search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tiny simplification
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob8c7c43f686dd680fd6c7239caf9792b57fb5dcf4
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct pipe_id_info pipe_names[];
33 extern struct current_user current_user;
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
37
38 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39 {
40 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41
42 if (a) {
43 auth_ntlmssp_end(&a);
44 }
45 auth->a_u.auth_ntlmssp_state = NULL;
46 }
47
48 static DATA_BLOB generic_session_key(void)
49 {
50 return data_blob("SystemLibraryDTC", 16);
51 }
52
53 /*******************************************************************
54 Generate the next PDU to be returned from the data in p->rdata.
55 Handle NTLMSSP.
56 ********************************************************************/
57
58 static bool create_next_pdu_ntlmssp(pipes_struct *p)
59 {
60 RPC_HDR_RESP hdr_resp;
61 uint32 ss_padding_len = 0;
62 uint32 data_space_available;
63 uint32 data_len_left;
64 uint32 data_len;
65 prs_struct outgoing_pdu;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72 /*
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
75 */
76
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
80 }
81
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = RPC_RESPONSE;
86
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = RPC_FLG_FIRST;
90 } else {
91 p->hdr.flags = 0;
92 }
93
94 /*
95 * Work out how much we can fit in a single PDU.
96 */
97
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100 /*
101 * Ensure there really is data left to send.
102 */
103
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
107 }
108
109 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
110 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112 /*
113 * The amount we send is the minimum of the available
114 * space and the amount left to send.
115 */
116
117 data_len = MIN(data_len_left, data_space_available);
118
119 /*
120 * Set up the alloc hint. This should be the data left to
121 * send.
122 */
123
124 hdr_resp.alloc_hint = data_len_left;
125
126 /*
127 * Work out if this PDU will be the last.
128 */
129
130 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131 p->hdr.flags |= RPC_FLG_LAST;
132 if (data_len_left % 8) {
133 ss_padding_len = 8 - (data_len_left % 8);
134 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135 ss_padding_len ));
136 }
137 }
138
139 /*
140 * Set up the header lengths.
141 */
142
143 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144 data_len + ss_padding_len +
145 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149 /*
150 * Init the parse struct to point at the outgoing
151 * data.
152 */
153
154 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
155 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
156
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&outgoing_pdu);
161 return False;
162 }
163
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&outgoing_pdu);
167 return False;
168 }
169
170 /* Copy the data into the PDU. */
171
172 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174 prs_mem_free(&outgoing_pdu);
175 return False;
176 }
177
178 /* Copy the sign/seal padding data. */
179 if (ss_padding_len) {
180 char pad[8];
181
182 memset(pad, '\0', 8);
183 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
185 (unsigned int)ss_padding_len));
186 prs_mem_free(&outgoing_pdu);
187 return False;
188 }
189 }
190
191
192 /* Now write out the auth header and null blob. */
193 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
194 auth_type = RPC_NTLMSSP_AUTH_TYPE;
195 } else {
196 auth_type = RPC_SPNEGO_AUTH_TYPE;
197 }
198 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
199 auth_level = RPC_AUTH_LEVEL_PRIVACY;
200 } else {
201 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
202 }
203
204 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
205 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
206 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207 prs_mem_free(&outgoing_pdu);
208 return False;
209 }
210
211 /* Generate the sign blob. */
212
213 switch (p->auth.auth_level) {
214 case PIPE_AUTH_LEVEL_PRIVACY:
215 /* Data portion is encrypted. */
216 status = ntlmssp_seal_packet(a->ntlmssp_state,
217 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
218 data_len + ss_padding_len,
219 (unsigned char *)prs_data_p(&outgoing_pdu),
220 (size_t)prs_offset(&outgoing_pdu),
221 &auth_blob);
222 if (!NT_STATUS_IS_OK(status)) {
223 data_blob_free(&auth_blob);
224 prs_mem_free(&outgoing_pdu);
225 return False;
226 }
227 break;
228 case PIPE_AUTH_LEVEL_INTEGRITY:
229 /* Data is signed. */
230 status = ntlmssp_sign_packet(a->ntlmssp_state,
231 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232 data_len + ss_padding_len,
233 (unsigned char *)prs_data_p(&outgoing_pdu),
234 (size_t)prs_offset(&outgoing_pdu),
235 &auth_blob);
236 if (!NT_STATUS_IS_OK(status)) {
237 data_blob_free(&auth_blob);
238 prs_mem_free(&outgoing_pdu);
239 return False;
240 }
241 break;
242 default:
243 prs_mem_free(&outgoing_pdu);
244 return False;
245 }
246
247 /* Append the auth blob. */
248 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
249 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
250 (unsigned int)NTLMSSP_SIG_SIZE));
251 data_blob_free(&auth_blob);
252 prs_mem_free(&outgoing_pdu);
253 return False;
254 }
255
256 data_blob_free(&auth_blob);
257
258 /*
259 * Setup the counts for this PDU.
260 */
261
262 p->out_data.data_sent_length += data_len;
263 p->out_data.current_pdu_len = p->hdr.frag_len;
264 p->out_data.current_pdu_sent = 0;
265
266 prs_mem_free(&outgoing_pdu);
267 return True;
268 }
269
270 /*******************************************************************
271 Generate the next PDU to be returned from the data in p->rdata.
272 Return an schannel authenticated fragment.
273 ********************************************************************/
274
275 static bool create_next_pdu_schannel(pipes_struct *p)
276 {
277 RPC_HDR_RESP hdr_resp;
278 uint32 ss_padding_len = 0;
279 uint32 data_len;
280 uint32 data_space_available;
281 uint32 data_len_left;
282 prs_struct outgoing_pdu;
283 uint32 data_pos;
284
285 /*
286 * If we're in the fault state, keep returning fault PDU's until
287 * the pipe gets closed. JRA.
288 */
289
290 if(p->fault_state) {
291 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
292 return True;
293 }
294
295 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
296
297 /* Change the incoming request header to a response. */
298 p->hdr.pkt_type = RPC_RESPONSE;
299
300 /* Set up rpc header flags. */
301 if (p->out_data.data_sent_length == 0) {
302 p->hdr.flags = RPC_FLG_FIRST;
303 } else {
304 p->hdr.flags = 0;
305 }
306
307 /*
308 * Work out how much we can fit in a single PDU.
309 */
310
311 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
312
313 /*
314 * Ensure there really is data left to send.
315 */
316
317 if(!data_len_left) {
318 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
319 return False;
320 }
321
322 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
323 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
324
325 /*
326 * The amount we send is the minimum of the available
327 * space and the amount left to send.
328 */
329
330 data_len = MIN(data_len_left, data_space_available);
331
332 /*
333 * Set up the alloc hint. This should be the data left to
334 * send.
335 */
336
337 hdr_resp.alloc_hint = data_len_left;
338
339 /*
340 * Work out if this PDU will be the last.
341 */
342
343 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
344 p->hdr.flags |= RPC_FLG_LAST;
345 if (data_len_left % 8) {
346 ss_padding_len = 8 - (data_len_left % 8);
347 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
348 ss_padding_len ));
349 }
350 }
351
352 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
353 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
355
356 /*
357 * Init the parse struct to point at the outgoing
358 * data.
359 */
360
361 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
362 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
363
364 /* Store the header in the data stream. */
365 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
366 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
367 prs_mem_free(&outgoing_pdu);
368 return False;
369 }
370
371 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
373 prs_mem_free(&outgoing_pdu);
374 return False;
375 }
376
377 /* Store the current offset. */
378 data_pos = prs_offset(&outgoing_pdu);
379
380 /* Copy the data into the PDU. */
381
382 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
383 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
384 prs_mem_free(&outgoing_pdu);
385 return False;
386 }
387
388 /* Copy the sign/seal padding data. */
389 if (ss_padding_len) {
390 char pad[8];
391 memset(pad, '\0', 8);
392 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
394 prs_mem_free(&outgoing_pdu);
395 return False;
396 }
397 }
398
399 {
400 /*
401 * Schannel processing.
402 */
403 char *data;
404 RPC_HDR_AUTH auth_info;
405 RPC_AUTH_SCHANNEL_CHK verf;
406
407 data = prs_data_p(&outgoing_pdu) + data_pos;
408 /* Check it's the type of reply we were expecting to decode */
409
410 init_rpc_hdr_auth(&auth_info,
411 RPC_SCHANNEL_AUTH_TYPE,
412 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
413 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
414 ss_padding_len, 1);
415
416 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
417 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
418 prs_mem_free(&outgoing_pdu);
419 return False;
420 }
421
422 schannel_encode(p->auth.a_u.schannel_auth,
423 p->auth.auth_level,
424 SENDER_IS_ACCEPTOR,
425 &verf, data, data_len + ss_padding_len);
426
427 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
428 &verf, &outgoing_pdu, 0)) {
429 prs_mem_free(&outgoing_pdu);
430 return False;
431 }
432
433 p->auth.a_u.schannel_auth->seq_num++;
434 }
435
436 /*
437 * Setup the counts for this PDU.
438 */
439
440 p->out_data.data_sent_length += data_len;
441 p->out_data.current_pdu_len = p->hdr.frag_len;
442 p->out_data.current_pdu_sent = 0;
443
444 prs_mem_free(&outgoing_pdu);
445 return True;
446 }
447
448 /*******************************************************************
449 Generate the next PDU to be returned from the data in p->rdata.
450 No authentication done.
451 ********************************************************************/
452
453 static bool create_next_pdu_noauth(pipes_struct *p)
454 {
455 RPC_HDR_RESP hdr_resp;
456 uint32 data_len;
457 uint32 data_space_available;
458 uint32 data_len_left;
459 prs_struct outgoing_pdu;
460
461 /*
462 * If we're in the fault state, keep returning fault PDU's until
463 * the pipe gets closed. JRA.
464 */
465
466 if(p->fault_state) {
467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468 return True;
469 }
470
471 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472
473 /* Change the incoming request header to a response. */
474 p->hdr.pkt_type = RPC_RESPONSE;
475
476 /* Set up rpc header flags. */
477 if (p->out_data.data_sent_length == 0) {
478 p->hdr.flags = RPC_FLG_FIRST;
479 } else {
480 p->hdr.flags = 0;
481 }
482
483 /*
484 * Work out how much we can fit in a single PDU.
485 */
486
487 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
488
489 /*
490 * Ensure there really is data left to send.
491 */
492
493 if(!data_len_left) {
494 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495 return False;
496 }
497
498 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
499
500 /*
501 * The amount we send is the minimum of the available
502 * space and the amount left to send.
503 */
504
505 data_len = MIN(data_len_left, data_space_available);
506
507 /*
508 * Set up the alloc hint. This should be the data left to
509 * send.
510 */
511
512 hdr_resp.alloc_hint = data_len_left;
513
514 /*
515 * Work out if this PDU will be the last.
516 */
517
518 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
519 p->hdr.flags |= RPC_FLG_LAST;
520 }
521
522 /*
523 * Set up the header lengths.
524 */
525
526 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
527 p->hdr.auth_len = 0;
528
529 /*
530 * Init the parse struct to point at the outgoing
531 * data.
532 */
533
534 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
535 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
536
537 /* Store the header in the data stream. */
538 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
539 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540 prs_mem_free(&outgoing_pdu);
541 return False;
542 }
543
544 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
545 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546 prs_mem_free(&outgoing_pdu);
547 return False;
548 }
549
550 /* Copy the data into the PDU. */
551
552 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
553 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
554 prs_mem_free(&outgoing_pdu);
555 return False;
556 }
557
558 /*
559 * Setup the counts for this PDU.
560 */
561
562 p->out_data.data_sent_length += data_len;
563 p->out_data.current_pdu_len = p->hdr.frag_len;
564 p->out_data.current_pdu_sent = 0;
565
566 prs_mem_free(&outgoing_pdu);
567 return True;
568 }
569
570 /*******************************************************************
571 Generate the next PDU to be returned from the data in p->rdata.
572 ********************************************************************/
573
574 bool create_next_pdu(pipes_struct *p)
575 {
576 switch(p->auth.auth_level) {
577 case PIPE_AUTH_LEVEL_NONE:
578 case PIPE_AUTH_LEVEL_CONNECT:
579 /* This is incorrect for auth level connect. Fixme. JRA */
580 return create_next_pdu_noauth(p);
581
582 default:
583 switch(p->auth.auth_type) {
584 case PIPE_AUTH_TYPE_NTLMSSP:
585 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
586 return create_next_pdu_ntlmssp(p);
587 case PIPE_AUTH_TYPE_SCHANNEL:
588 return create_next_pdu_schannel(p);
589 default:
590 break;
591 }
592 }
593
594 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
595 (unsigned int)p->auth.auth_level,
596 (unsigned int)p->auth.auth_type));
597 return False;
598 }
599
600 /*******************************************************************
601 Process an NTLMSSP authentication response.
602 If this function succeeds, the user has been authenticated
603 and their domain, name and calling workstation stored in
604 the pipe struct.
605 *******************************************************************/
606
607 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
608 {
609 DATA_BLOB reply;
610 NTSTATUS status;
611 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 memset(p->user_name, '\0', sizeof(p->user_name));
618 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
619 memset(p->domain, '\0', sizeof(p->domain));
620 memset(p->wks, '\0', sizeof(p->wks));
621
622 /* Set up for non-authenticated user. */
623 TALLOC_FREE(p->pipe_user.nt_user_token);
624 p->pipe_user.ut.ngroups = 0;
625 SAFE_FREE( p->pipe_user.ut.groups);
626
627 /* this has to be done as root in order to verify the password */
628 become_root();
629 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
630 unbecome_root();
631
632 /* Don't generate a reply. */
633 data_blob_free(&reply);
634
635 if (!NT_STATUS_IS_OK(status)) {
636 return False;
637 }
638
639 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
640 ensure the underlying NTLMSSP flags are also set. If not we should
641 refuse the bind. */
642
643 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
644 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
645 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
646 "but client declined signing.\n",
647 p->name ));
648 return False;
649 }
650 }
651 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
652 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
653 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
654 "but client declined sealing.\n",
655 p->name ));
656 return False;
657 }
658 }
659
660 fstrcpy(p->user_name, a->ntlmssp_state->user);
661 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
662 fstrcpy(p->domain, a->ntlmssp_state->domain);
663 fstrcpy(p->wks, a->ntlmssp_state->workstation);
664
665 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
666 p->user_name, p->domain, p->wks));
667
668 /*
669 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
670 */
671
672 p->pipe_user.ut.uid = a->server_info->uid;
673 p->pipe_user.ut.gid = a->server_info->gid;
674
675 /*
676 * We're an authenticated bind over smbd, so the session key needs to
677 * be set to "SystemLibraryDTC". Weird, but this is what Windows
678 * does. See the RPC-SAMBA3SESSIONKEY.
679 */
680
681 data_blob_free(&p->session_key);
682 p->session_key = generic_session_key();
683 if (!p->session_key.data) {
684 return False;
685 }
686
687 p->pipe_user.ut.ngroups = a->server_info->n_groups;
688 if (p->pipe_user.ut.ngroups) {
689 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(a->server_info->groups,
690 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
691 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
692 return False;
693 }
694 }
695
696 if (a->server_info->ptok) {
697 p->pipe_user.nt_user_token =
698 dup_nt_token(NULL, a->server_info->ptok);
699 } else {
700 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
701 p->pipe_user.nt_user_token = NULL;
702 return False;
703 }
704
705 return True;
706 }
707
708 /*******************************************************************
709 The switch table for the pipe names and the functions to handle them.
710 *******************************************************************/
711
712 struct rpc_table {
713 struct {
714 const char *clnt;
715 const char *srv;
716 } pipe;
717 const struct api_struct *cmds;
718 int n_cmds;
719 };
720
721 static struct rpc_table *rpc_lookup;
722 static int rpc_lookup_size;
723
724 /*******************************************************************
725 This is the "stage3" NTLMSSP response after a bind request and reply.
726 *******************************************************************/
727
728 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
729 {
730 RPC_HDR_AUTH auth_info;
731 uint32 pad;
732 DATA_BLOB blob;
733
734 ZERO_STRUCT(blob);
735
736 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
737
738 if (p->hdr.auth_len == 0) {
739 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
740 goto err;
741 }
742
743 /* 4 bytes padding. */
744 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
745 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
746 goto err;
747 }
748
749 /*
750 * Decode the authentication verifier response.
751 */
752
753 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
754 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
755 goto err;
756 }
757
758 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
759 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
760 (unsigned int)auth_info.auth_type ));
761 return False;
762 }
763
764 blob = data_blob(NULL,p->hdr.auth_len);
765
766 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
767 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
768 (unsigned int)p->hdr.auth_len ));
769 goto err;
770 }
771
772 /*
773 * The following call actually checks the challenge/response data.
774 * for correctness against the given DOMAIN\user name.
775 */
776
777 if (!pipe_ntlmssp_verify_final(p, &blob)) {
778 goto err;
779 }
780
781 data_blob_free(&blob);
782
783 p->pipe_bound = True;
784
785 return True;
786
787 err:
788
789 data_blob_free(&blob);
790 free_pipe_ntlmssp_auth_data(&p->auth);
791 p->auth.a_u.auth_ntlmssp_state = NULL;
792
793 return False;
794 }
795
796 /*******************************************************************
797 Marshall a bind_nak pdu.
798 *******************************************************************/
799
800 static bool setup_bind_nak(pipes_struct *p)
801 {
802 prs_struct outgoing_rpc;
803 RPC_HDR nak_hdr;
804 uint16 zero = 0;
805
806 /* Free any memory in the current return data buffer. */
807 prs_mem_free(&p->out_data.rdata);
808
809 /*
810 * Marshall directly into the outgoing PDU space. We
811 * must do this as we need to set to the bind response
812 * header and are never sending more than one PDU here.
813 */
814
815 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
816 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
817
818 /*
819 * Initialize a bind_nak header.
820 */
821
822 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
823 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
824
825 /*
826 * Marshall the header into the outgoing PDU.
827 */
828
829 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
830 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
831 prs_mem_free(&outgoing_rpc);
832 return False;
833 }
834
835 /*
836 * Now add the reject reason.
837 */
838
839 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
840 prs_mem_free(&outgoing_rpc);
841 return False;
842 }
843
844 p->out_data.data_sent_length = 0;
845 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
846 p->out_data.current_pdu_sent = 0;
847
848 if (p->auth.auth_data_free_func) {
849 (*p->auth.auth_data_free_func)(&p->auth);
850 }
851 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
852 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
853 p->pipe_bound = False;
854
855 return True;
856 }
857
858 /*******************************************************************
859 Marshall a fault pdu.
860 *******************************************************************/
861
862 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
863 {
864 prs_struct outgoing_pdu;
865 RPC_HDR fault_hdr;
866 RPC_HDR_RESP hdr_resp;
867 RPC_HDR_FAULT fault_resp;
868
869 /* Free any memory in the current return data buffer. */
870 prs_mem_free(&p->out_data.rdata);
871
872 /*
873 * Marshall directly into the outgoing PDU space. We
874 * must do this as we need to set to the bind response
875 * header and are never sending more than one PDU here.
876 */
877
878 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
879 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
880
881 /*
882 * Initialize a fault header.
883 */
884
885 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
886 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
887
888 /*
889 * Initialize the HDR_RESP and FAULT parts of the PDU.
890 */
891
892 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
893
894 fault_resp.status = status;
895 fault_resp.reserved = 0;
896
897 /*
898 * Marshall the header into the outgoing PDU.
899 */
900
901 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
902 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
903 prs_mem_free(&outgoing_pdu);
904 return False;
905 }
906
907 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
908 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
909 prs_mem_free(&outgoing_pdu);
910 return False;
911 }
912
913 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
914 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
915 prs_mem_free(&outgoing_pdu);
916 return False;
917 }
918
919 p->out_data.data_sent_length = 0;
920 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
921 p->out_data.current_pdu_sent = 0;
922
923 prs_mem_free(&outgoing_pdu);
924 return True;
925 }
926
927 #if 0
928 /*******************************************************************
929 Marshall a cancel_ack pdu.
930 We should probably check the auth-verifier here.
931 *******************************************************************/
932
933 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
934 {
935 prs_struct outgoing_pdu;
936 RPC_HDR ack_reply_hdr;
937
938 /* Free any memory in the current return data buffer. */
939 prs_mem_free(&p->out_data.rdata);
940
941 /*
942 * Marshall directly into the outgoing PDU space. We
943 * must do this as we need to set to the bind response
944 * header and are never sending more than one PDU here.
945 */
946
947 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
948 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
949
950 /*
951 * Initialize a cancel_ack header.
952 */
953
954 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
955 p->hdr.call_id, RPC_HEADER_LEN, 0);
956
957 /*
958 * Marshall the header into the outgoing PDU.
959 */
960
961 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
962 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
963 prs_mem_free(&outgoing_pdu);
964 return False;
965 }
966
967 p->out_data.data_sent_length = 0;
968 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
969 p->out_data.current_pdu_sent = 0;
970
971 prs_mem_free(&outgoing_pdu);
972 return True;
973 }
974 #endif
975
976 /*******************************************************************
977 Ensure a bind request has the correct abstract & transfer interface.
978 Used to reject unknown binds from Win2k.
979 *******************************************************************/
980
981 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
982 RPC_IFACE* transfer, uint32 context_id)
983 {
984 char *pipe_name = p->name;
985 int i=0;
986 fstring pname;
987
988 fstrcpy(pname,"\\PIPE\\");
989 fstrcat(pname,pipe_name);
990
991 DEBUG(3,("check_bind_req for %s\n", pname));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for ( i=0; pipe_names[i].client_pipe; i++ ) {
996 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
997 if ( strequal(pipe_names[i].client_pipe, pname)
998 && (abstract->version == pipe_names[i].abstr_syntax.version)
999 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
1000 && (transfer->version == pipe_names[i].trans_syntax.version)
1001 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
1002 struct api_struct *fns = NULL;
1003 int n_fns = 0;
1004 PIPE_RPC_FNS *context_fns;
1005
1006 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1007 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1008 return False;
1009 }
1010
1011 /* save the RPC function table associated with this bind */
1012
1013 get_pipe_fns(i, &fns, &n_fns);
1014
1015 context_fns->cmds = fns;
1016 context_fns->n_cmds = n_fns;
1017 context_fns->context_id = context_id;
1018
1019 /* add to the list of open contexts */
1020
1021 DLIST_ADD( p->contexts, context_fns );
1022
1023 break;
1024 }
1025 }
1026
1027 if(pipe_names[i].client_pipe == NULL) {
1028 return False;
1029 }
1030
1031 return True;
1032 }
1033
1034 /*******************************************************************
1035 Register commands to an RPC pipe
1036 *******************************************************************/
1037
1038 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1039 {
1040 struct rpc_table *rpc_entry;
1041
1042 if (!clnt || !srv || !cmds) {
1043 return NT_STATUS_INVALID_PARAMETER;
1044 }
1045
1046 if (version != SMB_RPC_INTERFACE_VERSION) {
1047 DEBUG(0,("Can't register rpc commands!\n"
1048 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1049 ", while this version of samba uses version %d!\n",
1050 version,SMB_RPC_INTERFACE_VERSION));
1051 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1052 }
1053
1054 /* TODO:
1055 *
1056 * we still need to make sure that don't register the same commands twice!!!
1057 *
1058 * --metze
1059 */
1060
1061 /* We use a temporary variable because this call can fail and
1062 rpc_lookup will still be valid afterwards. It could then succeed if
1063 called again later */
1064 rpc_lookup_size++;
1065 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1066 if (NULL == rpc_entry) {
1067 rpc_lookup_size--;
1068 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1069 return NT_STATUS_NO_MEMORY;
1070 } else {
1071 rpc_lookup = rpc_entry;
1072 }
1073
1074 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1075 ZERO_STRUCTP(rpc_entry);
1076 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1077 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1078 rpc_entry->cmds = cmds;
1079 rpc_entry->n_cmds = size;
1080
1081 return NT_STATUS_OK;
1082 }
1083
1084 /*******************************************************************
1085 Handle a SPNEGO krb5 bind auth.
1086 *******************************************************************/
1087
1088 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1089 DATA_BLOB *psecblob, prs_struct *pout_auth)
1090 {
1091 return False;
1092 }
1093
1094 /*******************************************************************
1095 Handle the first part of a SPNEGO bind auth.
1096 *******************************************************************/
1097
1098 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1099 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1100 {
1101 DATA_BLOB blob;
1102 DATA_BLOB secblob;
1103 DATA_BLOB response;
1104 DATA_BLOB chal;
1105 char *OIDs[ASN1_MAX_OIDS];
1106 int i;
1107 NTSTATUS status;
1108 bool got_kerberos_mechanism = False;
1109 AUTH_NTLMSSP_STATE *a = NULL;
1110 RPC_HDR_AUTH auth_info;
1111
1112 ZERO_STRUCT(secblob);
1113 ZERO_STRUCT(chal);
1114 ZERO_STRUCT(response);
1115
1116 /* Grab the SPNEGO blob. */
1117 blob = data_blob(NULL,p->hdr.auth_len);
1118
1119 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1120 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1121 (unsigned int)p->hdr.auth_len ));
1122 goto err;
1123 }
1124
1125 if (blob.data[0] != ASN1_APPLICATION(0)) {
1126 goto err;
1127 }
1128
1129 /* parse out the OIDs and the first sec blob */
1130 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1131 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1132 goto err;
1133 }
1134
1135 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1136 got_kerberos_mechanism = True;
1137 }
1138
1139 for (i=0;OIDs[i];i++) {
1140 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1141 SAFE_FREE(OIDs[i]);
1142 }
1143 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1144
1145 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1146 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1147 data_blob_free(&secblob);
1148 data_blob_free(&blob);
1149 return ret;
1150 }
1151
1152 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1153 /* Free any previous auth type. */
1154 free_pipe_ntlmssp_auth_data(&p->auth);
1155 }
1156
1157 /* Initialize the NTLM engine. */
1158 status = auth_ntlmssp_start(&a);
1159 if (!NT_STATUS_IS_OK(status)) {
1160 goto err;
1161 }
1162
1163 /*
1164 * Pass the first security blob of data to it.
1165 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1166 * which means we need another packet to complete the bind.
1167 */
1168
1169 status = auth_ntlmssp_update(a, secblob, &chal);
1170
1171 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1172 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1173 goto err;
1174 }
1175
1176 /* Generate the response blob we need for step 2 of the bind. */
1177 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1178
1179 /* Copy the blob into the pout_auth parse struct */
1180 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1181 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1182 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1183 goto err;
1184 }
1185
1186 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1187 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1188 goto err;
1189 }
1190
1191 p->auth.a_u.auth_ntlmssp_state = a;
1192 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1193 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1194
1195 data_blob_free(&blob);
1196 data_blob_free(&secblob);
1197 data_blob_free(&chal);
1198 data_blob_free(&response);
1199
1200 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1201 return True;
1202
1203 err:
1204
1205 data_blob_free(&blob);
1206 data_blob_free(&secblob);
1207 data_blob_free(&chal);
1208 data_blob_free(&response);
1209
1210 p->auth.a_u.auth_ntlmssp_state = NULL;
1211
1212 return False;
1213 }
1214
1215 /*******************************************************************
1216 Handle the second part of a SPNEGO bind auth.
1217 *******************************************************************/
1218
1219 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1220 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1221 {
1222 RPC_HDR_AUTH auth_info;
1223 DATA_BLOB spnego_blob;
1224 DATA_BLOB auth_blob;
1225 DATA_BLOB auth_reply;
1226 DATA_BLOB response;
1227 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1228
1229 ZERO_STRUCT(spnego_blob);
1230 ZERO_STRUCT(auth_blob);
1231 ZERO_STRUCT(auth_reply);
1232 ZERO_STRUCT(response);
1233
1234 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1235 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1236 goto err;
1237 }
1238
1239 /* Grab the SPNEGO blob. */
1240 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1241
1242 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1243 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1244 (unsigned int)p->hdr.auth_len ));
1245 goto err;
1246 }
1247
1248 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1249 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1250 goto err;
1251 }
1252
1253 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1254 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1255 goto err;
1256 }
1257
1258 /*
1259 * The following call actually checks the challenge/response data.
1260 * for correctness against the given DOMAIN\user name.
1261 */
1262
1263 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1264 goto err;
1265 }
1266
1267 data_blob_free(&spnego_blob);
1268 data_blob_free(&auth_blob);
1269
1270 /* Generate the spnego "accept completed" blob - no incoming data. */
1271 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1272
1273 /* Copy the blob into the pout_auth parse struct */
1274 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1275 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1276 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1277 goto err;
1278 }
1279
1280 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1281 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1282 goto err;
1283 }
1284
1285 data_blob_free(&auth_reply);
1286 data_blob_free(&response);
1287
1288 p->pipe_bound = True;
1289
1290 return True;
1291
1292 err:
1293
1294 data_blob_free(&spnego_blob);
1295 data_blob_free(&auth_blob);
1296 data_blob_free(&auth_reply);
1297 data_blob_free(&response);
1298
1299 free_pipe_ntlmssp_auth_data(&p->auth);
1300 p->auth.a_u.auth_ntlmssp_state = NULL;
1301
1302 return False;
1303 }
1304
1305 /*******************************************************************
1306 Handle an schannel bind auth.
1307 *******************************************************************/
1308
1309 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1310 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1311 {
1312 RPC_HDR_AUTH auth_info;
1313 RPC_AUTH_SCHANNEL_NEG neg;
1314 RPC_AUTH_VERIFIER auth_verifier;
1315 bool ret;
1316 struct dcinfo *pdcinfo;
1317 uint32 flags;
1318
1319 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1320 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1321 return False;
1322 }
1323
1324 /*
1325 * The neg.myname key here must match the remote computer name
1326 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1327 * operations that use credentials.
1328 */
1329
1330 become_root();
1331 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1332 unbecome_root();
1333
1334 if (!ret) {
1335 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1336 return False;
1337 }
1338
1339 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1340 if (!p->auth.a_u.schannel_auth) {
1341 TALLOC_FREE(pdcinfo);
1342 return False;
1343 }
1344
1345 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1346 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1347 sizeof(pdcinfo->sess_key));
1348
1349 TALLOC_FREE(pdcinfo);
1350
1351 p->auth.a_u.schannel_auth->seq_num = 0;
1352
1353 /*
1354 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1355 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1356 * struct of the person who opened the pipe. I need to test this further. JRA.
1357 *
1358 * VL. As we are mapping this to guest set the generic key
1359 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1360 * W2k3, as it does not allow schannel binds against SAMR and LSA
1361 * anymore.
1362 */
1363
1364 data_blob_free(&p->session_key);
1365 p->session_key = generic_session_key();
1366 if (p->session_key.data == NULL) {
1367 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1368 " key\n"));
1369 return False;
1370 }
1371
1372 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1373 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1374 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1375 return False;
1376 }
1377
1378 /*** SCHANNEL verifier ***/
1379
1380 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1381 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1382 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1383 return False;
1384 }
1385
1386 prs_align(pout_auth);
1387
1388 flags = 5;
1389 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1390 return False;
1391 }
1392
1393 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1394 neg.domain, neg.myname));
1395
1396 /* We're finished with this bind - no more packets. */
1397 p->auth.auth_data_free_func = NULL;
1398 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1399
1400 p->pipe_bound = True;
1401
1402 return True;
1403 }
1404
1405 /*******************************************************************
1406 Handle an NTLMSSP bind auth.
1407 *******************************************************************/
1408
1409 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1410 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1411 {
1412 RPC_HDR_AUTH auth_info;
1413 DATA_BLOB blob;
1414 DATA_BLOB response;
1415 NTSTATUS status;
1416 AUTH_NTLMSSP_STATE *a = NULL;
1417
1418 ZERO_STRUCT(blob);
1419 ZERO_STRUCT(response);
1420
1421 /* Grab the NTLMSSP blob. */
1422 blob = data_blob(NULL,p->hdr.auth_len);
1423
1424 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1425 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1426 (unsigned int)p->hdr.auth_len ));
1427 goto err;
1428 }
1429
1430 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1431 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1432 goto err;
1433 }
1434
1435 /* We have an NTLMSSP blob. */
1436 status = auth_ntlmssp_start(&a);
1437 if (!NT_STATUS_IS_OK(status)) {
1438 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1439 nt_errstr(status) ));
1440 goto err;
1441 }
1442
1443 status = auth_ntlmssp_update(a, blob, &response);
1444 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1445 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1446 nt_errstr(status) ));
1447 goto err;
1448 }
1449
1450 data_blob_free(&blob);
1451
1452 /* Copy the blob into the pout_auth parse struct */
1453 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1454 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1455 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1456 goto err;
1457 }
1458
1459 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1460 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1461 goto err;
1462 }
1463
1464 p->auth.a_u.auth_ntlmssp_state = a;
1465 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1466 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1467
1468 data_blob_free(&blob);
1469 data_blob_free(&response);
1470
1471 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1472
1473 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1474 return True;
1475
1476 err:
1477
1478 data_blob_free(&blob);
1479 data_blob_free(&response);
1480
1481 free_pipe_ntlmssp_auth_data(&p->auth);
1482 p->auth.a_u.auth_ntlmssp_state = NULL;
1483 return False;
1484 }
1485
1486 /*******************************************************************
1487 Respond to a pipe bind request.
1488 *******************************************************************/
1489
1490 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1491 {
1492 RPC_HDR_BA hdr_ba;
1493 RPC_HDR_RB hdr_rb;
1494 RPC_HDR_AUTH auth_info;
1495 uint16 assoc_gid;
1496 fstring ack_pipe_name;
1497 prs_struct out_hdr_ba;
1498 prs_struct out_auth;
1499 prs_struct outgoing_rpc;
1500 int i = 0;
1501 int auth_len = 0;
1502 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1503
1504 /* No rebinds on a bound pipe - use alter context. */
1505 if (p->pipe_bound) {
1506 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1507 return setup_bind_nak(p);
1508 }
1509
1510 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1511
1512 /*
1513 * Marshall directly into the outgoing PDU space. We
1514 * must do this as we need to set to the bind response
1515 * header and are never sending more than one PDU here.
1516 */
1517
1518 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1519
1520 /*
1521 * Setup the memory to marshall the ba header, and the
1522 * auth footers.
1523 */
1524
1525 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1526 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1527 prs_mem_free(&outgoing_rpc);
1528 return False;
1529 }
1530
1531 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1532 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1533 prs_mem_free(&outgoing_rpc);
1534 prs_mem_free(&out_hdr_ba);
1535 return False;
1536 }
1537
1538 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1539
1540 /*
1541 * Try and find the correct pipe name to ensure
1542 * that this is a pipe name we support.
1543 */
1544
1545
1546 for (i = 0; i < rpc_lookup_size; i++) {
1547 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1548 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1549 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1550 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1551 break;
1552 }
1553 }
1554
1555 if (i == rpc_lookup_size) {
1556 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1557 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1558 p->name ));
1559 prs_mem_free(&outgoing_rpc);
1560 prs_mem_free(&out_hdr_ba);
1561 prs_mem_free(&out_auth);
1562
1563 return setup_bind_nak(p);
1564 }
1565
1566 for (i = 0; i < rpc_lookup_size; i++) {
1567 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1568 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1569 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1570 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1571 break;
1572 }
1573 }
1574
1575 if (i == rpc_lookup_size) {
1576 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1577 goto err_exit;
1578 }
1579 }
1580
1581 /* decode the bind request */
1582 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1583 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1584 goto err_exit;
1585 }
1586
1587 /* name has to be \PIPE\xxxxx */
1588 fstrcpy(ack_pipe_name, "\\PIPE\\");
1589 fstrcat(ack_pipe_name, p->pipe_srv_name);
1590
1591 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1592
1593 /*
1594 * Check if this is an authenticated bind request.
1595 */
1596
1597 if (p->hdr.auth_len) {
1598 /*
1599 * Decode the authentication verifier.
1600 */
1601
1602 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1603 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1604 goto err_exit;
1605 }
1606
1607 auth_type = auth_info.auth_type;
1608
1609 /* Work out if we have to sign or seal etc. */
1610 switch (auth_info.auth_level) {
1611 case RPC_AUTH_LEVEL_INTEGRITY:
1612 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1613 break;
1614 case RPC_AUTH_LEVEL_PRIVACY:
1615 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1616 break;
1617 default:
1618 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1619 (unsigned int)auth_info.auth_level ));
1620 goto err_exit;
1621 }
1622 } else {
1623 ZERO_STRUCT(auth_info);
1624 }
1625
1626 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1627
1628 switch(auth_type) {
1629 case RPC_NTLMSSP_AUTH_TYPE:
1630 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1631 goto err_exit;
1632 }
1633 assoc_gid = 0x7a77;
1634 break;
1635
1636 case RPC_SCHANNEL_AUTH_TYPE:
1637 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1638 goto err_exit;
1639 }
1640 break;
1641
1642 case RPC_SPNEGO_AUTH_TYPE:
1643 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1644 goto err_exit;
1645 }
1646 break;
1647
1648 case RPC_ANONYMOUS_AUTH_TYPE:
1649 /* Unauthenticated bind request. */
1650 /* Get the authenticated pipe user from current_user */
1651 if (!copy_current_user(&p->pipe_user, &current_user)) {
1652 DEBUG(10, ("Could not copy current user\n"));
1653 goto err_exit;
1654 }
1655 /* We're finished - no more packets. */
1656 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1657 /* We must set the pipe auth_level here also. */
1658 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1659 p->pipe_bound = True;
1660 /* The session key was initialized from the SMB
1661 * session in make_internal_rpc_pipe_p */
1662 break;
1663
1664 default:
1665 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1666 goto err_exit;
1667 }
1668
1669 /*
1670 * Create the bind response struct.
1671 */
1672
1673 /* If the requested abstract synt uuid doesn't match our client pipe,
1674 reject the bind_ack & set the transfer interface synt to all 0's,
1675 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1676 unknown to NT4)
1677 Needed when adding entries to a DACL from NT5 - SK */
1678
1679 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1680 hdr_rb.rpc_context[0].context_id )) {
1681 init_rpc_hdr_ba(&hdr_ba,
1682 RPC_MAX_PDU_FRAG_LEN,
1683 RPC_MAX_PDU_FRAG_LEN,
1684 assoc_gid,
1685 ack_pipe_name,
1686 0x1, 0x0, 0x0,
1687 &hdr_rb.rpc_context[0].transfer[0]);
1688 } else {
1689 RPC_IFACE null_interface;
1690 ZERO_STRUCT(null_interface);
1691 /* Rejection reason: abstract syntax not supported */
1692 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1693 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1694 ack_pipe_name, 0x1, 0x2, 0x1,
1695 &null_interface);
1696 p->pipe_bound = False;
1697 }
1698
1699 /*
1700 * and marshall it.
1701 */
1702
1703 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1704 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1705 goto err_exit;
1706 }
1707
1708 /*
1709 * Create the header, now we know the length.
1710 */
1711
1712 if (prs_offset(&out_auth)) {
1713 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1714 }
1715
1716 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1717 p->hdr.call_id,
1718 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1719 auth_len);
1720
1721 /*
1722 * Marshall the header into the outgoing PDU.
1723 */
1724
1725 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1726 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1727 goto err_exit;
1728 }
1729
1730 /*
1731 * Now add the RPC_HDR_BA and any auth needed.
1732 */
1733
1734 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1735 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1736 goto err_exit;
1737 }
1738
1739 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1740 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1741 goto err_exit;
1742 }
1743
1744 /*
1745 * Setup the lengths for the initial reply.
1746 */
1747
1748 p->out_data.data_sent_length = 0;
1749 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1750 p->out_data.current_pdu_sent = 0;
1751
1752 prs_mem_free(&out_hdr_ba);
1753 prs_mem_free(&out_auth);
1754
1755 return True;
1756
1757 err_exit:
1758
1759 prs_mem_free(&outgoing_rpc);
1760 prs_mem_free(&out_hdr_ba);
1761 prs_mem_free(&out_auth);
1762 return setup_bind_nak(p);
1763 }
1764
1765 /****************************************************************************
1766 Deal with an alter context call. Can be third part of 3 leg auth request for
1767 SPNEGO calls.
1768 ****************************************************************************/
1769
1770 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1771 {
1772 RPC_HDR_BA hdr_ba;
1773 RPC_HDR_RB hdr_rb;
1774 RPC_HDR_AUTH auth_info;
1775 uint16 assoc_gid;
1776 fstring ack_pipe_name;
1777 prs_struct out_hdr_ba;
1778 prs_struct out_auth;
1779 prs_struct outgoing_rpc;
1780 int auth_len = 0;
1781
1782 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1783
1784 /*
1785 * Marshall directly into the outgoing PDU space. We
1786 * must do this as we need to set to the bind response
1787 * header and are never sending more than one PDU here.
1788 */
1789
1790 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1791
1792 /*
1793 * Setup the memory to marshall the ba header, and the
1794 * auth footers.
1795 */
1796
1797 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1798 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1799 prs_mem_free(&outgoing_rpc);
1800 return False;
1801 }
1802
1803 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1804 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1805 prs_mem_free(&outgoing_rpc);
1806 prs_mem_free(&out_hdr_ba);
1807 return False;
1808 }
1809
1810 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1811
1812 /* decode the alter context request */
1813 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1814 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1815 goto err_exit;
1816 }
1817
1818 /* secondary address CAN be NULL
1819 * as the specs say it's ignored.
1820 * It MUST be NULL to have the spoolss working.
1821 */
1822 fstrcpy(ack_pipe_name,"");
1823
1824 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1825
1826 /*
1827 * Check if this is an authenticated alter context request.
1828 */
1829
1830 if (p->hdr.auth_len != 0) {
1831 /*
1832 * Decode the authentication verifier.
1833 */
1834
1835 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1836 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1837 goto err_exit;
1838 }
1839
1840 /*
1841 * Currently only the SPNEGO auth type uses the alter ctx
1842 * response in place of the NTLMSSP auth3 type.
1843 */
1844
1845 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1846 /* We can only finish if the pipe is unbound. */
1847 if (!p->pipe_bound) {
1848 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1849 goto err_exit;
1850 }
1851 } else {
1852 goto err_exit;
1853 }
1854 }
1855 } else {
1856 ZERO_STRUCT(auth_info);
1857 }
1858
1859 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1860
1861 /*
1862 * Create the bind response struct.
1863 */
1864
1865 /* If the requested abstract synt uuid doesn't match our client pipe,
1866 reject the bind_ack & set the transfer interface synt to all 0's,
1867 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1868 unknown to NT4)
1869 Needed when adding entries to a DACL from NT5 - SK */
1870
1871 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1872 hdr_rb.rpc_context[0].context_id )) {
1873 init_rpc_hdr_ba(&hdr_ba,
1874 RPC_MAX_PDU_FRAG_LEN,
1875 RPC_MAX_PDU_FRAG_LEN,
1876 assoc_gid,
1877 ack_pipe_name,
1878 0x1, 0x0, 0x0,
1879 &hdr_rb.rpc_context[0].transfer[0]);
1880 } else {
1881 RPC_IFACE null_interface;
1882 ZERO_STRUCT(null_interface);
1883 /* Rejection reason: abstract syntax not supported */
1884 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1885 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1886 ack_pipe_name, 0x1, 0x2, 0x1,
1887 &null_interface);
1888 p->pipe_bound = False;
1889 }
1890
1891 /*
1892 * and marshall it.
1893 */
1894
1895 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1896 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1897 goto err_exit;
1898 }
1899
1900 /*
1901 * Create the header, now we know the length.
1902 */
1903
1904 if (prs_offset(&out_auth)) {
1905 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1906 }
1907
1908 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1909 p->hdr.call_id,
1910 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1911 auth_len);
1912
1913 /*
1914 * Marshall the header into the outgoing PDU.
1915 */
1916
1917 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1918 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1919 goto err_exit;
1920 }
1921
1922 /*
1923 * Now add the RPC_HDR_BA and any auth needed.
1924 */
1925
1926 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1927 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1928 goto err_exit;
1929 }
1930
1931 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1932 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1933 goto err_exit;
1934 }
1935
1936 /*
1937 * Setup the lengths for the initial reply.
1938 */
1939
1940 p->out_data.data_sent_length = 0;
1941 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1942 p->out_data.current_pdu_sent = 0;
1943
1944 prs_mem_free(&out_hdr_ba);
1945 prs_mem_free(&out_auth);
1946
1947 return True;
1948
1949 err_exit:
1950
1951 prs_mem_free(&outgoing_rpc);
1952 prs_mem_free(&out_hdr_ba);
1953 prs_mem_free(&out_auth);
1954 return setup_bind_nak(p);
1955 }
1956
1957 /****************************************************************************
1958 Deal with NTLMSSP sign & seal processing on an RPC request.
1959 ****************************************************************************/
1960
1961 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1962 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1963 {
1964 RPC_HDR_AUTH auth_info;
1965 uint32 auth_len = p->hdr.auth_len;
1966 uint32 save_offset = prs_offset(rpc_in);
1967 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1968 unsigned char *data = NULL;
1969 size_t data_len;
1970 unsigned char *full_packet_data = NULL;
1971 size_t full_packet_data_len;
1972 DATA_BLOB auth_blob;
1973
1974 *pstatus = NT_STATUS_OK;
1975
1976 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1977 return True;
1978 }
1979
1980 if (!a) {
1981 *pstatus = NT_STATUS_INVALID_PARAMETER;
1982 return False;
1983 }
1984
1985 /* Ensure there's enough data for an authenticated request. */
1986 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1987 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1988 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1989 (unsigned int)auth_len ));
1990 *pstatus = NT_STATUS_INVALID_PARAMETER;
1991 return False;
1992 }
1993
1994 /*
1995 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1996 * after the RPC header.
1997 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1998 * functions as NTLMv2 checks the rpc headers also.
1999 */
2000
2001 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2002 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2003
2004 full_packet_data = p->in_data.current_in_pdu;
2005 full_packet_data_len = p->hdr.frag_len - auth_len;
2006
2007 /* Pull the auth header and the following data into a blob. */
2008 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2009 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2010 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2011 *pstatus = NT_STATUS_INVALID_PARAMETER;
2012 return False;
2013 }
2014
2015 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2016 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2017 *pstatus = NT_STATUS_INVALID_PARAMETER;
2018 return False;
2019 }
2020
2021 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2022 auth_blob.length = auth_len;
2023
2024 switch (p->auth.auth_level) {
2025 case PIPE_AUTH_LEVEL_PRIVACY:
2026 /* Data is encrypted. */
2027 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2028 data, data_len,
2029 full_packet_data,
2030 full_packet_data_len,
2031 &auth_blob);
2032 if (!NT_STATUS_IS_OK(*pstatus)) {
2033 return False;
2034 }
2035 break;
2036 case PIPE_AUTH_LEVEL_INTEGRITY:
2037 /* Data is signed. */
2038 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2039 data, data_len,
2040 full_packet_data,
2041 full_packet_data_len,
2042 &auth_blob);
2043 if (!NT_STATUS_IS_OK(*pstatus)) {
2044 return False;
2045 }
2046 break;
2047 default:
2048 *pstatus = NT_STATUS_INVALID_PARAMETER;
2049 return False;
2050 }
2051
2052 /*
2053 * Return the current pointer to the data offset.
2054 */
2055
2056 if(!prs_set_offset(rpc_in, save_offset)) {
2057 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2058 (unsigned int)save_offset ));
2059 *pstatus = NT_STATUS_INVALID_PARAMETER;
2060 return False;
2061 }
2062
2063 /*
2064 * Remember the padding length. We must remove it from the real data
2065 * stream once the sign/seal is done.
2066 */
2067
2068 *p_ss_padding_len = auth_info.auth_pad_len;
2069
2070 return True;
2071 }
2072
2073 /****************************************************************************
2074 Deal with schannel processing on an RPC request.
2075 ****************************************************************************/
2076
2077 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2078 {
2079 uint32 data_len;
2080 uint32 auth_len;
2081 uint32 save_offset = prs_offset(rpc_in);
2082 RPC_HDR_AUTH auth_info;
2083 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2084
2085 auth_len = p->hdr.auth_len;
2086
2087 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2088 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2089 return False;
2090 }
2091
2092 /*
2093 * The following is that length of the data we must verify or unseal.
2094 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2095 * preceeding the auth_data.
2096 */
2097
2098 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2099 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2100 (unsigned int)p->hdr.frag_len,
2101 (unsigned int)auth_len ));
2102 return False;
2103 }
2104
2105 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2106 RPC_HDR_AUTH_LEN - auth_len;
2107
2108 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2109
2110 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2111 DEBUG(0,("cannot move offset to %u.\n",
2112 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2113 return False;
2114 }
2115
2116 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2117 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2118 return False;
2119 }
2120
2121 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2122 DEBUG(0,("Invalid auth info %d on schannel\n",
2123 auth_info.auth_type));
2124 return False;
2125 }
2126
2127 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2128 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2129 return False;
2130 }
2131
2132 if (!schannel_decode(p->auth.a_u.schannel_auth,
2133 p->auth.auth_level,
2134 SENDER_IS_INITIATOR,
2135 &schannel_chk,
2136 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2137 DEBUG(3,("failed to decode PDU\n"));
2138 return False;
2139 }
2140
2141 /*
2142 * Return the current pointer to the data offset.
2143 */
2144
2145 if(!prs_set_offset(rpc_in, save_offset)) {
2146 DEBUG(0,("failed to set offset back to %u\n",
2147 (unsigned int)save_offset ));
2148 return False;
2149 }
2150
2151 /* The sequence number gets incremented on both send and receive. */
2152 p->auth.a_u.schannel_auth->seq_num++;
2153
2154 /*
2155 * Remember the padding length. We must remove it from the real data
2156 * stream once the sign/seal is done.
2157 */
2158
2159 *p_ss_padding_len = auth_info.auth_pad_len;
2160
2161 return True;
2162 }
2163
2164 /****************************************************************************
2165 Return a user struct for a pipe user.
2166 ****************************************************************************/
2167
2168 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2169 {
2170 if (p->pipe_bound &&
2171 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2172 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2173 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2174 } else {
2175 memcpy(user, &current_user, sizeof(struct current_user));
2176 }
2177
2178 return user;
2179 }
2180
2181 /****************************************************************************
2182 Find the set of RPC functions associated with this context_id
2183 ****************************************************************************/
2184
2185 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2186 {
2187 PIPE_RPC_FNS *fns = NULL;
2188 PIPE_RPC_FNS *tmp = NULL;
2189
2190 if ( !list ) {
2191 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2192 return NULL;
2193 }
2194
2195 for (tmp=list; tmp; tmp=tmp->next ) {
2196 if ( tmp->context_id == context_id )
2197 break;
2198 }
2199
2200 fns = tmp;
2201
2202 return fns;
2203 }
2204
2205 /****************************************************************************
2206 Memory cleanup.
2207 ****************************************************************************/
2208
2209 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2210 {
2211 PIPE_RPC_FNS *tmp = list;
2212 PIPE_RPC_FNS *tmp2;
2213
2214 while (tmp) {
2215 tmp2 = tmp->next;
2216 SAFE_FREE(tmp);
2217 tmp = tmp2;
2218 }
2219
2220 return;
2221 }
2222
2223 /****************************************************************************
2224 Find the correct RPC function to call for this request.
2225 If the pipe is authenticated then become the correct UNIX user
2226 before doing the call.
2227 ****************************************************************************/
2228
2229 bool api_pipe_request(pipes_struct *p)
2230 {
2231 bool ret = False;
2232 bool changed_user = False;
2233 PIPE_RPC_FNS *pipe_fns;
2234
2235 if (p->pipe_bound &&
2236 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2237 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2238 if(!become_authenticated_pipe_user(p)) {
2239 prs_mem_free(&p->out_data.rdata);
2240 return False;
2241 }
2242 changed_user = True;
2243 }
2244
2245 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2246
2247 /* get the set of RPC functions for this context */
2248
2249 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2250
2251 if ( pipe_fns ) {
2252 TALLOC_CTX *frame = talloc_stackframe();
2253 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2254 TALLOC_FREE(frame);
2255 }
2256 else {
2257 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2258 p->hdr_req.context_id, p->name));
2259 }
2260
2261 if (changed_user) {
2262 unbecome_authenticated_pipe_user();
2263 }
2264
2265 return ret;
2266 }
2267
2268 /*******************************************************************
2269 Calls the underlying RPC function for a named pipe.
2270 ********************************************************************/
2271
2272 bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2273 const struct api_struct *api_rpc_cmds, int n_cmds)
2274 {
2275 int fn_num;
2276 fstring name;
2277 uint32 offset1, offset2;
2278
2279 /* interpret the command */
2280 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2281
2282 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2283 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2284
2285 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2286 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2287 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2288 break;
2289 }
2290 }
2291
2292 if (fn_num == n_cmds) {
2293 /*
2294 * For an unknown RPC just return a fault PDU but
2295 * return True to allow RPC's on the pipe to continue
2296 * and not put the pipe into fault state. JRA.
2297 */
2298 DEBUG(4, ("unknown\n"));
2299 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2300 return True;
2301 }
2302
2303 offset1 = prs_offset(&p->out_data.rdata);
2304
2305 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2306 fn_num, api_rpc_cmds[fn_num].fn));
2307 /* do the actual command */
2308 if(!api_rpc_cmds[fn_num].fn(p)) {
2309 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2310 prs_mem_free(&p->out_data.rdata);
2311 return False;
2312 }
2313
2314 if (p->bad_handle_fault_state) {
2315 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2316 p->bad_handle_fault_state = False;
2317 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2318 return True;
2319 }
2320
2321 if (p->rng_fault_state) {
2322 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2323 p->rng_fault_state = False;
2324 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2325 return True;
2326 }
2327
2328 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2329 offset2 = prs_offset(&p->out_data.rdata);
2330 prs_set_offset(&p->out_data.rdata, offset1);
2331 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2332 prs_set_offset(&p->out_data.rdata, offset2);
2333
2334 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2335
2336 /* Check for buffer underflow in rpc parsing */
2337
2338 if ((DEBUGLEVEL >= 10) &&
2339 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2340 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2341 char *data = (char *)SMB_MALLOC(data_len);
2342
2343 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2344 if (data) {
2345 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2346 SAFE_FREE(data);
2347 }
2348
2349 }
2350
2351 return True;
2352 }
2353
2354 /*******************************************************************
2355 *******************************************************************/
2356
2357 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2358 {
2359 struct api_struct *cmds = NULL;
2360 int n_cmds = 0;
2361
2362 switch ( idx ) {
2363 case PI_LSARPC:
2364 lsa_get_pipe_fns( &cmds, &n_cmds );
2365 break;
2366 case PI_DSSETUP:
2367 dssetup_get_pipe_fns( &cmds, &n_cmds );
2368 break;
2369 case PI_SAMR:
2370 samr2_get_pipe_fns( &cmds, &n_cmds );
2371 break;
2372 case PI_NETLOGON:
2373 netlog_get_pipe_fns( &cmds, &n_cmds );
2374 break;
2375 case PI_SRVSVC:
2376 srvsvc2_get_pipe_fns( &cmds, &n_cmds );
2377 break;
2378 case PI_WKSSVC:
2379 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2380 break;
2381 case PI_WINREG:
2382 winreg_get_pipe_fns( &cmds, &n_cmds );
2383 break;
2384 case PI_SPOOLSS:
2385 spoolss_get_pipe_fns( &cmds, &n_cmds );
2386 break;
2387 case PI_NETDFS:
2388 netdfs_get_pipe_fns( &cmds, &n_cmds );
2389 break;
2390 case PI_SVCCTL:
2391 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2392 break;
2393 case PI_EVENTLOG:
2394 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2395 break;
2396 case PI_NTSVCS:
2397 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2398 break;
2399 #ifdef DEVELOPER
2400 case PI_RPCECHO:
2401 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2402 break;
2403 #endif
2404 default:
2405 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2406 }
2407
2408 *fns = cmds;
2409 *n_fns = n_cmds;
2410
2411 return;
2412 }
reg import