search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch.
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob72ce72fb28d6987d49c100bf15b4d05b6dc4e5c2
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct pipe_id_info pipe_names[];
33 extern struct current_user current_user;
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
37
38 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39 {
40 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41
42 if (a) {
43 auth_ntlmssp_end(&a);
44 }
45 auth->a_u.auth_ntlmssp_state = NULL;
46 }
47
48 /*******************************************************************
49 Generate the next PDU to be returned from the data in p->rdata.
50 Handle NTLMSSP.
51 ********************************************************************/
52
53 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
54 {
55 RPC_HDR_RESP hdr_resp;
56 uint32 ss_padding_len = 0;
57 uint32 data_space_available;
58 uint32 data_len_left;
59 uint32 data_len;
60 prs_struct outgoing_pdu;
61 NTSTATUS status;
62 DATA_BLOB auth_blob;
63 RPC_HDR_AUTH auth_info;
64 uint8 auth_type, auth_level;
65 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
66
67 /*
68 * If we're in the fault state, keep returning fault PDU's until
69 * the pipe gets closed. JRA.
70 */
71
72 if(p->fault_state) {
73 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
74 return True;
75 }
76
77 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
78
79 /* Change the incoming request header to a response. */
80 p->hdr.pkt_type = RPC_RESPONSE;
81
82 /* Set up rpc header flags. */
83 if (p->out_data.data_sent_length == 0) {
84 p->hdr.flags = RPC_FLG_FIRST;
85 } else {
86 p->hdr.flags = 0;
87 }
88
89 /*
90 * Work out how much we can fit in a single PDU.
91 */
92
93 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
94
95 /*
96 * Ensure there really is data left to send.
97 */
98
99 if(!data_len_left) {
100 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
101 return False;
102 }
103
104 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
105 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
106
107 /*
108 * The amount we send is the minimum of the available
109 * space and the amount left to send.
110 */
111
112 data_len = MIN(data_len_left, data_space_available);
113
114 /*
115 * Set up the alloc hint. This should be the data left to
116 * send.
117 */
118
119 hdr_resp.alloc_hint = data_len_left;
120
121 /*
122 * Work out if this PDU will be the last.
123 */
124
125 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
126 p->hdr.flags |= RPC_FLG_LAST;
127 if (data_len_left % 8) {
128 ss_padding_len = 8 - (data_len_left % 8);
129 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
130 ss_padding_len ));
131 }
132 }
133
134 /*
135 * Set up the header lengths.
136 */
137
138 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
139 data_len + ss_padding_len +
140 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
141 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
142
143
144 /*
145 * Init the parse struct to point at the outgoing
146 * data.
147 */
148
149 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
150 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
151
152 /* Store the header in the data stream. */
153 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
154 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
155 prs_mem_free(&outgoing_pdu);
156 return False;
157 }
158
159 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
160 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
161 prs_mem_free(&outgoing_pdu);
162 return False;
163 }
164
165 /* Copy the data into the PDU. */
166
167 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
168 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
169 prs_mem_free(&outgoing_pdu);
170 return False;
171 }
172
173 /* Copy the sign/seal padding data. */
174 if (ss_padding_len) {
175 char pad[8];
176
177 memset(pad, '\0', 8);
178 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
179 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
180 (unsigned int)ss_padding_len));
181 prs_mem_free(&outgoing_pdu);
182 return False;
183 }
184 }
185
186
187 /* Now write out the auth header and null blob. */
188 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
189 auth_type = RPC_NTLMSSP_AUTH_TYPE;
190 } else {
191 auth_type = RPC_SPNEGO_AUTH_TYPE;
192 }
193 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
194 auth_level = RPC_AUTH_LEVEL_PRIVACY;
195 } else {
196 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
197 }
198
199 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
200 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
201 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
202 prs_mem_free(&outgoing_pdu);
203 return False;
204 }
205
206 /* Generate the sign blob. */
207
208 switch (p->auth.auth_level) {
209 case PIPE_AUTH_LEVEL_PRIVACY:
210 /* Data portion is encrypted. */
211 status = ntlmssp_seal_packet(a->ntlmssp_state,
212 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
213 data_len + ss_padding_len,
214 (unsigned char *)prs_data_p(&outgoing_pdu),
215 (size_t)prs_offset(&outgoing_pdu),
216 &auth_blob);
217 if (!NT_STATUS_IS_OK(status)) {
218 data_blob_free(&auth_blob);
219 prs_mem_free(&outgoing_pdu);
220 return False;
221 }
222 break;
223 case PIPE_AUTH_LEVEL_INTEGRITY:
224 /* Data is signed. */
225 status = ntlmssp_sign_packet(a->ntlmssp_state,
226 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
227 data_len + ss_padding_len,
228 (unsigned char *)prs_data_p(&outgoing_pdu),
229 (size_t)prs_offset(&outgoing_pdu),
230 &auth_blob);
231 if (!NT_STATUS_IS_OK(status)) {
232 data_blob_free(&auth_blob);
233 prs_mem_free(&outgoing_pdu);
234 return False;
235 }
236 break;
237 default:
238 prs_mem_free(&outgoing_pdu);
239 return False;
240 }
241
242 /* Append the auth blob. */
243 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
244 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
245 (unsigned int)NTLMSSP_SIG_SIZE));
246 data_blob_free(&auth_blob);
247 prs_mem_free(&outgoing_pdu);
248 return False;
249 }
250
251 data_blob_free(&auth_blob);
252
253 /*
254 * Setup the counts for this PDU.
255 */
256
257 p->out_data.data_sent_length += data_len;
258 p->out_data.current_pdu_len = p->hdr.frag_len;
259 p->out_data.current_pdu_sent = 0;
260
261 prs_mem_free(&outgoing_pdu);
262 return True;
263 }
264
265 /*******************************************************************
266 Generate the next PDU to be returned from the data in p->rdata.
267 Return an schannel authenticated fragment.
268 ********************************************************************/
269
270 static BOOL create_next_pdu_schannel(pipes_struct *p)
271 {
272 RPC_HDR_RESP hdr_resp;
273 uint32 ss_padding_len = 0;
274 uint32 data_len;
275 uint32 data_space_available;
276 uint32 data_len_left;
277 prs_struct outgoing_pdu;
278 uint32 data_pos;
279
280 /*
281 * If we're in the fault state, keep returning fault PDU's until
282 * the pipe gets closed. JRA.
283 */
284
285 if(p->fault_state) {
286 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
287 return True;
288 }
289
290 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
291
292 /* Change the incoming request header to a response. */
293 p->hdr.pkt_type = RPC_RESPONSE;
294
295 /* Set up rpc header flags. */
296 if (p->out_data.data_sent_length == 0) {
297 p->hdr.flags = RPC_FLG_FIRST;
298 } else {
299 p->hdr.flags = 0;
300 }
301
302 /*
303 * Work out how much we can fit in a single PDU.
304 */
305
306 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
307
308 /*
309 * Ensure there really is data left to send.
310 */
311
312 if(!data_len_left) {
313 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
314 return False;
315 }
316
317 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
318 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
319
320 /*
321 * The amount we send is the minimum of the available
322 * space and the amount left to send.
323 */
324
325 data_len = MIN(data_len_left, data_space_available);
326
327 /*
328 * Set up the alloc hint. This should be the data left to
329 * send.
330 */
331
332 hdr_resp.alloc_hint = data_len_left;
333
334 /*
335 * Work out if this PDU will be the last.
336 */
337
338 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
339 p->hdr.flags |= RPC_FLG_LAST;
340 if (data_len_left % 8) {
341 ss_padding_len = 8 - (data_len_left % 8);
342 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
343 ss_padding_len ));
344 }
345 }
346
347 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
348 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
349 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
350
351 /*
352 * Init the parse struct to point at the outgoing
353 * data.
354 */
355
356 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
357 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
358
359 /* Store the header in the data stream. */
360 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
361 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
362 prs_mem_free(&outgoing_pdu);
363 return False;
364 }
365
366 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
367 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
368 prs_mem_free(&outgoing_pdu);
369 return False;
370 }
371
372 /* Store the current offset. */
373 data_pos = prs_offset(&outgoing_pdu);
374
375 /* Copy the data into the PDU. */
376
377 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
378 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
379 prs_mem_free(&outgoing_pdu);
380 return False;
381 }
382
383 /* Copy the sign/seal padding data. */
384 if (ss_padding_len) {
385 char pad[8];
386 memset(pad, '\0', 8);
387 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
388 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
389 prs_mem_free(&outgoing_pdu);
390 return False;
391 }
392 }
393
394 {
395 /*
396 * Schannel processing.
397 */
398 char *data;
399 RPC_HDR_AUTH auth_info;
400 RPC_AUTH_SCHANNEL_CHK verf;
401
402 data = prs_data_p(&outgoing_pdu) + data_pos;
403 /* Check it's the type of reply we were expecting to decode */
404
405 init_rpc_hdr_auth(&auth_info,
406 RPC_SCHANNEL_AUTH_TYPE,
407 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
408 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
409 ss_padding_len, 1);
410
411 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
412 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
413 prs_mem_free(&outgoing_pdu);
414 return False;
415 }
416
417 schannel_encode(p->auth.a_u.schannel_auth,
418 p->auth.auth_level,
419 SENDER_IS_ACCEPTOR,
420 &verf, data, data_len + ss_padding_len);
421
422 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
423 &verf, &outgoing_pdu, 0)) {
424 prs_mem_free(&outgoing_pdu);
425 return False;
426 }
427
428 p->auth.a_u.schannel_auth->seq_num++;
429 }
430
431 /*
432 * Setup the counts for this PDU.
433 */
434
435 p->out_data.data_sent_length += data_len;
436 p->out_data.current_pdu_len = p->hdr.frag_len;
437 p->out_data.current_pdu_sent = 0;
438
439 prs_mem_free(&outgoing_pdu);
440 return True;
441 }
442
443 /*******************************************************************
444 Generate the next PDU to be returned from the data in p->rdata.
445 No authentication done.
446 ********************************************************************/
447
448 static BOOL create_next_pdu_noauth(pipes_struct *p)
449 {
450 RPC_HDR_RESP hdr_resp;
451 uint32 data_len;
452 uint32 data_space_available;
453 uint32 data_len_left;
454 prs_struct outgoing_pdu;
455
456 /*
457 * If we're in the fault state, keep returning fault PDU's until
458 * the pipe gets closed. JRA.
459 */
460
461 if(p->fault_state) {
462 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
463 return True;
464 }
465
466 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
467
468 /* Change the incoming request header to a response. */
469 p->hdr.pkt_type = RPC_RESPONSE;
470
471 /* Set up rpc header flags. */
472 if (p->out_data.data_sent_length == 0) {
473 p->hdr.flags = RPC_FLG_FIRST;
474 } else {
475 p->hdr.flags = 0;
476 }
477
478 /*
479 * Work out how much we can fit in a single PDU.
480 */
481
482 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
483
484 /*
485 * Ensure there really is data left to send.
486 */
487
488 if(!data_len_left) {
489 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
490 return False;
491 }
492
493 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
494
495 /*
496 * The amount we send is the minimum of the available
497 * space and the amount left to send.
498 */
499
500 data_len = MIN(data_len_left, data_space_available);
501
502 /*
503 * Set up the alloc hint. This should be the data left to
504 * send.
505 */
506
507 hdr_resp.alloc_hint = data_len_left;
508
509 /*
510 * Work out if this PDU will be the last.
511 */
512
513 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
514 p->hdr.flags |= RPC_FLG_LAST;
515 }
516
517 /*
518 * Set up the header lengths.
519 */
520
521 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
522 p->hdr.auth_len = 0;
523
524 /*
525 * Init the parse struct to point at the outgoing
526 * data.
527 */
528
529 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
530 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
531
532 /* Store the header in the data stream. */
533 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
534 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
535 prs_mem_free(&outgoing_pdu);
536 return False;
537 }
538
539 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
540 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
541 prs_mem_free(&outgoing_pdu);
542 return False;
543 }
544
545 /* Copy the data into the PDU. */
546
547 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
548 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
549 prs_mem_free(&outgoing_pdu);
550 return False;
551 }
552
553 /*
554 * Setup the counts for this PDU.
555 */
556
557 p->out_data.data_sent_length += data_len;
558 p->out_data.current_pdu_len = p->hdr.frag_len;
559 p->out_data.current_pdu_sent = 0;
560
561 prs_mem_free(&outgoing_pdu);
562 return True;
563 }
564
565 /*******************************************************************
566 Generate the next PDU to be returned from the data in p->rdata.
567 ********************************************************************/
568
569 BOOL create_next_pdu(pipes_struct *p)
570 {
571 switch(p->auth.auth_level) {
572 case PIPE_AUTH_LEVEL_NONE:
573 case PIPE_AUTH_LEVEL_CONNECT:
574 /* This is incorrect for auth level connect. Fixme. JRA */
575 return create_next_pdu_noauth(p);
576
577 default:
578 switch(p->auth.auth_type) {
579 case PIPE_AUTH_TYPE_NTLMSSP:
580 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
581 return create_next_pdu_ntlmssp(p);
582 case PIPE_AUTH_TYPE_SCHANNEL:
583 return create_next_pdu_schannel(p);
584 default:
585 break;
586 }
587 }
588
589 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
590 (unsigned int)p->auth.auth_level,
591 (unsigned int)p->auth.auth_type));
592 return False;
593 }
594
595 /*******************************************************************
596 Process an NTLMSSP authentication response.
597 If this function succeeds, the user has been authenticated
598 and their domain, name and calling workstation stored in
599 the pipe struct.
600 *******************************************************************/
601
602 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
603 {
604 DATA_BLOB reply;
605 NTSTATUS status;
606 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
607
608 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
609
610 ZERO_STRUCT(reply);
611
612 memset(p->user_name, '\0', sizeof(p->user_name));
613 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
614 memset(p->domain, '\0', sizeof(p->domain));
615 memset(p->wks, '\0', sizeof(p->wks));
616
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
621
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
626
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
632 }
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
644 }
645 }
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
652 }
653 }
654
655 fstrcpy(p->user_name, a->ntlmssp_state->user);
656 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
657 fstrcpy(p->domain, a->ntlmssp_state->domain);
658 fstrcpy(p->wks, a->ntlmssp_state->workstation);
659
660 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
661 p->user_name, p->domain, p->wks));
662
663 /*
664 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
665 */
666
667 p->pipe_user.ut.uid = a->server_info->uid;
668 p->pipe_user.ut.gid = a->server_info->gid;
669
670 /*
671 * Copy the session key from the ntlmssp state.
672 */
673
674 data_blob_free(&p->session_key);
675 p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
676 if (!p->session_key.data) {
677 return False;
678 }
679
680 p->pipe_user.ut.ngroups = a->server_info->n_groups;
681 if (p->pipe_user.ut.ngroups) {
682 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(a->server_info->groups,
683 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
684 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
685 return False;
686 }
687 }
688
689 if (a->server_info->ptok) {
690 p->pipe_user.nt_user_token =
691 dup_nt_token(NULL, a->server_info->ptok);
692 } else {
693 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
694 p->pipe_user.nt_user_token = NULL;
695 return False;
696 }
697
698 return True;
699 }
700
701 /*******************************************************************
702 The switch table for the pipe names and the functions to handle them.
703 *******************************************************************/
704
705 struct rpc_table {
706 struct {
707 const char *clnt;
708 const char *srv;
709 } pipe;
710 struct api_struct *cmds;
711 int n_cmds;
712 };
713
714 static struct rpc_table *rpc_lookup;
715 static int rpc_lookup_size;
716
717 /*******************************************************************
718 This is the "stage3" NTLMSSP response after a bind request and reply.
719 *******************************************************************/
720
721 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
722 {
723 RPC_HDR_AUTH auth_info;
724 uint32 pad;
725 DATA_BLOB blob;
726
727 ZERO_STRUCT(blob);
728
729 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
730
731 if (p->hdr.auth_len == 0) {
732 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
733 goto err;
734 }
735
736 /* 4 bytes padding. */
737 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
738 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
739 goto err;
740 }
741
742 /*
743 * Decode the authentication verifier response.
744 */
745
746 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
747 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
748 goto err;
749 }
750
751 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
752 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
753 (unsigned int)auth_info.auth_type ));
754 return False;
755 }
756
757 blob = data_blob(NULL,p->hdr.auth_len);
758
759 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
760 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
761 (unsigned int)p->hdr.auth_len ));
762 goto err;
763 }
764
765 /*
766 * The following call actually checks the challenge/response data.
767 * for correctness against the given DOMAIN\user name.
768 */
769
770 if (!pipe_ntlmssp_verify_final(p, &blob)) {
771 goto err;
772 }
773
774 data_blob_free(&blob);
775
776 p->pipe_bound = True;
777
778 return True;
779
780 err:
781
782 data_blob_free(&blob);
783 free_pipe_ntlmssp_auth_data(&p->auth);
784 p->auth.a_u.auth_ntlmssp_state = NULL;
785
786 return False;
787 }
788
789 /*******************************************************************
790 Marshall a bind_nak pdu.
791 *******************************************************************/
792
793 static BOOL setup_bind_nak(pipes_struct *p)
794 {
795 prs_struct outgoing_rpc;
796 RPC_HDR nak_hdr;
797 uint16 zero = 0;
798
799 /* Free any memory in the current return data buffer. */
800 prs_mem_free(&p->out_data.rdata);
801
802 /*
803 * Marshall directly into the outgoing PDU space. We
804 * must do this as we need to set to the bind response
805 * header and are never sending more than one PDU here.
806 */
807
808 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
809 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
810
811 /*
812 * Initialize a bind_nak header.
813 */
814
815 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
816 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
817
818 /*
819 * Marshall the header into the outgoing PDU.
820 */
821
822 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
823 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
824 prs_mem_free(&outgoing_rpc);
825 return False;
826 }
827
828 /*
829 * Now add the reject reason.
830 */
831
832 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
833 prs_mem_free(&outgoing_rpc);
834 return False;
835 }
836
837 p->out_data.data_sent_length = 0;
838 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
839 p->out_data.current_pdu_sent = 0;
840
841 if (p->auth.auth_data_free_func) {
842 (*p->auth.auth_data_free_func)(&p->auth);
843 }
844 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
845 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
846 p->pipe_bound = False;
847
848 return True;
849 }
850
851 /*******************************************************************
852 Marshall a fault pdu.
853 *******************************************************************/
854
855 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
856 {
857 prs_struct outgoing_pdu;
858 RPC_HDR fault_hdr;
859 RPC_HDR_RESP hdr_resp;
860 RPC_HDR_FAULT fault_resp;
861
862 /* Free any memory in the current return data buffer. */
863 prs_mem_free(&p->out_data.rdata);
864
865 /*
866 * Marshall directly into the outgoing PDU space. We
867 * must do this as we need to set to the bind response
868 * header and are never sending more than one PDU here.
869 */
870
871 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
872 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
873
874 /*
875 * Initialize a fault header.
876 */
877
878 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
879 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
880
881 /*
882 * Initialize the HDR_RESP and FAULT parts of the PDU.
883 */
884
885 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
886
887 fault_resp.status = status;
888 fault_resp.reserved = 0;
889
890 /*
891 * Marshall the header into the outgoing PDU.
892 */
893
894 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
895 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
896 prs_mem_free(&outgoing_pdu);
897 return False;
898 }
899
900 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
901 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
902 prs_mem_free(&outgoing_pdu);
903 return False;
904 }
905
906 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
907 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
908 prs_mem_free(&outgoing_pdu);
909 return False;
910 }
911
912 p->out_data.data_sent_length = 0;
913 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
914 p->out_data.current_pdu_sent = 0;
915
916 prs_mem_free(&outgoing_pdu);
917 return True;
918 }
919
920 #if 0
921 /*******************************************************************
922 Marshall a cancel_ack pdu.
923 We should probably check the auth-verifier here.
924 *******************************************************************/
925
926 BOOL setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
927 {
928 prs_struct outgoing_pdu;
929 RPC_HDR ack_reply_hdr;
930
931 /* Free any memory in the current return data buffer. */
932 prs_mem_free(&p->out_data.rdata);
933
934 /*
935 * Marshall directly into the outgoing PDU space. We
936 * must do this as we need to set to the bind response
937 * header and are never sending more than one PDU here.
938 */
939
940 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
941 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
942
943 /*
944 * Initialize a cancel_ack header.
945 */
946
947 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
948 p->hdr.call_id, RPC_HEADER_LEN, 0);
949
950 /*
951 * Marshall the header into the outgoing PDU.
952 */
953
954 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
955 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
956 prs_mem_free(&outgoing_pdu);
957 return False;
958 }
959
960 p->out_data.data_sent_length = 0;
961 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
962 p->out_data.current_pdu_sent = 0;
963
964 prs_mem_free(&outgoing_pdu);
965 return True;
966 }
967 #endif
968
969 /*******************************************************************
970 Ensure a bind request has the correct abstract & transfer interface.
971 Used to reject unknown binds from Win2k.
972 *******************************************************************/
973
974 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
975 RPC_IFACE* transfer, uint32 context_id)
976 {
977 char *pipe_name = p->name;
978 int i=0;
979 fstring pname;
980
981 fstrcpy(pname,"\\PIPE\\");
982 fstrcat(pname,pipe_name);
983
984 DEBUG(3,("check_bind_req for %s\n", pname));
985
986 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
987
988 for ( i=0; pipe_names[i].client_pipe; i++ ) {
989 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
990 if ( strequal(pipe_names[i].client_pipe, pname)
991 && (abstract->version == pipe_names[i].abstr_syntax.version)
992 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
993 && (transfer->version == pipe_names[i].trans_syntax.version)
994 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
995 struct api_struct *fns = NULL;
996 int n_fns = 0;
997 PIPE_RPC_FNS *context_fns;
998
999 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1000 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1001 return False;
1002 }
1003
1004 /* save the RPC function table associated with this bind */
1005
1006 get_pipe_fns(i, &fns, &n_fns);
1007
1008 context_fns->cmds = fns;
1009 context_fns->n_cmds = n_fns;
1010 context_fns->context_id = context_id;
1011
1012 /* add to the list of open contexts */
1013
1014 DLIST_ADD( p->contexts, context_fns );
1015
1016 break;
1017 }
1018 }
1019
1020 if(pipe_names[i].client_pipe == NULL) {
1021 return False;
1022 }
1023
1024 return True;
1025 }
1026
1027 /*******************************************************************
1028 Register commands to an RPC pipe
1029 *******************************************************************/
1030
1031 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1032 {
1033 struct rpc_table *rpc_entry;
1034
1035 if (!clnt || !srv || !cmds) {
1036 return NT_STATUS_INVALID_PARAMETER;
1037 }
1038
1039 if (version != SMB_RPC_INTERFACE_VERSION) {
1040 DEBUG(0,("Can't register rpc commands!\n"
1041 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1042 ", while this version of samba uses version %d!\n",
1043 version,SMB_RPC_INTERFACE_VERSION));
1044 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1045 }
1046
1047 /* TODO:
1048 *
1049 * we still need to make sure that don't register the same commands twice!!!
1050 *
1051 * --metze
1052 */
1053
1054 /* We use a temporary variable because this call can fail and
1055 rpc_lookup will still be valid afterwards. It could then succeed if
1056 called again later */
1057 rpc_lookup_size++;
1058 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1059 if (NULL == rpc_entry) {
1060 rpc_lookup_size--;
1061 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1062 return NT_STATUS_NO_MEMORY;
1063 } else {
1064 rpc_lookup = rpc_entry;
1065 }
1066
1067 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1068 ZERO_STRUCTP(rpc_entry);
1069 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1070 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1071 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1072 if (!rpc_entry->cmds) {
1073 return NT_STATUS_NO_MEMORY;
1074 }
1075 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1076 rpc_entry->n_cmds += size;
1077
1078 return NT_STATUS_OK;
1079 }
1080
1081 /*******************************************************************
1082 Handle a SPNEGO krb5 bind auth.
1083 *******************************************************************/
1084
1085 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1086 DATA_BLOB *psecblob, prs_struct *pout_auth)
1087 {
1088 return False;
1089 }
1090
1091 /*******************************************************************
1092 Handle the first part of a SPNEGO bind auth.
1093 *******************************************************************/
1094
1095 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1096 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1097 {
1098 DATA_BLOB blob;
1099 DATA_BLOB secblob;
1100 DATA_BLOB response;
1101 DATA_BLOB chal;
1102 char *OIDs[ASN1_MAX_OIDS];
1103 int i;
1104 NTSTATUS status;
1105 BOOL got_kerberos_mechanism = False;
1106 AUTH_NTLMSSP_STATE *a = NULL;
1107 RPC_HDR_AUTH auth_info;
1108
1109 ZERO_STRUCT(secblob);
1110 ZERO_STRUCT(chal);
1111 ZERO_STRUCT(response);
1112
1113 /* Grab the SPNEGO blob. */
1114 blob = data_blob(NULL,p->hdr.auth_len);
1115
1116 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1117 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1118 (unsigned int)p->hdr.auth_len ));
1119 goto err;
1120 }
1121
1122 if (blob.data[0] != ASN1_APPLICATION(0)) {
1123 goto err;
1124 }
1125
1126 /* parse out the OIDs and the first sec blob */
1127 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1128 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1129 goto err;
1130 }
1131
1132 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1133 got_kerberos_mechanism = True;
1134 }
1135
1136 for (i=0;OIDs[i];i++) {
1137 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1138 SAFE_FREE(OIDs[i]);
1139 }
1140 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1141
1142 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1143 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1144 data_blob_free(&secblob);
1145 data_blob_free(&blob);
1146 return ret;
1147 }
1148
1149 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1150 /* Free any previous auth type. */
1151 free_pipe_ntlmssp_auth_data(&p->auth);
1152 }
1153
1154 /* Initialize the NTLM engine. */
1155 status = auth_ntlmssp_start(&a);
1156 if (!NT_STATUS_IS_OK(status)) {
1157 goto err;
1158 }
1159
1160 /*
1161 * Pass the first security blob of data to it.
1162 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1163 * which means we need another packet to complete the bind.
1164 */
1165
1166 status = auth_ntlmssp_update(a, secblob, &chal);
1167
1168 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1169 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1170 goto err;
1171 }
1172
1173 /* Generate the response blob we need for step 2 of the bind. */
1174 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1175
1176 /* Copy the blob into the pout_auth parse struct */
1177 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1178 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1179 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1180 goto err;
1181 }
1182
1183 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1184 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1185 goto err;
1186 }
1187
1188 p->auth.a_u.auth_ntlmssp_state = a;
1189 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1190 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1191
1192 data_blob_free(&blob);
1193 data_blob_free(&secblob);
1194 data_blob_free(&chal);
1195 data_blob_free(&response);
1196
1197 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1198 return True;
1199
1200 err:
1201
1202 data_blob_free(&blob);
1203 data_blob_free(&secblob);
1204 data_blob_free(&chal);
1205 data_blob_free(&response);
1206
1207 p->auth.a_u.auth_ntlmssp_state = NULL;
1208
1209 return False;
1210 }
1211
1212 /*******************************************************************
1213 Handle the second part of a SPNEGO bind auth.
1214 *******************************************************************/
1215
1216 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1217 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1218 {
1219 RPC_HDR_AUTH auth_info;
1220 DATA_BLOB spnego_blob;
1221 DATA_BLOB auth_blob;
1222 DATA_BLOB auth_reply;
1223 DATA_BLOB response;
1224 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1225
1226 ZERO_STRUCT(spnego_blob);
1227 ZERO_STRUCT(auth_blob);
1228 ZERO_STRUCT(auth_reply);
1229 ZERO_STRUCT(response);
1230
1231 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1232 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1233 goto err;
1234 }
1235
1236 /* Grab the SPNEGO blob. */
1237 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1238
1239 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1240 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1241 (unsigned int)p->hdr.auth_len ));
1242 goto err;
1243 }
1244
1245 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1246 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1247 goto err;
1248 }
1249
1250 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1251 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1252 goto err;
1253 }
1254
1255 /*
1256 * The following call actually checks the challenge/response data.
1257 * for correctness against the given DOMAIN\user name.
1258 */
1259
1260 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1261 goto err;
1262 }
1263
1264 data_blob_free(&spnego_blob);
1265 data_blob_free(&auth_blob);
1266
1267 /* Generate the spnego "accept completed" blob - no incoming data. */
1268 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1269
1270 /* Copy the blob into the pout_auth parse struct */
1271 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1272 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1273 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1274 goto err;
1275 }
1276
1277 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1278 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1279 goto err;
1280 }
1281
1282 data_blob_free(&auth_reply);
1283 data_blob_free(&response);
1284
1285 p->pipe_bound = True;
1286
1287 return True;
1288
1289 err:
1290
1291 data_blob_free(&spnego_blob);
1292 data_blob_free(&auth_blob);
1293 data_blob_free(&auth_reply);
1294 data_blob_free(&response);
1295
1296 free_pipe_ntlmssp_auth_data(&p->auth);
1297 p->auth.a_u.auth_ntlmssp_state = NULL;
1298
1299 return False;
1300 }
1301
1302 /*******************************************************************
1303 Handle an schannel bind auth.
1304 *******************************************************************/
1305
1306 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1307 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1308 {
1309 RPC_HDR_AUTH auth_info;
1310 RPC_AUTH_SCHANNEL_NEG neg;
1311 RPC_AUTH_VERIFIER auth_verifier;
1312 BOOL ret;
1313 struct dcinfo *pdcinfo;
1314 uint32 flags;
1315
1316 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1317 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1318 return False;
1319 }
1320
1321 /*
1322 * The neg.myname key here must match the remote computer name
1323 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1324 * operations that use credentials.
1325 */
1326
1327 become_root();
1328 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1329 unbecome_root();
1330
1331 if (!ret) {
1332 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1333 return False;
1334 }
1335
1336 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1337 if (!p->auth.a_u.schannel_auth) {
1338 TALLOC_FREE(pdcinfo);
1339 return False;
1340 }
1341
1342 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1343 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1344 sizeof(pdcinfo->sess_key));
1345
1346 TALLOC_FREE(pdcinfo);
1347
1348 p->auth.a_u.schannel_auth->seq_num = 0;
1349
1350 /*
1351 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1352 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1353 * struct of the person who opened the pipe. I need to test this further. JRA.
1354 */
1355
1356 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1357 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1358 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1359 return False;
1360 }
1361
1362 /*** SCHANNEL verifier ***/
1363
1364 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1365 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1366 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1367 return False;
1368 }
1369
1370 prs_align(pout_auth);
1371
1372 flags = 5;
1373 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1374 return False;
1375 }
1376
1377 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1378 neg.domain, neg.myname));
1379
1380 /* We're finished with this bind - no more packets. */
1381 p->auth.auth_data_free_func = NULL;
1382 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1383
1384 p->pipe_bound = True;
1385
1386 return True;
1387 }
1388
1389 /*******************************************************************
1390 Handle an NTLMSSP bind auth.
1391 *******************************************************************/
1392
1393 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1394 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1395 {
1396 RPC_HDR_AUTH auth_info;
1397 DATA_BLOB blob;
1398 DATA_BLOB response;
1399 NTSTATUS status;
1400 AUTH_NTLMSSP_STATE *a = NULL;
1401
1402 ZERO_STRUCT(blob);
1403 ZERO_STRUCT(response);
1404
1405 /* Grab the NTLMSSP blob. */
1406 blob = data_blob(NULL,p->hdr.auth_len);
1407
1408 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1409 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1410 (unsigned int)p->hdr.auth_len ));
1411 goto err;
1412 }
1413
1414 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1415 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1416 goto err;
1417 }
1418
1419 /* We have an NTLMSSP blob. */
1420 status = auth_ntlmssp_start(&a);
1421 if (!NT_STATUS_IS_OK(status)) {
1422 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1423 nt_errstr(status) ));
1424 goto err;
1425 }
1426
1427 status = auth_ntlmssp_update(a, blob, &response);
1428 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1429 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1430 nt_errstr(status) ));
1431 goto err;
1432 }
1433
1434 data_blob_free(&blob);
1435
1436 /* Copy the blob into the pout_auth parse struct */
1437 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1438 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1439 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1440 goto err;
1441 }
1442
1443 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1444 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1445 goto err;
1446 }
1447
1448 p->auth.a_u.auth_ntlmssp_state = a;
1449 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1450 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1451
1452 data_blob_free(&blob);
1453 data_blob_free(&response);
1454
1455 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1456
1457 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1458 return True;
1459
1460 err:
1461
1462 data_blob_free(&blob);
1463 data_blob_free(&response);
1464
1465 free_pipe_ntlmssp_auth_data(&p->auth);
1466 p->auth.a_u.auth_ntlmssp_state = NULL;
1467 return False;
1468 }
1469
1470 /*******************************************************************
1471 Respond to a pipe bind request.
1472 *******************************************************************/
1473
1474 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1475 {
1476 RPC_HDR_BA hdr_ba;
1477 RPC_HDR_RB hdr_rb;
1478 RPC_HDR_AUTH auth_info;
1479 uint16 assoc_gid;
1480 fstring ack_pipe_name;
1481 prs_struct out_hdr_ba;
1482 prs_struct out_auth;
1483 prs_struct outgoing_rpc;
1484 int i = 0;
1485 int auth_len = 0;
1486 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1487
1488 /* No rebinds on a bound pipe - use alter context. */
1489 if (p->pipe_bound) {
1490 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1491 return setup_bind_nak(p);
1492 }
1493
1494 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1495
1496 /*
1497 * Marshall directly into the outgoing PDU space. We
1498 * must do this as we need to set to the bind response
1499 * header and are never sending more than one PDU here.
1500 */
1501
1502 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1503
1504 /*
1505 * Setup the memory to marshall the ba header, and the
1506 * auth footers.
1507 */
1508
1509 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1510 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1511 prs_mem_free(&outgoing_rpc);
1512 return False;
1513 }
1514
1515 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1516 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1517 prs_mem_free(&outgoing_rpc);
1518 prs_mem_free(&out_hdr_ba);
1519 return False;
1520 }
1521
1522 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1523
1524 /*
1525 * Try and find the correct pipe name to ensure
1526 * that this is a pipe name we support.
1527 */
1528
1529
1530 for (i = 0; i < rpc_lookup_size; i++) {
1531 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1532 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1533 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1534 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1535 break;
1536 }
1537 }
1538
1539 if (i == rpc_lookup_size) {
1540 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1541 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1542 p->name ));
1543 prs_mem_free(&outgoing_rpc);
1544 prs_mem_free(&out_hdr_ba);
1545 prs_mem_free(&out_auth);
1546
1547 return setup_bind_nak(p);
1548 }
1549
1550 for (i = 0; i < rpc_lookup_size; i++) {
1551 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1552 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1553 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1554 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1555 break;
1556 }
1557 }
1558
1559 if (i == rpc_lookup_size) {
1560 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1561 goto err_exit;
1562 }
1563 }
1564
1565 /* decode the bind request */
1566 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1567 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1568 goto err_exit;
1569 }
1570
1571 /* name has to be \PIPE\xxxxx */
1572 fstrcpy(ack_pipe_name, "\\PIPE\\");
1573 fstrcat(ack_pipe_name, p->pipe_srv_name);
1574
1575 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1576
1577 /*
1578 * Check if this is an authenticated bind request.
1579 */
1580
1581 if (p->hdr.auth_len) {
1582 /*
1583 * Decode the authentication verifier.
1584 */
1585
1586 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1587 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1588 goto err_exit;
1589 }
1590
1591 auth_type = auth_info.auth_type;
1592
1593 /* Work out if we have to sign or seal etc. */
1594 switch (auth_info.auth_level) {
1595 case RPC_AUTH_LEVEL_INTEGRITY:
1596 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1597 break;
1598 case RPC_AUTH_LEVEL_PRIVACY:
1599 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1600 break;
1601 default:
1602 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1603 (unsigned int)auth_info.auth_level ));
1604 goto err_exit;
1605 }
1606 } else {
1607 ZERO_STRUCT(auth_info);
1608 }
1609
1610 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1611
1612 switch(auth_type) {
1613 case RPC_NTLMSSP_AUTH_TYPE:
1614 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1615 goto err_exit;
1616 }
1617 assoc_gid = 0x7a77;
1618 break;
1619
1620 case RPC_SCHANNEL_AUTH_TYPE:
1621 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1622 goto err_exit;
1623 }
1624 break;
1625
1626 case RPC_SPNEGO_AUTH_TYPE:
1627 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1628 goto err_exit;
1629 }
1630 break;
1631
1632 case RPC_ANONYMOUS_AUTH_TYPE:
1633 /* Unauthenticated bind request. */
1634 /* Get the authenticated pipe user from current_user */
1635 if (!copy_current_user(&p->pipe_user, &current_user)) {
1636 DEBUG(10, ("Could not copy current user\n"));
1637 goto err_exit;
1638 }
1639 /* We're finished - no more packets. */
1640 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1641 /* We must set the pipe auth_level here also. */
1642 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1643 p->pipe_bound = True;
1644 /* The session key was initialized from the SMB
1645 * session in make_internal_rpc_pipe_p */
1646 break;
1647
1648 default:
1649 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1650 goto err_exit;
1651 }
1652
1653 /*
1654 * Create the bind response struct.
1655 */
1656
1657 /* If the requested abstract synt uuid doesn't match our client pipe,
1658 reject the bind_ack & set the transfer interface synt to all 0's,
1659 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1660 unknown to NT4)
1661 Needed when adding entries to a DACL from NT5 - SK */
1662
1663 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1664 hdr_rb.rpc_context[0].context_id )) {
1665 init_rpc_hdr_ba(&hdr_ba,
1666 RPC_MAX_PDU_FRAG_LEN,
1667 RPC_MAX_PDU_FRAG_LEN,
1668 assoc_gid,
1669 ack_pipe_name,
1670 0x1, 0x0, 0x0,
1671 &hdr_rb.rpc_context[0].transfer[0]);
1672 } else {
1673 RPC_IFACE null_interface;
1674 ZERO_STRUCT(null_interface);
1675 /* Rejection reason: abstract syntax not supported */
1676 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1677 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1678 ack_pipe_name, 0x1, 0x2, 0x1,
1679 &null_interface);
1680 p->pipe_bound = False;
1681 }
1682
1683 /*
1684 * and marshall it.
1685 */
1686
1687 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1688 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1689 goto err_exit;
1690 }
1691
1692 /*
1693 * Create the header, now we know the length.
1694 */
1695
1696 if (prs_offset(&out_auth)) {
1697 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1698 }
1699
1700 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1701 p->hdr.call_id,
1702 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1703 auth_len);
1704
1705 /*
1706 * Marshall the header into the outgoing PDU.
1707 */
1708
1709 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1710 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1711 goto err_exit;
1712 }
1713
1714 /*
1715 * Now add the RPC_HDR_BA and any auth needed.
1716 */
1717
1718 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1719 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1720 goto err_exit;
1721 }
1722
1723 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1724 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1725 goto err_exit;
1726 }
1727
1728 /*
1729 * Setup the lengths for the initial reply.
1730 */
1731
1732 p->out_data.data_sent_length = 0;
1733 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1734 p->out_data.current_pdu_sent = 0;
1735
1736 prs_mem_free(&out_hdr_ba);
1737 prs_mem_free(&out_auth);
1738
1739 return True;
1740
1741 err_exit:
1742
1743 prs_mem_free(&outgoing_rpc);
1744 prs_mem_free(&out_hdr_ba);
1745 prs_mem_free(&out_auth);
1746 return setup_bind_nak(p);
1747 }
1748
1749 /****************************************************************************
1750 Deal with an alter context call. Can be third part of 3 leg auth request for
1751 SPNEGO calls.
1752 ****************************************************************************/
1753
1754 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1755 {
1756 RPC_HDR_BA hdr_ba;
1757 RPC_HDR_RB hdr_rb;
1758 RPC_HDR_AUTH auth_info;
1759 uint16 assoc_gid;
1760 fstring ack_pipe_name;
1761 prs_struct out_hdr_ba;
1762 prs_struct out_auth;
1763 prs_struct outgoing_rpc;
1764 int auth_len = 0;
1765
1766 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1767
1768 /*
1769 * Marshall directly into the outgoing PDU space. We
1770 * must do this as we need to set to the bind response
1771 * header and are never sending more than one PDU here.
1772 */
1773
1774 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1775
1776 /*
1777 * Setup the memory to marshall the ba header, and the
1778 * auth footers.
1779 */
1780
1781 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1782 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1783 prs_mem_free(&outgoing_rpc);
1784 return False;
1785 }
1786
1787 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1788 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1789 prs_mem_free(&outgoing_rpc);
1790 prs_mem_free(&out_hdr_ba);
1791 return False;
1792 }
1793
1794 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1795
1796 /* decode the alter context request */
1797 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1798 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1799 goto err_exit;
1800 }
1801
1802 /* secondary address CAN be NULL
1803 * as the specs say it's ignored.
1804 * It MUST be NULL to have the spoolss working.
1805 */
1806 fstrcpy(ack_pipe_name,"");
1807
1808 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1809
1810 /*
1811 * Check if this is an authenticated alter context request.
1812 */
1813
1814 if (p->hdr.auth_len != 0) {
1815 /*
1816 * Decode the authentication verifier.
1817 */
1818
1819 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1820 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1821 goto err_exit;
1822 }
1823
1824 /*
1825 * Currently only the SPNEGO auth type uses the alter ctx
1826 * response in place of the NTLMSSP auth3 type.
1827 */
1828
1829 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1830 /* We can only finish if the pipe is unbound. */
1831 if (!p->pipe_bound) {
1832 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1833 goto err_exit;
1834 }
1835 } else {
1836 goto err_exit;
1837 }
1838 }
1839 } else {
1840 ZERO_STRUCT(auth_info);
1841 }
1842
1843 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1844
1845 /*
1846 * Create the bind response struct.
1847 */
1848
1849 /* If the requested abstract synt uuid doesn't match our client pipe,
1850 reject the bind_ack & set the transfer interface synt to all 0's,
1851 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1852 unknown to NT4)
1853 Needed when adding entries to a DACL from NT5 - SK */
1854
1855 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1856 hdr_rb.rpc_context[0].context_id )) {
1857 init_rpc_hdr_ba(&hdr_ba,
1858 RPC_MAX_PDU_FRAG_LEN,
1859 RPC_MAX_PDU_FRAG_LEN,
1860 assoc_gid,
1861 ack_pipe_name,
1862 0x1, 0x0, 0x0,
1863 &hdr_rb.rpc_context[0].transfer[0]);
1864 } else {
1865 RPC_IFACE null_interface;
1866 ZERO_STRUCT(null_interface);
1867 /* Rejection reason: abstract syntax not supported */
1868 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1869 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1870 ack_pipe_name, 0x1, 0x2, 0x1,
1871 &null_interface);
1872 p->pipe_bound = False;
1873 }
1874
1875 /*
1876 * and marshall it.
1877 */
1878
1879 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1880 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1881 goto err_exit;
1882 }
1883
1884 /*
1885 * Create the header, now we know the length.
1886 */
1887
1888 if (prs_offset(&out_auth)) {
1889 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1890 }
1891
1892 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1893 p->hdr.call_id,
1894 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1895 auth_len);
1896
1897 /*
1898 * Marshall the header into the outgoing PDU.
1899 */
1900
1901 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1902 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1903 goto err_exit;
1904 }
1905
1906 /*
1907 * Now add the RPC_HDR_BA and any auth needed.
1908 */
1909
1910 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1911 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1912 goto err_exit;
1913 }
1914
1915 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1916 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1917 goto err_exit;
1918 }
1919
1920 /*
1921 * Setup the lengths for the initial reply.
1922 */
1923
1924 p->out_data.data_sent_length = 0;
1925 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1926 p->out_data.current_pdu_sent = 0;
1927
1928 prs_mem_free(&out_hdr_ba);
1929 prs_mem_free(&out_auth);
1930
1931 return True;
1932
1933 err_exit:
1934
1935 prs_mem_free(&outgoing_rpc);
1936 prs_mem_free(&out_hdr_ba);
1937 prs_mem_free(&out_auth);
1938 return setup_bind_nak(p);
1939 }
1940
1941 /****************************************************************************
1942 Deal with NTLMSSP sign & seal processing on an RPC request.
1943 ****************************************************************************/
1944
1945 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1946 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1947 {
1948 RPC_HDR_AUTH auth_info;
1949 uint32 auth_len = p->hdr.auth_len;
1950 uint32 save_offset = prs_offset(rpc_in);
1951 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1952 unsigned char *data = NULL;
1953 size_t data_len;
1954 unsigned char *full_packet_data = NULL;
1955 size_t full_packet_data_len;
1956 DATA_BLOB auth_blob;
1957
1958 *pstatus = NT_STATUS_OK;
1959
1960 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1961 return True;
1962 }
1963
1964 if (!a) {
1965 *pstatus = NT_STATUS_INVALID_PARAMETER;
1966 return False;
1967 }
1968
1969 /* Ensure there's enough data for an authenticated request. */
1970 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1971 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1972 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1973 (unsigned int)auth_len ));
1974 *pstatus = NT_STATUS_INVALID_PARAMETER;
1975 return False;
1976 }
1977
1978 /*
1979 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1980 * after the RPC header.
1981 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1982 * functions as NTLMv2 checks the rpc headers also.
1983 */
1984
1985 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
1986 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
1987
1988 full_packet_data = p->in_data.current_in_pdu;
1989 full_packet_data_len = p->hdr.frag_len - auth_len;
1990
1991 /* Pull the auth header and the following data into a blob. */
1992 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1993 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
1994 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
1995 *pstatus = NT_STATUS_INVALID_PARAMETER;
1996 return False;
1997 }
1998
1999 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2000 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2001 *pstatus = NT_STATUS_INVALID_PARAMETER;
2002 return False;
2003 }
2004
2005 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2006 auth_blob.length = auth_len;
2007
2008 switch (p->auth.auth_level) {
2009 case PIPE_AUTH_LEVEL_PRIVACY:
2010 /* Data is encrypted. */
2011 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2012 data, data_len,
2013 full_packet_data,
2014 full_packet_data_len,
2015 &auth_blob);
2016 if (!NT_STATUS_IS_OK(*pstatus)) {
2017 return False;
2018 }
2019 break;
2020 case PIPE_AUTH_LEVEL_INTEGRITY:
2021 /* Data is signed. */
2022 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2023 data, data_len,
2024 full_packet_data,
2025 full_packet_data_len,
2026 &auth_blob);
2027 if (!NT_STATUS_IS_OK(*pstatus)) {
2028 return False;
2029 }
2030 break;
2031 default:
2032 *pstatus = NT_STATUS_INVALID_PARAMETER;
2033 return False;
2034 }
2035
2036 /*
2037 * Return the current pointer to the data offset.
2038 */
2039
2040 if(!prs_set_offset(rpc_in, save_offset)) {
2041 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2042 (unsigned int)save_offset ));
2043 *pstatus = NT_STATUS_INVALID_PARAMETER;
2044 return False;
2045 }
2046
2047 /*
2048 * Remember the padding length. We must remove it from the real data
2049 * stream once the sign/seal is done.
2050 */
2051
2052 *p_ss_padding_len = auth_info.auth_pad_len;
2053
2054 return True;
2055 }
2056
2057 /****************************************************************************
2058 Deal with schannel processing on an RPC request.
2059 ****************************************************************************/
2060
2061 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2062 {
2063 uint32 data_len;
2064 uint32 auth_len;
2065 uint32 save_offset = prs_offset(rpc_in);
2066 RPC_HDR_AUTH auth_info;
2067 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2068
2069 auth_len = p->hdr.auth_len;
2070
2071 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2072 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2073 return False;
2074 }
2075
2076 /*
2077 * The following is that length of the data we must verify or unseal.
2078 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2079 * preceeding the auth_data.
2080 */
2081
2082 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2083 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2084 (unsigned int)p->hdr.frag_len,
2085 (unsigned int)auth_len ));
2086 return False;
2087 }
2088
2089 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2090 RPC_HDR_AUTH_LEN - auth_len;
2091
2092 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2093
2094 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2095 DEBUG(0,("cannot move offset to %u.\n",
2096 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2097 return False;
2098 }
2099
2100 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2101 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2102 return False;
2103 }
2104
2105 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2106 DEBUG(0,("Invalid auth info %d on schannel\n",
2107 auth_info.auth_type));
2108 return False;
2109 }
2110
2111 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2112 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2113 return False;
2114 }
2115
2116 if (!schannel_decode(p->auth.a_u.schannel_auth,
2117 p->auth.auth_level,
2118 SENDER_IS_INITIATOR,
2119 &schannel_chk,
2120 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2121 DEBUG(3,("failed to decode PDU\n"));
2122 return False;
2123 }
2124
2125 /*
2126 * Return the current pointer to the data offset.
2127 */
2128
2129 if(!prs_set_offset(rpc_in, save_offset)) {
2130 DEBUG(0,("failed to set offset back to %u\n",
2131 (unsigned int)save_offset ));
2132 return False;
2133 }
2134
2135 /* The sequence number gets incremented on both send and receive. */
2136 p->auth.a_u.schannel_auth->seq_num++;
2137
2138 /*
2139 * Remember the padding length. We must remove it from the real data
2140 * stream once the sign/seal is done.
2141 */
2142
2143 *p_ss_padding_len = auth_info.auth_pad_len;
2144
2145 return True;
2146 }
2147
2148 /****************************************************************************
2149 Return a user struct for a pipe user.
2150 ****************************************************************************/
2151
2152 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2153 {
2154 if (p->pipe_bound &&
2155 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2156 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2157 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2158 } else {
2159 memcpy(user, &current_user, sizeof(struct current_user));
2160 }
2161
2162 return user;
2163 }
2164
2165 /****************************************************************************
2166 Find the set of RPC functions associated with this context_id
2167 ****************************************************************************/
2168
2169 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2170 {
2171 PIPE_RPC_FNS *fns = NULL;
2172 PIPE_RPC_FNS *tmp = NULL;
2173
2174 if ( !list ) {
2175 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2176 return NULL;
2177 }
2178
2179 for (tmp=list; tmp; tmp=tmp->next ) {
2180 if ( tmp->context_id == context_id )
2181 break;
2182 }
2183
2184 fns = tmp;
2185
2186 return fns;
2187 }
2188
2189 /****************************************************************************
2190 Memory cleanup.
2191 ****************************************************************************/
2192
2193 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2194 {
2195 PIPE_RPC_FNS *tmp = list;
2196 PIPE_RPC_FNS *tmp2;
2197
2198 while (tmp) {
2199 tmp2 = tmp->next;
2200 SAFE_FREE(tmp);
2201 tmp = tmp2;
2202 }
2203
2204 return;
2205 }
2206
2207 /****************************************************************************
2208 Find the correct RPC function to call for this request.
2209 If the pipe is authenticated then become the correct UNIX user
2210 before doing the call.
2211 ****************************************************************************/
2212
2213 BOOL api_pipe_request(pipes_struct *p)
2214 {
2215 BOOL ret = False;
2216 BOOL changed_user = False;
2217 PIPE_RPC_FNS *pipe_fns;
2218
2219 if (p->pipe_bound &&
2220 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2221 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2222 if(!become_authenticated_pipe_user(p)) {
2223 prs_mem_free(&p->out_data.rdata);
2224 return False;
2225 }
2226 changed_user = True;
2227 }
2228
2229 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2230
2231 /* get the set of RPC functions for this context */
2232
2233 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2234
2235 if ( pipe_fns ) {
2236 TALLOC_CTX *frame = talloc_stackframe();
2237 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2238 TALLOC_FREE(frame);
2239 }
2240 else {
2241 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2242 p->hdr_req.context_id, p->name));
2243 }
2244
2245 if (changed_user) {
2246 unbecome_authenticated_pipe_user();
2247 }
2248
2249 return ret;
2250 }
2251
2252 /*******************************************************************
2253 Calls the underlying RPC function for a named pipe.
2254 ********************************************************************/
2255
2256 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2257 const struct api_struct *api_rpc_cmds, int n_cmds)
2258 {
2259 int fn_num;
2260 fstring name;
2261 uint32 offset1, offset2;
2262
2263 /* interpret the command */
2264 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2265
2266 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2267 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2268
2269 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2270 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2271 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2272 break;
2273 }
2274 }
2275
2276 if (fn_num == n_cmds) {
2277 /*
2278 * For an unknown RPC just return a fault PDU but
2279 * return True to allow RPC's on the pipe to continue
2280 * and not put the pipe into fault state. JRA.
2281 */
2282 DEBUG(4, ("unknown\n"));
2283 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2284 return True;
2285 }
2286
2287 offset1 = prs_offset(&p->out_data.rdata);
2288
2289 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2290 fn_num, api_rpc_cmds[fn_num].fn));
2291 /* do the actual command */
2292 if(!api_rpc_cmds[fn_num].fn(p)) {
2293 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2294 prs_mem_free(&p->out_data.rdata);
2295 return False;
2296 }
2297
2298 if (p->bad_handle_fault_state) {
2299 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2300 p->bad_handle_fault_state = False;
2301 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2302 return True;
2303 }
2304
2305 if (p->rng_fault_state) {
2306 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2307 p->rng_fault_state = False;
2308 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2309 return True;
2310 }
2311
2312 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2313 offset2 = prs_offset(&p->out_data.rdata);
2314 prs_set_offset(&p->out_data.rdata, offset1);
2315 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2316 prs_set_offset(&p->out_data.rdata, offset2);
2317
2318 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2319
2320 /* Check for buffer underflow in rpc parsing */
2321
2322 if ((DEBUGLEVEL >= 10) &&
2323 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2324 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2325 char *data = (char *)SMB_MALLOC(data_len);
2326
2327 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2328 if (data) {
2329 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2330 SAFE_FREE(data);
2331 }
2332
2333 }
2334
2335 return True;
2336 }
2337
2338 /*******************************************************************
2339 *******************************************************************/
2340
2341 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2342 {
2343 struct api_struct *cmds = NULL;
2344 int n_cmds = 0;
2345
2346 switch ( idx ) {
2347 case PI_LSARPC:
2348 lsa_get_pipe_fns( &cmds, &n_cmds );
2349 break;
2350 case PI_LSARPC_DS:
2351 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2352 break;
2353 case PI_SAMR:
2354 samr_get_pipe_fns( &cmds, &n_cmds );
2355 break;
2356 case PI_NETLOGON:
2357 netlog_get_pipe_fns( &cmds, &n_cmds );
2358 break;
2359 case PI_SRVSVC:
2360 srvsvc2_get_pipe_fns( &cmds, &n_cmds );
2361 break;
2362 case PI_WKSSVC:
2363 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2364 break;
2365 case PI_WINREG:
2366 winreg_get_pipe_fns( &cmds, &n_cmds );
2367 break;
2368 case PI_SPOOLSS:
2369 spoolss_get_pipe_fns( &cmds, &n_cmds );
2370 break;
2371 case PI_NETDFS:
2372 netdfs_get_pipe_fns( &cmds, &n_cmds );
2373 break;
2374 case PI_SVCCTL:
2375 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2376 break;
2377 case PI_EVENTLOG:
2378 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2379 break;
2380 case PI_NTSVCS:
2381 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2382 break;
2383 #ifdef DEVELOPER
2384 case PI_RPCECHO:
2385 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2386 break;
2387 #endif
2388 default:
2389 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2390 }
2391
2392 *fns = cmds;
2393 *n_fns = n_cmds;
2394
2395 return;
2396 }
reg import