search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:libsmb: add tstream_is_cli_np()
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob98de58c5574b70b5428bb54fcf2452f51667fb86
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "dcesrv_ntlmssp.h"
36 #include "dcesrv_gssapi.h"
37 #include "dcesrv_spnego.h"
38 #include "rpc_server.h"
39 #include "rpc_dce.h"
40
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_RPC_SRV
43
44 /**
45 * Dump everything from the start of the end up of the provided data
46 * into a file, but only at debug level >= 50
47 **/
48 static void dump_pdu_region(const char *name, int v,
49 DATA_BLOB *data, size_t start, size_t end)
50 {
51 int fd, i;
52 char *fname = NULL;
53 ssize_t sz;
54
55 if (DEBUGLEVEL < 50) return;
56
57 if (start > data->length || end > data->length || start > end) return;
58
59 for (i = 1; i < 100; i++) {
60 if (v != -1) {
61 fname = talloc_asprintf(talloc_tos(),
62 "/tmp/%s_%d.%d.prs",
63 name, v, i);
64 } else {
65 fname = talloc_asprintf(talloc_tos(),
66 "/tmp/%s_%d.prs",
67 name, i);
68 }
69 if (!fname) {
70 return;
71 }
72 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
73 if (fd != -1 || errno != EEXIST) break;
74 }
75 if (fd != -1) {
76 sz = write(fd, data->data + start, end - start);
77 i = close(fd);
78 if ((sz != end - start) || (i != 0) ) {
79 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
80 fname, (unsigned long)sz,
81 (unsigned long)end - start, i));
82 } else {
83 DEBUG(0,("created %s\n", fname));
84 }
85 }
86 TALLOC_FREE(fname);
87 }
88
89 static DATA_BLOB generic_session_key(void)
90 {
91 return data_blob("SystemLibraryDTC", 16);
92 }
93
94 /*******************************************************************
95 Generate the next PDU to be returned from the data.
96 ********************************************************************/
97
98 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
99 struct pipe_auth_data *auth,
100 uint32_t call_id,
101 DATA_BLOB *rdata,
102 size_t data_sent_length,
103 DATA_BLOB *frag,
104 size_t *pdu_size)
105 {
106 union dcerpc_payload u;
107 uint8_t pfc_flags;
108 size_t data_left;
109 size_t data_to_send;
110 size_t frag_len;
111 size_t pad_len = 0;
112 size_t auth_len = 0;
113 NTSTATUS status;
114
115 ZERO_STRUCT(u.response);
116
117 /* Set up rpc packet pfc flags. */
118 if (data_sent_length == 0) {
119 pfc_flags = DCERPC_PFC_FLAG_FIRST;
120 } else {
121 pfc_flags = 0;
122 }
123
124 /* Work out how much we can fit in a single PDU. */
125 data_left = rdata->length - data_sent_length;
126
127 /* Ensure there really is data left to send. */
128 if (!data_left) {
129 DEBUG(0, ("No data left to send !\n"));
130 return NT_STATUS_BUFFER_TOO_SMALL;
131 }
132
133 status = dcerpc_guess_sizes(auth,
134 DCERPC_RESPONSE_LENGTH,
135 data_left,
136 RPC_MAX_PDU_FRAG_LEN,
137 SERVER_NDR_PADDING_SIZE,
138 &data_to_send, &frag_len,
139 &auth_len, &pad_len);
140 if (!NT_STATUS_IS_OK(status)) {
141 return status;
142 }
143
144 /* Set up the alloc hint. This should be the data left to send. */
145 u.response.alloc_hint = data_left;
146
147 /* Work out if this PDU will be the last. */
148 if (data_sent_length + data_to_send >= rdata->length) {
149 pfc_flags |= DCERPC_PFC_FLAG_LAST;
150 }
151
152 /* Prepare data to be NDR encoded. */
153 u.response.stub_and_verifier =
154 data_blob_const(rdata->data + data_sent_length, data_to_send);
155
156 /* Store the packet in the data stream. */
157 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
158 pfc_flags, auth_len, call_id,
159 &u, frag);
160 if (!NT_STATUS_IS_OK(status)) {
161 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
162 return status;
163 }
164
165 if (auth_len) {
166 /* Set the proper length on the pdu, including padding.
167 * Only needed if an auth trailer will be appended. */
168 dcerpc_set_frag_length(frag, frag->length
169 + pad_len
170 + DCERPC_AUTH_TRAILER_LENGTH
171 + auth_len);
172 }
173
174 if (auth_len) {
175 status = dcerpc_add_auth_footer(auth, pad_len, frag);
176 if (!NT_STATUS_IS_OK(status)) {
177 data_blob_free(frag);
178 return status;
179 }
180 }
181
182 *pdu_size = data_to_send;
183 return NT_STATUS_OK;
184 }
185
186 /*******************************************************************
187 Generate the next PDU to be returned from the data in p->rdata.
188 ********************************************************************/
189
190 bool create_next_pdu(struct pipes_struct *p)
191 {
192 size_t pdu_size = 0;
193 NTSTATUS status;
194
195 /*
196 * If we're in the fault state, keep returning fault PDU's until
197 * the pipe gets closed. JRA.
198 */
199 if (p->fault_state) {
200 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
201 return true;
202 }
203
204 status = create_next_packet(p->mem_ctx, &p->auth,
205 p->call_id, &p->out_data.rdata,
206 p->out_data.data_sent_length,
207 &p->out_data.frag, &pdu_size);
208 if (!NT_STATUS_IS_OK(status)) {
209 DEBUG(0, ("Failed to create packet with error %s, "
210 "(auth level %u / type %u)\n",
211 nt_errstr(status),
212 (unsigned int)p->auth.auth_level,
213 (unsigned int)p->auth.auth_type));
214 return false;
215 }
216
217 /* Setup the counts for this PDU. */
218 p->out_data.data_sent_length += pdu_size;
219 p->out_data.current_pdu_sent = 0;
220 return true;
221 }
222
223
224 static bool pipe_init_outgoing_data(struct pipes_struct *p);
225
226 /*******************************************************************
227 Marshall a bind_nak pdu.
228 *******************************************************************/
229
230 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
231 {
232 NTSTATUS status;
233 union dcerpc_payload u;
234
235 /* Free any memory in the current return data buffer. */
236 pipe_init_outgoing_data(p);
237
238 /*
239 * Initialize a bind_nak header.
240 */
241
242 ZERO_STRUCT(u);
243
244 u.bind_nak.reject_reason = 0;
245
246 /*
247 * Marshall directly into the outgoing PDU space. We
248 * must do this as we need to set to the bind response
249 * header and are never sending more than one PDU here.
250 */
251
252 status = dcerpc_push_ncacn_packet(p->mem_ctx,
253 DCERPC_PKT_BIND_NAK,
254 DCERPC_PFC_FLAG_FIRST |
255 DCERPC_PFC_FLAG_LAST,
256 0,
257 pkt->call_id,
258 &u,
259 &p->out_data.frag);
260 if (!NT_STATUS_IS_OK(status)) {
261 return False;
262 }
263
264 p->out_data.data_sent_length = 0;
265 p->out_data.current_pdu_sent = 0;
266
267 TALLOC_FREE(p->auth.auth_ctx);
268 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
269 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
270 p->pipe_bound = False;
271
272 return True;
273 }
274
275 /*******************************************************************
276 Marshall a fault pdu.
277 *******************************************************************/
278
279 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
280 {
281 NTSTATUS status;
282 union dcerpc_payload u;
283
284 /* Free any memory in the current return data buffer. */
285 pipe_init_outgoing_data(p);
286
287 /*
288 * Initialize a fault header.
289 */
290
291 ZERO_STRUCT(u);
292
293 u.fault.status = NT_STATUS_V(fault_status);
294 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
295
296 /*
297 * Marshall directly into the outgoing PDU space. We
298 * must do this as we need to set to the bind response
299 * header and are never sending more than one PDU here.
300 */
301
302 status = dcerpc_push_ncacn_packet(p->mem_ctx,
303 DCERPC_PKT_FAULT,
304 DCERPC_PFC_FLAG_FIRST |
305 DCERPC_PFC_FLAG_LAST |
306 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
307 0,
308 p->call_id,
309 &u,
310 &p->out_data.frag);
311 if (!NT_STATUS_IS_OK(status)) {
312 return False;
313 }
314
315 p->out_data.data_sent_length = 0;
316 p->out_data.current_pdu_sent = 0;
317
318 return True;
319 }
320
321 /*******************************************************************
322 Ensure a bind request has the correct abstract & transfer interface.
323 Used to reject unknown binds from Win2k.
324 *******************************************************************/
325
326 static bool check_bind_req(struct pipes_struct *p,
327 struct ndr_syntax_id* abstract,
328 struct ndr_syntax_id* transfer,
329 uint32 context_id)
330 {
331 struct pipe_rpc_fns *context_fns;
332
333 DEBUG(3,("check_bind_req for %s\n",
334 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
335
336 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
337 if (rpc_srv_pipe_exists_by_id(abstract) &&
338 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
339 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
340 rpc_srv_get_pipe_cli_name(abstract),
341 rpc_srv_get_pipe_srv_name(abstract)));
342 } else {
343 return false;
344 }
345
346 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
347 if (context_fns == NULL) {
348 DEBUG(0,("check_bind_req: malloc() failed!\n"));
349 return False;
350 }
351
352 context_fns->next = context_fns->prev = NULL;
353 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
354 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
355 context_fns->context_id = context_id;
356
357 /* add to the list of open contexts */
358
359 DLIST_ADD( p->contexts, context_fns );
360
361 return True;
362 }
363
364 /**
365 * Is a named pipe known?
366 * @param[in] cli_filename The pipe name requested by the client
367 * @result Do we want to serve this?
368 */
369 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
370 {
371 const char *pipename = cli_filename;
372 NTSTATUS status;
373
374 if (strnequal(pipename, "\\PIPE\\", 6)) {
375 pipename += 5;
376 }
377
378 if (*pipename == '\\') {
379 pipename += 1;
380 }
381
382 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
383 DEBUG(10, ("refusing spoolss access\n"));
384 return false;
385 }
386
387 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
388 return true;
389 }
390
391 status = smb_probe_module("rpc", pipename);
392 if (!NT_STATUS_IS_OK(status)) {
393 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
394 return false;
395 }
396 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
397
398 /*
399 * Scan the list again for the interface id
400 */
401 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
402 return true;
403 }
404
405 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
406 pipename));
407
408 return false;
409 }
410
411 /*******************************************************************
412 Handle the first part of a SPNEGO bind auth.
413 *******************************************************************/
414
415 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
416 TALLOC_CTX *mem_ctx,
417 struct dcerpc_auth *auth_info,
418 DATA_BLOB *response)
419 {
420 struct spnego_context *spnego_ctx;
421 NTSTATUS status;
422
423 status = spnego_server_auth_start(p,
424 (auth_info->auth_level ==
425 DCERPC_AUTH_LEVEL_INTEGRITY),
426 (auth_info->auth_level ==
427 DCERPC_AUTH_LEVEL_PRIVACY),
428 true,
429 &auth_info->credentials,
430 response,
431 &spnego_ctx);
432 if (!NT_STATUS_IS_OK(status)) {
433 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
434 nt_errstr(status)));
435 return false;
436 }
437
438 /* Make sure data is bound to the memctx, to be freed the caller */
439 talloc_steal(mem_ctx, response->data);
440
441 p->auth.auth_ctx = spnego_ctx;
442 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
443
444 DEBUG(10, ("SPNEGO auth started\n"));
445
446 return true;
447 }
448
449 /*******************************************************************
450 Handle an schannel bind auth.
451 *******************************************************************/
452
453 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
454 TALLOC_CTX *mem_ctx,
455 struct dcerpc_auth *auth_info,
456 DATA_BLOB *response)
457 {
458 struct NL_AUTH_MESSAGE neg;
459 struct NL_AUTH_MESSAGE reply;
460 bool ret;
461 NTSTATUS status;
462 struct netlogon_creds_CredentialState *creds;
463 DATA_BLOB session_key;
464 enum ndr_err_code ndr_err;
465 struct schannel_state *schannel_auth;
466
467 ndr_err = ndr_pull_struct_blob(
468 &auth_info->credentials, mem_ctx, &neg,
469 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
470 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
471 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
472 return false;
473 }
474
475 if (DEBUGLEVEL >= 10) {
476 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
477 }
478
479 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
480 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
481 return false;
482 }
483
484 /*
485 * The neg.oem_netbios_computer.a key here must match the remote computer name
486 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
487 * operations that use credentials.
488 */
489
490 become_root();
491 status = schannel_get_creds_state(p, lp_private_dir(),
492 neg.oem_netbios_computer.a, &creds);
493 unbecome_root();
494
495 if (!NT_STATUS_IS_OK(status)) {
496 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
497 return False;
498 }
499
500 schannel_auth = talloc(p, struct schannel_state);
501 if (!schannel_auth) {
502 TALLOC_FREE(creds);
503 return False;
504 }
505
506 schannel_auth->state = SCHANNEL_STATE_START;
507 schannel_auth->seq_num = 0;
508 schannel_auth->initiator = false;
509 schannel_auth->creds = creds;
510
511 /*
512 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
513 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
514 * struct of the person who opened the pipe. I need to test this further. JRA.
515 *
516 * VL. As we are mapping this to guest set the generic key
517 * "SystemLibraryDTC" key here. It's a bit difficult to test against
518 * W2k3, as it does not allow schannel binds against SAMR and LSA
519 * anymore.
520 */
521
522 session_key = generic_session_key();
523 if (session_key.data == NULL) {
524 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
525 " key\n"));
526 return false;
527 }
528
529 ret = server_info_set_session_key(p->server_info, session_key);
530
531 data_blob_free(&session_key);
532
533 if (!ret) {
534 DEBUG(0, ("server_info_set_session_key failed\n"));
535 return false;
536 }
537
538 /*** SCHANNEL verifier ***/
539
540 reply.MessageType = NL_NEGOTIATE_RESPONSE;
541 reply.Flags = 0;
542 reply.Buffer.dummy = 5; /* ??? actually I don't think
543 * this has any meaning
544 * here - gd */
545
546 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
547 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
548 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
549 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
550 return false;
551 }
552
553 if (DEBUGLEVEL >= 10) {
554 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
555 }
556
557 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
558 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
559
560 /* We're finished with this bind - no more packets. */
561 p->auth.auth_ctx = schannel_auth;
562 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
563
564 p->pipe_bound = True;
565
566 return True;
567 }
568
569 /*******************************************************************
570 Handle an NTLMSSP bind auth.
571 *******************************************************************/
572
573 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
574 TALLOC_CTX *mem_ctx,
575 struct dcerpc_auth *auth_info,
576 DATA_BLOB *response)
577 {
578 struct auth_ntlmssp_state *ntlmssp_state = NULL;
579 NTSTATUS status;
580
581 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
582 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
583 return false;
584 }
585
586 /* We have an NTLMSSP blob. */
587 status = ntlmssp_server_auth_start(p,
588 (auth_info->auth_level ==
589 DCERPC_AUTH_LEVEL_INTEGRITY),
590 (auth_info->auth_level ==
591 DCERPC_AUTH_LEVEL_PRIVACY),
592 true,
593 &auth_info->credentials,
594 response,
595 &ntlmssp_state);
596 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
597 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
598 nt_errstr(status)));
599 return false;
600 }
601
602 /* Make sure data is bound to the memctx, to be freed the caller */
603 talloc_steal(mem_ctx, response->data);
604
605 p->auth.auth_ctx = ntlmssp_state;
606 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
607
608 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
609
610 return true;
611 }
612
613 /*******************************************************************
614 Process an NTLMSSP authentication response.
615 If this function succeeds, the user has been authenticated
616 and their domain, name and calling workstation stored in
617 the pipe struct.
618 *******************************************************************/
619
620 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
621 struct auth_ntlmssp_state *ntlmssp_ctx,
622 enum dcerpc_AuthLevel auth_level,
623 struct client_address *client_id,
624 struct ndr_syntax_id *syntax,
625 struct auth_serversupplied_info **server_info)
626 {
627 DATA_BLOB session_key;
628 NTSTATUS status;
629 bool ret;
630
631 DEBUG(5, (__location__ ": pipe %s checking user details\n",
632 get_pipe_name_from_syntax(talloc_tos(), syntax)));
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 status = ntlmssp_server_check_flags(ntlmssp_ctx,
639 (auth_level ==
640 DCERPC_AUTH_LEVEL_INTEGRITY),
641 (auth_level ==
642 DCERPC_AUTH_LEVEL_PRIVACY));
643 if (!NT_STATUS_IS_OK(status)) {
644 DEBUG(0, (__location__ ": Client failed to negotatie proper "
645 "security for pipe %s\n",
646 get_pipe_name_from_syntax(talloc_tos(), syntax)));
647 return false;
648 }
649
650 TALLOC_FREE(*server_info);
651
652 status = ntlmssp_server_get_user_info(ntlmssp_ctx,
653 mem_ctx, server_info);
654 if (!NT_STATUS_IS_OK(status)) {
655 DEBUG(0, (__location__ ": failed to obtain the server info "
656 "for authenticated user: %s\n", nt_errstr(status)));
657 return false;
658 }
659
660 if ((*server_info)->ptok == NULL) {
661 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
662 return false;
663 }
664
665 /*
666 * We're an authenticated bind over smb, so the session key needs to
667 * be set to "SystemLibraryDTC". Weird, but this is what Windows
668 * does. See the RPC-SAMBA3SESSIONKEY.
669 */
670
671 session_key = generic_session_key();
672 if (session_key.data == NULL) {
673 return false;
674 }
675
676 ret = server_info_set_session_key((*server_info), session_key);
677 data_blob_free(&session_key);
678 if (!ret) {
679 DEBUG(0, ("Failed to set session key!\n"));
680 return false;
681 }
682
683 return true;
684 }
685
686 /*******************************************************************
687 Handle a GSSAPI bind auth.
688 *******************************************************************/
689
690 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
691 TALLOC_CTX *mem_ctx,
692 struct dcerpc_auth *auth_info,
693 DATA_BLOB *response)
694 {
695 NTSTATUS status;
696 struct gse_context *gse_ctx = NULL;
697
698 status = gssapi_server_auth_start(p,
699 (auth_info->auth_level ==
700 DCERPC_AUTH_LEVEL_INTEGRITY),
701 (auth_info->auth_level ==
702 DCERPC_AUTH_LEVEL_PRIVACY),
703 true,
704 &auth_info->credentials,
705 response,
706 &gse_ctx);
707 if (!NT_STATUS_IS_OK(status)) {
708 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
709 nt_errstr(status)));
710 goto err;
711 }
712
713 /* Make sure data is bound to the memctx, to be freed the caller */
714 talloc_steal(mem_ctx, response->data);
715
716 p->auth.auth_ctx = gse_ctx;
717 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
718
719 DEBUG(10, ("KRB5 auth started\n"));
720
721 return true;
722
723 err:
724 TALLOC_FREE(gse_ctx);
725 return false;
726 }
727
728 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
729 struct gse_context *gse_ctx,
730 struct client_address *client_id,
731 struct auth_serversupplied_info **server_info)
732 {
733 DATA_BLOB session_key;
734 NTSTATUS status;
735 bool bret;
736
737 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
738 ensure the underlying flags are also set. If not we should
739 refuse the bind. */
740
741 status = gssapi_server_check_flags(gse_ctx);
742 if (!NT_STATUS_IS_OK(status)) {
743 DEBUG(0, ("Requested Security Layers not honored!\n"));
744 return status;
745 }
746
747 status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
748 client_id, server_info);
749 if (!NT_STATUS_IS_OK(status)) {
750 DEBUG(0, (__location__ ": failed to obtain the server info "
751 "for authenticated user: %s\n", nt_errstr(status)));
752 return status;
753 }
754
755 if ((*server_info)->ptok == NULL) {
756 status = create_local_token(*server_info);
757 if (!NT_STATUS_IS_OK(status)) {
758 DEBUG(1, ("Failed to create local user token (%s)\n",
759 nt_errstr(status)));
760 status = NT_STATUS_ACCESS_DENIED;
761 return status;
762 }
763 }
764
765 /* TODO: this is what the ntlmssp code does with the session_key, check
766 * it is ok with gssapi too */
767 /*
768 * We're an authenticated bind over smb, so the session key needs to
769 * be set to "SystemLibraryDTC". Weird, but this is what Windows
770 * does. See the RPC-SAMBA3SESSIONKEY.
771 */
772
773 session_key = generic_session_key();
774 if (session_key.data == NULL) {
775 return NT_STATUS_ACCESS_DENIED;
776 }
777
778 bret = server_info_set_session_key((*server_info), session_key);
779 data_blob_free(&session_key);
780 if (!bret) {
781 return NT_STATUS_ACCESS_DENIED;
782 }
783
784 return NT_STATUS_OK;
785 }
786
787 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
788 {
789 enum spnego_mech auth_type;
790 struct auth_ntlmssp_state *ntlmssp_ctx;
791 struct spnego_context *spnego_ctx;
792 struct gse_context *gse_ctx;
793 void *mech_ctx;
794 NTSTATUS status;
795
796 switch (p->auth.auth_type) {
797 case DCERPC_AUTH_TYPE_NTLMSSP:
798 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
799 struct auth_ntlmssp_state);
800 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
801 p->auth.auth_level,
802 p->client_id, &p->syntax,
803 &p->server_info)) {
804 return NT_STATUS_ACCESS_DENIED;
805 }
806 break;
807 case DCERPC_AUTH_TYPE_KRB5:
808 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
809 struct gse_context);
810 status = pipe_gssapi_verify_final(p, gse_ctx,
811 p->client_id,
812 &p->server_info);
813 if (!NT_STATUS_IS_OK(status)) {
814 DEBUG(1, ("gssapi bind failed with: %s",
815 nt_errstr(status)));
816 return status;
817 }
818 break;
819 case DCERPC_AUTH_TYPE_SPNEGO:
820 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
821 struct spnego_context);
822 status = spnego_get_negotiated_mech(spnego_ctx,
823 &auth_type, &mech_ctx);
824 if (!NT_STATUS_IS_OK(status)) {
825 DEBUG(0, ("Bad SPNEGO state (%s)\n",
826 nt_errstr(status)));
827 return status;
828 }
829 switch(auth_type) {
830 case SPNEGO_KRB5:
831 gse_ctx = talloc_get_type_abort(mech_ctx,
832 struct gse_context);
833 status = pipe_gssapi_verify_final(p, gse_ctx,
834 p->client_id,
835 &p->server_info);
836 if (!NT_STATUS_IS_OK(status)) {
837 DEBUG(1, ("gssapi bind failed with: %s",
838 nt_errstr(status)));
839 return status;
840 }
841 break;
842 case SPNEGO_NTLMSSP:
843 ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
844 struct auth_ntlmssp_state);
845 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
846 p->auth.auth_level,
847 p->client_id,
848 &p->syntax,
849 &p->server_info)) {
850 return NT_STATUS_ACCESS_DENIED;
851 }
852 break;
853 default:
854 DEBUG(0, (__location__ ": incorrect spnego type "
855 "(%d).\n", auth_type));
856 return NT_STATUS_ACCESS_DENIED;
857 }
858 break;
859 default:
860 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
861 (unsigned int)p->auth.auth_type));
862 return NT_STATUS_ACCESS_DENIED;
863 }
864
865 p->pipe_bound = true;
866
867 return NT_STATUS_OK;
868 }
869
870 /*******************************************************************
871 Respond to a pipe bind request.
872 *******************************************************************/
873
874 static bool api_pipe_bind_req(struct pipes_struct *p,
875 struct ncacn_packet *pkt)
876 {
877 struct dcerpc_auth auth_info;
878 uint16 assoc_gid;
879 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
880 NTSTATUS status;
881 struct ndr_syntax_id id;
882 union dcerpc_payload u;
883 struct dcerpc_ack_ctx bind_ack_ctx;
884 DATA_BLOB auth_resp = data_blob_null;
885 DATA_BLOB auth_blob = data_blob_null;
886
887 /* No rebinds on a bound pipe - use alter context. */
888 if (p->pipe_bound) {
889 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
890 "pipe %s.\n",
891 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
892 return setup_bind_nak(p, pkt);
893 }
894
895 if (pkt->u.bind.num_contexts == 0) {
896 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
897 goto err_exit;
898 }
899
900 /*
901 * Try and find the correct pipe name to ensure
902 * that this is a pipe name we support.
903 */
904 id = pkt->u.bind.ctx_list[0].abstract_syntax;
905 if (rpc_srv_pipe_exists_by_id(&id)) {
906 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
907 rpc_srv_get_pipe_cli_name(&id),
908 rpc_srv_get_pipe_srv_name(&id)));
909 } else {
910 status = smb_probe_module(
911 "rpc", get_pipe_name_from_syntax(
912 talloc_tos(),
913 &pkt->u.bind.ctx_list[0].abstract_syntax));
914
915 if (NT_STATUS_IS_ERR(status)) {
916 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
917 get_pipe_name_from_syntax(
918 talloc_tos(),
919 &pkt->u.bind.ctx_list[0].abstract_syntax)));
920
921 return setup_bind_nak(p, pkt);
922 }
923
924 if (rpc_srv_get_pipe_interface_by_cli_name(
925 get_pipe_name_from_syntax(talloc_tos(),
926 &p->syntax),
927 &id)) {
928 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
929 rpc_srv_get_pipe_cli_name(&id),
930 rpc_srv_get_pipe_srv_name(&id)));
931 } else {
932 DEBUG(0, ("module %s doesn't provide functions for "
933 "pipe %s!\n",
934 get_pipe_name_from_syntax(talloc_tos(),
935 &p->syntax),
936 get_pipe_name_from_syntax(talloc_tos(),
937 &p->syntax)));
938 return setup_bind_nak(p, pkt);
939 }
940 }
941
942 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
943
944 if (pkt->u.bind.assoc_group_id != 0) {
945 assoc_gid = pkt->u.bind.assoc_group_id;
946 } else {
947 assoc_gid = 0x53f0;
948 }
949
950 /*
951 * Create the bind response struct.
952 */
953
954 /* If the requested abstract synt uuid doesn't match our client pipe,
955 reject the bind_ack & set the transfer interface synt to all 0's,
956 ver 0 (observed when NT5 attempts to bind to abstract interfaces
957 unknown to NT4)
958 Needed when adding entries to a DACL from NT5 - SK */
959
960 if (check_bind_req(p,
961 &pkt->u.bind.ctx_list[0].abstract_syntax,
962 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
963 pkt->u.bind.ctx_list[0].context_id)) {
964
965 bind_ack_ctx.result = 0;
966 bind_ack_ctx.reason = 0;
967 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
968 } else {
969 p->pipe_bound = False;
970 /* Rejection reason: abstract syntax not supported */
971 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
972 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
973 bind_ack_ctx.syntax = null_ndr_syntax_id;
974 }
975
976 /*
977 * Check if this is an authenticated bind request.
978 */
979 if (pkt->auth_length) {
980 /* Quick length check. Won't catch a bad auth footer,
981 * prevents overrun. */
982
983 if (pkt->frag_length < RPC_HEADER_LEN +
984 DCERPC_AUTH_TRAILER_LENGTH +
985 pkt->auth_length) {
986 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
987 "too long for fragment %u.\n",
988 (unsigned int)pkt->auth_length,
989 (unsigned int)pkt->frag_length));
990 goto err_exit;
991 }
992
993 /*
994 * Decode the authentication verifier.
995 */
996 status = dcerpc_pull_dcerpc_auth(pkt,
997 &pkt->u.bind.auth_info,
998 &auth_info, p->endian);
999 if (!NT_STATUS_IS_OK(status)) {
1000 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1001 goto err_exit;
1002 }
1003
1004 auth_type = auth_info.auth_type;
1005
1006 /* Work out if we have to sign or seal etc. */
1007 switch (auth_info.auth_level) {
1008 case DCERPC_AUTH_LEVEL_INTEGRITY:
1009 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1010 break;
1011 case DCERPC_AUTH_LEVEL_PRIVACY:
1012 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1013 break;
1014 default:
1015 DEBUG(0, ("Unexpected auth level (%u).\n",
1016 (unsigned int)auth_info.auth_level ));
1017 goto err_exit;
1018 }
1019
1020 switch (auth_type) {
1021 case DCERPC_AUTH_TYPE_NTLMSSP:
1022 if (!pipe_ntlmssp_auth_bind(p, pkt,
1023 &auth_info, &auth_resp)) {
1024 goto err_exit;
1025 }
1026 assoc_gid = 0x7a77;
1027 break;
1028
1029 case DCERPC_AUTH_TYPE_SCHANNEL:
1030 if (!pipe_schannel_auth_bind(p, pkt,
1031 &auth_info, &auth_resp)) {
1032 goto err_exit;
1033 }
1034 break;
1035
1036 case DCERPC_AUTH_TYPE_SPNEGO:
1037 if (!pipe_spnego_auth_bind(p, pkt,
1038 &auth_info, &auth_resp)) {
1039 goto err_exit;
1040 }
1041 break;
1042
1043 case DCERPC_AUTH_TYPE_KRB5:
1044 if (!pipe_gssapi_auth_bind(p, pkt,
1045 &auth_info, &auth_resp)) {
1046 goto err_exit;
1047 }
1048 break;
1049
1050 case DCERPC_AUTH_TYPE_NONE:
1051 break;
1052
1053 default:
1054 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1055 goto err_exit;
1056 }
1057 }
1058
1059 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1060 /* Unauthenticated bind request. */
1061 /* We're finished - no more packets. */
1062 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1063 /* We must set the pipe auth_level here also. */
1064 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1065 p->pipe_bound = True;
1066 /* The session key was initialized from the SMB
1067 * session in make_internal_rpc_pipe_p */
1068 }
1069
1070 ZERO_STRUCT(u.bind_ack);
1071 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1072 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1073 u.bind_ack.assoc_group_id = assoc_gid;
1074
1075 /* name has to be \PIPE\xxxxx */
1076 u.bind_ack.secondary_address =
1077 talloc_asprintf(pkt, "\\PIPE\\%s",
1078 rpc_srv_get_pipe_srv_name(&id));
1079 if (!u.bind_ack.secondary_address) {
1080 DEBUG(0, ("Out of memory!\n"));
1081 goto err_exit;
1082 }
1083 u.bind_ack.secondary_address_size =
1084 strlen(u.bind_ack.secondary_address) + 1;
1085
1086 u.bind_ack.num_results = 1;
1087 u.bind_ack.ctx_list = &bind_ack_ctx;
1088
1089 /* NOTE: We leave the auth_info empty so we can calculate the padding
1090 * later and then append the auth_info --simo */
1091
1092 /*
1093 * Marshall directly into the outgoing PDU space. We
1094 * must do this as we need to set to the bind response
1095 * header and are never sending more than one PDU here.
1096 */
1097
1098 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1099 DCERPC_PKT_BIND_ACK,
1100 DCERPC_PFC_FLAG_FIRST |
1101 DCERPC_PFC_FLAG_LAST,
1102 auth_resp.length,
1103 pkt->call_id,
1104 &u,
1105 &p->out_data.frag);
1106 if (!NT_STATUS_IS_OK(status)) {
1107 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1108 nt_errstr(status)));
1109 }
1110
1111 if (auth_resp.length) {
1112
1113 status = dcerpc_push_dcerpc_auth(pkt,
1114 auth_type,
1115 auth_info.auth_level,
1116 0,
1117 1, /* auth_context_id */
1118 &auth_resp,
1119 &auth_blob);
1120 if (!NT_STATUS_IS_OK(status)) {
1121 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1122 goto err_exit;
1123 }
1124 }
1125
1126 /* Now that we have the auth len store it into the right place in
1127 * the dcerpc header */
1128 dcerpc_set_frag_length(&p->out_data.frag,
1129 p->out_data.frag.length + auth_blob.length);
1130
1131 if (auth_blob.length) {
1132
1133 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1134 auth_blob.data, auth_blob.length)) {
1135 DEBUG(0, ("Append of auth info failed.\n"));
1136 goto err_exit;
1137 }
1138 }
1139
1140 /*
1141 * Setup the lengths for the initial reply.
1142 */
1143
1144 p->out_data.data_sent_length = 0;
1145 p->out_data.current_pdu_sent = 0;
1146
1147 TALLOC_FREE(auth_blob.data);
1148 return True;
1149
1150 err_exit:
1151
1152 data_blob_free(&p->out_data.frag);
1153 TALLOC_FREE(auth_blob.data);
1154 return setup_bind_nak(p, pkt);
1155 }
1156
1157 /*******************************************************************
1158 This is the "stage3" response after a bind request and reply.
1159 *******************************************************************/
1160
1161 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1162 {
1163 struct dcerpc_auth auth_info;
1164 DATA_BLOB response = data_blob_null;
1165 struct auth_ntlmssp_state *ntlmssp_ctx;
1166 struct spnego_context *spnego_ctx;
1167 struct gse_context *gse_ctx;
1168 NTSTATUS status;
1169
1170 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1171
1172 if (pkt->auth_length == 0) {
1173 DEBUG(0, ("No auth field sent for bind request!\n"));
1174 goto err;
1175 }
1176
1177 /* Ensure there's enough data for an authenticated request. */
1178 if (pkt->frag_length < RPC_HEADER_LEN
1179 + DCERPC_AUTH_TRAILER_LENGTH
1180 + pkt->auth_length) {
1181 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1182 "%u is too large.\n",
1183 (unsigned int)pkt->auth_length));
1184 goto err;
1185 }
1186
1187 /*
1188 * Decode the authentication verifier response.
1189 */
1190
1191 status = dcerpc_pull_dcerpc_auth(pkt,
1192 &pkt->u.auth3.auth_info,
1193 &auth_info, p->endian);
1194 if (!NT_STATUS_IS_OK(status)) {
1195 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1196 goto err;
1197 }
1198
1199 /* We must NEVER look at auth_info->auth_pad_len here,
1200 * as old Samba client code gets it wrong and sends it
1201 * as zero. JRA.
1202 */
1203
1204 if (auth_info.auth_type != p->auth.auth_type) {
1205 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1206 "but auth was started as type %d!\n",
1207 auth_info.auth_type, p->auth.auth_type));
1208 goto err;
1209 }
1210
1211 switch (auth_info.auth_type) {
1212 case DCERPC_AUTH_TYPE_NTLMSSP:
1213 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1214 struct auth_ntlmssp_state);
1215 status = ntlmssp_server_step(ntlmssp_ctx,
1216 pkt, &auth_info.credentials,
1217 &response);
1218 break;
1219 case DCERPC_AUTH_TYPE_KRB5:
1220 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1221 struct gse_context);
1222 status = gssapi_server_step(gse_ctx,
1223 pkt, &auth_info.credentials,
1224 &response);
1225 break;
1226 case DCERPC_AUTH_TYPE_SPNEGO:
1227 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1228 struct spnego_context);
1229 status = spnego_server_step(spnego_ctx,
1230 pkt, &auth_info.credentials,
1231 &response);
1232 break;
1233 default:
1234 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1235 (unsigned int)auth_info.auth_type));
1236 return false;
1237 }
1238
1239 if (NT_STATUS_EQUAL(status,
1240 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1241 response.length) {
1242 DEBUG(0, (__location__ ": This was supposed to be the final "
1243 "leg, but crypto machinery claims a response is "
1244 "needed, aborting auth!\n"));
1245 data_blob_free(&response);
1246 goto err;
1247 }
1248 if (!NT_STATUS_IS_OK(status)) {
1249 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1250 goto err;
1251 }
1252
1253 /* Now verify auth was indeed successful and extract server info */
1254 status = pipe_auth_verify_final(p);
1255 if (!NT_STATUS_IS_OK(status)) {
1256 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1257 goto err;
1258 }
1259
1260 return true;
1261
1262 err:
1263
1264 TALLOC_FREE(p->auth.auth_ctx);
1265 return false;
1266 }
1267
1268 /****************************************************************************
1269 Deal with an alter context call. Can be third part of 3 leg auth request for
1270 SPNEGO calls.
1271 ****************************************************************************/
1272
1273 static bool api_pipe_alter_context(struct pipes_struct *p,
1274 struct ncacn_packet *pkt)
1275 {
1276 struct dcerpc_auth auth_info;
1277 uint16 assoc_gid;
1278 NTSTATUS status;
1279 union dcerpc_payload u;
1280 struct dcerpc_ack_ctx bind_ack_ctx;
1281 DATA_BLOB auth_resp = data_blob_null;
1282 DATA_BLOB auth_blob = data_blob_null;
1283 int pad_len = 0;
1284 struct auth_ntlmssp_state *ntlmssp_ctx;
1285 struct spnego_context *spnego_ctx;
1286 struct gse_context *gse_ctx;
1287
1288 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1289
1290 if (pkt->u.bind.assoc_group_id != 0) {
1291 assoc_gid = pkt->u.bind.assoc_group_id;
1292 } else {
1293 assoc_gid = 0x53f0;
1294 }
1295
1296 /*
1297 * Create the bind response struct.
1298 */
1299
1300 /* If the requested abstract synt uuid doesn't match our client pipe,
1301 reject the bind_ack & set the transfer interface synt to all 0's,
1302 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1303 unknown to NT4)
1304 Needed when adding entries to a DACL from NT5 - SK */
1305
1306 if (check_bind_req(p,
1307 &pkt->u.bind.ctx_list[0].abstract_syntax,
1308 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1309 pkt->u.bind.ctx_list[0].context_id)) {
1310
1311 bind_ack_ctx.result = 0;
1312 bind_ack_ctx.reason = 0;
1313 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1314 } else {
1315 p->pipe_bound = False;
1316 /* Rejection reason: abstract syntax not supported */
1317 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1318 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1319 bind_ack_ctx.syntax = null_ndr_syntax_id;
1320 }
1321
1322 /*
1323 * Check if this is an authenticated alter context request.
1324 */
1325 if (pkt->auth_length) {
1326 /* Quick length check. Won't catch a bad auth footer,
1327 * prevents overrun. */
1328
1329 if (pkt->frag_length < RPC_HEADER_LEN +
1330 DCERPC_AUTH_TRAILER_LENGTH +
1331 pkt->auth_length) {
1332 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1333 "too long for fragment %u.\n",
1334 (unsigned int)pkt->auth_length,
1335 (unsigned int)pkt->frag_length ));
1336 goto err_exit;
1337 }
1338
1339 status = dcerpc_pull_dcerpc_auth(pkt,
1340 &pkt->u.bind.auth_info,
1341 &auth_info, p->endian);
1342 if (!NT_STATUS_IS_OK(status)) {
1343 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1344 goto err_exit;
1345 }
1346
1347 /* We can only finish if the pipe is unbound for now */
1348 if (p->pipe_bound) {
1349 DEBUG(0, (__location__ ": Pipe already bound, "
1350 "Altering Context not yet supported!\n"));
1351 goto err_exit;
1352 }
1353
1354 if (auth_info.auth_type != p->auth.auth_type) {
1355 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1356 "but auth was started as type %d!\n",
1357 auth_info.auth_type, p->auth.auth_type));
1358 goto err_exit;
1359 }
1360
1361
1362 switch (auth_info.auth_type) {
1363 case DCERPC_AUTH_TYPE_SPNEGO:
1364 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1365 struct spnego_context);
1366 status = spnego_server_step(spnego_ctx,
1367 pkt,
1368 &auth_info.credentials,
1369 &auth_resp);
1370 break;
1371
1372 case DCERPC_AUTH_TYPE_KRB5:
1373 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1374 struct gse_context);
1375 status = gssapi_server_step(gse_ctx,
1376 pkt,
1377 &auth_info.credentials,
1378 &auth_resp);
1379 break;
1380 case DCERPC_AUTH_TYPE_NTLMSSP:
1381 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1382 struct auth_ntlmssp_state);
1383 status = ntlmssp_server_step(ntlmssp_ctx,
1384 pkt,
1385 &auth_info.credentials,
1386 &auth_resp);
1387 break;
1388
1389 default:
1390 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1391 "in alter-context call\n",
1392 auth_info.auth_type));
1393 goto err_exit;
1394 }
1395
1396 if (NT_STATUS_IS_OK(status)) {
1397 /* third leg of auth, verify auth info */
1398 status = pipe_auth_verify_final(p);
1399 if (!NT_STATUS_IS_OK(status)) {
1400 DEBUG(0, ("Auth Verify failed (%s)\n",
1401 nt_errstr(status)));
1402 goto err_exit;
1403 }
1404 } else if (NT_STATUS_EQUAL(status,
1405 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1406 DEBUG(10, ("More auth legs required.\n"));
1407 } else {
1408 DEBUG(0, ("Auth step returned an error (%s)\n",
1409 nt_errstr(status)));
1410 goto err_exit;
1411 }
1412 }
1413
1414 ZERO_STRUCT(u.alter_resp);
1415 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1416 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1417 u.alter_resp.assoc_group_id = assoc_gid;
1418
1419 /* secondary address CAN be NULL
1420 * as the specs say it's ignored.
1421 * It MUST be NULL to have the spoolss working.
1422 */
1423 u.alter_resp.secondary_address = "";
1424 u.alter_resp.secondary_address_size = 1;
1425
1426 u.alter_resp.num_results = 1;
1427 u.alter_resp.ctx_list = &bind_ack_ctx;
1428
1429 /* NOTE: We leave the auth_info empty so we can calculate the padding
1430 * later and then append the auth_info --simo */
1431
1432 /*
1433 * Marshall directly into the outgoing PDU space. We
1434 * must do this as we need to set to the bind response
1435 * header and are never sending more than one PDU here.
1436 */
1437
1438 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1439 DCERPC_PKT_ALTER_RESP,
1440 DCERPC_PFC_FLAG_FIRST |
1441 DCERPC_PFC_FLAG_LAST,
1442 auth_resp.length,
1443 pkt->call_id,
1444 &u,
1445 &p->out_data.frag);
1446 if (!NT_STATUS_IS_OK(status)) {
1447 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1448 nt_errstr(status)));
1449 }
1450
1451 if (auth_resp.length) {
1452
1453 /* Work out any padding needed before the auth footer. */
1454 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1455 if (pad_len) {
1456 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1457 DEBUG(10, ("auth pad_len = %u\n",
1458 (unsigned int)pad_len));
1459 }
1460
1461 status = dcerpc_push_dcerpc_auth(pkt,
1462 auth_info.auth_type,
1463 auth_info.auth_level,
1464 pad_len,
1465 1, /* auth_context_id */
1466 &auth_resp,
1467 &auth_blob);
1468 if (!NT_STATUS_IS_OK(status)) {
1469 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1470 goto err_exit;
1471 }
1472 }
1473
1474 /* Now that we have the auth len store it into the right place in
1475 * the dcerpc header */
1476 dcerpc_set_frag_length(&p->out_data.frag,
1477 p->out_data.frag.length +
1478 pad_len + auth_blob.length);
1479
1480 if (auth_resp.length) {
1481 if (pad_len) {
1482 char pad[SERVER_NDR_PADDING_SIZE];
1483 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1484 if (!data_blob_append(p->mem_ctx,
1485 &p->out_data.frag,
1486 pad, pad_len)) {
1487 DEBUG(0, ("api_pipe_bind_req: failed to add "
1488 "%u bytes of pad data.\n",
1489 (unsigned int)pad_len));
1490 goto err_exit;
1491 }
1492 }
1493
1494 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1495 auth_blob.data, auth_blob.length)) {
1496 DEBUG(0, ("Append of auth info failed.\n"));
1497 goto err_exit;
1498 }
1499 }
1500
1501 /*
1502 * Setup the lengths for the initial reply.
1503 */
1504
1505 p->out_data.data_sent_length = 0;
1506 p->out_data.current_pdu_sent = 0;
1507
1508 TALLOC_FREE(auth_blob.data);
1509 return True;
1510
1511 err_exit:
1512
1513 data_blob_free(&p->out_data.frag);
1514 TALLOC_FREE(auth_blob.data);
1515 return setup_bind_nak(p, pkt);
1516 }
1517
1518 /****************************************************************************
1519 Find the set of RPC functions associated with this context_id
1520 ****************************************************************************/
1521
1522 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1523 {
1524 PIPE_RPC_FNS *fns = NULL;
1525
1526 if ( !list ) {
1527 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1528 return NULL;
1529 }
1530
1531 for (fns=list; fns; fns=fns->next ) {
1532 if ( fns->context_id == context_id )
1533 return fns;
1534 }
1535 return NULL;
1536 }
1537
1538 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1539 const struct api_struct *api_rpc_cmds, int n_cmds);
1540
1541 /****************************************************************************
1542 Find the correct RPC function to call for this request.
1543 If the pipe is authenticated then become the correct UNIX user
1544 before doing the call.
1545 ****************************************************************************/
1546
1547 static bool api_pipe_request(struct pipes_struct *p,
1548 struct ncacn_packet *pkt)
1549 {
1550 bool ret = False;
1551 bool changed_user = False;
1552 PIPE_RPC_FNS *pipe_fns;
1553
1554 if (p->pipe_bound &&
1555 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1556 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1557 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1558 if(!become_authenticated_pipe_user(p)) {
1559 data_blob_free(&p->out_data.rdata);
1560 return False;
1561 }
1562 changed_user = True;
1563 }
1564
1565 DEBUG(5, ("Requested \\PIPE\\%s\n",
1566 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1567
1568 /* get the set of RPC functions for this context */
1569
1570 pipe_fns = find_pipe_fns_by_context(p->contexts,
1571 pkt->u.request.context_id);
1572
1573 if ( pipe_fns ) {
1574 TALLOC_CTX *frame = talloc_stackframe();
1575 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds);
1576 TALLOC_FREE(frame);
1577 }
1578 else {
1579 DEBUG(0, ("No rpc function table associated with context "
1580 "[%d] on pipe [%s]\n",
1581 pkt->u.request.context_id,
1582 get_pipe_name_from_syntax(talloc_tos(),
1583 &p->syntax)));
1584 }
1585
1586 if (changed_user) {
1587 unbecome_authenticated_pipe_user();
1588 }
1589
1590 return ret;
1591 }
1592
1593 /*******************************************************************
1594 Calls the underlying RPC function for a named pipe.
1595 ********************************************************************/
1596
1597 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1598 const struct api_struct *api_rpc_cmds, int n_cmds)
1599 {
1600 int fn_num;
1601 uint32_t offset1;
1602
1603 /* interpret the command */
1604 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1605 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1606 pkt->u.request.opnum));
1607
1608 if (DEBUGLEVEL >= 50) {
1609 fstring name;
1610 slprintf(name, sizeof(name)-1, "in_%s",
1611 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1612 dump_pdu_region(name, pkt->u.request.opnum,
1613 &p->in_data.data, 0,
1614 p->in_data.data.length);
1615 }
1616
1617 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1618 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1619 api_rpc_cmds[fn_num].fn != NULL) {
1620 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1621 api_rpc_cmds[fn_num].name));
1622 break;
1623 }
1624 }
1625
1626 if (fn_num == n_cmds) {
1627 /*
1628 * For an unknown RPC just return a fault PDU but
1629 * return True to allow RPC's on the pipe to continue
1630 * and not put the pipe into fault state. JRA.
1631 */
1632 DEBUG(4, ("unknown\n"));
1633 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1634 return True;
1635 }
1636
1637 offset1 = p->out_data.rdata.length;
1638
1639 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1640 fn_num, api_rpc_cmds[fn_num].fn));
1641 /* do the actual command */
1642 if(!api_rpc_cmds[fn_num].fn(p)) {
1643 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1644 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1645 api_rpc_cmds[fn_num].name));
1646 data_blob_free(&p->out_data.rdata);
1647 return False;
1648 }
1649
1650 if (p->bad_handle_fault_state) {
1651 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1652 p->bad_handle_fault_state = False;
1653 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1654 return True;
1655 }
1656
1657 if (p->rng_fault_state) {
1658 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1659 p->rng_fault_state = False;
1660 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1661 return True;
1662 }
1663
1664 if (DEBUGLEVEL >= 50) {
1665 fstring name;
1666 slprintf(name, sizeof(name)-1, "out_%s",
1667 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1668 dump_pdu_region(name, pkt->u.request.opnum,
1669 &p->out_data.rdata, offset1,
1670 p->out_data.rdata.length);
1671 }
1672
1673 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1674 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1675
1676 /* Check for buffer underflow in rpc parsing */
1677 if ((DEBUGLEVEL >= 10) &&
1678 (pkt->frag_length < p->in_data.data.length)) {
1679 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1680 dump_data(10, p->in_data.data.data + pkt->frag_length,
1681 p->in_data.data.length - pkt->frag_length);
1682 }
1683
1684 return True;
1685 }
1686
1687 /****************************************************************************
1688 Initialise an outgoing packet.
1689 ****************************************************************************/
1690
1691 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1692 {
1693 output_data *o_data = &p->out_data;
1694
1695 /* Reset the offset counters. */
1696 o_data->data_sent_length = 0;
1697 o_data->current_pdu_sent = 0;
1698
1699 data_blob_free(&o_data->frag);
1700
1701 /* Free any memory in the current return data buffer. */
1702 data_blob_free(&o_data->rdata);
1703
1704 return True;
1705 }
1706
1707 /****************************************************************************
1708 Sets the fault state on incoming packets.
1709 ****************************************************************************/
1710
1711 void set_incoming_fault(struct pipes_struct *p)
1712 {
1713 data_blob_free(&p->in_data.data);
1714 p->in_data.pdu_needed_len = 0;
1715 p->in_data.pdu.length = 0;
1716 p->fault_state = True;
1717 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1718 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1719 }
1720
1721 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1722 struct ncacn_packet *pkt,
1723 DATA_BLOB *raw_pkt)
1724 {
1725 NTSTATUS status;
1726 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1727 size_t pad_len;
1728
1729 DEBUG(10, ("Checking request auth.\n"));
1730
1731 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1732 hdr_size += 16;
1733 }
1734
1735 /* in case of sealing this function will unseal the data in place */
1736 status = dcerpc_check_auth(auth, pkt,
1737 &pkt->u.request.stub_and_verifier,
1738 hdr_size, raw_pkt,
1739 &pad_len);
1740 if (!NT_STATUS_IS_OK(status)) {
1741 return status;
1742 }
1743
1744
1745 /* remove padding and auth trailer,
1746 * this way the caller will get just the data */
1747 if (pkt->auth_length) {
1748 size_t trail_len = pad_len
1749 + DCERPC_AUTH_TRAILER_LENGTH
1750 + pkt->auth_length;
1751 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1752 return NT_STATUS_INFO_LENGTH_MISMATCH;
1753 }
1754 pkt->u.request.stub_and_verifier.length -= trail_len;
1755 }
1756
1757 return NT_STATUS_OK;
1758 }
1759
1760 /****************************************************************************
1761 Processes a request pdu. This will do auth processing if needed, and
1762 appends the data into the complete stream if the LAST flag is not set.
1763 ****************************************************************************/
1764
1765 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1766 {
1767 NTSTATUS status;
1768 DATA_BLOB data;
1769
1770 if (!p->pipe_bound) {
1771 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1772 set_incoming_fault(p);
1773 return False;
1774 }
1775
1776 /* Store the opnum */
1777 p->opnum = pkt->u.request.opnum;
1778
1779 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1780 if (!NT_STATUS_IS_OK(status)) {
1781 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1782 nt_errstr(status)));
1783 set_incoming_fault(p);
1784 return false;
1785 }
1786
1787 data = pkt->u.request.stub_and_verifier;
1788
1789 /*
1790 * Check the data length doesn't go over the 15Mb limit.
1791 * increased after observing a bug in the Windows NT 4.0 SP6a
1792 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1793 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1794 */
1795
1796 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1797 DEBUG(0, ("process_request_pdu: "
1798 "rpc data buffer too large (%u) + (%u)\n",
1799 (unsigned int)p->in_data.data.length,
1800 (unsigned int)data.length));
1801 set_incoming_fault(p);
1802 return False;
1803 }
1804
1805 /*
1806 * Append the data portion into the buffer and return.
1807 */
1808
1809 if (data.length) {
1810 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1811 data.data, data.length)) {
1812 DEBUG(0, ("Unable to append data size %u "
1813 "to parse buffer of size %u.\n",
1814 (unsigned int)data.length,
1815 (unsigned int)p->in_data.data.length));
1816 set_incoming_fault(p);
1817 return False;
1818 }
1819 }
1820
1821 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1822 bool ret = False;
1823 /*
1824 * Ok - we finally have a complete RPC stream.
1825 * Call the rpc command to process it.
1826 */
1827
1828 /*
1829 * Process the complete data stream here.
1830 */
1831 if (pipe_init_outgoing_data(p)) {
1832 ret = api_pipe_request(p, pkt);
1833 }
1834
1835 return ret;
1836 }
1837
1838 return True;
1839 }
1840
1841 /****************************************************************************
1842 Processes a finished PDU stored in p->in_data.pdu.
1843 ****************************************************************************/
1844
1845 void process_complete_pdu(struct pipes_struct *p)
1846 {
1847 struct ncacn_packet *pkt = NULL;
1848 NTSTATUS status;
1849 bool reply = False;
1850
1851 if(p->fault_state) {
1852 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1853 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1854 goto done;
1855 }
1856
1857 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1858 if (!pkt) {
1859 DEBUG(0, ("Out of memory!\n"));
1860 goto done;
1861 }
1862
1863 /*
1864 * Ensure we're using the corrent endianness for both the
1865 * RPC header flags and the raw data we will be reading from.
1866 */
1867 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1868 p->endian = RPC_LITTLE_ENDIAN;
1869 } else {
1870 p->endian = RPC_BIG_ENDIAN;
1871 }
1872 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1873
1874 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1875 pkt, p->endian);
1876 if (!NT_STATUS_IS_OK(status)) {
1877 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1878 nt_errstr(status)));
1879 goto done;
1880 }
1881
1882 /* Store the call_id */
1883 p->call_id = pkt->call_id;
1884
1885 DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
1886
1887 switch (pkt->ptype) {
1888 case DCERPC_PKT_REQUEST:
1889 reply = process_request_pdu(p, pkt);
1890 break;
1891
1892 case DCERPC_PKT_PING: /* CL request - ignore... */
1893 DEBUG(0, ("process_complete_pdu: Error. "
1894 "Connectionless packet type %d received on "
1895 "pipe %s.\n", (int)pkt->ptype,
1896 get_pipe_name_from_syntax(talloc_tos(),
1897 &p->syntax)));
1898 break;
1899
1900 case DCERPC_PKT_RESPONSE: /* No responses here. */
1901 DEBUG(0, ("process_complete_pdu: Error. "
1902 "DCERPC_PKT_RESPONSE received from client "
1903 "on pipe %s.\n",
1904 get_pipe_name_from_syntax(talloc_tos(),
1905 &p->syntax)));
1906 break;
1907
1908 case DCERPC_PKT_FAULT:
1909 case DCERPC_PKT_WORKING:
1910 /* CL request - reply to a ping when a call in process. */
1911 case DCERPC_PKT_NOCALL:
1912 /* CL - server reply to a ping call. */
1913 case DCERPC_PKT_REJECT:
1914 case DCERPC_PKT_ACK:
1915 case DCERPC_PKT_CL_CANCEL:
1916 case DCERPC_PKT_FACK:
1917 case DCERPC_PKT_CANCEL_ACK:
1918 DEBUG(0, ("process_complete_pdu: Error. "
1919 "Connectionless packet type %u received on "
1920 "pipe %s.\n", (unsigned int)pkt->ptype,
1921 get_pipe_name_from_syntax(talloc_tos(),
1922 &p->syntax)));
1923 break;
1924
1925 case DCERPC_PKT_BIND:
1926 /*
1927 * We assume that a pipe bind is only in one pdu.
1928 */
1929 if (pipe_init_outgoing_data(p)) {
1930 reply = api_pipe_bind_req(p, pkt);
1931 }
1932 break;
1933
1934 case DCERPC_PKT_BIND_ACK:
1935 case DCERPC_PKT_BIND_NAK:
1936 DEBUG(0, ("process_complete_pdu: Error. "
1937 "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1938 "packet type %u received on pipe %s.\n",
1939 (unsigned int)pkt->ptype,
1940 get_pipe_name_from_syntax(talloc_tos(),
1941 &p->syntax)));
1942 break;
1943
1944
1945 case DCERPC_PKT_ALTER:
1946 /*
1947 * We assume that a pipe bind is only in one pdu.
1948 */
1949 if (pipe_init_outgoing_data(p)) {
1950 reply = api_pipe_alter_context(p, pkt);
1951 }
1952 break;
1953
1954 case DCERPC_PKT_ALTER_RESP:
1955 DEBUG(0, ("process_complete_pdu: Error. "
1956 "DCERPC_PKT_ALTER_RESP on pipe %s: "
1957 "Should only be server -> client.\n",
1958 get_pipe_name_from_syntax(talloc_tos(),
1959 &p->syntax)));
1960 break;
1961
1962 case DCERPC_PKT_AUTH3:
1963 /*
1964 * The third packet in an auth exchange.
1965 */
1966 if (pipe_init_outgoing_data(p)) {
1967 reply = api_pipe_bind_auth3(p, pkt);
1968 }
1969 break;
1970
1971 case DCERPC_PKT_SHUTDOWN:
1972 DEBUG(0, ("process_complete_pdu: Error. "
1973 "DCERPC_PKT_SHUTDOWN on pipe %s: "
1974 "Should only be server -> client.\n",
1975 get_pipe_name_from_syntax(talloc_tos(),
1976 &p->syntax)));
1977 break;
1978
1979 case DCERPC_PKT_CO_CANCEL:
1980 /* For now just free all client data and continue
1981 * processing. */
1982 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1983 " Abandoning rpc call.\n"));
1984 /* As we never do asynchronous RPC serving, we can
1985 * never cancel a call (as far as I know).
1986 * If we ever did we'd have to send a cancel_ack reply.
1987 * For now, just free all client data and continue
1988 * processing. */
1989 reply = True;
1990 break;
1991
1992 #if 0
1993 /* Enable this if we're doing async rpc. */
1994 /* We must check the outstanding callid matches. */
1995 if (pipe_init_outgoing_data(p)) {
1996 /* Send a cancel_ack PDU reply. */
1997 /* We should probably check the auth-verifier here. */
1998 reply = setup_cancel_ack_reply(p, pkt);
1999 }
2000 break;
2001 #endif
2002
2003 case DCERPC_PKT_ORPHANED:
2004 /* We should probably check the auth-verifier here.
2005 * For now just free all client data and continue
2006 * processing. */
2007 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
2008 " Abandoning rpc call.\n"));
2009 reply = True;
2010 break;
2011
2012 default:
2013 DEBUG(0, ("process_complete_pdu: "
2014 "Unknown rpc type = %u received.\n",
2015 (unsigned int)pkt->ptype));
2016 break;
2017 }
2018
2019 done:
2020 if (!reply) {
2021 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2022 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2023 &p->syntax)));
2024 set_incoming_fault(p);
2025 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2026 TALLOC_FREE(pkt);
2027 } else {
2028 /*
2029 * Reset the lengths. We're ready for a new pdu.
2030 */
2031 TALLOC_FREE(p->in_data.pdu.data);
2032 p->in_data.pdu_needed_len = 0;
2033 p->in_data.pdu.length = 0;
2034 }
2035
2036 TALLOC_FREE(pkt);
2037 }
2038
reg import