search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove smb_np_struct
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blobbe7d3db4443e4d4bc6d2ad55e7d50e7e45f47d05
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267 }
268
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445 }
446
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
621
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
626
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
632 }
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
644 }
645 }
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
652 }
653 }
654
655 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
656 "workstation: %s\n", a->ntlmssp_state->user,
657 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
658
659 /*
660 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
661 */
662
663 p->pipe_user.ut.uid = a->server_info->utok.uid;
664 p->pipe_user.ut.gid = a->server_info->utok.gid;
665
666 p->pipe_user.ut.ngroups = a->server_info->utok.ngroups;
667 if (p->pipe_user.ut.ngroups) {
668 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(
669 a->server_info->utok.groups,
670 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
671 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
672 return False;
673 }
674 }
675
676 if (a->server_info->ptok) {
677 p->pipe_user.nt_user_token =
678 dup_nt_token(NULL, a->server_info->ptok);
679 } else {
680 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
681 p->pipe_user.nt_user_token = NULL;
682 return False;
683 }
684
685 TALLOC_FREE(p->server_info);
686
687 p->server_info = copy_serverinfo(p, a->server_info);
688 if (p->server_info == NULL) {
689 DEBUG(0, ("copy_serverinfo failed\n"));
690 return false;
691 }
692
693 /*
694 * We're an authenticated bind over smb, so the session key needs to
695 * be set to "SystemLibraryDTC". Weird, but this is what Windows
696 * does. See the RPC-SAMBA3SESSIONKEY.
697 */
698
699 session_key = generic_session_key();
700 if (session_key.data == NULL) {
701 return False;
702 }
703
704 ret = server_info_set_session_key(p->server_info, session_key);
705
706 data_blob_free(&session_key);
707
708 return True;
709 }
710
711 /*******************************************************************
712 The switch table for the pipe names and the functions to handle them.
713 *******************************************************************/
714
715 struct rpc_table {
716 struct {
717 const char *clnt;
718 const char *srv;
719 } pipe;
720 struct ndr_syntax_id rpc_interface;
721 const struct api_struct *cmds;
722 int n_cmds;
723 };
724
725 static struct rpc_table *rpc_lookup;
726 static int rpc_lookup_size;
727
728 /*******************************************************************
729 This is the "stage3" NTLMSSP response after a bind request and reply.
730 *******************************************************************/
731
732 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
733 {
734 RPC_HDR_AUTH auth_info;
735 uint32 pad;
736 DATA_BLOB blob;
737
738 ZERO_STRUCT(blob);
739
740 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
741
742 if (p->hdr.auth_len == 0) {
743 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
744 goto err;
745 }
746
747 /* 4 bytes padding. */
748 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
749 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
750 goto err;
751 }
752
753 /*
754 * Decode the authentication verifier response.
755 */
756
757 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
758 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
759 goto err;
760 }
761
762 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
763 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
764 (unsigned int)auth_info.auth_type ));
765 return False;
766 }
767
768 blob = data_blob(NULL,p->hdr.auth_len);
769
770 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
771 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
772 (unsigned int)p->hdr.auth_len ));
773 goto err;
774 }
775
776 /*
777 * The following call actually checks the challenge/response data.
778 * for correctness against the given DOMAIN\user name.
779 */
780
781 if (!pipe_ntlmssp_verify_final(p, &blob)) {
782 goto err;
783 }
784
785 data_blob_free(&blob);
786
787 p->pipe_bound = True;
788
789 return True;
790
791 err:
792
793 data_blob_free(&blob);
794 free_pipe_ntlmssp_auth_data(&p->auth);
795 p->auth.a_u.auth_ntlmssp_state = NULL;
796
797 return False;
798 }
799
800 /*******************************************************************
801 Marshall a bind_nak pdu.
802 *******************************************************************/
803
804 static bool setup_bind_nak(pipes_struct *p)
805 {
806 prs_struct outgoing_rpc;
807 RPC_HDR nak_hdr;
808 uint16 zero = 0;
809
810 /* Free any memory in the current return data buffer. */
811 prs_mem_free(&p->out_data.rdata);
812
813 /*
814 * Marshall directly into the outgoing PDU space. We
815 * must do this as we need to set to the bind response
816 * header and are never sending more than one PDU here.
817 */
818
819 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
820 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
821
822 /*
823 * Initialize a bind_nak header.
824 */
825
826 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
827 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
828
829 /*
830 * Marshall the header into the outgoing PDU.
831 */
832
833 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
834 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
835 prs_mem_free(&outgoing_rpc);
836 return False;
837 }
838
839 /*
840 * Now add the reject reason.
841 */
842
843 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
844 prs_mem_free(&outgoing_rpc);
845 return False;
846 }
847
848 p->out_data.data_sent_length = 0;
849 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
850 p->out_data.current_pdu_sent = 0;
851
852 if (p->auth.auth_data_free_func) {
853 (*p->auth.auth_data_free_func)(&p->auth);
854 }
855 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
856 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
857 p->pipe_bound = False;
858
859 return True;
860 }
861
862 /*******************************************************************
863 Marshall a fault pdu.
864 *******************************************************************/
865
866 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
867 {
868 prs_struct outgoing_pdu;
869 RPC_HDR fault_hdr;
870 RPC_HDR_RESP hdr_resp;
871 RPC_HDR_FAULT fault_resp;
872
873 /* Free any memory in the current return data buffer. */
874 prs_mem_free(&p->out_data.rdata);
875
876 /*
877 * Marshall directly into the outgoing PDU space. We
878 * must do this as we need to set to the bind response
879 * header and are never sending more than one PDU here.
880 */
881
882 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
883 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
884
885 /*
886 * Initialize a fault header.
887 */
888
889 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
890 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
891
892 /*
893 * Initialize the HDR_RESP and FAULT parts of the PDU.
894 */
895
896 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
897
898 fault_resp.status = status;
899 fault_resp.reserved = 0;
900
901 /*
902 * Marshall the header into the outgoing PDU.
903 */
904
905 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
906 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
907 prs_mem_free(&outgoing_pdu);
908 return False;
909 }
910
911 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
912 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
913 prs_mem_free(&outgoing_pdu);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
919 prs_mem_free(&outgoing_pdu);
920 return False;
921 }
922
923 p->out_data.data_sent_length = 0;
924 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
925 p->out_data.current_pdu_sent = 0;
926
927 prs_mem_free(&outgoing_pdu);
928 return True;
929 }
930
931 #if 0
932 /*******************************************************************
933 Marshall a cancel_ack pdu.
934 We should probably check the auth-verifier here.
935 *******************************************************************/
936
937 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
938 {
939 prs_struct outgoing_pdu;
940 RPC_HDR ack_reply_hdr;
941
942 /* Free any memory in the current return data buffer. */
943 prs_mem_free(&p->out_data.rdata);
944
945 /*
946 * Marshall directly into the outgoing PDU space. We
947 * must do this as we need to set to the bind response
948 * header and are never sending more than one PDU here.
949 */
950
951 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
952 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
953
954 /*
955 * Initialize a cancel_ack header.
956 */
957
958 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
959 p->hdr.call_id, RPC_HEADER_LEN, 0);
960
961 /*
962 * Marshall the header into the outgoing PDU.
963 */
964
965 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
966 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
967 prs_mem_free(&outgoing_pdu);
968 return False;
969 }
970
971 p->out_data.data_sent_length = 0;
972 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
973 p->out_data.current_pdu_sent = 0;
974
975 prs_mem_free(&outgoing_pdu);
976 return True;
977 }
978 #endif
979
980 /*******************************************************************
981 Ensure a bind request has the correct abstract & transfer interface.
982 Used to reject unknown binds from Win2k.
983 *******************************************************************/
984
985 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
986 RPC_IFACE* transfer, uint32 context_id)
987 {
988 int i=0;
989 struct pipe_rpc_fns *context_fns;
990
991 DEBUG(3,("check_bind_req for %s\n", p->name));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for (i=0; i<rpc_lookup_size; i++) {
996 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
997 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
998 && ndr_syntax_id_equal(
999 abstract, &rpc_lookup[i].rpc_interface)
1000 && ndr_syntax_id_equal(
1001 transfer, &ndr_transfer_syntax)) {
1002 break;
1003 }
1004 }
1005
1006 if (i == rpc_lookup_size) {
1007 return false;
1008 }
1009
1010 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1011 if (context_fns == NULL) {
1012 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1013 return False;
1014 }
1015
1016 context_fns->cmds = rpc_lookup[i].cmds;
1017 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1018 context_fns->context_id = context_id;
1019
1020 /* add to the list of open contexts */
1021
1022 DLIST_ADD( p->contexts, context_fns );
1023
1024 return True;
1025 }
1026
1027 /*******************************************************************
1028 Register commands to an RPC pipe
1029 *******************************************************************/
1030
1031 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt,
1032 const char *srv,
1033 const struct ndr_syntax_id *interface,
1034 const struct api_struct *cmds, int size)
1035 {
1036 struct rpc_table *rpc_entry;
1037
1038 if (!clnt || !srv || !cmds) {
1039 return NT_STATUS_INVALID_PARAMETER;
1040 }
1041
1042 if (version != SMB_RPC_INTERFACE_VERSION) {
1043 DEBUG(0,("Can't register rpc commands!\n"
1044 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1045 ", while this version of samba uses version %d!\n",
1046 version,SMB_RPC_INTERFACE_VERSION));
1047 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1048 }
1049
1050 /* TODO:
1051 *
1052 * we still need to make sure that don't register the same commands twice!!!
1053 *
1054 * --metze
1055 */
1056
1057 /* We use a temporary variable because this call can fail and
1058 rpc_lookup will still be valid afterwards. It could then succeed if
1059 called again later */
1060 rpc_lookup_size++;
1061 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1062 if (NULL == rpc_entry) {
1063 rpc_lookup_size--;
1064 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1065 return NT_STATUS_NO_MEMORY;
1066 } else {
1067 rpc_lookup = rpc_entry;
1068 }
1069
1070 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1071 ZERO_STRUCTP(rpc_entry);
1072 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1073 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1074 rpc_entry->rpc_interface = *interface;
1075 rpc_entry->cmds = cmds;
1076 rpc_entry->n_cmds = size;
1077
1078 return NT_STATUS_OK;
1079 }
1080
1081 /**
1082 * Is a named pipe known?
1083 * @param[in] cli_filename The pipe name requested by the client
1084 * @result Do we want to serve this?
1085 */
1086 bool is_known_pipename(const char *cli_filename)
1087 {
1088 const char *pipename = cli_filename;
1089 int i;
1090
1091 if (strnequal(pipename, "\\PIPE\\", 6)) {
1092 pipename += 5;
1093 }
1094
1095 if (*pipename == '\\') {
1096 pipename += 1;
1097 }
1098
1099 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1100 DEBUG(10, ("refusing spoolss access\n"));
1101 return false;
1102 }
1103
1104 for (i=0; i<rpc_lookup_size; i++) {
1105 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1106 return true;
1107 }
1108 }
1109
1110 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1111 return false;
1112 }
1113
1114 /*******************************************************************
1115 Handle a SPNEGO krb5 bind auth.
1116 *******************************************************************/
1117
1118 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1119 DATA_BLOB *psecblob, prs_struct *pout_auth)
1120 {
1121 return False;
1122 }
1123
1124 /*******************************************************************
1125 Handle the first part of a SPNEGO bind auth.
1126 *******************************************************************/
1127
1128 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1129 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1130 {
1131 DATA_BLOB blob;
1132 DATA_BLOB secblob;
1133 DATA_BLOB response;
1134 DATA_BLOB chal;
1135 char *OIDs[ASN1_MAX_OIDS];
1136 int i;
1137 NTSTATUS status;
1138 bool got_kerberos_mechanism = false;
1139 AUTH_NTLMSSP_STATE *a = NULL;
1140 RPC_HDR_AUTH auth_info;
1141
1142 ZERO_STRUCT(secblob);
1143 ZERO_STRUCT(chal);
1144 ZERO_STRUCT(response);
1145
1146 /* Grab the SPNEGO blob. */
1147 blob = data_blob(NULL,p->hdr.auth_len);
1148
1149 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1150 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1151 (unsigned int)p->hdr.auth_len ));
1152 goto err;
1153 }
1154
1155 if (blob.data[0] != ASN1_APPLICATION(0)) {
1156 goto err;
1157 }
1158
1159 /* parse out the OIDs and the first sec blob */
1160 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1161 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1162 goto err;
1163 }
1164
1165 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1166 got_kerberos_mechanism = true;
1167 }
1168
1169 for (i=0;OIDs[i];i++) {
1170 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1171 SAFE_FREE(OIDs[i]);
1172 }
1173 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1174
1175 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1176 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1177 data_blob_free(&secblob);
1178 data_blob_free(&blob);
1179 return ret;
1180 }
1181
1182 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1183 /* Free any previous auth type. */
1184 free_pipe_ntlmssp_auth_data(&p->auth);
1185 }
1186
1187 if (!got_kerberos_mechanism) {
1188 /* Initialize the NTLM engine. */
1189 status = auth_ntlmssp_start(&a);
1190 if (!NT_STATUS_IS_OK(status)) {
1191 goto err;
1192 }
1193
1194 /*
1195 * Pass the first security blob of data to it.
1196 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1197 * which means we need another packet to complete the bind.
1198 */
1199
1200 status = auth_ntlmssp_update(a, secblob, &chal);
1201
1202 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1203 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1204 goto err;
1205 }
1206
1207 /* Generate the response blob we need for step 2 of the bind. */
1208 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1209 } else {
1210 /*
1211 * SPNEGO negotiate down to NTLMSSP. The subsequent
1212 * code to process follow-up packets is not complete
1213 * yet. JRA.
1214 */
1215 response = spnego_gen_auth_response(NULL,
1216 NT_STATUS_MORE_PROCESSING_REQUIRED,
1217 OID_NTLMSSP);
1218 }
1219
1220 /* Copy the blob into the pout_auth parse struct */
1221 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1222 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1223 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1224 goto err;
1225 }
1226
1227 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1228 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1229 goto err;
1230 }
1231
1232 p->auth.a_u.auth_ntlmssp_state = a;
1233 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1234 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1235
1236 data_blob_free(&blob);
1237 data_blob_free(&secblob);
1238 data_blob_free(&chal);
1239 data_blob_free(&response);
1240
1241 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1242 return True;
1243
1244 err:
1245
1246 data_blob_free(&blob);
1247 data_blob_free(&secblob);
1248 data_blob_free(&chal);
1249 data_blob_free(&response);
1250
1251 p->auth.a_u.auth_ntlmssp_state = NULL;
1252
1253 return False;
1254 }
1255
1256 /*******************************************************************
1257 Handle the second part of a SPNEGO bind auth.
1258 *******************************************************************/
1259
1260 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1261 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1262 {
1263 RPC_HDR_AUTH auth_info;
1264 DATA_BLOB spnego_blob;
1265 DATA_BLOB auth_blob;
1266 DATA_BLOB auth_reply;
1267 DATA_BLOB response;
1268 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1269
1270 ZERO_STRUCT(spnego_blob);
1271 ZERO_STRUCT(auth_blob);
1272 ZERO_STRUCT(auth_reply);
1273 ZERO_STRUCT(response);
1274
1275 /*
1276 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1277 * fail here as 'a' == NULL.
1278 */
1279 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1280 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1281 goto err;
1282 }
1283
1284 /* Grab the SPNEGO blob. */
1285 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1286
1287 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1288 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1289 (unsigned int)p->hdr.auth_len ));
1290 goto err;
1291 }
1292
1293 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1294 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1295 goto err;
1296 }
1297
1298 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1299 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1300 goto err;
1301 }
1302
1303 /*
1304 * The following call actually checks the challenge/response data.
1305 * for correctness against the given DOMAIN\user name.
1306 */
1307
1308 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1309 goto err;
1310 }
1311
1312 data_blob_free(&spnego_blob);
1313 data_blob_free(&auth_blob);
1314
1315 /* Generate the spnego "accept completed" blob - no incoming data. */
1316 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1317
1318 /* Copy the blob into the pout_auth parse struct */
1319 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1320 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1321 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1322 goto err;
1323 }
1324
1325 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1326 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1327 goto err;
1328 }
1329
1330 data_blob_free(&auth_reply);
1331 data_blob_free(&response);
1332
1333 p->pipe_bound = True;
1334
1335 return True;
1336
1337 err:
1338
1339 data_blob_free(&spnego_blob);
1340 data_blob_free(&auth_blob);
1341 data_blob_free(&auth_reply);
1342 data_blob_free(&response);
1343
1344 free_pipe_ntlmssp_auth_data(&p->auth);
1345 p->auth.a_u.auth_ntlmssp_state = NULL;
1346
1347 return False;
1348 }
1349
1350 /*******************************************************************
1351 Handle an schannel bind auth.
1352 *******************************************************************/
1353
1354 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1355 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1356 {
1357 RPC_HDR_AUTH auth_info;
1358 RPC_AUTH_SCHANNEL_NEG neg;
1359 RPC_AUTH_VERIFIER auth_verifier;
1360 bool ret;
1361 struct dcinfo *pdcinfo;
1362 uint32 flags;
1363 DATA_BLOB session_key;
1364
1365 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1366 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1367 return False;
1368 }
1369
1370 /*
1371 * The neg.myname key here must match the remote computer name
1372 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1373 * operations that use credentials.
1374 */
1375
1376 become_root();
1377 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1378 unbecome_root();
1379
1380 if (!ret) {
1381 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1382 return False;
1383 }
1384
1385 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1386 if (!p->auth.a_u.schannel_auth) {
1387 TALLOC_FREE(pdcinfo);
1388 return False;
1389 }
1390
1391 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1392 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1393 sizeof(pdcinfo->sess_key));
1394
1395 TALLOC_FREE(pdcinfo);
1396
1397 p->auth.a_u.schannel_auth->seq_num = 0;
1398
1399 /*
1400 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1401 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1402 * struct of the person who opened the pipe. I need to test this further. JRA.
1403 *
1404 * VL. As we are mapping this to guest set the generic key
1405 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1406 * W2k3, as it does not allow schannel binds against SAMR and LSA
1407 * anymore.
1408 */
1409
1410 session_key = generic_session_key();
1411 if (session_key.data == NULL) {
1412 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1413 " key\n"));
1414 return false;
1415 }
1416
1417 ret = server_info_set_session_key(p->server_info, session_key);
1418
1419 data_blob_free(&session_key);
1420
1421 if (!ret) {
1422 DEBUG(0, ("server_info_set_session_key failed\n"));
1423 return false;
1424 }
1425
1426 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1427 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1428 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1429 return False;
1430 }
1431
1432 /*** SCHANNEL verifier ***/
1433
1434 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1435 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1436 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1437 return False;
1438 }
1439
1440 prs_align(pout_auth);
1441
1442 flags = 5;
1443 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1444 return False;
1445 }
1446
1447 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1448 neg.domain, neg.myname));
1449
1450 /* We're finished with this bind - no more packets. */
1451 p->auth.auth_data_free_func = NULL;
1452 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1453
1454 p->pipe_bound = True;
1455
1456 return True;
1457 }
1458
1459 /*******************************************************************
1460 Handle an NTLMSSP bind auth.
1461 *******************************************************************/
1462
1463 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1464 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1465 {
1466 RPC_HDR_AUTH auth_info;
1467 DATA_BLOB blob;
1468 DATA_BLOB response;
1469 NTSTATUS status;
1470 AUTH_NTLMSSP_STATE *a = NULL;
1471
1472 ZERO_STRUCT(blob);
1473 ZERO_STRUCT(response);
1474
1475 /* Grab the NTLMSSP blob. */
1476 blob = data_blob(NULL,p->hdr.auth_len);
1477
1478 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1479 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1480 (unsigned int)p->hdr.auth_len ));
1481 goto err;
1482 }
1483
1484 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1485 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1486 goto err;
1487 }
1488
1489 /* We have an NTLMSSP blob. */
1490 status = auth_ntlmssp_start(&a);
1491 if (!NT_STATUS_IS_OK(status)) {
1492 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1493 nt_errstr(status) ));
1494 goto err;
1495 }
1496
1497 status = auth_ntlmssp_update(a, blob, &response);
1498 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1499 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1500 nt_errstr(status) ));
1501 goto err;
1502 }
1503
1504 data_blob_free(&blob);
1505
1506 /* Copy the blob into the pout_auth parse struct */
1507 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1508 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1509 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1510 goto err;
1511 }
1512
1513 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1514 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1515 goto err;
1516 }
1517
1518 p->auth.a_u.auth_ntlmssp_state = a;
1519 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1520 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1521
1522 data_blob_free(&blob);
1523 data_blob_free(&response);
1524
1525 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1526
1527 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1528 return True;
1529
1530 err:
1531
1532 data_blob_free(&blob);
1533 data_blob_free(&response);
1534
1535 free_pipe_ntlmssp_auth_data(&p->auth);
1536 p->auth.a_u.auth_ntlmssp_state = NULL;
1537 return False;
1538 }
1539
1540 /*******************************************************************
1541 Respond to a pipe bind request.
1542 *******************************************************************/
1543
1544 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1545 {
1546 RPC_HDR_BA hdr_ba;
1547 RPC_HDR_RB hdr_rb;
1548 RPC_HDR_AUTH auth_info;
1549 uint16 assoc_gid;
1550 fstring ack_pipe_name;
1551 prs_struct out_hdr_ba;
1552 prs_struct out_auth;
1553 prs_struct outgoing_rpc;
1554 int i = 0;
1555 int auth_len = 0;
1556 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1557
1558 /* No rebinds on a bound pipe - use alter context. */
1559 if (p->pipe_bound) {
1560 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1561 return setup_bind_nak(p);
1562 }
1563
1564 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1565
1566 /*
1567 * Marshall directly into the outgoing PDU space. We
1568 * must do this as we need to set to the bind response
1569 * header and are never sending more than one PDU here.
1570 */
1571
1572 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1573
1574 /*
1575 * Setup the memory to marshall the ba header, and the
1576 * auth footers.
1577 */
1578
1579 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1580 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1581 prs_mem_free(&outgoing_rpc);
1582 return False;
1583 }
1584
1585 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1586 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1587 prs_mem_free(&outgoing_rpc);
1588 prs_mem_free(&out_hdr_ba);
1589 return False;
1590 }
1591
1592 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1593
1594 ZERO_STRUCT(hdr_rb);
1595
1596 /* decode the bind request */
1597
1598 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1599 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1600 "struct.\n"));
1601 goto err_exit;
1602 }
1603
1604 if (hdr_rb.num_contexts == 0) {
1605 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1606 goto err_exit;
1607 }
1608
1609 /*
1610 * Try and find the correct pipe name to ensure
1611 * that this is a pipe name we support.
1612 */
1613
1614 for (i = 0; i < rpc_lookup_size; i++) {
1615 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1616 &hdr_rb.rpc_context[0].abstract)) {
1617 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1618 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1619 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1620 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1621 break;
1622 }
1623 }
1624
1625 if (i == rpc_lookup_size) {
1626 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1627 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1628 p->name ));
1629 prs_mem_free(&outgoing_rpc);
1630 prs_mem_free(&out_hdr_ba);
1631 prs_mem_free(&out_auth);
1632
1633 return setup_bind_nak(p);
1634 }
1635
1636 for (i = 0; i < rpc_lookup_size; i++) {
1637 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1638 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1639 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1640 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1641 break;
1642 }
1643 }
1644
1645 if (i == rpc_lookup_size) {
1646 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1647 goto err_exit;
1648 }
1649 }
1650
1651 /* name has to be \PIPE\xxxxx */
1652 fstrcpy(ack_pipe_name, "\\PIPE\\");
1653 fstrcat(ack_pipe_name, p->pipe_srv_name);
1654
1655 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1656
1657 /*
1658 * Check if this is an authenticated bind request.
1659 */
1660
1661 if (p->hdr.auth_len) {
1662 /*
1663 * Decode the authentication verifier.
1664 */
1665
1666 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1667 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1668 goto err_exit;
1669 }
1670
1671 auth_type = auth_info.auth_type;
1672
1673 /* Work out if we have to sign or seal etc. */
1674 switch (auth_info.auth_level) {
1675 case RPC_AUTH_LEVEL_INTEGRITY:
1676 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1677 break;
1678 case RPC_AUTH_LEVEL_PRIVACY:
1679 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1680 break;
1681 default:
1682 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1683 (unsigned int)auth_info.auth_level ));
1684 goto err_exit;
1685 }
1686 } else {
1687 ZERO_STRUCT(auth_info);
1688 }
1689
1690 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1691
1692 switch(auth_type) {
1693 case RPC_NTLMSSP_AUTH_TYPE:
1694 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1695 goto err_exit;
1696 }
1697 assoc_gid = 0x7a77;
1698 break;
1699
1700 case RPC_SCHANNEL_AUTH_TYPE:
1701 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1702 goto err_exit;
1703 }
1704 break;
1705
1706 case RPC_SPNEGO_AUTH_TYPE:
1707 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1708 goto err_exit;
1709 }
1710 break;
1711
1712 case RPC_ANONYMOUS_AUTH_TYPE:
1713 /* Unauthenticated bind request. */
1714 /* Get the authenticated pipe user from current_user */
1715 if (!copy_current_user(&p->pipe_user, &current_user)) {
1716 DEBUG(10, ("Could not copy current user\n"));
1717 goto err_exit;
1718 }
1719 /* We're finished - no more packets. */
1720 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1721 /* We must set the pipe auth_level here also. */
1722 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1723 p->pipe_bound = True;
1724 /* The session key was initialized from the SMB
1725 * session in make_internal_rpc_pipe_p */
1726 break;
1727
1728 default:
1729 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1730 goto err_exit;
1731 }
1732
1733 /*
1734 * Create the bind response struct.
1735 */
1736
1737 /* If the requested abstract synt uuid doesn't match our client pipe,
1738 reject the bind_ack & set the transfer interface synt to all 0's,
1739 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1740 unknown to NT4)
1741 Needed when adding entries to a DACL from NT5 - SK */
1742
1743 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1744 hdr_rb.rpc_context[0].context_id )) {
1745 init_rpc_hdr_ba(&hdr_ba,
1746 RPC_MAX_PDU_FRAG_LEN,
1747 RPC_MAX_PDU_FRAG_LEN,
1748 assoc_gid,
1749 ack_pipe_name,
1750 0x1, 0x0, 0x0,
1751 &hdr_rb.rpc_context[0].transfer[0]);
1752 } else {
1753 RPC_IFACE null_interface;
1754 ZERO_STRUCT(null_interface);
1755 /* Rejection reason: abstract syntax not supported */
1756 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1757 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1758 ack_pipe_name, 0x1, 0x2, 0x1,
1759 &null_interface);
1760 p->pipe_bound = False;
1761 }
1762
1763 /*
1764 * and marshall it.
1765 */
1766
1767 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1768 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1769 goto err_exit;
1770 }
1771
1772 /*
1773 * Create the header, now we know the length.
1774 */
1775
1776 if (prs_offset(&out_auth)) {
1777 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1778 }
1779
1780 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1781 p->hdr.call_id,
1782 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1783 auth_len);
1784
1785 /*
1786 * Marshall the header into the outgoing PDU.
1787 */
1788
1789 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1790 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1791 goto err_exit;
1792 }
1793
1794 /*
1795 * Now add the RPC_HDR_BA and any auth needed.
1796 */
1797
1798 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1799 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1800 goto err_exit;
1801 }
1802
1803 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1804 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1805 goto err_exit;
1806 }
1807
1808 /*
1809 * Setup the lengths for the initial reply.
1810 */
1811
1812 p->out_data.data_sent_length = 0;
1813 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1814 p->out_data.current_pdu_sent = 0;
1815
1816 prs_mem_free(&out_hdr_ba);
1817 prs_mem_free(&out_auth);
1818
1819 return True;
1820
1821 err_exit:
1822
1823 prs_mem_free(&outgoing_rpc);
1824 prs_mem_free(&out_hdr_ba);
1825 prs_mem_free(&out_auth);
1826 return setup_bind_nak(p);
1827 }
1828
1829 /****************************************************************************
1830 Deal with an alter context call. Can be third part of 3 leg auth request for
1831 SPNEGO calls.
1832 ****************************************************************************/
1833
1834 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1835 {
1836 RPC_HDR_BA hdr_ba;
1837 RPC_HDR_RB hdr_rb;
1838 RPC_HDR_AUTH auth_info;
1839 uint16 assoc_gid;
1840 fstring ack_pipe_name;
1841 prs_struct out_hdr_ba;
1842 prs_struct out_auth;
1843 prs_struct outgoing_rpc;
1844 int auth_len = 0;
1845
1846 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1847
1848 /*
1849 * Marshall directly into the outgoing PDU space. We
1850 * must do this as we need to set to the bind response
1851 * header and are never sending more than one PDU here.
1852 */
1853
1854 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1855
1856 /*
1857 * Setup the memory to marshall the ba header, and the
1858 * auth footers.
1859 */
1860
1861 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1862 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1863 prs_mem_free(&outgoing_rpc);
1864 return False;
1865 }
1866
1867 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1868 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1869 prs_mem_free(&outgoing_rpc);
1870 prs_mem_free(&out_hdr_ba);
1871 return False;
1872 }
1873
1874 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1875
1876 /* decode the alter context request */
1877 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1878 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1879 goto err_exit;
1880 }
1881
1882 /* secondary address CAN be NULL
1883 * as the specs say it's ignored.
1884 * It MUST be NULL to have the spoolss working.
1885 */
1886 fstrcpy(ack_pipe_name,"");
1887
1888 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1889
1890 /*
1891 * Check if this is an authenticated alter context request.
1892 */
1893
1894 if (p->hdr.auth_len != 0) {
1895 /*
1896 * Decode the authentication verifier.
1897 */
1898
1899 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1900 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1901 goto err_exit;
1902 }
1903
1904 /*
1905 * Currently only the SPNEGO auth type uses the alter ctx
1906 * response in place of the NTLMSSP auth3 type.
1907 */
1908
1909 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1910 /* We can only finish if the pipe is unbound. */
1911 if (!p->pipe_bound) {
1912 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1913 goto err_exit;
1914 }
1915 } else {
1916 goto err_exit;
1917 }
1918 }
1919 } else {
1920 ZERO_STRUCT(auth_info);
1921 }
1922
1923 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1924
1925 /*
1926 * Create the bind response struct.
1927 */
1928
1929 /* If the requested abstract synt uuid doesn't match our client pipe,
1930 reject the bind_ack & set the transfer interface synt to all 0's,
1931 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1932 unknown to NT4)
1933 Needed when adding entries to a DACL from NT5 - SK */
1934
1935 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1936 hdr_rb.rpc_context[0].context_id )) {
1937 init_rpc_hdr_ba(&hdr_ba,
1938 RPC_MAX_PDU_FRAG_LEN,
1939 RPC_MAX_PDU_FRAG_LEN,
1940 assoc_gid,
1941 ack_pipe_name,
1942 0x1, 0x0, 0x0,
1943 &hdr_rb.rpc_context[0].transfer[0]);
1944 } else {
1945 RPC_IFACE null_interface;
1946 ZERO_STRUCT(null_interface);
1947 /* Rejection reason: abstract syntax not supported */
1948 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1949 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1950 ack_pipe_name, 0x1, 0x2, 0x1,
1951 &null_interface);
1952 p->pipe_bound = False;
1953 }
1954
1955 /*
1956 * and marshall it.
1957 */
1958
1959 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1960 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1961 goto err_exit;
1962 }
1963
1964 /*
1965 * Create the header, now we know the length.
1966 */
1967
1968 if (prs_offset(&out_auth)) {
1969 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1970 }
1971
1972 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1973 p->hdr.call_id,
1974 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1975 auth_len);
1976
1977 /*
1978 * Marshall the header into the outgoing PDU.
1979 */
1980
1981 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1982 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1983 goto err_exit;
1984 }
1985
1986 /*
1987 * Now add the RPC_HDR_BA and any auth needed.
1988 */
1989
1990 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1991 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1992 goto err_exit;
1993 }
1994
1995 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1996 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1997 goto err_exit;
1998 }
1999
2000 /*
2001 * Setup the lengths for the initial reply.
2002 */
2003
2004 p->out_data.data_sent_length = 0;
2005 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
2006 p->out_data.current_pdu_sent = 0;
2007
2008 prs_mem_free(&out_hdr_ba);
2009 prs_mem_free(&out_auth);
2010
2011 return True;
2012
2013 err_exit:
2014
2015 prs_mem_free(&outgoing_rpc);
2016 prs_mem_free(&out_hdr_ba);
2017 prs_mem_free(&out_auth);
2018 return setup_bind_nak(p);
2019 }
2020
2021 /****************************************************************************
2022 Deal with NTLMSSP sign & seal processing on an RPC request.
2023 ****************************************************************************/
2024
2025 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2026 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2027 {
2028 RPC_HDR_AUTH auth_info;
2029 uint32 auth_len = p->hdr.auth_len;
2030 uint32 save_offset = prs_offset(rpc_in);
2031 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2032 unsigned char *data = NULL;
2033 size_t data_len;
2034 unsigned char *full_packet_data = NULL;
2035 size_t full_packet_data_len;
2036 DATA_BLOB auth_blob;
2037
2038 *pstatus = NT_STATUS_OK;
2039
2040 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2041 return True;
2042 }
2043
2044 if (!a) {
2045 *pstatus = NT_STATUS_INVALID_PARAMETER;
2046 return False;
2047 }
2048
2049 /* Ensure there's enough data for an authenticated request. */
2050 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2051 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2052 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2053 (unsigned int)auth_len ));
2054 *pstatus = NT_STATUS_INVALID_PARAMETER;
2055 return False;
2056 }
2057
2058 /*
2059 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2060 * after the RPC header.
2061 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2062 * functions as NTLMv2 checks the rpc headers also.
2063 */
2064
2065 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2066 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2067
2068 full_packet_data = p->in_data.current_in_pdu;
2069 full_packet_data_len = p->hdr.frag_len - auth_len;
2070
2071 /* Pull the auth header and the following data into a blob. */
2072 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2073 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2074 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2075 *pstatus = NT_STATUS_INVALID_PARAMETER;
2076 return False;
2077 }
2078
2079 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2080 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2081 *pstatus = NT_STATUS_INVALID_PARAMETER;
2082 return False;
2083 }
2084
2085 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2086 auth_blob.length = auth_len;
2087
2088 switch (p->auth.auth_level) {
2089 case PIPE_AUTH_LEVEL_PRIVACY:
2090 /* Data is encrypted. */
2091 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2092 data, data_len,
2093 full_packet_data,
2094 full_packet_data_len,
2095 &auth_blob);
2096 if (!NT_STATUS_IS_OK(*pstatus)) {
2097 return False;
2098 }
2099 break;
2100 case PIPE_AUTH_LEVEL_INTEGRITY:
2101 /* Data is signed. */
2102 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2103 data, data_len,
2104 full_packet_data,
2105 full_packet_data_len,
2106 &auth_blob);
2107 if (!NT_STATUS_IS_OK(*pstatus)) {
2108 return False;
2109 }
2110 break;
2111 default:
2112 *pstatus = NT_STATUS_INVALID_PARAMETER;
2113 return False;
2114 }
2115
2116 /*
2117 * Return the current pointer to the data offset.
2118 */
2119
2120 if(!prs_set_offset(rpc_in, save_offset)) {
2121 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2122 (unsigned int)save_offset ));
2123 *pstatus = NT_STATUS_INVALID_PARAMETER;
2124 return False;
2125 }
2126
2127 /*
2128 * Remember the padding length. We must remove it from the real data
2129 * stream once the sign/seal is done.
2130 */
2131
2132 *p_ss_padding_len = auth_info.auth_pad_len;
2133
2134 return True;
2135 }
2136
2137 /****************************************************************************
2138 Deal with schannel processing on an RPC request.
2139 ****************************************************************************/
2140
2141 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2142 {
2143 uint32 data_len;
2144 uint32 auth_len;
2145 uint32 save_offset = prs_offset(rpc_in);
2146 RPC_HDR_AUTH auth_info;
2147 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2148
2149 auth_len = p->hdr.auth_len;
2150
2151 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2152 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2153 return False;
2154 }
2155
2156 /*
2157 * The following is that length of the data we must verify or unseal.
2158 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2159 * preceeding the auth_data.
2160 */
2161
2162 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2163 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2164 (unsigned int)p->hdr.frag_len,
2165 (unsigned int)auth_len ));
2166 return False;
2167 }
2168
2169 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2170 RPC_HDR_AUTH_LEN - auth_len;
2171
2172 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2173
2174 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2175 DEBUG(0,("cannot move offset to %u.\n",
2176 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2177 return False;
2178 }
2179
2180 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2181 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2182 return False;
2183 }
2184
2185 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2186 DEBUG(0,("Invalid auth info %d on schannel\n",
2187 auth_info.auth_type));
2188 return False;
2189 }
2190
2191 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2192 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2193 return False;
2194 }
2195
2196 if (!schannel_decode(p->auth.a_u.schannel_auth,
2197 p->auth.auth_level,
2198 SENDER_IS_INITIATOR,
2199 &schannel_chk,
2200 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2201 DEBUG(3,("failed to decode PDU\n"));
2202 return False;
2203 }
2204
2205 /*
2206 * Return the current pointer to the data offset.
2207 */
2208
2209 if(!prs_set_offset(rpc_in, save_offset)) {
2210 DEBUG(0,("failed to set offset back to %u\n",
2211 (unsigned int)save_offset ));
2212 return False;
2213 }
2214
2215 /* The sequence number gets incremented on both send and receive. */
2216 p->auth.a_u.schannel_auth->seq_num++;
2217
2218 /*
2219 * Remember the padding length. We must remove it from the real data
2220 * stream once the sign/seal is done.
2221 */
2222
2223 *p_ss_padding_len = auth_info.auth_pad_len;
2224
2225 return True;
2226 }
2227
2228 /****************************************************************************
2229 Return a user struct for a pipe user.
2230 ****************************************************************************/
2231
2232 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2233 {
2234 if (p->pipe_bound &&
2235 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2236 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2237 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2238 } else {
2239 memcpy(user, &current_user, sizeof(struct current_user));
2240 }
2241
2242 return user;
2243 }
2244
2245 /****************************************************************************
2246 Find the set of RPC functions associated with this context_id
2247 ****************************************************************************/
2248
2249 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2250 {
2251 PIPE_RPC_FNS *fns = NULL;
2252 PIPE_RPC_FNS *tmp = NULL;
2253
2254 if ( !list ) {
2255 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2256 return NULL;
2257 }
2258
2259 for (tmp=list; tmp; tmp=tmp->next ) {
2260 if ( tmp->context_id == context_id )
2261 break;
2262 }
2263
2264 fns = tmp;
2265
2266 return fns;
2267 }
2268
2269 /****************************************************************************
2270 Memory cleanup.
2271 ****************************************************************************/
2272
2273 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2274 {
2275 PIPE_RPC_FNS *tmp = list;
2276 PIPE_RPC_FNS *tmp2;
2277
2278 while (tmp) {
2279 tmp2 = tmp->next;
2280 SAFE_FREE(tmp);
2281 tmp = tmp2;
2282 }
2283
2284 return;
2285 }
2286
2287 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2288 const struct api_struct *api_rpc_cmds, int n_cmds);
2289
2290 /****************************************************************************
2291 Find the correct RPC function to call for this request.
2292 If the pipe is authenticated then become the correct UNIX user
2293 before doing the call.
2294 ****************************************************************************/
2295
2296 bool api_pipe_request(pipes_struct *p)
2297 {
2298 bool ret = False;
2299 bool changed_user = False;
2300 PIPE_RPC_FNS *pipe_fns;
2301
2302 if (p->pipe_bound &&
2303 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2304 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2305 if(!become_authenticated_pipe_user(p)) {
2306 prs_mem_free(&p->out_data.rdata);
2307 return False;
2308 }
2309 changed_user = True;
2310 }
2311
2312 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2313
2314 /* get the set of RPC functions for this context */
2315
2316 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2317
2318 if ( pipe_fns ) {
2319 TALLOC_CTX *frame = talloc_stackframe();
2320 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2321 TALLOC_FREE(frame);
2322 }
2323 else {
2324 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2325 p->hdr_req.context_id, p->name));
2326 }
2327
2328 if (changed_user) {
2329 unbecome_authenticated_pipe_user();
2330 }
2331
2332 return ret;
2333 }
2334
2335 /*******************************************************************
2336 Calls the underlying RPC function for a named pipe.
2337 ********************************************************************/
2338
2339 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2340 const struct api_struct *api_rpc_cmds, int n_cmds)
2341 {
2342 int fn_num;
2343 fstring name;
2344 uint32 offset1, offset2;
2345
2346 /* interpret the command */
2347 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2348
2349 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2350 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2351
2352 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2353 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2354 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2355 break;
2356 }
2357 }
2358
2359 if (fn_num == n_cmds) {
2360 /*
2361 * For an unknown RPC just return a fault PDU but
2362 * return True to allow RPC's on the pipe to continue
2363 * and not put the pipe into fault state. JRA.
2364 */
2365 DEBUG(4, ("unknown\n"));
2366 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2367 return True;
2368 }
2369
2370 offset1 = prs_offset(&p->out_data.rdata);
2371
2372 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2373 fn_num, api_rpc_cmds[fn_num].fn));
2374 /* do the actual command */
2375 if(!api_rpc_cmds[fn_num].fn(p)) {
2376 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2377 prs_mem_free(&p->out_data.rdata);
2378 return False;
2379 }
2380
2381 if (p->bad_handle_fault_state) {
2382 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2383 p->bad_handle_fault_state = False;
2384 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2385 return True;
2386 }
2387
2388 if (p->rng_fault_state) {
2389 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2390 p->rng_fault_state = False;
2391 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2392 return True;
2393 }
2394
2395 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2396 offset2 = prs_offset(&p->out_data.rdata);
2397 prs_set_offset(&p->out_data.rdata, offset1);
2398 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2399 prs_set_offset(&p->out_data.rdata, offset2);
2400
2401 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2402
2403 /* Check for buffer underflow in rpc parsing */
2404
2405 if ((DEBUGLEVEL >= 10) &&
2406 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2407 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2408 char *data = (char *)SMB_MALLOC(data_len);
2409
2410 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2411 if (data) {
2412 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2413 SAFE_FREE(data);
2414 }
2415
2416 }
2417
2418 return True;
2419 }
reg import