2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "dcesrv_ntlmssp.h"
36 #include "dcesrv_gssapi.h"
37 #include "dcesrv_spnego.h"
38 #include "rpc_server.h"
42 #define DBGC_CLASS DBGC_RPC_SRV
45 * Dump everything from the start of the end up of the provided data
46 * into a file, but only at debug level >= 50
48 static void dump_pdu_region(const char *name
, int v
,
49 DATA_BLOB
*data
, size_t start
, size_t end
)
55 if (DEBUGLEVEL
< 50) return;
57 if (start
> data
->length
|| end
> data
->length
|| start
> end
) return;
59 for (i
= 1; i
< 100; i
++) {
61 fname
= talloc_asprintf(talloc_tos(),
65 fname
= talloc_asprintf(talloc_tos(),
72 fd
= open(fname
, O_WRONLY
|O_CREAT
|O_EXCL
, 0644);
73 if (fd
!= -1 || errno
!= EEXIST
) break;
76 sz
= write(fd
, data
->data
+ start
, end
- start
);
78 if ((sz
!= end
- start
) || (i
!= 0) ) {
79 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
80 fname
, (unsigned long)sz
,
81 (unsigned long)end
- start
, i
));
83 DEBUG(0,("created %s\n", fname
));
89 static DATA_BLOB
generic_session_key(void)
91 return data_blob("SystemLibraryDTC", 16);
94 /*******************************************************************
95 Generate the next PDU to be returned from the data.
96 ********************************************************************/
98 static NTSTATUS
create_next_packet(TALLOC_CTX
*mem_ctx
,
99 struct pipe_auth_data
*auth
,
102 size_t data_sent_length
,
106 union dcerpc_payload u
;
115 ZERO_STRUCT(u
.response
);
117 /* Set up rpc packet pfc flags. */
118 if (data_sent_length
== 0) {
119 pfc_flags
= DCERPC_PFC_FLAG_FIRST
;
124 /* Work out how much we can fit in a single PDU. */
125 data_left
= rdata
->length
- data_sent_length
;
127 /* Ensure there really is data left to send. */
129 DEBUG(0, ("No data left to send !\n"));
130 return NT_STATUS_BUFFER_TOO_SMALL
;
133 status
= dcerpc_guess_sizes(auth
,
134 DCERPC_RESPONSE_LENGTH
,
136 RPC_MAX_PDU_FRAG_LEN
,
137 SERVER_NDR_PADDING_SIZE
,
138 &data_to_send
, &frag_len
,
139 &auth_len
, &pad_len
);
140 if (!NT_STATUS_IS_OK(status
)) {
144 /* Set up the alloc hint. This should be the data left to send. */
145 u
.response
.alloc_hint
= data_left
;
147 /* Work out if this PDU will be the last. */
148 if (data_sent_length
+ data_to_send
>= rdata
->length
) {
149 pfc_flags
|= DCERPC_PFC_FLAG_LAST
;
152 /* Prepare data to be NDR encoded. */
153 u
.response
.stub_and_verifier
=
154 data_blob_const(rdata
->data
+ data_sent_length
, data_to_send
);
156 /* Store the packet in the data stream. */
157 status
= dcerpc_push_ncacn_packet(mem_ctx
, DCERPC_PKT_RESPONSE
,
158 pfc_flags
, auth_len
, call_id
,
160 if (!NT_STATUS_IS_OK(status
)) {
161 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
166 /* Set the proper length on the pdu, including padding.
167 * Only needed if an auth trailer will be appended. */
168 dcerpc_set_frag_length(frag
, frag
->length
170 + DCERPC_AUTH_TRAILER_LENGTH
175 status
= dcerpc_add_auth_footer(auth
, pad_len
, frag
);
176 if (!NT_STATUS_IS_OK(status
)) {
177 data_blob_free(frag
);
182 *pdu_size
= data_to_send
;
186 /*******************************************************************
187 Generate the next PDU to be returned from the data in p->rdata.
188 ********************************************************************/
190 bool create_next_pdu(struct pipes_struct
*p
)
196 * If we're in the fault state, keep returning fault PDU's until
197 * the pipe gets closed. JRA.
199 if (p
->fault_state
) {
200 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
204 status
= create_next_packet(p
->mem_ctx
, &p
->auth
,
205 p
->call_id
, &p
->out_data
.rdata
,
206 p
->out_data
.data_sent_length
,
207 &p
->out_data
.frag
, &pdu_size
);
208 if (!NT_STATUS_IS_OK(status
)) {
209 DEBUG(0, ("Failed to create packet with error %s, "
210 "(auth level %u / type %u)\n",
212 (unsigned int)p
->auth
.auth_level
,
213 (unsigned int)p
->auth
.auth_type
));
217 /* Setup the counts for this PDU. */
218 p
->out_data
.data_sent_length
+= pdu_size
;
219 p
->out_data
.current_pdu_sent
= 0;
224 static bool pipe_init_outgoing_data(struct pipes_struct
*p
);
226 /*******************************************************************
227 Marshall a bind_nak pdu.
228 *******************************************************************/
230 static bool setup_bind_nak(struct pipes_struct
*p
, struct ncacn_packet
*pkt
)
233 union dcerpc_payload u
;
235 /* Free any memory in the current return data buffer. */
236 pipe_init_outgoing_data(p
);
239 * Initialize a bind_nak header.
244 u
.bind_nak
.reject_reason
= 0;
247 * Marshall directly into the outgoing PDU space. We
248 * must do this as we need to set to the bind response
249 * header and are never sending more than one PDU here.
252 status
= dcerpc_push_ncacn_packet(p
->mem_ctx
,
254 DCERPC_PFC_FLAG_FIRST
|
255 DCERPC_PFC_FLAG_LAST
,
260 if (!NT_STATUS_IS_OK(status
)) {
264 p
->out_data
.data_sent_length
= 0;
265 p
->out_data
.current_pdu_sent
= 0;
267 TALLOC_FREE(p
->auth
.auth_ctx
);
268 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_NONE
;
269 p
->auth
.auth_type
= DCERPC_AUTH_TYPE_NONE
;
270 p
->pipe_bound
= False
;
275 /*******************************************************************
276 Marshall a fault pdu.
277 *******************************************************************/
279 bool setup_fault_pdu(struct pipes_struct
*p
, NTSTATUS fault_status
)
282 union dcerpc_payload u
;
284 /* Free any memory in the current return data buffer. */
285 pipe_init_outgoing_data(p
);
288 * Initialize a fault header.
293 u
.fault
.status
= NT_STATUS_V(fault_status
);
294 u
.fault
._pad
= data_blob_talloc_zero(p
->mem_ctx
, 4);
297 * Marshall directly into the outgoing PDU space. We
298 * must do this as we need to set to the bind response
299 * header and are never sending more than one PDU here.
302 status
= dcerpc_push_ncacn_packet(p
->mem_ctx
,
304 DCERPC_PFC_FLAG_FIRST
|
305 DCERPC_PFC_FLAG_LAST
|
306 DCERPC_PFC_FLAG_DID_NOT_EXECUTE
,
311 if (!NT_STATUS_IS_OK(status
)) {
315 p
->out_data
.data_sent_length
= 0;
316 p
->out_data
.current_pdu_sent
= 0;
321 /*******************************************************************
322 Ensure a bind request has the correct abstract & transfer interface.
323 Used to reject unknown binds from Win2k.
324 *******************************************************************/
326 static bool check_bind_req(struct pipes_struct
*p
,
327 struct ndr_syntax_id
* abstract
,
328 struct ndr_syntax_id
* transfer
,
331 struct pipe_rpc_fns
*context_fns
;
333 DEBUG(3,("check_bind_req for %s\n",
334 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
336 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
337 if (rpc_srv_pipe_exists_by_id(abstract
) &&
338 ndr_syntax_id_equal(transfer
, &ndr_transfer_syntax
)) {
339 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
340 rpc_srv_get_pipe_cli_name(abstract
),
341 rpc_srv_get_pipe_srv_name(abstract
)));
346 context_fns
= SMB_MALLOC_P(struct pipe_rpc_fns
);
347 if (context_fns
== NULL
) {
348 DEBUG(0,("check_bind_req: malloc() failed!\n"));
352 context_fns
->next
= context_fns
->prev
= NULL
;
353 context_fns
->n_cmds
= rpc_srv_get_pipe_num_cmds(abstract
);
354 context_fns
->cmds
= rpc_srv_get_pipe_cmds(abstract
);
355 context_fns
->context_id
= context_id
;
357 /* add to the list of open contexts */
359 DLIST_ADD( p
->contexts
, context_fns
);
365 * Is a named pipe known?
366 * @param[in] cli_filename The pipe name requested by the client
367 * @result Do we want to serve this?
369 bool is_known_pipename(const char *cli_filename
, struct ndr_syntax_id
*syntax
)
371 const char *pipename
= cli_filename
;
374 if (strnequal(pipename
, "\\PIPE\\", 6)) {
378 if (*pipename
== '\\') {
382 if (lp_disable_spoolss() && strequal(pipename
, "spoolss")) {
383 DEBUG(10, ("refusing spoolss access\n"));
387 if (rpc_srv_get_pipe_interface_by_cli_name(pipename
, syntax
)) {
391 status
= smb_probe_module("rpc", pipename
);
392 if (!NT_STATUS_IS_OK(status
)) {
393 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename
));
396 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename
));
399 * Scan the list again for the interface id
401 if (rpc_srv_get_pipe_interface_by_cli_name(pipename
, syntax
)) {
405 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
411 /*******************************************************************
412 Handle the first part of a SPNEGO bind auth.
413 *******************************************************************/
415 static bool pipe_spnego_auth_bind(struct pipes_struct
*p
,
417 struct dcerpc_auth
*auth_info
,
420 struct spnego_context
*spnego_ctx
;
423 status
= spnego_server_auth_start(p
,
424 (auth_info
->auth_level
==
425 DCERPC_AUTH_LEVEL_INTEGRITY
),
426 (auth_info
->auth_level
==
427 DCERPC_AUTH_LEVEL_PRIVACY
),
429 &auth_info
->credentials
,
432 if (!NT_STATUS_IS_OK(status
)) {
433 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
438 /* Make sure data is bound to the memctx, to be freed the caller */
439 talloc_steal(mem_ctx
, response
->data
);
441 p
->auth
.auth_ctx
= spnego_ctx
;
442 p
->auth
.auth_type
= DCERPC_AUTH_TYPE_SPNEGO
;
444 DEBUG(10, ("SPNEGO auth started\n"));
449 /*******************************************************************
450 Handle an schannel bind auth.
451 *******************************************************************/
453 static bool pipe_schannel_auth_bind(struct pipes_struct
*p
,
455 struct dcerpc_auth
*auth_info
,
458 struct NL_AUTH_MESSAGE neg
;
459 struct NL_AUTH_MESSAGE reply
;
462 struct netlogon_creds_CredentialState
*creds
;
463 DATA_BLOB session_key
;
464 enum ndr_err_code ndr_err
;
465 struct schannel_state
*schannel_auth
;
467 ndr_err
= ndr_pull_struct_blob(
468 &auth_info
->credentials
, mem_ctx
, &neg
,
469 (ndr_pull_flags_fn_t
)ndr_pull_NL_AUTH_MESSAGE
);
470 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
471 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
475 if (DEBUGLEVEL
>= 10) {
476 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE
, &neg
);
479 if (!(neg
.Flags
& NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
)) {
480 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
485 * The neg.oem_netbios_computer.a key here must match the remote computer name
486 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
487 * operations that use credentials.
491 status
= schannel_get_creds_state(p
, lp_private_dir(),
492 neg
.oem_netbios_computer
.a
, &creds
);
495 if (!NT_STATUS_IS_OK(status
)) {
496 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
500 schannel_auth
= talloc(p
, struct schannel_state
);
501 if (!schannel_auth
) {
506 schannel_auth
->state
= SCHANNEL_STATE_START
;
507 schannel_auth
->seq_num
= 0;
508 schannel_auth
->initiator
= false;
509 schannel_auth
->creds
= creds
;
512 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
513 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
514 * struct of the person who opened the pipe. I need to test this further. JRA.
516 * VL. As we are mapping this to guest set the generic key
517 * "SystemLibraryDTC" key here. It's a bit difficult to test against
518 * W2k3, as it does not allow schannel binds against SAMR and LSA
522 session_key
= generic_session_key();
523 if (session_key
.data
== NULL
) {
524 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
529 ret
= server_info_set_session_key(p
->server_info
, session_key
);
531 data_blob_free(&session_key
);
534 DEBUG(0, ("server_info_set_session_key failed\n"));
538 /*** SCHANNEL verifier ***/
540 reply
.MessageType
= NL_NEGOTIATE_RESPONSE
;
542 reply
.Buffer
.dummy
= 5; /* ??? actually I don't think
543 * this has any meaning
546 ndr_err
= ndr_push_struct_blob(response
, mem_ctx
, &reply
,
547 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
548 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
549 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
553 if (DEBUGLEVEL
>= 10) {
554 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE
, &reply
);
557 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
558 neg
.oem_netbios_domain
.a
, neg
.oem_netbios_computer
.a
));
560 /* We're finished with this bind - no more packets. */
561 p
->auth
.auth_ctx
= schannel_auth
;
562 p
->auth
.auth_type
= DCERPC_AUTH_TYPE_SCHANNEL
;
564 p
->pipe_bound
= True
;
569 /*******************************************************************
570 Handle an NTLMSSP bind auth.
571 *******************************************************************/
573 static bool pipe_ntlmssp_auth_bind(struct pipes_struct
*p
,
575 struct dcerpc_auth
*auth_info
,
578 struct auth_ntlmssp_state
*ntlmssp_state
= NULL
;
581 if (strncmp((char *)auth_info
->credentials
.data
, "NTLMSSP", 7) != 0) {
582 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
586 /* We have an NTLMSSP blob. */
587 status
= ntlmssp_server_auth_start(p
,
588 (auth_info
->auth_level
==
589 DCERPC_AUTH_LEVEL_INTEGRITY
),
590 (auth_info
->auth_level
==
591 DCERPC_AUTH_LEVEL_PRIVACY
),
593 &auth_info
->credentials
,
596 if (!NT_STATUS_EQUAL(status
, NT_STATUS_OK
)) {
597 DEBUG(0, (__location__
": auth_ntlmssp_start failed: %s\n",
602 /* Make sure data is bound to the memctx, to be freed the caller */
603 talloc_steal(mem_ctx
, response
->data
);
605 p
->auth
.auth_ctx
= ntlmssp_state
;
606 p
->auth
.auth_type
= DCERPC_AUTH_TYPE_NTLMSSP
;
608 DEBUG(10, (__location__
": NTLMSSP auth started\n"));
613 /*******************************************************************
614 Process an NTLMSSP authentication response.
615 If this function succeeds, the user has been authenticated
616 and their domain, name and calling workstation stored in
618 *******************************************************************/
620 static bool pipe_ntlmssp_verify_final(TALLOC_CTX
*mem_ctx
,
621 struct auth_ntlmssp_state
*ntlmssp_ctx
,
622 enum dcerpc_AuthLevel auth_level
,
623 struct client_address
*client_id
,
624 struct ndr_syntax_id
*syntax
,
625 struct auth_serversupplied_info
**server_info
)
627 DATA_BLOB session_key
;
631 DEBUG(5, (__location__
": pipe %s checking user details\n",
632 get_pipe_name_from_syntax(talloc_tos(), syntax
)));
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
638 status
= ntlmssp_server_check_flags(ntlmssp_ctx
,
640 DCERPC_AUTH_LEVEL_INTEGRITY
),
642 DCERPC_AUTH_LEVEL_PRIVACY
));
643 if (!NT_STATUS_IS_OK(status
)) {
644 DEBUG(0, (__location__
": Client failed to negotatie proper "
645 "security for pipe %s\n",
646 get_pipe_name_from_syntax(talloc_tos(), syntax
)));
650 TALLOC_FREE(*server_info
);
652 status
= ntlmssp_server_get_user_info(ntlmssp_ctx
,
653 mem_ctx
, server_info
);
654 if (!NT_STATUS_IS_OK(status
)) {
655 DEBUG(0, (__location__
": failed to obtain the server info "
656 "for authenticated user: %s\n", nt_errstr(status
)));
660 if ((*server_info
)->ptok
== NULL
) {
661 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
666 * We're an authenticated bind over smb, so the session key needs to
667 * be set to "SystemLibraryDTC". Weird, but this is what Windows
668 * does. See the RPC-SAMBA3SESSIONKEY.
671 session_key
= generic_session_key();
672 if (session_key
.data
== NULL
) {
676 ret
= server_info_set_session_key((*server_info
), session_key
);
677 data_blob_free(&session_key
);
679 DEBUG(0, ("Failed to set session key!\n"));
686 /*******************************************************************
687 Handle a GSSAPI bind auth.
688 *******************************************************************/
690 static bool pipe_gssapi_auth_bind(struct pipes_struct
*p
,
692 struct dcerpc_auth
*auth_info
,
696 struct gse_context
*gse_ctx
= NULL
;
698 status
= gssapi_server_auth_start(p
,
699 (auth_info
->auth_level
==
700 DCERPC_AUTH_LEVEL_INTEGRITY
),
701 (auth_info
->auth_level
==
702 DCERPC_AUTH_LEVEL_PRIVACY
),
704 &auth_info
->credentials
,
707 if (!NT_STATUS_IS_OK(status
)) {
708 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
713 /* Make sure data is bound to the memctx, to be freed the caller */
714 talloc_steal(mem_ctx
, response
->data
);
716 p
->auth
.auth_ctx
= gse_ctx
;
717 p
->auth
.auth_type
= DCERPC_AUTH_TYPE_KRB5
;
719 DEBUG(10, ("KRB5 auth started\n"));
724 TALLOC_FREE(gse_ctx
);
728 static NTSTATUS
pipe_gssapi_verify_final(TALLOC_CTX
*mem_ctx
,
729 struct gse_context
*gse_ctx
,
730 struct client_address
*client_id
,
731 struct auth_serversupplied_info
**server_info
)
733 DATA_BLOB session_key
;
737 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
738 ensure the underlying flags are also set. If not we should
741 status
= gssapi_server_check_flags(gse_ctx
);
742 if (!NT_STATUS_IS_OK(status
)) {
743 DEBUG(0, ("Requested Security Layers not honored!\n"));
747 status
= gssapi_server_get_user_info(gse_ctx
, mem_ctx
,
748 client_id
, server_info
);
749 if (!NT_STATUS_IS_OK(status
)) {
750 DEBUG(0, (__location__
": failed to obtain the server info "
751 "for authenticated user: %s\n", nt_errstr(status
)));
755 if ((*server_info
)->ptok
== NULL
) {
756 status
= create_local_token(*server_info
);
757 if (!NT_STATUS_IS_OK(status
)) {
758 DEBUG(1, ("Failed to create local user token (%s)\n",
760 status
= NT_STATUS_ACCESS_DENIED
;
765 /* TODO: this is what the ntlmssp code does with the session_key, check
766 * it is ok with gssapi too */
768 * We're an authenticated bind over smb, so the session key needs to
769 * be set to "SystemLibraryDTC". Weird, but this is what Windows
770 * does. See the RPC-SAMBA3SESSIONKEY.
773 session_key
= generic_session_key();
774 if (session_key
.data
== NULL
) {
775 return NT_STATUS_ACCESS_DENIED
;
778 bret
= server_info_set_session_key((*server_info
), session_key
);
779 data_blob_free(&session_key
);
781 return NT_STATUS_ACCESS_DENIED
;
787 static NTSTATUS
pipe_auth_verify_final(struct pipes_struct
*p
)
789 enum spnego_mech auth_type
;
790 struct auth_ntlmssp_state
*ntlmssp_ctx
;
791 struct spnego_context
*spnego_ctx
;
792 struct gse_context
*gse_ctx
;
796 switch (p
->auth
.auth_type
) {
797 case DCERPC_AUTH_TYPE_NTLMSSP
:
798 ntlmssp_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
799 struct auth_ntlmssp_state
);
800 if (!pipe_ntlmssp_verify_final(p
, ntlmssp_ctx
,
802 p
->client_id
, &p
->syntax
,
804 return NT_STATUS_ACCESS_DENIED
;
807 case DCERPC_AUTH_TYPE_KRB5
:
808 gse_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
810 status
= pipe_gssapi_verify_final(p
, gse_ctx
,
813 if (!NT_STATUS_IS_OK(status
)) {
814 DEBUG(1, ("gssapi bind failed with: %s",
819 case DCERPC_AUTH_TYPE_SPNEGO
:
820 spnego_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
821 struct spnego_context
);
822 status
= spnego_get_negotiated_mech(spnego_ctx
,
823 &auth_type
, &mech_ctx
);
824 if (!NT_STATUS_IS_OK(status
)) {
825 DEBUG(0, ("Bad SPNEGO state (%s)\n",
831 gse_ctx
= talloc_get_type_abort(mech_ctx
,
833 status
= pipe_gssapi_verify_final(p
, gse_ctx
,
836 if (!NT_STATUS_IS_OK(status
)) {
837 DEBUG(1, ("gssapi bind failed with: %s",
843 ntlmssp_ctx
= talloc_get_type_abort(mech_ctx
,
844 struct auth_ntlmssp_state
);
845 if (!pipe_ntlmssp_verify_final(p
, ntlmssp_ctx
,
850 return NT_STATUS_ACCESS_DENIED
;
854 DEBUG(0, (__location__
": incorrect spnego type "
855 "(%d).\n", auth_type
));
856 return NT_STATUS_ACCESS_DENIED
;
860 DEBUG(0, (__location__
": incorrect auth type (%u).\n",
861 (unsigned int)p
->auth
.auth_type
));
862 return NT_STATUS_ACCESS_DENIED
;
865 p
->pipe_bound
= true;
870 /*******************************************************************
871 Respond to a pipe bind request.
872 *******************************************************************/
874 static bool api_pipe_bind_req(struct pipes_struct
*p
,
875 struct ncacn_packet
*pkt
)
877 struct dcerpc_auth auth_info
;
879 unsigned int auth_type
= DCERPC_AUTH_TYPE_NONE
;
881 struct ndr_syntax_id id
;
882 union dcerpc_payload u
;
883 struct dcerpc_ack_ctx bind_ack_ctx
;
884 DATA_BLOB auth_resp
= data_blob_null
;
885 DATA_BLOB auth_blob
= data_blob_null
;
887 /* No rebinds on a bound pipe - use alter context. */
889 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
891 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
892 return setup_bind_nak(p
, pkt
);
895 if (pkt
->u
.bind
.num_contexts
== 0) {
896 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
901 * Try and find the correct pipe name to ensure
902 * that this is a pipe name we support.
904 id
= pkt
->u
.bind
.ctx_list
[0].abstract_syntax
;
905 if (rpc_srv_pipe_exists_by_id(&id
)) {
906 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
907 rpc_srv_get_pipe_cli_name(&id
),
908 rpc_srv_get_pipe_srv_name(&id
)));
910 status
= smb_probe_module(
911 "rpc", get_pipe_name_from_syntax(
913 &pkt
->u
.bind
.ctx_list
[0].abstract_syntax
));
915 if (NT_STATUS_IS_ERR(status
)) {
916 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
917 get_pipe_name_from_syntax(
919 &pkt
->u
.bind
.ctx_list
[0].abstract_syntax
)));
921 return setup_bind_nak(p
, pkt
);
924 if (rpc_srv_get_pipe_interface_by_cli_name(
925 get_pipe_name_from_syntax(talloc_tos(),
928 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
929 rpc_srv_get_pipe_cli_name(&id
),
930 rpc_srv_get_pipe_srv_name(&id
)));
932 DEBUG(0, ("module %s doesn't provide functions for "
934 get_pipe_name_from_syntax(talloc_tos(),
936 get_pipe_name_from_syntax(talloc_tos(),
938 return setup_bind_nak(p
, pkt
);
942 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__
));
944 if (pkt
->u
.bind
.assoc_group_id
!= 0) {
945 assoc_gid
= pkt
->u
.bind
.assoc_group_id
;
951 * Create the bind response struct.
954 /* If the requested abstract synt uuid doesn't match our client pipe,
955 reject the bind_ack & set the transfer interface synt to all 0's,
956 ver 0 (observed when NT5 attempts to bind to abstract interfaces
958 Needed when adding entries to a DACL from NT5 - SK */
960 if (check_bind_req(p
,
961 &pkt
->u
.bind
.ctx_list
[0].abstract_syntax
,
962 &pkt
->u
.bind
.ctx_list
[0].transfer_syntaxes
[0],
963 pkt
->u
.bind
.ctx_list
[0].context_id
)) {
965 bind_ack_ctx
.result
= 0;
966 bind_ack_ctx
.reason
= 0;
967 bind_ack_ctx
.syntax
= pkt
->u
.bind
.ctx_list
[0].transfer_syntaxes
[0];
969 p
->pipe_bound
= False
;
970 /* Rejection reason: abstract syntax not supported */
971 bind_ack_ctx
.result
= DCERPC_BIND_PROVIDER_REJECT
;
972 bind_ack_ctx
.reason
= DCERPC_BIND_REASON_ASYNTAX
;
973 bind_ack_ctx
.syntax
= null_ndr_syntax_id
;
977 * Check if this is an authenticated bind request.
979 if (pkt
->auth_length
) {
980 /* Quick length check. Won't catch a bad auth footer,
981 * prevents overrun. */
983 if (pkt
->frag_length
< RPC_HEADER_LEN
+
984 DCERPC_AUTH_TRAILER_LENGTH
+
986 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
987 "too long for fragment %u.\n",
988 (unsigned int)pkt
->auth_length
,
989 (unsigned int)pkt
->frag_length
));
994 * Decode the authentication verifier.
996 status
= dcerpc_pull_dcerpc_auth(pkt
,
997 &pkt
->u
.bind
.auth_info
,
998 &auth_info
, p
->endian
);
999 if (!NT_STATUS_IS_OK(status
)) {
1000 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1004 auth_type
= auth_info
.auth_type
;
1006 /* Work out if we have to sign or seal etc. */
1007 switch (auth_info
.auth_level
) {
1008 case DCERPC_AUTH_LEVEL_INTEGRITY
:
1009 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_INTEGRITY
;
1011 case DCERPC_AUTH_LEVEL_PRIVACY
:
1012 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_PRIVACY
;
1015 DEBUG(0, ("Unexpected auth level (%u).\n",
1016 (unsigned int)auth_info
.auth_level
));
1020 switch (auth_type
) {
1021 case DCERPC_AUTH_TYPE_NTLMSSP
:
1022 if (!pipe_ntlmssp_auth_bind(p
, pkt
,
1023 &auth_info
, &auth_resp
)) {
1029 case DCERPC_AUTH_TYPE_SCHANNEL
:
1030 if (!pipe_schannel_auth_bind(p
, pkt
,
1031 &auth_info
, &auth_resp
)) {
1036 case DCERPC_AUTH_TYPE_SPNEGO
:
1037 if (!pipe_spnego_auth_bind(p
, pkt
,
1038 &auth_info
, &auth_resp
)) {
1043 case DCERPC_AUTH_TYPE_KRB5
:
1044 if (!pipe_gssapi_auth_bind(p
, pkt
,
1045 &auth_info
, &auth_resp
)) {
1050 case DCERPC_AUTH_TYPE_NONE
:
1054 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type
));
1059 if (auth_type
== DCERPC_AUTH_TYPE_NONE
) {
1060 /* Unauthenticated bind request. */
1061 /* We're finished - no more packets. */
1062 p
->auth
.auth_type
= DCERPC_AUTH_TYPE_NONE
;
1063 /* We must set the pipe auth_level here also. */
1064 p
->auth
.auth_level
= DCERPC_AUTH_LEVEL_NONE
;
1065 p
->pipe_bound
= True
;
1066 /* The session key was initialized from the SMB
1067 * session in make_internal_rpc_pipe_p */
1070 ZERO_STRUCT(u
.bind_ack
);
1071 u
.bind_ack
.max_xmit_frag
= RPC_MAX_PDU_FRAG_LEN
;
1072 u
.bind_ack
.max_recv_frag
= RPC_MAX_PDU_FRAG_LEN
;
1073 u
.bind_ack
.assoc_group_id
= assoc_gid
;
1075 /* name has to be \PIPE\xxxxx */
1076 u
.bind_ack
.secondary_address
=
1077 talloc_asprintf(pkt
, "\\PIPE\\%s",
1078 rpc_srv_get_pipe_srv_name(&id
));
1079 if (!u
.bind_ack
.secondary_address
) {
1080 DEBUG(0, ("Out of memory!\n"));
1083 u
.bind_ack
.secondary_address_size
=
1084 strlen(u
.bind_ack
.secondary_address
) + 1;
1086 u
.bind_ack
.num_results
= 1;
1087 u
.bind_ack
.ctx_list
= &bind_ack_ctx
;
1089 /* NOTE: We leave the auth_info empty so we can calculate the padding
1090 * later and then append the auth_info --simo */
1093 * Marshall directly into the outgoing PDU space. We
1094 * must do this as we need to set to the bind response
1095 * header and are never sending more than one PDU here.
1098 status
= dcerpc_push_ncacn_packet(p
->mem_ctx
,
1099 DCERPC_PKT_BIND_ACK
,
1100 DCERPC_PFC_FLAG_FIRST
|
1101 DCERPC_PFC_FLAG_LAST
,
1106 if (!NT_STATUS_IS_OK(status
)) {
1107 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1108 nt_errstr(status
)));
1111 if (auth_resp
.length
) {
1113 status
= dcerpc_push_dcerpc_auth(pkt
,
1115 auth_info
.auth_level
,
1117 1, /* auth_context_id */
1120 if (!NT_STATUS_IS_OK(status
)) {
1121 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1126 /* Now that we have the auth len store it into the right place in
1127 * the dcerpc header */
1128 dcerpc_set_frag_length(&p
->out_data
.frag
,
1129 p
->out_data
.frag
.length
+ auth_blob
.length
);
1131 if (auth_blob
.length
) {
1133 if (!data_blob_append(p
->mem_ctx
, &p
->out_data
.frag
,
1134 auth_blob
.data
, auth_blob
.length
)) {
1135 DEBUG(0, ("Append of auth info failed.\n"));
1141 * Setup the lengths for the initial reply.
1144 p
->out_data
.data_sent_length
= 0;
1145 p
->out_data
.current_pdu_sent
= 0;
1147 TALLOC_FREE(auth_blob
.data
);
1152 data_blob_free(&p
->out_data
.frag
);
1153 TALLOC_FREE(auth_blob
.data
);
1154 return setup_bind_nak(p
, pkt
);
1157 /*******************************************************************
1158 This is the "stage3" response after a bind request and reply.
1159 *******************************************************************/
1161 bool api_pipe_bind_auth3(struct pipes_struct
*p
, struct ncacn_packet
*pkt
)
1163 struct dcerpc_auth auth_info
;
1164 DATA_BLOB response
= data_blob_null
;
1165 struct auth_ntlmssp_state
*ntlmssp_ctx
;
1166 struct spnego_context
*spnego_ctx
;
1167 struct gse_context
*gse_ctx
;
1170 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__
));
1172 if (pkt
->auth_length
== 0) {
1173 DEBUG(0, ("No auth field sent for bind request!\n"));
1177 /* Ensure there's enough data for an authenticated request. */
1178 if (pkt
->frag_length
< RPC_HEADER_LEN
1179 + DCERPC_AUTH_TRAILER_LENGTH
1180 + pkt
->auth_length
) {
1181 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1182 "%u is too large.\n",
1183 (unsigned int)pkt
->auth_length
));
1188 * Decode the authentication verifier response.
1191 status
= dcerpc_pull_dcerpc_auth(pkt
,
1192 &pkt
->u
.auth3
.auth_info
,
1193 &auth_info
, p
->endian
);
1194 if (!NT_STATUS_IS_OK(status
)) {
1195 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1199 /* We must NEVER look at auth_info->auth_pad_len here,
1200 * as old Samba client code gets it wrong and sends it
1204 switch (auth_info
.auth_type
) {
1205 case DCERPC_AUTH_TYPE_NTLMSSP
:
1206 ntlmssp_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
1207 struct auth_ntlmssp_state
);
1208 status
= ntlmssp_server_step(ntlmssp_ctx
,
1209 pkt
, &auth_info
.credentials
,
1212 case DCERPC_AUTH_TYPE_KRB5
:
1213 gse_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
1214 struct gse_context
);
1215 status
= gssapi_server_step(gse_ctx
,
1216 pkt
, &auth_info
.credentials
,
1219 case DCERPC_AUTH_TYPE_SPNEGO
:
1220 spnego_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
1221 struct spnego_context
);
1222 status
= spnego_server_step(spnego_ctx
,
1223 pkt
, &auth_info
.credentials
,
1227 DEBUG(0, (__location__
": incorrect auth type (%u).\n",
1228 (unsigned int)auth_info
.auth_type
));
1232 if (NT_STATUS_EQUAL(status
,
1233 NT_STATUS_MORE_PROCESSING_REQUIRED
) ||
1235 DEBUG(0, (__location__
": This was supposed to be the final "
1236 "leg, but crypto machinery claims a response is "
1237 "needed, aborting auth!\n"));
1238 data_blob_free(&response
);
1241 if (!NT_STATUS_IS_OK(status
)) {
1242 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status
)));
1246 /* Now verify auth was indeed successful and extract server info */
1247 status
= pipe_auth_verify_final(p
);
1248 if (!NT_STATUS_IS_OK(status
)) {
1249 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status
)));
1257 TALLOC_FREE(p
->auth
.auth_ctx
);
1261 /****************************************************************************
1262 Deal with an alter context call. Can be third part of 3 leg auth request for
1264 ****************************************************************************/
1266 static bool api_pipe_alter_context(struct pipes_struct
*p
,
1267 struct ncacn_packet
*pkt
)
1269 struct dcerpc_auth auth_info
;
1272 union dcerpc_payload u
;
1273 struct dcerpc_ack_ctx bind_ack_ctx
;
1274 DATA_BLOB auth_resp
= data_blob_null
;
1275 DATA_BLOB auth_blob
= data_blob_null
;
1277 struct auth_ntlmssp_state
*ntlmssp_ctx
;
1278 struct spnego_context
*spnego_ctx
;
1279 struct gse_context
*gse_ctx
;
1281 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__
));
1283 if (pkt
->u
.bind
.assoc_group_id
!= 0) {
1284 assoc_gid
= pkt
->u
.bind
.assoc_group_id
;
1290 * Create the bind response struct.
1293 /* If the requested abstract synt uuid doesn't match our client pipe,
1294 reject the bind_ack & set the transfer interface synt to all 0's,
1295 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1297 Needed when adding entries to a DACL from NT5 - SK */
1299 if (check_bind_req(p
,
1300 &pkt
->u
.bind
.ctx_list
[0].abstract_syntax
,
1301 &pkt
->u
.bind
.ctx_list
[0].transfer_syntaxes
[0],
1302 pkt
->u
.bind
.ctx_list
[0].context_id
)) {
1304 bind_ack_ctx
.result
= 0;
1305 bind_ack_ctx
.reason
= 0;
1306 bind_ack_ctx
.syntax
= pkt
->u
.bind
.ctx_list
[0].transfer_syntaxes
[0];
1308 p
->pipe_bound
= False
;
1309 /* Rejection reason: abstract syntax not supported */
1310 bind_ack_ctx
.result
= DCERPC_BIND_PROVIDER_REJECT
;
1311 bind_ack_ctx
.reason
= DCERPC_BIND_REASON_ASYNTAX
;
1312 bind_ack_ctx
.syntax
= null_ndr_syntax_id
;
1316 * Check if this is an authenticated alter context request.
1318 if (pkt
->auth_length
) {
1319 /* Quick length check. Won't catch a bad auth footer,
1320 * prevents overrun. */
1322 if (pkt
->frag_length
< RPC_HEADER_LEN
+
1323 DCERPC_AUTH_TRAILER_LENGTH
+
1325 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1326 "too long for fragment %u.\n",
1327 (unsigned int)pkt
->auth_length
,
1328 (unsigned int)pkt
->frag_length
));
1332 status
= dcerpc_pull_dcerpc_auth(pkt
,
1333 &pkt
->u
.bind
.auth_info
,
1334 &auth_info
, p
->endian
);
1335 if (!NT_STATUS_IS_OK(status
)) {
1336 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1340 /* We can only finish if the pipe is unbound for now */
1341 if (p
->pipe_bound
) {
1342 DEBUG(0, (__location__
": Pipe already bound, "
1343 "Altering Context not yet supported!\n"));
1347 switch (auth_info
.auth_type
) {
1348 case DCERPC_AUTH_TYPE_SPNEGO
:
1349 spnego_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
1350 struct spnego_context
);
1351 status
= spnego_server_step(spnego_ctx
,
1353 &auth_info
.credentials
,
1357 case DCERPC_AUTH_TYPE_KRB5
:
1358 gse_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
1359 struct gse_context
);
1360 status
= gssapi_server_step(gse_ctx
,
1362 &auth_info
.credentials
,
1365 case DCERPC_AUTH_TYPE_NTLMSSP
:
1366 ntlmssp_ctx
= talloc_get_type_abort(p
->auth
.auth_ctx
,
1367 struct auth_ntlmssp_state
);
1368 status
= ntlmssp_server_step(ntlmssp_ctx
,
1370 &auth_info
.credentials
,
1375 DEBUG(3, (__location__
": Usupported auth type (%d) "
1376 "in alter-context call\n",
1377 auth_info
.auth_type
));
1381 if (NT_STATUS_IS_OK(status
)) {
1382 /* third leg of auth, verify auth info */
1383 status
= pipe_auth_verify_final(p
);
1384 if (!NT_STATUS_IS_OK(status
)) {
1385 DEBUG(0, ("Auth Verify failed (%s)\n",
1386 nt_errstr(status
)));
1389 } else if (NT_STATUS_EQUAL(status
,
1390 NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
1391 DEBUG(10, ("More auth legs required.\n"));
1393 DEBUG(0, ("Auth step returned an error (%s)\n",
1394 nt_errstr(status
)));
1399 ZERO_STRUCT(u
.alter_resp
);
1400 u
.alter_resp
.max_xmit_frag
= RPC_MAX_PDU_FRAG_LEN
;
1401 u
.alter_resp
.max_recv_frag
= RPC_MAX_PDU_FRAG_LEN
;
1402 u
.alter_resp
.assoc_group_id
= assoc_gid
;
1404 /* secondary address CAN be NULL
1405 * as the specs say it's ignored.
1406 * It MUST be NULL to have the spoolss working.
1408 u
.alter_resp
.secondary_address
= "";
1409 u
.alter_resp
.secondary_address_size
= 1;
1411 u
.alter_resp
.num_results
= 1;
1412 u
.alter_resp
.ctx_list
= &bind_ack_ctx
;
1414 /* NOTE: We leave the auth_info empty so we can calculate the padding
1415 * later and then append the auth_info --simo */
1418 * Marshall directly into the outgoing PDU space. We
1419 * must do this as we need to set to the bind response
1420 * header and are never sending more than one PDU here.
1423 status
= dcerpc_push_ncacn_packet(p
->mem_ctx
,
1424 DCERPC_PKT_ALTER_RESP
,
1425 DCERPC_PFC_FLAG_FIRST
|
1426 DCERPC_PFC_FLAG_LAST
,
1431 if (!NT_STATUS_IS_OK(status
)) {
1432 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1433 nt_errstr(status
)));
1436 if (auth_resp
.length
) {
1438 /* Work out any padding needed before the auth footer. */
1439 pad_len
= p
->out_data
.frag
.length
% SERVER_NDR_PADDING_SIZE
;
1441 pad_len
= SERVER_NDR_PADDING_SIZE
- pad_len
;
1442 DEBUG(10, ("auth pad_len = %u\n",
1443 (unsigned int)pad_len
));
1446 status
= dcerpc_push_dcerpc_auth(pkt
,
1447 auth_info
.auth_type
,
1448 auth_info
.auth_level
,
1450 1, /* auth_context_id */
1453 if (!NT_STATUS_IS_OK(status
)) {
1454 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1459 /* Now that we have the auth len store it into the right place in
1460 * the dcerpc header */
1461 dcerpc_set_frag_length(&p
->out_data
.frag
,
1462 p
->out_data
.frag
.length
+
1463 pad_len
+ auth_blob
.length
);
1465 if (auth_resp
.length
) {
1467 char pad
[SERVER_NDR_PADDING_SIZE
];
1468 memset(pad
, '\0', SERVER_NDR_PADDING_SIZE
);
1469 if (!data_blob_append(p
->mem_ctx
,
1472 DEBUG(0, ("api_pipe_bind_req: failed to add "
1473 "%u bytes of pad data.\n",
1474 (unsigned int)pad_len
));
1479 if (!data_blob_append(p
->mem_ctx
, &p
->out_data
.frag
,
1480 auth_blob
.data
, auth_blob
.length
)) {
1481 DEBUG(0, ("Append of auth info failed.\n"));
1487 * Setup the lengths for the initial reply.
1490 p
->out_data
.data_sent_length
= 0;
1491 p
->out_data
.current_pdu_sent
= 0;
1493 TALLOC_FREE(auth_blob
.data
);
1498 data_blob_free(&p
->out_data
.frag
);
1499 TALLOC_FREE(auth_blob
.data
);
1500 return setup_bind_nak(p
, pkt
);
1503 /****************************************************************************
1504 Find the set of RPC functions associated with this context_id
1505 ****************************************************************************/
1507 static PIPE_RPC_FNS
* find_pipe_fns_by_context( PIPE_RPC_FNS
*list
, uint32 context_id
)
1509 PIPE_RPC_FNS
*fns
= NULL
;
1512 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1516 for (fns
=list
; fns
; fns
=fns
->next
) {
1517 if ( fns
->context_id
== context_id
)
1523 static bool api_rpcTNP(struct pipes_struct
*p
, struct ncacn_packet
*pkt
,
1524 const struct api_struct
*api_rpc_cmds
, int n_cmds
);
1526 /****************************************************************************
1527 Find the correct RPC function to call for this request.
1528 If the pipe is authenticated then become the correct UNIX user
1529 before doing the call.
1530 ****************************************************************************/
1532 static bool api_pipe_request(struct pipes_struct
*p
,
1533 struct ncacn_packet
*pkt
)
1536 bool changed_user
= False
;
1537 PIPE_RPC_FNS
*pipe_fns
;
1539 if (p
->pipe_bound
&&
1540 ((p
->auth
.auth_type
== DCERPC_AUTH_TYPE_NTLMSSP
) ||
1541 (p
->auth
.auth_type
== DCERPC_AUTH_TYPE_KRB5
) ||
1542 (p
->auth
.auth_type
== DCERPC_AUTH_TYPE_SPNEGO
))) {
1543 if(!become_authenticated_pipe_user(p
)) {
1544 data_blob_free(&p
->out_data
.rdata
);
1547 changed_user
= True
;
1550 DEBUG(5, ("Requested \\PIPE\\%s\n",
1551 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
1553 /* get the set of RPC functions for this context */
1555 pipe_fns
= find_pipe_fns_by_context(p
->contexts
,
1556 pkt
->u
.request
.context_id
);
1559 TALLOC_CTX
*frame
= talloc_stackframe();
1560 ret
= api_rpcTNP(p
, pkt
, pipe_fns
->cmds
, pipe_fns
->n_cmds
);
1564 DEBUG(0, ("No rpc function table associated with context "
1565 "[%d] on pipe [%s]\n",
1566 pkt
->u
.request
.context_id
,
1567 get_pipe_name_from_syntax(talloc_tos(),
1572 unbecome_authenticated_pipe_user();
1578 /*******************************************************************
1579 Calls the underlying RPC function for a named pipe.
1580 ********************************************************************/
1582 static bool api_rpcTNP(struct pipes_struct
*p
, struct ncacn_packet
*pkt
,
1583 const struct api_struct
*api_rpc_cmds
, int n_cmds
)
1588 /* interpret the command */
1589 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1590 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
),
1591 pkt
->u
.request
.opnum
));
1593 if (DEBUGLEVEL
>= 50) {
1595 slprintf(name
, sizeof(name
)-1, "in_%s",
1596 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
));
1597 dump_pdu_region(name
, pkt
->u
.request
.opnum
,
1598 &p
->in_data
.data
, 0,
1599 p
->in_data
.data
.length
);
1602 for (fn_num
= 0; fn_num
< n_cmds
; fn_num
++) {
1603 if (api_rpc_cmds
[fn_num
].opnum
== pkt
->u
.request
.opnum
&&
1604 api_rpc_cmds
[fn_num
].fn
!= NULL
) {
1605 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1606 api_rpc_cmds
[fn_num
].name
));
1611 if (fn_num
== n_cmds
) {
1613 * For an unknown RPC just return a fault PDU but
1614 * return True to allow RPC's on the pipe to continue
1615 * and not put the pipe into fault state. JRA.
1617 DEBUG(4, ("unknown\n"));
1618 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
1622 offset1
= p
->out_data
.rdata
.length
;
1624 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1625 fn_num
, api_rpc_cmds
[fn_num
].fn
));
1626 /* do the actual command */
1627 if(!api_rpc_cmds
[fn_num
].fn(p
)) {
1628 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1629 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
),
1630 api_rpc_cmds
[fn_num
].name
));
1631 data_blob_free(&p
->out_data
.rdata
);
1635 if (p
->bad_handle_fault_state
) {
1636 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1637 p
->bad_handle_fault_state
= False
;
1638 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH
));
1642 if (p
->rng_fault_state
) {
1643 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1644 p
->rng_fault_state
= False
;
1645 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
1649 if (DEBUGLEVEL
>= 50) {
1651 slprintf(name
, sizeof(name
)-1, "out_%s",
1652 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
));
1653 dump_pdu_region(name
, pkt
->u
.request
.opnum
,
1654 &p
->out_data
.rdata
, offset1
,
1655 p
->out_data
.rdata
.length
);
1658 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1659 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
1661 /* Check for buffer underflow in rpc parsing */
1662 if ((DEBUGLEVEL
>= 10) &&
1663 (pkt
->frag_length
< p
->in_data
.data
.length
)) {
1664 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1665 dump_data(10, p
->in_data
.data
.data
+ pkt
->frag_length
,
1666 p
->in_data
.data
.length
- pkt
->frag_length
);
1672 /****************************************************************************
1673 Initialise an outgoing packet.
1674 ****************************************************************************/
1676 static bool pipe_init_outgoing_data(struct pipes_struct
*p
)
1678 output_data
*o_data
= &p
->out_data
;
1680 /* Reset the offset counters. */
1681 o_data
->data_sent_length
= 0;
1682 o_data
->current_pdu_sent
= 0;
1684 data_blob_free(&o_data
->frag
);
1686 /* Free any memory in the current return data buffer. */
1687 data_blob_free(&o_data
->rdata
);
1692 /****************************************************************************
1693 Sets the fault state on incoming packets.
1694 ****************************************************************************/
1696 void set_incoming_fault(struct pipes_struct
*p
)
1698 data_blob_free(&p
->in_data
.data
);
1699 p
->in_data
.pdu_needed_len
= 0;
1700 p
->in_data
.pdu
.length
= 0;
1701 p
->fault_state
= True
;
1702 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1703 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
1706 static NTSTATUS
dcesrv_auth_request(struct pipe_auth_data
*auth
,
1707 struct ncacn_packet
*pkt
,
1711 size_t hdr_size
= DCERPC_REQUEST_LENGTH
;
1714 DEBUG(10, ("Checking request auth.\n"));
1716 if (pkt
->pfc_flags
& DCERPC_PFC_FLAG_OBJECT_UUID
) {
1720 /* in case of sealing this function will unseal the data in place */
1721 status
= dcerpc_check_auth(auth
, pkt
,
1722 &pkt
->u
.request
.stub_and_verifier
,
1725 if (!NT_STATUS_IS_OK(status
)) {
1730 /* remove padding and auth trailer,
1731 * this way the caller will get just the data */
1732 if (pkt
->auth_length
) {
1733 size_t trail_len
= pad_len
1734 + DCERPC_AUTH_TRAILER_LENGTH
1736 if (pkt
->u
.request
.stub_and_verifier
.length
< trail_len
) {
1737 return NT_STATUS_INFO_LENGTH_MISMATCH
;
1739 pkt
->u
.request
.stub_and_verifier
.length
-= trail_len
;
1742 return NT_STATUS_OK
;
1745 /****************************************************************************
1746 Processes a request pdu. This will do auth processing if needed, and
1747 appends the data into the complete stream if the LAST flag is not set.
1748 ****************************************************************************/
1750 static bool process_request_pdu(struct pipes_struct
*p
, struct ncacn_packet
*pkt
)
1755 if (!p
->pipe_bound
) {
1756 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1757 set_incoming_fault(p
);
1761 /* Store the opnum */
1762 p
->opnum
= pkt
->u
.request
.opnum
;
1764 status
= dcesrv_auth_request(&p
->auth
, pkt
, &p
->in_data
.pdu
);
1765 if (!NT_STATUS_IS_OK(status
)) {
1766 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1767 nt_errstr(status
)));
1768 set_incoming_fault(p
);
1772 data
= pkt
->u
.request
.stub_and_verifier
;
1775 * Check the data length doesn't go over the 15Mb limit.
1776 * increased after observing a bug in the Windows NT 4.0 SP6a
1777 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1778 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1781 if (p
->in_data
.data
.length
+ data
.length
> MAX_RPC_DATA_SIZE
) {
1782 DEBUG(0, ("process_request_pdu: "
1783 "rpc data buffer too large (%u) + (%u)\n",
1784 (unsigned int)p
->in_data
.data
.length
,
1785 (unsigned int)data
.length
));
1786 set_incoming_fault(p
);
1791 * Append the data portion into the buffer and return.
1795 if (!data_blob_append(p
->mem_ctx
, &p
->in_data
.data
,
1796 data
.data
, data
.length
)) {
1797 DEBUG(0, ("Unable to append data size %u "
1798 "to parse buffer of size %u.\n",
1799 (unsigned int)data
.length
,
1800 (unsigned int)p
->in_data
.data
.length
));
1801 set_incoming_fault(p
);
1806 if (pkt
->pfc_flags
& DCERPC_PFC_FLAG_LAST
) {
1809 * Ok - we finally have a complete RPC stream.
1810 * Call the rpc command to process it.
1814 * Process the complete data stream here.
1816 if (pipe_init_outgoing_data(p
)) {
1817 ret
= api_pipe_request(p
, pkt
);
1826 /****************************************************************************
1827 Processes a finished PDU stored in p->in_data.pdu.
1828 ****************************************************************************/
1830 void process_complete_pdu(struct pipes_struct
*p
)
1832 struct ncacn_packet
*pkt
= NULL
;
1836 if(p
->fault_state
) {
1837 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1838 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
1842 pkt
= talloc(p
->mem_ctx
, struct ncacn_packet
);
1844 DEBUG(0, ("Out of memory!\n"));
1849 * Ensure we're using the corrent endianness for both the
1850 * RPC header flags and the raw data we will be reading from.
1852 if (dcerpc_get_endian_flag(&p
->in_data
.pdu
) & DCERPC_DREP_LE
) {
1853 p
->endian
= RPC_LITTLE_ENDIAN
;
1855 p
->endian
= RPC_BIG_ENDIAN
;
1857 DEBUG(10, ("PDU is in %s Endian format!\n", p
->endian
?"Big":"Little"));
1859 status
= dcerpc_pull_ncacn_packet(pkt
, &p
->in_data
.pdu
,
1861 if (!NT_STATUS_IS_OK(status
)) {
1862 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1863 nt_errstr(status
)));
1867 /* Store the call_id */
1868 p
->call_id
= pkt
->call_id
;
1870 DEBUG(10, ("Processing packet type %d\n", (int)pkt
->ptype
));
1872 switch (pkt
->ptype
) {
1873 case DCERPC_PKT_REQUEST
:
1874 reply
= process_request_pdu(p
, pkt
);
1877 case DCERPC_PKT_PING
: /* CL request - ignore... */
1878 DEBUG(0, ("process_complete_pdu: Error. "
1879 "Connectionless packet type %d received on "
1880 "pipe %s.\n", (int)pkt
->ptype
,
1881 get_pipe_name_from_syntax(talloc_tos(),
1885 case DCERPC_PKT_RESPONSE
: /* No responses here. */
1886 DEBUG(0, ("process_complete_pdu: Error. "
1887 "DCERPC_PKT_RESPONSE received from client "
1889 get_pipe_name_from_syntax(talloc_tos(),
1893 case DCERPC_PKT_FAULT
:
1894 case DCERPC_PKT_WORKING
:
1895 /* CL request - reply to a ping when a call in process. */
1896 case DCERPC_PKT_NOCALL
:
1897 /* CL - server reply to a ping call. */
1898 case DCERPC_PKT_REJECT
:
1899 case DCERPC_PKT_ACK
:
1900 case DCERPC_PKT_CL_CANCEL
:
1901 case DCERPC_PKT_FACK
:
1902 case DCERPC_PKT_CANCEL_ACK
:
1903 DEBUG(0, ("process_complete_pdu: Error. "
1904 "Connectionless packet type %u received on "
1905 "pipe %s.\n", (unsigned int)pkt
->ptype
,
1906 get_pipe_name_from_syntax(talloc_tos(),
1910 case DCERPC_PKT_BIND
:
1912 * We assume that a pipe bind is only in one pdu.
1914 if (pipe_init_outgoing_data(p
)) {
1915 reply
= api_pipe_bind_req(p
, pkt
);
1919 case DCERPC_PKT_BIND_ACK
:
1920 case DCERPC_PKT_BIND_NAK
:
1921 DEBUG(0, ("process_complete_pdu: Error. "
1922 "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1923 "packet type %u received on pipe %s.\n",
1924 (unsigned int)pkt
->ptype
,
1925 get_pipe_name_from_syntax(talloc_tos(),
1930 case DCERPC_PKT_ALTER
:
1932 * We assume that a pipe bind is only in one pdu.
1934 if (pipe_init_outgoing_data(p
)) {
1935 reply
= api_pipe_alter_context(p
, pkt
);
1939 case DCERPC_PKT_ALTER_RESP
:
1940 DEBUG(0, ("process_complete_pdu: Error. "
1941 "DCERPC_PKT_ALTER_RESP on pipe %s: "
1942 "Should only be server -> client.\n",
1943 get_pipe_name_from_syntax(talloc_tos(),
1947 case DCERPC_PKT_AUTH3
:
1949 * The third packet in an auth exchange.
1951 if (pipe_init_outgoing_data(p
)) {
1952 reply
= api_pipe_bind_auth3(p
, pkt
);
1956 case DCERPC_PKT_SHUTDOWN
:
1957 DEBUG(0, ("process_complete_pdu: Error. "
1958 "DCERPC_PKT_SHUTDOWN on pipe %s: "
1959 "Should only be server -> client.\n",
1960 get_pipe_name_from_syntax(talloc_tos(),
1964 case DCERPC_PKT_CO_CANCEL
:
1965 /* For now just free all client data and continue
1967 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1968 " Abandoning rpc call.\n"));
1969 /* As we never do asynchronous RPC serving, we can
1970 * never cancel a call (as far as I know).
1971 * If we ever did we'd have to send a cancel_ack reply.
1972 * For now, just free all client data and continue
1978 /* Enable this if we're doing async rpc. */
1979 /* We must check the outstanding callid matches. */
1980 if (pipe_init_outgoing_data(p
)) {
1981 /* Send a cancel_ack PDU reply. */
1982 /* We should probably check the auth-verifier here. */
1983 reply
= setup_cancel_ack_reply(p
, pkt
);
1988 case DCERPC_PKT_ORPHANED
:
1989 /* We should probably check the auth-verifier here.
1990 * For now just free all client data and continue
1992 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1993 " Abandoning rpc call.\n"));
1998 DEBUG(0, ("process_complete_pdu: "
1999 "Unknown rpc type = %u received.\n",
2000 (unsigned int)pkt
->ptype
));
2006 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2007 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2009 set_incoming_fault(p
);
2010 setup_fault_pdu(p
, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR
));
2014 * Reset the lengths. We're ready for a new pdu.
2016 TALLOC_FREE(p
->in_data
.pdu
.data
);
2017 p
->in_data
.pdu_needed_len
= 0;
2018 p
->in_data
.pdu
.length
= 0;