
1598 }
1599 }
1600
1601 if (fn_num == n_cmds) {
1602 /*
1603 * For an unknown RPC just return a fault PDU but
1604 * return True to allow RPC's on the pipe to continue
1605 * and not put the pipe into fault state. JRA.
1606 */
1607 DEBUG(4, ("unknown\n"));
1608 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1609 return True;
1610 }
1611
1612 offset1 = p->out_data.rdata.length;
1613
1614 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1615 fn_num, api_rpc_cmds[fn_num].fn));
1616 /* do the actual command */
1617 if(!api_rpc_cmds[fn_num].fn(p)) {
1618 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1619 get_pipe_name_from_syntax(talloc_tos(), syntax),
1620 api_rpc_cmds[fn_num].name));
1621 data_blob_free(&p->out_data.rdata);
1622 return False;
1623 }
1624
1625 if (p->bad_handle_fault_state) {
1626 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1627 p->bad_handle_fault_state = False;
1628 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1629 return True;
1630 }
1631
1632 if (p->rng_fault_state) {
1633 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1634 p->rng_fault_state = False;
1635 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1636 return True;
1637 }
1638
1639 if (DEBUGLEVEL >= 50) {
1640 fstring name;
1641 slprintf(name, sizeof(name)-1, "out_%s",
1642 get_pipe_name_from_syntax(talloc_tos(), syntax));
1643 dump_pdu_region(name, pkt->u.request.opnum,
1644 &p->out_data.rdata, offset1,
1645 p->out_data.rdata.length);
1646 }
1647
1648 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1649 get_pipe_name_from_syntax(talloc_tos(), syntax)));
1650
1651 /* Check for buffer underflow in rpc parsing */
1652 if ((DEBUGLEVEL >= 10) &&
1653 (pkt->frag_length < p->in_data.data.length)) {
1654 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1655 dump_data(10, p->in_data.data.data + pkt->frag_length,
1656 p->in_data.data.length - pkt->frag_length);
1657 }
1658
1659 return True;
1660 }
1661
1662 /****************************************************************************
1663 Initialise an outgoing packet.
1664 ****************************************************************************/
1665
1666 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1667 {
1668 output_data *o_data = &p->out_data;
1669
1670 /* Reset the offset counters. */
1671 o_data->data_sent_length = 0;
1672 o_data->current_pdu_sent = 0;
1673
1674 data_blob_free(&o_data->frag);
1675
1676 /* Free any memory in the current return data buffer. */
1677 data_blob_free(&o_data->rdata);
1678
1679 return True;
1680 }
1681
1682 /****************************************************************************
1683 Sets the fault state on incoming packets.
1684 ****************************************************************************/
1685
1686 void set_incoming_fault(struct pipes_struct *p)
1687 {
1688 data_blob_free(&p->in_data.data);
1689 p->in_data.pdu_needed_len = 0;
1690 p->in_data.pdu.length = 0;
1691 p->fault_state = True;
1692
1693 DEBUG(10, ("Setting fault state\n"));
1694 }
1695
1696 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1697 struct ncacn_packet *pkt,
1698 DATA_BLOB *raw_pkt)
1699 {
1700 NTSTATUS status;
1701 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1702 size_t pad_len;
1703
1704 DEBUG(10, ("Checking request auth.\n"));
1705
1706 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1707 hdr_size += 16;
1708 }
1709
1710 /* in case of sealing this function will unseal the data in place */
1711 status = dcerpc_check_auth(auth, pkt,
1712 &pkt->u.request.stub_and_verifier,
1713 hdr_size, raw_pkt,
1714 &pad_len);
1715 if (!NT_STATUS_IS_OK(status)) {
1716 return status;
1717 }
1718
1719
1720 /* remove padding and auth trailer,
1721 * this way the caller will get just the data */
1722 if (pkt->auth_length) {
1723 size_t trail_len = pad_len
1724 + DCERPC_AUTH_TRAILER_LENGTH
1725 + pkt->auth_length;
1726 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1727 return NT_STATUS_INFO_LENGTH_MISMATCH;
1728 }
1729 pkt->u.request.stub_and_verifier.length -= trail_len;
1730 }
1731
1732 return NT_STATUS_OK;
1733 }
1734
1735 /****************************************************************************
1736 Processes a request pdu. This will do auth processing if needed, and
1737 appends the data into the complete stream if the LAST flag is not set.
1738 ****************************************************************************/
1739
1740 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1741 {
1742 NTSTATUS status;
1743 DATA_BLOB data;
1744
1745 if (!p->pipe_bound) {
1746 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1747 set_incoming_fault(p);
1748 return False;
1749 }
1750
1751 /* Store the opnum */
1752 p->opnum = pkt->u.request.opnum;
1753
1754 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1755 if (!NT_STATUS_IS_OK(status)) {
1756 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1757 nt_errstr(status)));
1758 set_incoming_fault(p);
1759 return false;
1760 }
1761
1762 data = pkt->u.request.stub_and_verifier;
1763
1764 /*
1765 * Check the data length doesn't go over the 15Mb limit.
1766 * increased after observing a bug in the Windows NT 4.0 SP6a
1767 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1768 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1769 */
1770
1771 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1772 DEBUG(0, ("process_request_pdu: "
1773 "rpc data buffer too large (%u) + (%u)\n",
1774 (unsigned int)p->in_data.data.length,
1775 (unsigned int)data.length));
1776 set_incoming_fault(p);
1777 return False;
1778 }
1779
1780 /*
1781 * Append the data portion into the buffer and return.
1782 */
1783
1784 if (data.length) {
1785 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1786 data.data, data.length)) {
1787 DEBUG(0, ("Unable to append data size %u "
1788 "to parse buffer of size %u.\n",
1789 (unsigned int)data.length,
1790 (unsigned int)p->in_data.data.length));
1791 set_incoming_fault(p);
1792 return False;
1793 }
1794 }
1795
1796 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1797 bool ret = False;
1798 /*
1799 * Ok - we finally have a complete RPC stream.
1800 * Call the rpc command to process it.
1801 */
1802
1803 /*
1804 * Process the complete data stream here.
1805 */
1806 if (pipe_init_outgoing_data(p)) {
1807 ret = api_pipe_request(p, pkt);
1808 }
1809
1810 return ret;
1811 }
1812
1813 return True;
1814 }
1815
1816 /****************************************************************************
1817 Processes a finished PDU stored in p->in_data.pdu.
1818 ****************************************************************************/
1819
1820 void process_complete_pdu(struct pipes_struct *p)
1821 {
1822 struct ncacn_packet *pkt = NULL;
1823 NTSTATUS status;
1824 bool reply = False;
1825
1826 if(p->fault_state) {
1827 DEBUG(10,("RPC connection in fault state.\n"));
1828 goto done;
1829 }
1830
1831 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1832 if (!pkt) {
1833 DEBUG(0, ("Out of memory!\n"));
1834 goto done;
1835 }
1836
1837 /*
1838 * Ensure we're using the corrent endianness for both the
1839 * RPC header flags and the raw data we will be reading from.
1840 */
1841 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1842 p->endian = RPC_LITTLE_ENDIAN;
1843 } else {
1844 p->endian = RPC_BIG_ENDIAN;
1845 }
1846 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1847
1848 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1849 pkt, p->endian);
1850 if (!NT_STATUS_IS_OK(status)) {
1851 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1852 nt_errstr(status)));
1853 goto done;
1854 }
1855
1856 /* Store the call_id */
1857 p->call_id = pkt->call_id;
1858
1859 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1860
1861 switch (pkt->ptype) {
1862 case DCERPC_PKT_REQUEST:
1863 reply = process_request_pdu(p, pkt);
1864 break;
1865
1866 case DCERPC_PKT_PING: /* CL request - ignore... */
1867 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1868 (unsigned int)pkt->ptype));
1869 break;
1870
1871 case DCERPC_PKT_RESPONSE: /* No responses here. */
1872 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1873 break;
1874
1875 case DCERPC_PKT_FAULT:
1876 case DCERPC_PKT_WORKING:
1877 /* CL request - reply to a ping when a call in process. */
1878 case DCERPC_PKT_NOCALL:
1879 /* CL - server reply to a ping call. */
1880 case DCERPC_PKT_REJECT:
1881 case DCERPC_PKT_ACK:
1882 case DCERPC_PKT_CL_CANCEL:
1883 case DCERPC_PKT_FACK:
1884 case DCERPC_PKT_CANCEL_ACK:
1885 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1886 (unsigned int)pkt->ptype));
1887 break;
1888
1889 case DCERPC_PKT_BIND:
1890 /*
1891 * We assume that a pipe bind is only in one pdu.
1892 */
1893 if (pipe_init_outgoing_data(p)) {
1894 reply = api_pipe_bind_req(p, pkt);
1895 }
1896 break;
1897
1898 case DCERPC_PKT_BIND_ACK:
1899 case DCERPC_PKT_BIND_NAK:
1900 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1901 "packet type %u received.\n",
1902 (unsigned int)pkt->ptype));
1903 break;
1904
1905
1906 case DCERPC_PKT_ALTER:
1907 /*
1908 * We assume that a pipe bind is only in one pdu.
1909 */
1910 if (pipe_init_outgoing_data(p)) {
1911 reply = api_pipe_alter_context(p, pkt);
1912 }
1913 break;
1914
1915 case DCERPC_PKT_ALTER_RESP:
1916 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1917 "Should only be server -> client.\n"));
1918 break;
1919
1920 case DCERPC_PKT_AUTH3:
1921 /*
1922 * The third packet in an auth exchange.
1923 */
1924 if (pipe_init_outgoing_data(p)) {
1925 reply = api_pipe_bind_auth3(p, pkt);
1926 }
1927 break;
1928
1929 case DCERPC_PKT_SHUTDOWN:
1930 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1931 "Should only be server -> client.\n"));
1932 break;
1933
1934 case DCERPC_PKT_CO_CANCEL:
1935 /* For now just free all client data and continue
1936 * processing. */
1937 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1938 " Abandoning rpc call.\n"));
1939 /* As we never do asynchronous RPC serving, we can
1940 * never cancel a call (as far as I know).
1941 * If we ever did we'd have to send a cancel_ack reply.
1942 * For now, just free all client data and continue
1943 * processing. */
1944 reply = True;
1945 break;
1946
1947 #if 0
1948 /* Enable this if we're doing async rpc. */
1949 /* We must check the outstanding callid matches. */
1950 if (pipe_init_outgoing_data(p)) {
1951 /* Send a cancel_ack PDU reply. */
1952 /* We should probably check the auth-verifier here. */
1953 reply = setup_cancel_ack_reply(p, pkt);
1954 }
1955 break;
1956 #endif
1957
1958 case DCERPC_PKT_ORPHANED:
1959 /* We should probably check the auth-verifier here.
1960 * For now just free all client data and continue
1961 * processing. */
1962 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1963 " Abandoning rpc call.\n"));
1964 reply = True;
1965 break;
1966
1967 default:
1968 DEBUG(0, ("process_complete_pdu: "
1969 "Unknown rpc type = %u received.\n",
1970 (unsigned int)pkt->ptype));
1971 break;
1972 }
1973
1974 done:
1975 if (!reply) {
1976 DEBUG(3,("DCE/RPC fault sent!"));
1977 set_incoming_fault(p);
1978 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1979 TALLOC_FREE(pkt);
1980 } else {
1981 /*
1982 * Reset the lengths. We're ready for a new pdu.
1983 */
1984 TALLOC_FREE(p->in_data.pdu.data);
1985 p->in_data.pdu_needed_len = 0;
1986 p->in_data.pdu.length = 0;
1987 }
1988
1989 TALLOC_FREE(pkt);
1990 }
1991
reg import