search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Simplify the RPC servers: remove get_pipe_fns
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blobfa8fffa3503641b33e60921cc4bb7632efb01725
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267 }
268
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445 }
446
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
621
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
626
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
632 }
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
644 }
645 }
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
652 }
653 }
654
655 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
656 "workstation: %s\n", a->ntlmssp_state->user,
657 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
658
659 /*
660 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
661 */
662
663 p->pipe_user.ut.uid = a->server_info->utok.uid;
664 p->pipe_user.ut.gid = a->server_info->utok.gid;
665
666 p->pipe_user.ut.ngroups = a->server_info->utok.ngroups;
667 if (p->pipe_user.ut.ngroups) {
668 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(
669 a->server_info->utok.groups,
670 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
671 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
672 return False;
673 }
674 }
675
676 if (a->server_info->ptok) {
677 p->pipe_user.nt_user_token =
678 dup_nt_token(NULL, a->server_info->ptok);
679 } else {
680 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
681 p->pipe_user.nt_user_token = NULL;
682 return False;
683 }
684
685 TALLOC_FREE(p->server_info);
686
687 p->server_info = copy_serverinfo(p, a->server_info);
688 if (p->server_info == NULL) {
689 DEBUG(0, ("copy_serverinfo failed\n"));
690 return false;
691 }
692
693 /*
694 * We're an authenticated bind over smb, so the session key needs to
695 * be set to "SystemLibraryDTC". Weird, but this is what Windows
696 * does. See the RPC-SAMBA3SESSIONKEY.
697 */
698
699 session_key = generic_session_key();
700 if (session_key.data == NULL) {
701 return False;
702 }
703
704 ret = server_info_set_session_key(p->server_info, session_key);
705
706 data_blob_free(&session_key);
707
708 return True;
709 }
710
711 /*******************************************************************
712 The switch table for the pipe names and the functions to handle them.
713 *******************************************************************/
714
715 struct rpc_table {
716 struct {
717 const char *clnt;
718 const char *srv;
719 } pipe;
720 struct ndr_syntax_id rpc_interface;
721 const struct api_struct *cmds;
722 int n_cmds;
723 };
724
725 static struct rpc_table *rpc_lookup;
726 static int rpc_lookup_size;
727
728 /*******************************************************************
729 This is the "stage3" NTLMSSP response after a bind request and reply.
730 *******************************************************************/
731
732 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
733 {
734 RPC_HDR_AUTH auth_info;
735 uint32 pad;
736 DATA_BLOB blob;
737
738 ZERO_STRUCT(blob);
739
740 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
741
742 if (p->hdr.auth_len == 0) {
743 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
744 goto err;
745 }
746
747 /* 4 bytes padding. */
748 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
749 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
750 goto err;
751 }
752
753 /*
754 * Decode the authentication verifier response.
755 */
756
757 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
758 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
759 goto err;
760 }
761
762 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
763 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
764 (unsigned int)auth_info.auth_type ));
765 return False;
766 }
767
768 blob = data_blob(NULL,p->hdr.auth_len);
769
770 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
771 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
772 (unsigned int)p->hdr.auth_len ));
773 goto err;
774 }
775
776 /*
777 * The following call actually checks the challenge/response data.
778 * for correctness against the given DOMAIN\user name.
779 */
780
781 if (!pipe_ntlmssp_verify_final(p, &blob)) {
782 goto err;
783 }
784
785 data_blob_free(&blob);
786
787 p->pipe_bound = True;
788
789 return True;
790
791 err:
792
793 data_blob_free(&blob);
794 free_pipe_ntlmssp_auth_data(&p->auth);
795 p->auth.a_u.auth_ntlmssp_state = NULL;
796
797 return False;
798 }
799
800 /*******************************************************************
801 Marshall a bind_nak pdu.
802 *******************************************************************/
803
804 static bool setup_bind_nak(pipes_struct *p)
805 {
806 prs_struct outgoing_rpc;
807 RPC_HDR nak_hdr;
808 uint16 zero = 0;
809
810 /* Free any memory in the current return data buffer. */
811 prs_mem_free(&p->out_data.rdata);
812
813 /*
814 * Marshall directly into the outgoing PDU space. We
815 * must do this as we need to set to the bind response
816 * header and are never sending more than one PDU here.
817 */
818
819 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
820 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
821
822 /*
823 * Initialize a bind_nak header.
824 */
825
826 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
827 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
828
829 /*
830 * Marshall the header into the outgoing PDU.
831 */
832
833 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
834 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
835 prs_mem_free(&outgoing_rpc);
836 return False;
837 }
838
839 /*
840 * Now add the reject reason.
841 */
842
843 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
844 prs_mem_free(&outgoing_rpc);
845 return False;
846 }
847
848 p->out_data.data_sent_length = 0;
849 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
850 p->out_data.current_pdu_sent = 0;
851
852 if (p->auth.auth_data_free_func) {
853 (*p->auth.auth_data_free_func)(&p->auth);
854 }
855 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
856 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
857 p->pipe_bound = False;
858
859 return True;
860 }
861
862 /*******************************************************************
863 Marshall a fault pdu.
864 *******************************************************************/
865
866 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
867 {
868 prs_struct outgoing_pdu;
869 RPC_HDR fault_hdr;
870 RPC_HDR_RESP hdr_resp;
871 RPC_HDR_FAULT fault_resp;
872
873 /* Free any memory in the current return data buffer. */
874 prs_mem_free(&p->out_data.rdata);
875
876 /*
877 * Marshall directly into the outgoing PDU space. We
878 * must do this as we need to set to the bind response
879 * header and are never sending more than one PDU here.
880 */
881
882 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
883 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
884
885 /*
886 * Initialize a fault header.
887 */
888
889 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
890 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
891
892 /*
893 * Initialize the HDR_RESP and FAULT parts of the PDU.
894 */
895
896 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
897
898 fault_resp.status = status;
899 fault_resp.reserved = 0;
900
901 /*
902 * Marshall the header into the outgoing PDU.
903 */
904
905 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
906 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
907 prs_mem_free(&outgoing_pdu);
908 return False;
909 }
910
911 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
912 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
913 prs_mem_free(&outgoing_pdu);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
919 prs_mem_free(&outgoing_pdu);
920 return False;
921 }
922
923 p->out_data.data_sent_length = 0;
924 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
925 p->out_data.current_pdu_sent = 0;
926
927 prs_mem_free(&outgoing_pdu);
928 return True;
929 }
930
931 #if 0
932 /*******************************************************************
933 Marshall a cancel_ack pdu.
934 We should probably check the auth-verifier here.
935 *******************************************************************/
936
937 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
938 {
939 prs_struct outgoing_pdu;
940 RPC_HDR ack_reply_hdr;
941
942 /* Free any memory in the current return data buffer. */
943 prs_mem_free(&p->out_data.rdata);
944
945 /*
946 * Marshall directly into the outgoing PDU space. We
947 * must do this as we need to set to the bind response
948 * header and are never sending more than one PDU here.
949 */
950
951 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
952 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
953
954 /*
955 * Initialize a cancel_ack header.
956 */
957
958 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
959 p->hdr.call_id, RPC_HEADER_LEN, 0);
960
961 /*
962 * Marshall the header into the outgoing PDU.
963 */
964
965 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
966 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
967 prs_mem_free(&outgoing_pdu);
968 return False;
969 }
970
971 p->out_data.data_sent_length = 0;
972 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
973 p->out_data.current_pdu_sent = 0;
974
975 prs_mem_free(&outgoing_pdu);
976 return True;
977 }
978 #endif
979
980 /*******************************************************************
981 Ensure a bind request has the correct abstract & transfer interface.
982 Used to reject unknown binds from Win2k.
983 *******************************************************************/
984
985 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
986 RPC_IFACE* transfer, uint32 context_id)
987 {
988 int i=0;
989 struct pipe_rpc_fns *context_fns;
990
991 DEBUG(3,("check_bind_req for %s\n", p->name));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for (i=0; i<rpc_lookup_size; i++) {
996 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
997 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
998 && ndr_syntax_id_equal(
999 abstract, &rpc_lookup[i].rpc_interface)
1000 && ndr_syntax_id_equal(
1001 transfer, &ndr_transfer_syntax)) {
1002 break;
1003 }
1004 }
1005
1006 if (i == rpc_lookup_size) {
1007 return false;
1008 }
1009
1010 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1011 if (context_fns == NULL) {
1012 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1013 return False;
1014 }
1015
1016 context_fns->cmds = rpc_lookup[i].cmds;
1017 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1018 context_fns->context_id = context_id;
1019
1020 /* add to the list of open contexts */
1021
1022 DLIST_ADD( p->contexts, context_fns );
1023
1024 return True;
1025 }
1026
1027 /*******************************************************************
1028 Register commands to an RPC pipe
1029 *******************************************************************/
1030
1031 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt,
1032 const char *srv,
1033 const struct ndr_syntax_id *interface,
1034 const struct api_struct *cmds, int size)
1035 {
1036 struct rpc_table *rpc_entry;
1037
1038 if (!clnt || !srv || !cmds) {
1039 return NT_STATUS_INVALID_PARAMETER;
1040 }
1041
1042 if (version != SMB_RPC_INTERFACE_VERSION) {
1043 DEBUG(0,("Can't register rpc commands!\n"
1044 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1045 ", while this version of samba uses version %d!\n",
1046 version,SMB_RPC_INTERFACE_VERSION));
1047 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1048 }
1049
1050 /* TODO:
1051 *
1052 * we still need to make sure that don't register the same commands twice!!!
1053 *
1054 * --metze
1055 */
1056
1057 /* We use a temporary variable because this call can fail and
1058 rpc_lookup will still be valid afterwards. It could then succeed if
1059 called again later */
1060 rpc_lookup_size++;
1061 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1062 if (NULL == rpc_entry) {
1063 rpc_lookup_size--;
1064 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1065 return NT_STATUS_NO_MEMORY;
1066 } else {
1067 rpc_lookup = rpc_entry;
1068 }
1069
1070 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1071 ZERO_STRUCTP(rpc_entry);
1072 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1073 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1074 rpc_entry->rpc_interface = *interface;
1075 rpc_entry->cmds = cmds;
1076 rpc_entry->n_cmds = size;
1077
1078 return NT_STATUS_OK;
1079 }
1080
1081 /*******************************************************************
1082 Handle a SPNEGO krb5 bind auth.
1083 *******************************************************************/
1084
1085 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1086 DATA_BLOB *psecblob, prs_struct *pout_auth)
1087 {
1088 return False;
1089 }
1090
1091 /*******************************************************************
1092 Handle the first part of a SPNEGO bind auth.
1093 *******************************************************************/
1094
1095 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1096 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1097 {
1098 DATA_BLOB blob;
1099 DATA_BLOB secblob;
1100 DATA_BLOB response;
1101 DATA_BLOB chal;
1102 char *OIDs[ASN1_MAX_OIDS];
1103 int i;
1104 NTSTATUS status;
1105 bool got_kerberos_mechanism = false;
1106 AUTH_NTLMSSP_STATE *a = NULL;
1107 RPC_HDR_AUTH auth_info;
1108
1109 ZERO_STRUCT(secblob);
1110 ZERO_STRUCT(chal);
1111 ZERO_STRUCT(response);
1112
1113 /* Grab the SPNEGO blob. */
1114 blob = data_blob(NULL,p->hdr.auth_len);
1115
1116 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1117 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1118 (unsigned int)p->hdr.auth_len ));
1119 goto err;
1120 }
1121
1122 if (blob.data[0] != ASN1_APPLICATION(0)) {
1123 goto err;
1124 }
1125
1126 /* parse out the OIDs and the first sec blob */
1127 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1128 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1129 goto err;
1130 }
1131
1132 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1133 got_kerberos_mechanism = true;
1134 }
1135
1136 for (i=0;OIDs[i];i++) {
1137 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1138 SAFE_FREE(OIDs[i]);
1139 }
1140 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1141
1142 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1143 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1144 data_blob_free(&secblob);
1145 data_blob_free(&blob);
1146 return ret;
1147 }
1148
1149 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1150 /* Free any previous auth type. */
1151 free_pipe_ntlmssp_auth_data(&p->auth);
1152 }
1153
1154 if (!got_kerberos_mechanism) {
1155 /* Initialize the NTLM engine. */
1156 status = auth_ntlmssp_start(&a);
1157 if (!NT_STATUS_IS_OK(status)) {
1158 goto err;
1159 }
1160
1161 /*
1162 * Pass the first security blob of data to it.
1163 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1164 * which means we need another packet to complete the bind.
1165 */
1166
1167 status = auth_ntlmssp_update(a, secblob, &chal);
1168
1169 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1170 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1171 goto err;
1172 }
1173
1174 /* Generate the response blob we need for step 2 of the bind. */
1175 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1176 } else {
1177 /*
1178 * SPNEGO negotiate down to NTLMSSP. The subsequent
1179 * code to process follow-up packets is not complete
1180 * yet. JRA.
1181 */
1182 response = spnego_gen_auth_response(NULL,
1183 NT_STATUS_MORE_PROCESSING_REQUIRED,
1184 OID_NTLMSSP);
1185 }
1186
1187 /* Copy the blob into the pout_auth parse struct */
1188 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1189 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1190 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1191 goto err;
1192 }
1193
1194 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1195 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1196 goto err;
1197 }
1198
1199 p->auth.a_u.auth_ntlmssp_state = a;
1200 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1201 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1202
1203 data_blob_free(&blob);
1204 data_blob_free(&secblob);
1205 data_blob_free(&chal);
1206 data_blob_free(&response);
1207
1208 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1209 return True;
1210
1211 err:
1212
1213 data_blob_free(&blob);
1214 data_blob_free(&secblob);
1215 data_blob_free(&chal);
1216 data_blob_free(&response);
1217
1218 p->auth.a_u.auth_ntlmssp_state = NULL;
1219
1220 return False;
1221 }
1222
1223 /*******************************************************************
1224 Handle the second part of a SPNEGO bind auth.
1225 *******************************************************************/
1226
1227 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1228 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1229 {
1230 RPC_HDR_AUTH auth_info;
1231 DATA_BLOB spnego_blob;
1232 DATA_BLOB auth_blob;
1233 DATA_BLOB auth_reply;
1234 DATA_BLOB response;
1235 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1236
1237 ZERO_STRUCT(spnego_blob);
1238 ZERO_STRUCT(auth_blob);
1239 ZERO_STRUCT(auth_reply);
1240 ZERO_STRUCT(response);
1241
1242 /*
1243 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1244 * fail here as 'a' == NULL.
1245 */
1246 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1247 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1248 goto err;
1249 }
1250
1251 /* Grab the SPNEGO blob. */
1252 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1253
1254 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1255 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1256 (unsigned int)p->hdr.auth_len ));
1257 goto err;
1258 }
1259
1260 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1261 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1262 goto err;
1263 }
1264
1265 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1266 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1267 goto err;
1268 }
1269
1270 /*
1271 * The following call actually checks the challenge/response data.
1272 * for correctness against the given DOMAIN\user name.
1273 */
1274
1275 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1276 goto err;
1277 }
1278
1279 data_blob_free(&spnego_blob);
1280 data_blob_free(&auth_blob);
1281
1282 /* Generate the spnego "accept completed" blob - no incoming data. */
1283 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1284
1285 /* Copy the blob into the pout_auth parse struct */
1286 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1287 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1288 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1289 goto err;
1290 }
1291
1292 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1293 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1294 goto err;
1295 }
1296
1297 data_blob_free(&auth_reply);
1298 data_blob_free(&response);
1299
1300 p->pipe_bound = True;
1301
1302 return True;
1303
1304 err:
1305
1306 data_blob_free(&spnego_blob);
1307 data_blob_free(&auth_blob);
1308 data_blob_free(&auth_reply);
1309 data_blob_free(&response);
1310
1311 free_pipe_ntlmssp_auth_data(&p->auth);
1312 p->auth.a_u.auth_ntlmssp_state = NULL;
1313
1314 return False;
1315 }
1316
1317 /*******************************************************************
1318 Handle an schannel bind auth.
1319 *******************************************************************/
1320
1321 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1322 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1323 {
1324 RPC_HDR_AUTH auth_info;
1325 RPC_AUTH_SCHANNEL_NEG neg;
1326 RPC_AUTH_VERIFIER auth_verifier;
1327 bool ret;
1328 struct dcinfo *pdcinfo;
1329 uint32 flags;
1330 DATA_BLOB session_key;
1331
1332 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1333 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1334 return False;
1335 }
1336
1337 /*
1338 * The neg.myname key here must match the remote computer name
1339 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1340 * operations that use credentials.
1341 */
1342
1343 become_root();
1344 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1345 unbecome_root();
1346
1347 if (!ret) {
1348 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1349 return False;
1350 }
1351
1352 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1353 if (!p->auth.a_u.schannel_auth) {
1354 TALLOC_FREE(pdcinfo);
1355 return False;
1356 }
1357
1358 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1359 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1360 sizeof(pdcinfo->sess_key));
1361
1362 TALLOC_FREE(pdcinfo);
1363
1364 p->auth.a_u.schannel_auth->seq_num = 0;
1365
1366 /*
1367 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1368 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1369 * struct of the person who opened the pipe. I need to test this further. JRA.
1370 *
1371 * VL. As we are mapping this to guest set the generic key
1372 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1373 * W2k3, as it does not allow schannel binds against SAMR and LSA
1374 * anymore.
1375 */
1376
1377 session_key = generic_session_key();
1378 if (session_key.data == NULL) {
1379 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1380 " key\n"));
1381 return false;
1382 }
1383
1384 ret = server_info_set_session_key(p->server_info, session_key);
1385
1386 data_blob_free(&session_key);
1387
1388 if (!ret) {
1389 DEBUG(0, ("server_info_set_session_key failed\n"));
1390 return false;
1391 }
1392
1393 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1394 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1395 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1396 return False;
1397 }
1398
1399 /*** SCHANNEL verifier ***/
1400
1401 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1402 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1403 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1404 return False;
1405 }
1406
1407 prs_align(pout_auth);
1408
1409 flags = 5;
1410 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1411 return False;
1412 }
1413
1414 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1415 neg.domain, neg.myname));
1416
1417 /* We're finished with this bind - no more packets. */
1418 p->auth.auth_data_free_func = NULL;
1419 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1420
1421 p->pipe_bound = True;
1422
1423 return True;
1424 }
1425
1426 /*******************************************************************
1427 Handle an NTLMSSP bind auth.
1428 *******************************************************************/
1429
1430 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1431 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1432 {
1433 RPC_HDR_AUTH auth_info;
1434 DATA_BLOB blob;
1435 DATA_BLOB response;
1436 NTSTATUS status;
1437 AUTH_NTLMSSP_STATE *a = NULL;
1438
1439 ZERO_STRUCT(blob);
1440 ZERO_STRUCT(response);
1441
1442 /* Grab the NTLMSSP blob. */
1443 blob = data_blob(NULL,p->hdr.auth_len);
1444
1445 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1446 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1447 (unsigned int)p->hdr.auth_len ));
1448 goto err;
1449 }
1450
1451 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1452 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1453 goto err;
1454 }
1455
1456 /* We have an NTLMSSP blob. */
1457 status = auth_ntlmssp_start(&a);
1458 if (!NT_STATUS_IS_OK(status)) {
1459 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1460 nt_errstr(status) ));
1461 goto err;
1462 }
1463
1464 status = auth_ntlmssp_update(a, blob, &response);
1465 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1466 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1467 nt_errstr(status) ));
1468 goto err;
1469 }
1470
1471 data_blob_free(&blob);
1472
1473 /* Copy the blob into the pout_auth parse struct */
1474 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1475 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1476 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1477 goto err;
1478 }
1479
1480 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1481 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1482 goto err;
1483 }
1484
1485 p->auth.a_u.auth_ntlmssp_state = a;
1486 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1487 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1488
1489 data_blob_free(&blob);
1490 data_blob_free(&response);
1491
1492 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1493
1494 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1495 return True;
1496
1497 err:
1498
1499 data_blob_free(&blob);
1500 data_blob_free(&response);
1501
1502 free_pipe_ntlmssp_auth_data(&p->auth);
1503 p->auth.a_u.auth_ntlmssp_state = NULL;
1504 return False;
1505 }
1506
1507 /*******************************************************************
1508 Respond to a pipe bind request.
1509 *******************************************************************/
1510
1511 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1512 {
1513 RPC_HDR_BA hdr_ba;
1514 RPC_HDR_RB hdr_rb;
1515 RPC_HDR_AUTH auth_info;
1516 uint16 assoc_gid;
1517 fstring ack_pipe_name;
1518 prs_struct out_hdr_ba;
1519 prs_struct out_auth;
1520 prs_struct outgoing_rpc;
1521 int i = 0;
1522 int auth_len = 0;
1523 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1524
1525 /* No rebinds on a bound pipe - use alter context. */
1526 if (p->pipe_bound) {
1527 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1528 return setup_bind_nak(p);
1529 }
1530
1531 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1532
1533 /*
1534 * Marshall directly into the outgoing PDU space. We
1535 * must do this as we need to set to the bind response
1536 * header and are never sending more than one PDU here.
1537 */
1538
1539 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1540
1541 /*
1542 * Setup the memory to marshall the ba header, and the
1543 * auth footers.
1544 */
1545
1546 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1547 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1548 prs_mem_free(&outgoing_rpc);
1549 return False;
1550 }
1551
1552 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1553 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1554 prs_mem_free(&outgoing_rpc);
1555 prs_mem_free(&out_hdr_ba);
1556 return False;
1557 }
1558
1559 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1560
1561 ZERO_STRUCT(hdr_rb);
1562
1563 /* decode the bind request */
1564
1565 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1566 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1567 "struct.\n"));
1568 goto err_exit;
1569 }
1570
1571 if (hdr_rb.num_contexts == 0) {
1572 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1573 goto err_exit;
1574 }
1575
1576 /*
1577 * Try and find the correct pipe name to ensure
1578 * that this is a pipe name we support.
1579 */
1580
1581 for (i = 0; i < rpc_lookup_size; i++) {
1582 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1583 &hdr_rb.rpc_context[0].abstract)) {
1584 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1585 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1586 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1587 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1588 break;
1589 }
1590 }
1591
1592 if (i == rpc_lookup_size) {
1593 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1594 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1595 p->name ));
1596 prs_mem_free(&outgoing_rpc);
1597 prs_mem_free(&out_hdr_ba);
1598 prs_mem_free(&out_auth);
1599
1600 return setup_bind_nak(p);
1601 }
1602
1603 for (i = 0; i < rpc_lookup_size; i++) {
1604 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1605 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1606 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1607 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1608 break;
1609 }
1610 }
1611
1612 if (i == rpc_lookup_size) {
1613 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1614 goto err_exit;
1615 }
1616 }
1617
1618 /* name has to be \PIPE\xxxxx */
1619 fstrcpy(ack_pipe_name, "\\PIPE\\");
1620 fstrcat(ack_pipe_name, p->pipe_srv_name);
1621
1622 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1623
1624 /*
1625 * Check if this is an authenticated bind request.
1626 */
1627
1628 if (p->hdr.auth_len) {
1629 /*
1630 * Decode the authentication verifier.
1631 */
1632
1633 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1634 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1635 goto err_exit;
1636 }
1637
1638 auth_type = auth_info.auth_type;
1639
1640 /* Work out if we have to sign or seal etc. */
1641 switch (auth_info.auth_level) {
1642 case RPC_AUTH_LEVEL_INTEGRITY:
1643 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1644 break;
1645 case RPC_AUTH_LEVEL_PRIVACY:
1646 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1647 break;
1648 default:
1649 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1650 (unsigned int)auth_info.auth_level ));
1651 goto err_exit;
1652 }
1653 } else {
1654 ZERO_STRUCT(auth_info);
1655 }
1656
1657 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1658
1659 switch(auth_type) {
1660 case RPC_NTLMSSP_AUTH_TYPE:
1661 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1662 goto err_exit;
1663 }
1664 assoc_gid = 0x7a77;
1665 break;
1666
1667 case RPC_SCHANNEL_AUTH_TYPE:
1668 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1669 goto err_exit;
1670 }
1671 break;
1672
1673 case RPC_SPNEGO_AUTH_TYPE:
1674 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1675 goto err_exit;
1676 }
1677 break;
1678
1679 case RPC_ANONYMOUS_AUTH_TYPE:
1680 /* Unauthenticated bind request. */
1681 /* Get the authenticated pipe user from current_user */
1682 if (!copy_current_user(&p->pipe_user, &current_user)) {
1683 DEBUG(10, ("Could not copy current user\n"));
1684 goto err_exit;
1685 }
1686 /* We're finished - no more packets. */
1687 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1688 /* We must set the pipe auth_level here also. */
1689 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1690 p->pipe_bound = True;
1691 /* The session key was initialized from the SMB
1692 * session in make_internal_rpc_pipe_p */
1693 break;
1694
1695 default:
1696 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1697 goto err_exit;
1698 }
1699
1700 /*
1701 * Create the bind response struct.
1702 */
1703
1704 /* If the requested abstract synt uuid doesn't match our client pipe,
1705 reject the bind_ack & set the transfer interface synt to all 0's,
1706 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1707 unknown to NT4)
1708 Needed when adding entries to a DACL from NT5 - SK */
1709
1710 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1711 hdr_rb.rpc_context[0].context_id )) {
1712 init_rpc_hdr_ba(&hdr_ba,
1713 RPC_MAX_PDU_FRAG_LEN,
1714 RPC_MAX_PDU_FRAG_LEN,
1715 assoc_gid,
1716 ack_pipe_name,
1717 0x1, 0x0, 0x0,
1718 &hdr_rb.rpc_context[0].transfer[0]);
1719 } else {
1720 RPC_IFACE null_interface;
1721 ZERO_STRUCT(null_interface);
1722 /* Rejection reason: abstract syntax not supported */
1723 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1724 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1725 ack_pipe_name, 0x1, 0x2, 0x1,
1726 &null_interface);
1727 p->pipe_bound = False;
1728 }
1729
1730 /*
1731 * and marshall it.
1732 */
1733
1734 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1735 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1736 goto err_exit;
1737 }
1738
1739 /*
1740 * Create the header, now we know the length.
1741 */
1742
1743 if (prs_offset(&out_auth)) {
1744 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1745 }
1746
1747 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1748 p->hdr.call_id,
1749 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1750 auth_len);
1751
1752 /*
1753 * Marshall the header into the outgoing PDU.
1754 */
1755
1756 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1757 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1758 goto err_exit;
1759 }
1760
1761 /*
1762 * Now add the RPC_HDR_BA and any auth needed.
1763 */
1764
1765 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1766 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1767 goto err_exit;
1768 }
1769
1770 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1771 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1772 goto err_exit;
1773 }
1774
1775 /*
1776 * Setup the lengths for the initial reply.
1777 */
1778
1779 p->out_data.data_sent_length = 0;
1780 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1781 p->out_data.current_pdu_sent = 0;
1782
1783 prs_mem_free(&out_hdr_ba);
1784 prs_mem_free(&out_auth);
1785
1786 return True;
1787
1788 err_exit:
1789
1790 prs_mem_free(&outgoing_rpc);
1791 prs_mem_free(&out_hdr_ba);
1792 prs_mem_free(&out_auth);
1793 return setup_bind_nak(p);
1794 }
1795
1796 /****************************************************************************
1797 Deal with an alter context call. Can be third part of 3 leg auth request for
1798 SPNEGO calls.
1799 ****************************************************************************/
1800
1801 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1802 {
1803 RPC_HDR_BA hdr_ba;
1804 RPC_HDR_RB hdr_rb;
1805 RPC_HDR_AUTH auth_info;
1806 uint16 assoc_gid;
1807 fstring ack_pipe_name;
1808 prs_struct out_hdr_ba;
1809 prs_struct out_auth;
1810 prs_struct outgoing_rpc;
1811 int auth_len = 0;
1812
1813 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1814
1815 /*
1816 * Marshall directly into the outgoing PDU space. We
1817 * must do this as we need to set to the bind response
1818 * header and are never sending more than one PDU here.
1819 */
1820
1821 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1822
1823 /*
1824 * Setup the memory to marshall the ba header, and the
1825 * auth footers.
1826 */
1827
1828 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1829 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1830 prs_mem_free(&outgoing_rpc);
1831 return False;
1832 }
1833
1834 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1835 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1836 prs_mem_free(&outgoing_rpc);
1837 prs_mem_free(&out_hdr_ba);
1838 return False;
1839 }
1840
1841 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1842
1843 /* decode the alter context request */
1844 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1845 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1846 goto err_exit;
1847 }
1848
1849 /* secondary address CAN be NULL
1850 * as the specs say it's ignored.
1851 * It MUST be NULL to have the spoolss working.
1852 */
1853 fstrcpy(ack_pipe_name,"");
1854
1855 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1856
1857 /*
1858 * Check if this is an authenticated alter context request.
1859 */
1860
1861 if (p->hdr.auth_len != 0) {
1862 /*
1863 * Decode the authentication verifier.
1864 */
1865
1866 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1867 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1868 goto err_exit;
1869 }
1870
1871 /*
1872 * Currently only the SPNEGO auth type uses the alter ctx
1873 * response in place of the NTLMSSP auth3 type.
1874 */
1875
1876 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1877 /* We can only finish if the pipe is unbound. */
1878 if (!p->pipe_bound) {
1879 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1880 goto err_exit;
1881 }
1882 } else {
1883 goto err_exit;
1884 }
1885 }
1886 } else {
1887 ZERO_STRUCT(auth_info);
1888 }
1889
1890 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1891
1892 /*
1893 * Create the bind response struct.
1894 */
1895
1896 /* If the requested abstract synt uuid doesn't match our client pipe,
1897 reject the bind_ack & set the transfer interface synt to all 0's,
1898 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1899 unknown to NT4)
1900 Needed when adding entries to a DACL from NT5 - SK */
1901
1902 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1903 hdr_rb.rpc_context[0].context_id )) {
1904 init_rpc_hdr_ba(&hdr_ba,
1905 RPC_MAX_PDU_FRAG_LEN,
1906 RPC_MAX_PDU_FRAG_LEN,
1907 assoc_gid,
1908 ack_pipe_name,
1909 0x1, 0x0, 0x0,
1910 &hdr_rb.rpc_context[0].transfer[0]);
1911 } else {
1912 RPC_IFACE null_interface;
1913 ZERO_STRUCT(null_interface);
1914 /* Rejection reason: abstract syntax not supported */
1915 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1916 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1917 ack_pipe_name, 0x1, 0x2, 0x1,
1918 &null_interface);
1919 p->pipe_bound = False;
1920 }
1921
1922 /*
1923 * and marshall it.
1924 */
1925
1926 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1927 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1928 goto err_exit;
1929 }
1930
1931 /*
1932 * Create the header, now we know the length.
1933 */
1934
1935 if (prs_offset(&out_auth)) {
1936 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1937 }
1938
1939 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1940 p->hdr.call_id,
1941 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1942 auth_len);
1943
1944 /*
1945 * Marshall the header into the outgoing PDU.
1946 */
1947
1948 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1949 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1950 goto err_exit;
1951 }
1952
1953 /*
1954 * Now add the RPC_HDR_BA and any auth needed.
1955 */
1956
1957 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1958 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1959 goto err_exit;
1960 }
1961
1962 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1963 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1964 goto err_exit;
1965 }
1966
1967 /*
1968 * Setup the lengths for the initial reply.
1969 */
1970
1971 p->out_data.data_sent_length = 0;
1972 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1973 p->out_data.current_pdu_sent = 0;
1974
1975 prs_mem_free(&out_hdr_ba);
1976 prs_mem_free(&out_auth);
1977
1978 return True;
1979
1980 err_exit:
1981
1982 prs_mem_free(&outgoing_rpc);
1983 prs_mem_free(&out_hdr_ba);
1984 prs_mem_free(&out_auth);
1985 return setup_bind_nak(p);
1986 }
1987
1988 /****************************************************************************
1989 Deal with NTLMSSP sign & seal processing on an RPC request.
1990 ****************************************************************************/
1991
1992 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1993 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1994 {
1995 RPC_HDR_AUTH auth_info;
1996 uint32 auth_len = p->hdr.auth_len;
1997 uint32 save_offset = prs_offset(rpc_in);
1998 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1999 unsigned char *data = NULL;
2000 size_t data_len;
2001 unsigned char *full_packet_data = NULL;
2002 size_t full_packet_data_len;
2003 DATA_BLOB auth_blob;
2004
2005 *pstatus = NT_STATUS_OK;
2006
2007 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2008 return True;
2009 }
2010
2011 if (!a) {
2012 *pstatus = NT_STATUS_INVALID_PARAMETER;
2013 return False;
2014 }
2015
2016 /* Ensure there's enough data for an authenticated request. */
2017 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2018 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2019 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2020 (unsigned int)auth_len ));
2021 *pstatus = NT_STATUS_INVALID_PARAMETER;
2022 return False;
2023 }
2024
2025 /*
2026 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2027 * after the RPC header.
2028 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2029 * functions as NTLMv2 checks the rpc headers also.
2030 */
2031
2032 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2033 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2034
2035 full_packet_data = p->in_data.current_in_pdu;
2036 full_packet_data_len = p->hdr.frag_len - auth_len;
2037
2038 /* Pull the auth header and the following data into a blob. */
2039 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2040 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2041 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2042 *pstatus = NT_STATUS_INVALID_PARAMETER;
2043 return False;
2044 }
2045
2046 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2047 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2048 *pstatus = NT_STATUS_INVALID_PARAMETER;
2049 return False;
2050 }
2051
2052 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2053 auth_blob.length = auth_len;
2054
2055 switch (p->auth.auth_level) {
2056 case PIPE_AUTH_LEVEL_PRIVACY:
2057 /* Data is encrypted. */
2058 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2059 data, data_len,
2060 full_packet_data,
2061 full_packet_data_len,
2062 &auth_blob);
2063 if (!NT_STATUS_IS_OK(*pstatus)) {
2064 return False;
2065 }
2066 break;
2067 case PIPE_AUTH_LEVEL_INTEGRITY:
2068 /* Data is signed. */
2069 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2070 data, data_len,
2071 full_packet_data,
2072 full_packet_data_len,
2073 &auth_blob);
2074 if (!NT_STATUS_IS_OK(*pstatus)) {
2075 return False;
2076 }
2077 break;
2078 default:
2079 *pstatus = NT_STATUS_INVALID_PARAMETER;
2080 return False;
2081 }
2082
2083 /*
2084 * Return the current pointer to the data offset.
2085 */
2086
2087 if(!prs_set_offset(rpc_in, save_offset)) {
2088 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2089 (unsigned int)save_offset ));
2090 *pstatus = NT_STATUS_INVALID_PARAMETER;
2091 return False;
2092 }
2093
2094 /*
2095 * Remember the padding length. We must remove it from the real data
2096 * stream once the sign/seal is done.
2097 */
2098
2099 *p_ss_padding_len = auth_info.auth_pad_len;
2100
2101 return True;
2102 }
2103
2104 /****************************************************************************
2105 Deal with schannel processing on an RPC request.
2106 ****************************************************************************/
2107
2108 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2109 {
2110 uint32 data_len;
2111 uint32 auth_len;
2112 uint32 save_offset = prs_offset(rpc_in);
2113 RPC_HDR_AUTH auth_info;
2114 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2115
2116 auth_len = p->hdr.auth_len;
2117
2118 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2119 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2120 return False;
2121 }
2122
2123 /*
2124 * The following is that length of the data we must verify or unseal.
2125 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2126 * preceeding the auth_data.
2127 */
2128
2129 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2130 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2131 (unsigned int)p->hdr.frag_len,
2132 (unsigned int)auth_len ));
2133 return False;
2134 }
2135
2136 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2137 RPC_HDR_AUTH_LEN - auth_len;
2138
2139 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2140
2141 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2142 DEBUG(0,("cannot move offset to %u.\n",
2143 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2144 return False;
2145 }
2146
2147 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2148 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2149 return False;
2150 }
2151
2152 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2153 DEBUG(0,("Invalid auth info %d on schannel\n",
2154 auth_info.auth_type));
2155 return False;
2156 }
2157
2158 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2159 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2160 return False;
2161 }
2162
2163 if (!schannel_decode(p->auth.a_u.schannel_auth,
2164 p->auth.auth_level,
2165 SENDER_IS_INITIATOR,
2166 &schannel_chk,
2167 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2168 DEBUG(3,("failed to decode PDU\n"));
2169 return False;
2170 }
2171
2172 /*
2173 * Return the current pointer to the data offset.
2174 */
2175
2176 if(!prs_set_offset(rpc_in, save_offset)) {
2177 DEBUG(0,("failed to set offset back to %u\n",
2178 (unsigned int)save_offset ));
2179 return False;
2180 }
2181
2182 /* The sequence number gets incremented on both send and receive. */
2183 p->auth.a_u.schannel_auth->seq_num++;
2184
2185 /*
2186 * Remember the padding length. We must remove it from the real data
2187 * stream once the sign/seal is done.
2188 */
2189
2190 *p_ss_padding_len = auth_info.auth_pad_len;
2191
2192 return True;
2193 }
2194
2195 /****************************************************************************
2196 Return a user struct for a pipe user.
2197 ****************************************************************************/
2198
2199 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2200 {
2201 if (p->pipe_bound &&
2202 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2203 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2204 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2205 } else {
2206 memcpy(user, &current_user, sizeof(struct current_user));
2207 }
2208
2209 return user;
2210 }
2211
2212 /****************************************************************************
2213 Find the set of RPC functions associated with this context_id
2214 ****************************************************************************/
2215
2216 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2217 {
2218 PIPE_RPC_FNS *fns = NULL;
2219 PIPE_RPC_FNS *tmp = NULL;
2220
2221 if ( !list ) {
2222 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2223 return NULL;
2224 }
2225
2226 for (tmp=list; tmp; tmp=tmp->next ) {
2227 if ( tmp->context_id == context_id )
2228 break;
2229 }
2230
2231 fns = tmp;
2232
2233 return fns;
2234 }
2235
2236 /****************************************************************************
2237 Memory cleanup.
2238 ****************************************************************************/
2239
2240 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2241 {
2242 PIPE_RPC_FNS *tmp = list;
2243 PIPE_RPC_FNS *tmp2;
2244
2245 while (tmp) {
2246 tmp2 = tmp->next;
2247 SAFE_FREE(tmp);
2248 tmp = tmp2;
2249 }
2250
2251 return;
2252 }
2253
2254 /****************************************************************************
2255 Find the correct RPC function to call for this request.
2256 If the pipe is authenticated then become the correct UNIX user
2257 before doing the call.
2258 ****************************************************************************/
2259
2260 bool api_pipe_request(pipes_struct *p)
2261 {
2262 bool ret = False;
2263 bool changed_user = False;
2264 PIPE_RPC_FNS *pipe_fns;
2265
2266 if (p->pipe_bound &&
2267 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2268 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2269 if(!become_authenticated_pipe_user(p)) {
2270 prs_mem_free(&p->out_data.rdata);
2271 return False;
2272 }
2273 changed_user = True;
2274 }
2275
2276 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2277
2278 /* get the set of RPC functions for this context */
2279
2280 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2281
2282 if ( pipe_fns ) {
2283 TALLOC_CTX *frame = talloc_stackframe();
2284 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2285 TALLOC_FREE(frame);
2286 }
2287 else {
2288 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2289 p->hdr_req.context_id, p->name));
2290 }
2291
2292 if (changed_user) {
2293 unbecome_authenticated_pipe_user();
2294 }
2295
2296 return ret;
2297 }
2298
2299 /*******************************************************************
2300 Calls the underlying RPC function for a named pipe.
2301 ********************************************************************/
2302
2303 bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2304 const struct api_struct *api_rpc_cmds, int n_cmds)
2305 {
2306 int fn_num;
2307 fstring name;
2308 uint32 offset1, offset2;
2309
2310 /* interpret the command */
2311 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2312
2313 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2314 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2315
2316 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2317 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2318 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2319 break;
2320 }
2321 }
2322
2323 if (fn_num == n_cmds) {
2324 /*
2325 * For an unknown RPC just return a fault PDU but
2326 * return True to allow RPC's on the pipe to continue
2327 * and not put the pipe into fault state. JRA.
2328 */
2329 DEBUG(4, ("unknown\n"));
2330 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2331 return True;
2332 }
2333
2334 offset1 = prs_offset(&p->out_data.rdata);
2335
2336 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2337 fn_num, api_rpc_cmds[fn_num].fn));
2338 /* do the actual command */
2339 if(!api_rpc_cmds[fn_num].fn(p)) {
2340 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2341 prs_mem_free(&p->out_data.rdata);
2342 return False;
2343 }
2344
2345 if (p->bad_handle_fault_state) {
2346 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2347 p->bad_handle_fault_state = False;
2348 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2349 return True;
2350 }
2351
2352 if (p->rng_fault_state) {
2353 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2354 p->rng_fault_state = False;
2355 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2356 return True;
2357 }
2358
2359 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2360 offset2 = prs_offset(&p->out_data.rdata);
2361 prs_set_offset(&p->out_data.rdata, offset1);
2362 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2363 prs_set_offset(&p->out_data.rdata, offset2);
2364
2365 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2366
2367 /* Check for buffer underflow in rpc parsing */
2368
2369 if ((DEBUGLEVEL >= 10) &&
2370 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2371 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2372 char *data = (char *)SMB_MALLOC(data_len);
2373
2374 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2375 if (data) {
2376 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2377 SAFE_FREE(data);
2378 }
2379
2380 }
2381
2382 return True;
2383 }
reg import