netapi: add example code for NetUserModalsGet and NetUserModalsSet.
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blobbe7d3db4443e4d4bc6d2ad55e7d50e7e45f47d05
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
30 #include "includes.h"
32 extern struct current_user current_user;
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41 if (a) {
42 auth_ntlmssp_end(&a);
44 auth->a_u.auth_ntlmssp_state = NULL;
47 static DATA_BLOB generic_session_key(void)
49 return data_blob("SystemLibraryDTC", 16);
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
94 * Work out how much we can fit in a single PDU.
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
100 * Ensure there really is data left to send.
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
116 data_len = MIN(data_len_left, data_space_available);
119 * Set up the alloc hint. This should be the data left to
120 * send.
123 hdr_resp.alloc_hint = data_len_left;
126 * Work out if this PDU will be the last.
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
139 * Set up the header lengths.
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
149 * Init the parse struct to point at the outgoing
150 * data.
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
169 /* Copy the data into the PDU. */
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
210 /* Generate the sign blob. */
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
255 data_blob_free(&auth_blob);
258 * Setup the counts for this PDU.
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
265 prs_mem_free(&outgoing_pdu);
266 return True;
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
274 static bool create_next_pdu_schannel(pipes_struct *p)
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
307 * Work out how much we can fit in a single PDU.
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
313 * Ensure there really is data left to send.
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
329 data_len = MIN(data_len_left, data_space_available);
332 * Set up the alloc hint. This should be the data left to
333 * send.
336 hdr_resp.alloc_hint = data_len_left;
339 * Work out if this PDU will be the last.
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
356 * Init the parse struct to point at the outgoing
357 * data.
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
379 /* Copy the data into the PDU. */
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
400 * Schannel processing.
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
432 p->auth.a_u.schannel_auth->seq_num++;
436 * Setup the counts for this PDU.
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
443 prs_mem_free(&outgoing_pdu);
444 return True;
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
452 static bool create_next_pdu_noauth(pipes_struct *p)
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
483 * Work out how much we can fit in a single PDU.
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
489 * Ensure there really is data left to send.
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
504 data_len = MIN(data_len_left, data_space_available);
507 * Set up the alloc hint. This should be the data left to
508 * send.
511 hdr_resp.alloc_hint = data_len_left;
514 * Work out if this PDU will be the last.
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
522 * Set up the header lengths.
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
529 * Init the parse struct to point at the outgoing
530 * data.
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
549 /* Copy the data into the PDU. */
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
558 * Setup the counts for this PDU.
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
565 prs_mem_free(&outgoing_pdu);
566 return True;
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
573 bool create_next_pdu(pipes_struct *p)
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
615 ZERO_STRUCT(reply);
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
655 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
656 "workstation: %s\n", a->ntlmssp_state->user,
657 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
660 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
663 p->pipe_user.ut.uid = a->server_info->utok.uid;
664 p->pipe_user.ut.gid = a->server_info->utok.gid;
666 p->pipe_user.ut.ngroups = a->server_info->utok.ngroups;
667 if (p->pipe_user.ut.ngroups) {
668 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(
669 a->server_info->utok.groups,
670 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
671 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
672 return False;
676 if (a->server_info->ptok) {
677 p->pipe_user.nt_user_token =
678 dup_nt_token(NULL, a->server_info->ptok);
679 } else {
680 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
681 p->pipe_user.nt_user_token = NULL;
682 return False;
685 TALLOC_FREE(p->server_info);
687 p->server_info = copy_serverinfo(p, a->server_info);
688 if (p->server_info == NULL) {
689 DEBUG(0, ("copy_serverinfo failed\n"));
690 return false;
694 * We're an authenticated bind over smb, so the session key needs to
695 * be set to "SystemLibraryDTC". Weird, but this is what Windows
696 * does. See the RPC-SAMBA3SESSIONKEY.
699 session_key = generic_session_key();
700 if (session_key.data == NULL) {
701 return False;
704 ret = server_info_set_session_key(p->server_info, session_key);
706 data_blob_free(&session_key);
708 return True;
711 /*******************************************************************
712 The switch table for the pipe names and the functions to handle them.
713 *******************************************************************/
715 struct rpc_table {
716 struct {
717 const char *clnt;
718 const char *srv;
719 } pipe;
720 struct ndr_syntax_id rpc_interface;
721 const struct api_struct *cmds;
722 int n_cmds;
725 static struct rpc_table *rpc_lookup;
726 static int rpc_lookup_size;
728 /*******************************************************************
729 This is the "stage3" NTLMSSP response after a bind request and reply.
730 *******************************************************************/
732 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
734 RPC_HDR_AUTH auth_info;
735 uint32 pad;
736 DATA_BLOB blob;
738 ZERO_STRUCT(blob);
740 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
742 if (p->hdr.auth_len == 0) {
743 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
744 goto err;
747 /* 4 bytes padding. */
748 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
749 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
750 goto err;
754 * Decode the authentication verifier response.
757 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
758 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
759 goto err;
762 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
763 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
764 (unsigned int)auth_info.auth_type ));
765 return False;
768 blob = data_blob(NULL,p->hdr.auth_len);
770 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
771 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
772 (unsigned int)p->hdr.auth_len ));
773 goto err;
777 * The following call actually checks the challenge/response data.
778 * for correctness against the given DOMAIN\user name.
781 if (!pipe_ntlmssp_verify_final(p, &blob)) {
782 goto err;
785 data_blob_free(&blob);
787 p->pipe_bound = True;
789 return True;
791 err:
793 data_blob_free(&blob);
794 free_pipe_ntlmssp_auth_data(&p->auth);
795 p->auth.a_u.auth_ntlmssp_state = NULL;
797 return False;
800 /*******************************************************************
801 Marshall a bind_nak pdu.
802 *******************************************************************/
804 static bool setup_bind_nak(pipes_struct *p)
806 prs_struct outgoing_rpc;
807 RPC_HDR nak_hdr;
808 uint16 zero = 0;
810 /* Free any memory in the current return data buffer. */
811 prs_mem_free(&p->out_data.rdata);
814 * Marshall directly into the outgoing PDU space. We
815 * must do this as we need to set to the bind response
816 * header and are never sending more than one PDU here.
819 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
820 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
823 * Initialize a bind_nak header.
826 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
827 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
830 * Marshall the header into the outgoing PDU.
833 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
834 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
835 prs_mem_free(&outgoing_rpc);
836 return False;
840 * Now add the reject reason.
843 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
844 prs_mem_free(&outgoing_rpc);
845 return False;
848 p->out_data.data_sent_length = 0;
849 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
850 p->out_data.current_pdu_sent = 0;
852 if (p->auth.auth_data_free_func) {
853 (*p->auth.auth_data_free_func)(&p->auth);
855 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
856 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
857 p->pipe_bound = False;
859 return True;
862 /*******************************************************************
863 Marshall a fault pdu.
864 *******************************************************************/
866 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
868 prs_struct outgoing_pdu;
869 RPC_HDR fault_hdr;
870 RPC_HDR_RESP hdr_resp;
871 RPC_HDR_FAULT fault_resp;
873 /* Free any memory in the current return data buffer. */
874 prs_mem_free(&p->out_data.rdata);
877 * Marshall directly into the outgoing PDU space. We
878 * must do this as we need to set to the bind response
879 * header and are never sending more than one PDU here.
882 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
883 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
886 * Initialize a fault header.
889 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
890 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
893 * Initialize the HDR_RESP and FAULT parts of the PDU.
896 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
898 fault_resp.status = status;
899 fault_resp.reserved = 0;
902 * Marshall the header into the outgoing PDU.
905 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
906 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
907 prs_mem_free(&outgoing_pdu);
908 return False;
911 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
912 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
913 prs_mem_free(&outgoing_pdu);
914 return False;
917 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
919 prs_mem_free(&outgoing_pdu);
920 return False;
923 p->out_data.data_sent_length = 0;
924 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
925 p->out_data.current_pdu_sent = 0;
927 prs_mem_free(&outgoing_pdu);
928 return True;
931 #if 0
932 /*******************************************************************
933 Marshall a cancel_ack pdu.
934 We should probably check the auth-verifier here.
935 *******************************************************************/
937 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
939 prs_struct outgoing_pdu;
940 RPC_HDR ack_reply_hdr;
942 /* Free any memory in the current return data buffer. */
943 prs_mem_free(&p->out_data.rdata);
946 * Marshall directly into the outgoing PDU space. We
947 * must do this as we need to set to the bind response
948 * header and are never sending more than one PDU here.
951 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
952 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
955 * Initialize a cancel_ack header.
958 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
959 p->hdr.call_id, RPC_HEADER_LEN, 0);
962 * Marshall the header into the outgoing PDU.
965 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
966 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
967 prs_mem_free(&outgoing_pdu);
968 return False;
971 p->out_data.data_sent_length = 0;
972 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
973 p->out_data.current_pdu_sent = 0;
975 prs_mem_free(&outgoing_pdu);
976 return True;
978 #endif
980 /*******************************************************************
981 Ensure a bind request has the correct abstract & transfer interface.
982 Used to reject unknown binds from Win2k.
983 *******************************************************************/
985 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
986 RPC_IFACE* transfer, uint32 context_id)
988 int i=0;
989 struct pipe_rpc_fns *context_fns;
991 DEBUG(3,("check_bind_req for %s\n", p->name));
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
995 for (i=0; i<rpc_lookup_size; i++) {
996 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
997 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
998 && ndr_syntax_id_equal(
999 abstract, &rpc_lookup[i].rpc_interface)
1000 && ndr_syntax_id_equal(
1001 transfer, &ndr_transfer_syntax)) {
1002 break;
1006 if (i == rpc_lookup_size) {
1007 return false;
1010 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1011 if (context_fns == NULL) {
1012 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1013 return False;
1016 context_fns->cmds = rpc_lookup[i].cmds;
1017 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1018 context_fns->context_id = context_id;
1020 /* add to the list of open contexts */
1022 DLIST_ADD( p->contexts, context_fns );
1024 return True;
1027 /*******************************************************************
1028 Register commands to an RPC pipe
1029 *******************************************************************/
1031 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt,
1032 const char *srv,
1033 const struct ndr_syntax_id *interface,
1034 const struct api_struct *cmds, int size)
1036 struct rpc_table *rpc_entry;
1038 if (!clnt || !srv || !cmds) {
1039 return NT_STATUS_INVALID_PARAMETER;
1042 if (version != SMB_RPC_INTERFACE_VERSION) {
1043 DEBUG(0,("Can't register rpc commands!\n"
1044 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1045 ", while this version of samba uses version %d!\n",
1046 version,SMB_RPC_INTERFACE_VERSION));
1047 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1050 /* TODO:
1052 * we still need to make sure that don't register the same commands twice!!!
1054 * --metze
1057 /* We use a temporary variable because this call can fail and
1058 rpc_lookup will still be valid afterwards. It could then succeed if
1059 called again later */
1060 rpc_lookup_size++;
1061 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1062 if (NULL == rpc_entry) {
1063 rpc_lookup_size--;
1064 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1065 return NT_STATUS_NO_MEMORY;
1066 } else {
1067 rpc_lookup = rpc_entry;
1070 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1071 ZERO_STRUCTP(rpc_entry);
1072 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1073 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1074 rpc_entry->rpc_interface = *interface;
1075 rpc_entry->cmds = cmds;
1076 rpc_entry->n_cmds = size;
1078 return NT_STATUS_OK;
1082 * Is a named pipe known?
1083 * @param[in] cli_filename The pipe name requested by the client
1084 * @result Do we want to serve this?
1086 bool is_known_pipename(const char *cli_filename)
1088 const char *pipename = cli_filename;
1089 int i;
1091 if (strnequal(pipename, "\\PIPE\\", 6)) {
1092 pipename += 5;
1095 if (*pipename == '\\') {
1096 pipename += 1;
1099 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1100 DEBUG(10, ("refusing spoolss access\n"));
1101 return false;
1104 for (i=0; i<rpc_lookup_size; i++) {
1105 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1106 return true;
1110 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1111 return false;
1114 /*******************************************************************
1115 Handle a SPNEGO krb5 bind auth.
1116 *******************************************************************/
1118 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1119 DATA_BLOB *psecblob, prs_struct *pout_auth)
1121 return False;
1124 /*******************************************************************
1125 Handle the first part of a SPNEGO bind auth.
1126 *******************************************************************/
1128 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1129 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1131 DATA_BLOB blob;
1132 DATA_BLOB secblob;
1133 DATA_BLOB response;
1134 DATA_BLOB chal;
1135 char *OIDs[ASN1_MAX_OIDS];
1136 int i;
1137 NTSTATUS status;
1138 bool got_kerberos_mechanism = false;
1139 AUTH_NTLMSSP_STATE *a = NULL;
1140 RPC_HDR_AUTH auth_info;
1142 ZERO_STRUCT(secblob);
1143 ZERO_STRUCT(chal);
1144 ZERO_STRUCT(response);
1146 /* Grab the SPNEGO blob. */
1147 blob = data_blob(NULL,p->hdr.auth_len);
1149 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1150 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1151 (unsigned int)p->hdr.auth_len ));
1152 goto err;
1155 if (blob.data[0] != ASN1_APPLICATION(0)) {
1156 goto err;
1159 /* parse out the OIDs and the first sec blob */
1160 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1161 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1162 goto err;
1165 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1166 got_kerberos_mechanism = true;
1169 for (i=0;OIDs[i];i++) {
1170 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1171 SAFE_FREE(OIDs[i]);
1173 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1175 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1176 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1177 data_blob_free(&secblob);
1178 data_blob_free(&blob);
1179 return ret;
1182 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1183 /* Free any previous auth type. */
1184 free_pipe_ntlmssp_auth_data(&p->auth);
1187 if (!got_kerberos_mechanism) {
1188 /* Initialize the NTLM engine. */
1189 status = auth_ntlmssp_start(&a);
1190 if (!NT_STATUS_IS_OK(status)) {
1191 goto err;
1195 * Pass the first security blob of data to it.
1196 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1197 * which means we need another packet to complete the bind.
1200 status = auth_ntlmssp_update(a, secblob, &chal);
1202 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1203 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1204 goto err;
1207 /* Generate the response blob we need for step 2 of the bind. */
1208 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1209 } else {
1211 * SPNEGO negotiate down to NTLMSSP. The subsequent
1212 * code to process follow-up packets is not complete
1213 * yet. JRA.
1215 response = spnego_gen_auth_response(NULL,
1216 NT_STATUS_MORE_PROCESSING_REQUIRED,
1217 OID_NTLMSSP);
1220 /* Copy the blob into the pout_auth parse struct */
1221 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1222 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1223 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1224 goto err;
1227 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1228 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1229 goto err;
1232 p->auth.a_u.auth_ntlmssp_state = a;
1233 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1234 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1236 data_blob_free(&blob);
1237 data_blob_free(&secblob);
1238 data_blob_free(&chal);
1239 data_blob_free(&response);
1241 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1242 return True;
1244 err:
1246 data_blob_free(&blob);
1247 data_blob_free(&secblob);
1248 data_blob_free(&chal);
1249 data_blob_free(&response);
1251 p->auth.a_u.auth_ntlmssp_state = NULL;
1253 return False;
1256 /*******************************************************************
1257 Handle the second part of a SPNEGO bind auth.
1258 *******************************************************************/
1260 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1261 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1263 RPC_HDR_AUTH auth_info;
1264 DATA_BLOB spnego_blob;
1265 DATA_BLOB auth_blob;
1266 DATA_BLOB auth_reply;
1267 DATA_BLOB response;
1268 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1270 ZERO_STRUCT(spnego_blob);
1271 ZERO_STRUCT(auth_blob);
1272 ZERO_STRUCT(auth_reply);
1273 ZERO_STRUCT(response);
1276 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1277 * fail here as 'a' == NULL.
1279 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1280 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1281 goto err;
1284 /* Grab the SPNEGO blob. */
1285 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1287 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1288 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1289 (unsigned int)p->hdr.auth_len ));
1290 goto err;
1293 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1294 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1295 goto err;
1298 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1299 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1300 goto err;
1304 * The following call actually checks the challenge/response data.
1305 * for correctness against the given DOMAIN\user name.
1308 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1309 goto err;
1312 data_blob_free(&spnego_blob);
1313 data_blob_free(&auth_blob);
1315 /* Generate the spnego "accept completed" blob - no incoming data. */
1316 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1318 /* Copy the blob into the pout_auth parse struct */
1319 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1320 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1321 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1322 goto err;
1325 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1326 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1327 goto err;
1330 data_blob_free(&auth_reply);
1331 data_blob_free(&response);
1333 p->pipe_bound = True;
1335 return True;
1337 err:
1339 data_blob_free(&spnego_blob);
1340 data_blob_free(&auth_blob);
1341 data_blob_free(&auth_reply);
1342 data_blob_free(&response);
1344 free_pipe_ntlmssp_auth_data(&p->auth);
1345 p->auth.a_u.auth_ntlmssp_state = NULL;
1347 return False;
1350 /*******************************************************************
1351 Handle an schannel bind auth.
1352 *******************************************************************/
1354 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1355 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1357 RPC_HDR_AUTH auth_info;
1358 RPC_AUTH_SCHANNEL_NEG neg;
1359 RPC_AUTH_VERIFIER auth_verifier;
1360 bool ret;
1361 struct dcinfo *pdcinfo;
1362 uint32 flags;
1363 DATA_BLOB session_key;
1365 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1366 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1367 return False;
1371 * The neg.myname key here must match the remote computer name
1372 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1373 * operations that use credentials.
1376 become_root();
1377 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1378 unbecome_root();
1380 if (!ret) {
1381 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1382 return False;
1385 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1386 if (!p->auth.a_u.schannel_auth) {
1387 TALLOC_FREE(pdcinfo);
1388 return False;
1391 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1392 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1393 sizeof(pdcinfo->sess_key));
1395 TALLOC_FREE(pdcinfo);
1397 p->auth.a_u.schannel_auth->seq_num = 0;
1400 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1401 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1402 * struct of the person who opened the pipe. I need to test this further. JRA.
1404 * VL. As we are mapping this to guest set the generic key
1405 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1406 * W2k3, as it does not allow schannel binds against SAMR and LSA
1407 * anymore.
1410 session_key = generic_session_key();
1411 if (session_key.data == NULL) {
1412 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1413 " key\n"));
1414 return false;
1417 ret = server_info_set_session_key(p->server_info, session_key);
1419 data_blob_free(&session_key);
1421 if (!ret) {
1422 DEBUG(0, ("server_info_set_session_key failed\n"));
1423 return false;
1426 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1427 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1428 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1429 return False;
1432 /*** SCHANNEL verifier ***/
1434 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1435 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1436 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1437 return False;
1440 prs_align(pout_auth);
1442 flags = 5;
1443 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1444 return False;
1447 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1448 neg.domain, neg.myname));
1450 /* We're finished with this bind - no more packets. */
1451 p->auth.auth_data_free_func = NULL;
1452 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1454 p->pipe_bound = True;
1456 return True;
1459 /*******************************************************************
1460 Handle an NTLMSSP bind auth.
1461 *******************************************************************/
1463 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1464 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1466 RPC_HDR_AUTH auth_info;
1467 DATA_BLOB blob;
1468 DATA_BLOB response;
1469 NTSTATUS status;
1470 AUTH_NTLMSSP_STATE *a = NULL;
1472 ZERO_STRUCT(blob);
1473 ZERO_STRUCT(response);
1475 /* Grab the NTLMSSP blob. */
1476 blob = data_blob(NULL,p->hdr.auth_len);
1478 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1479 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1480 (unsigned int)p->hdr.auth_len ));
1481 goto err;
1484 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1485 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1486 goto err;
1489 /* We have an NTLMSSP blob. */
1490 status = auth_ntlmssp_start(&a);
1491 if (!NT_STATUS_IS_OK(status)) {
1492 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1493 nt_errstr(status) ));
1494 goto err;
1497 status = auth_ntlmssp_update(a, blob, &response);
1498 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1499 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1500 nt_errstr(status) ));
1501 goto err;
1504 data_blob_free(&blob);
1506 /* Copy the blob into the pout_auth parse struct */
1507 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1508 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1509 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1510 goto err;
1513 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1514 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1515 goto err;
1518 p->auth.a_u.auth_ntlmssp_state = a;
1519 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1520 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1522 data_blob_free(&blob);
1523 data_blob_free(&response);
1525 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1527 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1528 return True;
1530 err:
1532 data_blob_free(&blob);
1533 data_blob_free(&response);
1535 free_pipe_ntlmssp_auth_data(&p->auth);
1536 p->auth.a_u.auth_ntlmssp_state = NULL;
1537 return False;
1540 /*******************************************************************
1541 Respond to a pipe bind request.
1542 *******************************************************************/
1544 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1546 RPC_HDR_BA hdr_ba;
1547 RPC_HDR_RB hdr_rb;
1548 RPC_HDR_AUTH auth_info;
1549 uint16 assoc_gid;
1550 fstring ack_pipe_name;
1551 prs_struct out_hdr_ba;
1552 prs_struct out_auth;
1553 prs_struct outgoing_rpc;
1554 int i = 0;
1555 int auth_len = 0;
1556 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1558 /* No rebinds on a bound pipe - use alter context. */
1559 if (p->pipe_bound) {
1560 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1561 return setup_bind_nak(p);
1564 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1567 * Marshall directly into the outgoing PDU space. We
1568 * must do this as we need to set to the bind response
1569 * header and are never sending more than one PDU here.
1572 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1575 * Setup the memory to marshall the ba header, and the
1576 * auth footers.
1579 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1580 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1581 prs_mem_free(&outgoing_rpc);
1582 return False;
1585 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1586 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1587 prs_mem_free(&outgoing_rpc);
1588 prs_mem_free(&out_hdr_ba);
1589 return False;
1592 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1594 ZERO_STRUCT(hdr_rb);
1596 /* decode the bind request */
1598 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1599 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1600 "struct.\n"));
1601 goto err_exit;
1604 if (hdr_rb.num_contexts == 0) {
1605 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1606 goto err_exit;
1610 * Try and find the correct pipe name to ensure
1611 * that this is a pipe name we support.
1614 for (i = 0; i < rpc_lookup_size; i++) {
1615 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1616 &hdr_rb.rpc_context[0].abstract)) {
1617 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1618 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1619 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1620 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1621 break;
1625 if (i == rpc_lookup_size) {
1626 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1627 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1628 p->name ));
1629 prs_mem_free(&outgoing_rpc);
1630 prs_mem_free(&out_hdr_ba);
1631 prs_mem_free(&out_auth);
1633 return setup_bind_nak(p);
1636 for (i = 0; i < rpc_lookup_size; i++) {
1637 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1638 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1639 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1640 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1641 break;
1645 if (i == rpc_lookup_size) {
1646 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1647 goto err_exit;
1651 /* name has to be \PIPE\xxxxx */
1652 fstrcpy(ack_pipe_name, "\\PIPE\\");
1653 fstrcat(ack_pipe_name, p->pipe_srv_name);
1655 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1658 * Check if this is an authenticated bind request.
1661 if (p->hdr.auth_len) {
1663 * Decode the authentication verifier.
1666 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1667 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1668 goto err_exit;
1671 auth_type = auth_info.auth_type;
1673 /* Work out if we have to sign or seal etc. */
1674 switch (auth_info.auth_level) {
1675 case RPC_AUTH_LEVEL_INTEGRITY:
1676 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1677 break;
1678 case RPC_AUTH_LEVEL_PRIVACY:
1679 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1680 break;
1681 default:
1682 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1683 (unsigned int)auth_info.auth_level ));
1684 goto err_exit;
1686 } else {
1687 ZERO_STRUCT(auth_info);
1690 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1692 switch(auth_type) {
1693 case RPC_NTLMSSP_AUTH_TYPE:
1694 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1695 goto err_exit;
1697 assoc_gid = 0x7a77;
1698 break;
1700 case RPC_SCHANNEL_AUTH_TYPE:
1701 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1702 goto err_exit;
1704 break;
1706 case RPC_SPNEGO_AUTH_TYPE:
1707 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1708 goto err_exit;
1710 break;
1712 case RPC_ANONYMOUS_AUTH_TYPE:
1713 /* Unauthenticated bind request. */
1714 /* Get the authenticated pipe user from current_user */
1715 if (!copy_current_user(&p->pipe_user, &current_user)) {
1716 DEBUG(10, ("Could not copy current user\n"));
1717 goto err_exit;
1719 /* We're finished - no more packets. */
1720 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1721 /* We must set the pipe auth_level here also. */
1722 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1723 p->pipe_bound = True;
1724 /* The session key was initialized from the SMB
1725 * session in make_internal_rpc_pipe_p */
1726 break;
1728 default:
1729 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1730 goto err_exit;
1734 * Create the bind response struct.
1737 /* If the requested abstract synt uuid doesn't match our client pipe,
1738 reject the bind_ack & set the transfer interface synt to all 0's,
1739 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1740 unknown to NT4)
1741 Needed when adding entries to a DACL from NT5 - SK */
1743 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1744 hdr_rb.rpc_context[0].context_id )) {
1745 init_rpc_hdr_ba(&hdr_ba,
1746 RPC_MAX_PDU_FRAG_LEN,
1747 RPC_MAX_PDU_FRAG_LEN,
1748 assoc_gid,
1749 ack_pipe_name,
1750 0x1, 0x0, 0x0,
1751 &hdr_rb.rpc_context[0].transfer[0]);
1752 } else {
1753 RPC_IFACE null_interface;
1754 ZERO_STRUCT(null_interface);
1755 /* Rejection reason: abstract syntax not supported */
1756 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1757 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1758 ack_pipe_name, 0x1, 0x2, 0x1,
1759 &null_interface);
1760 p->pipe_bound = False;
1764 * and marshall it.
1767 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1768 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1769 goto err_exit;
1773 * Create the header, now we know the length.
1776 if (prs_offset(&out_auth)) {
1777 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1780 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1781 p->hdr.call_id,
1782 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1783 auth_len);
1786 * Marshall the header into the outgoing PDU.
1789 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1790 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1791 goto err_exit;
1795 * Now add the RPC_HDR_BA and any auth needed.
1798 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1799 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1800 goto err_exit;
1803 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1804 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1805 goto err_exit;
1809 * Setup the lengths for the initial reply.
1812 p->out_data.data_sent_length = 0;
1813 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1814 p->out_data.current_pdu_sent = 0;
1816 prs_mem_free(&out_hdr_ba);
1817 prs_mem_free(&out_auth);
1819 return True;
1821 err_exit:
1823 prs_mem_free(&outgoing_rpc);
1824 prs_mem_free(&out_hdr_ba);
1825 prs_mem_free(&out_auth);
1826 return setup_bind_nak(p);
1829 /****************************************************************************
1830 Deal with an alter context call. Can be third part of 3 leg auth request for
1831 SPNEGO calls.
1832 ****************************************************************************/
1834 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1836 RPC_HDR_BA hdr_ba;
1837 RPC_HDR_RB hdr_rb;
1838 RPC_HDR_AUTH auth_info;
1839 uint16 assoc_gid;
1840 fstring ack_pipe_name;
1841 prs_struct out_hdr_ba;
1842 prs_struct out_auth;
1843 prs_struct outgoing_rpc;
1844 int auth_len = 0;
1846 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1849 * Marshall directly into the outgoing PDU space. We
1850 * must do this as we need to set to the bind response
1851 * header and are never sending more than one PDU here.
1854 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1857 * Setup the memory to marshall the ba header, and the
1858 * auth footers.
1861 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1862 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1863 prs_mem_free(&outgoing_rpc);
1864 return False;
1867 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1868 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1869 prs_mem_free(&outgoing_rpc);
1870 prs_mem_free(&out_hdr_ba);
1871 return False;
1874 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1876 /* decode the alter context request */
1877 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1878 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1879 goto err_exit;
1882 /* secondary address CAN be NULL
1883 * as the specs say it's ignored.
1884 * It MUST be NULL to have the spoolss working.
1886 fstrcpy(ack_pipe_name,"");
1888 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1891 * Check if this is an authenticated alter context request.
1894 if (p->hdr.auth_len != 0) {
1896 * Decode the authentication verifier.
1899 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1900 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1901 goto err_exit;
1905 * Currently only the SPNEGO auth type uses the alter ctx
1906 * response in place of the NTLMSSP auth3 type.
1909 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1910 /* We can only finish if the pipe is unbound. */
1911 if (!p->pipe_bound) {
1912 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1913 goto err_exit;
1915 } else {
1916 goto err_exit;
1919 } else {
1920 ZERO_STRUCT(auth_info);
1923 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1926 * Create the bind response struct.
1929 /* If the requested abstract synt uuid doesn't match our client pipe,
1930 reject the bind_ack & set the transfer interface synt to all 0's,
1931 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1932 unknown to NT4)
1933 Needed when adding entries to a DACL from NT5 - SK */
1935 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1936 hdr_rb.rpc_context[0].context_id )) {
1937 init_rpc_hdr_ba(&hdr_ba,
1938 RPC_MAX_PDU_FRAG_LEN,
1939 RPC_MAX_PDU_FRAG_LEN,
1940 assoc_gid,
1941 ack_pipe_name,
1942 0x1, 0x0, 0x0,
1943 &hdr_rb.rpc_context[0].transfer[0]);
1944 } else {
1945 RPC_IFACE null_interface;
1946 ZERO_STRUCT(null_interface);
1947 /* Rejection reason: abstract syntax not supported */
1948 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1949 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1950 ack_pipe_name, 0x1, 0x2, 0x1,
1951 &null_interface);
1952 p->pipe_bound = False;
1956 * and marshall it.
1959 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1960 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1961 goto err_exit;
1965 * Create the header, now we know the length.
1968 if (prs_offset(&out_auth)) {
1969 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1972 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1973 p->hdr.call_id,
1974 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1975 auth_len);
1978 * Marshall the header into the outgoing PDU.
1981 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1982 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1983 goto err_exit;
1987 * Now add the RPC_HDR_BA and any auth needed.
1990 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1991 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1992 goto err_exit;
1995 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1996 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1997 goto err_exit;
2001 * Setup the lengths for the initial reply.
2004 p->out_data.data_sent_length = 0;
2005 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
2006 p->out_data.current_pdu_sent = 0;
2008 prs_mem_free(&out_hdr_ba);
2009 prs_mem_free(&out_auth);
2011 return True;
2013 err_exit:
2015 prs_mem_free(&outgoing_rpc);
2016 prs_mem_free(&out_hdr_ba);
2017 prs_mem_free(&out_auth);
2018 return setup_bind_nak(p);
2021 /****************************************************************************
2022 Deal with NTLMSSP sign & seal processing on an RPC request.
2023 ****************************************************************************/
2025 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2026 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2028 RPC_HDR_AUTH auth_info;
2029 uint32 auth_len = p->hdr.auth_len;
2030 uint32 save_offset = prs_offset(rpc_in);
2031 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2032 unsigned char *data = NULL;
2033 size_t data_len;
2034 unsigned char *full_packet_data = NULL;
2035 size_t full_packet_data_len;
2036 DATA_BLOB auth_blob;
2038 *pstatus = NT_STATUS_OK;
2040 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2041 return True;
2044 if (!a) {
2045 *pstatus = NT_STATUS_INVALID_PARAMETER;
2046 return False;
2049 /* Ensure there's enough data for an authenticated request. */
2050 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2051 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2052 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2053 (unsigned int)auth_len ));
2054 *pstatus = NT_STATUS_INVALID_PARAMETER;
2055 return False;
2059 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2060 * after the RPC header.
2061 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2062 * functions as NTLMv2 checks the rpc headers also.
2065 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2066 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2068 full_packet_data = p->in_data.current_in_pdu;
2069 full_packet_data_len = p->hdr.frag_len - auth_len;
2071 /* Pull the auth header and the following data into a blob. */
2072 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2073 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2074 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2075 *pstatus = NT_STATUS_INVALID_PARAMETER;
2076 return False;
2079 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2080 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2081 *pstatus = NT_STATUS_INVALID_PARAMETER;
2082 return False;
2085 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2086 auth_blob.length = auth_len;
2088 switch (p->auth.auth_level) {
2089 case PIPE_AUTH_LEVEL_PRIVACY:
2090 /* Data is encrypted. */
2091 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2092 data, data_len,
2093 full_packet_data,
2094 full_packet_data_len,
2095 &auth_blob);
2096 if (!NT_STATUS_IS_OK(*pstatus)) {
2097 return False;
2099 break;
2100 case PIPE_AUTH_LEVEL_INTEGRITY:
2101 /* Data is signed. */
2102 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2103 data, data_len,
2104 full_packet_data,
2105 full_packet_data_len,
2106 &auth_blob);
2107 if (!NT_STATUS_IS_OK(*pstatus)) {
2108 return False;
2110 break;
2111 default:
2112 *pstatus = NT_STATUS_INVALID_PARAMETER;
2113 return False;
2117 * Return the current pointer to the data offset.
2120 if(!prs_set_offset(rpc_in, save_offset)) {
2121 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2122 (unsigned int)save_offset ));
2123 *pstatus = NT_STATUS_INVALID_PARAMETER;
2124 return False;
2128 * Remember the padding length. We must remove it from the real data
2129 * stream once the sign/seal is done.
2132 *p_ss_padding_len = auth_info.auth_pad_len;
2134 return True;
2137 /****************************************************************************
2138 Deal with schannel processing on an RPC request.
2139 ****************************************************************************/
2141 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2143 uint32 data_len;
2144 uint32 auth_len;
2145 uint32 save_offset = prs_offset(rpc_in);
2146 RPC_HDR_AUTH auth_info;
2147 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2149 auth_len = p->hdr.auth_len;
2151 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2152 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2153 return False;
2157 * The following is that length of the data we must verify or unseal.
2158 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2159 * preceeding the auth_data.
2162 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2163 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2164 (unsigned int)p->hdr.frag_len,
2165 (unsigned int)auth_len ));
2166 return False;
2169 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2170 RPC_HDR_AUTH_LEN - auth_len;
2172 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2174 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2175 DEBUG(0,("cannot move offset to %u.\n",
2176 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2177 return False;
2180 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2181 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2182 return False;
2185 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2186 DEBUG(0,("Invalid auth info %d on schannel\n",
2187 auth_info.auth_type));
2188 return False;
2191 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2192 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2193 return False;
2196 if (!schannel_decode(p->auth.a_u.schannel_auth,
2197 p->auth.auth_level,
2198 SENDER_IS_INITIATOR,
2199 &schannel_chk,
2200 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2201 DEBUG(3,("failed to decode PDU\n"));
2202 return False;
2206 * Return the current pointer to the data offset.
2209 if(!prs_set_offset(rpc_in, save_offset)) {
2210 DEBUG(0,("failed to set offset back to %u\n",
2211 (unsigned int)save_offset ));
2212 return False;
2215 /* The sequence number gets incremented on both send and receive. */
2216 p->auth.a_u.schannel_auth->seq_num++;
2219 * Remember the padding length. We must remove it from the real data
2220 * stream once the sign/seal is done.
2223 *p_ss_padding_len = auth_info.auth_pad_len;
2225 return True;
2228 /****************************************************************************
2229 Return a user struct for a pipe user.
2230 ****************************************************************************/
2232 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2234 if (p->pipe_bound &&
2235 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2236 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2237 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2238 } else {
2239 memcpy(user, &current_user, sizeof(struct current_user));
2242 return user;
2245 /****************************************************************************
2246 Find the set of RPC functions associated with this context_id
2247 ****************************************************************************/
2249 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2251 PIPE_RPC_FNS *fns = NULL;
2252 PIPE_RPC_FNS *tmp = NULL;
2254 if ( !list ) {
2255 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2256 return NULL;
2259 for (tmp=list; tmp; tmp=tmp->next ) {
2260 if ( tmp->context_id == context_id )
2261 break;
2264 fns = tmp;
2266 return fns;
2269 /****************************************************************************
2270 Memory cleanup.
2271 ****************************************************************************/
2273 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2275 PIPE_RPC_FNS *tmp = list;
2276 PIPE_RPC_FNS *tmp2;
2278 while (tmp) {
2279 tmp2 = tmp->next;
2280 SAFE_FREE(tmp);
2281 tmp = tmp2;
2284 return;
2287 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2288 const struct api_struct *api_rpc_cmds, int n_cmds);
2290 /****************************************************************************
2291 Find the correct RPC function to call for this request.
2292 If the pipe is authenticated then become the correct UNIX user
2293 before doing the call.
2294 ****************************************************************************/
2296 bool api_pipe_request(pipes_struct *p)
2298 bool ret = False;
2299 bool changed_user = False;
2300 PIPE_RPC_FNS *pipe_fns;
2302 if (p->pipe_bound &&
2303 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2304 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2305 if(!become_authenticated_pipe_user(p)) {
2306 prs_mem_free(&p->out_data.rdata);
2307 return False;
2309 changed_user = True;
2312 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2314 /* get the set of RPC functions for this context */
2316 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2318 if ( pipe_fns ) {
2319 TALLOC_CTX *frame = talloc_stackframe();
2320 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2321 TALLOC_FREE(frame);
2323 else {
2324 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2325 p->hdr_req.context_id, p->name));
2328 if (changed_user) {
2329 unbecome_authenticated_pipe_user();
2332 return ret;
2335 /*******************************************************************
2336 Calls the underlying RPC function for a named pipe.
2337 ********************************************************************/
2339 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2340 const struct api_struct *api_rpc_cmds, int n_cmds)
2342 int fn_num;
2343 fstring name;
2344 uint32 offset1, offset2;
2346 /* interpret the command */
2347 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2349 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2350 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2352 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2353 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2354 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2355 break;
2359 if (fn_num == n_cmds) {
2361 * For an unknown RPC just return a fault PDU but
2362 * return True to allow RPC's on the pipe to continue
2363 * and not put the pipe into fault state. JRA.
2365 DEBUG(4, ("unknown\n"));
2366 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2367 return True;
2370 offset1 = prs_offset(&p->out_data.rdata);
2372 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2373 fn_num, api_rpc_cmds[fn_num].fn));
2374 /* do the actual command */
2375 if(!api_rpc_cmds[fn_num].fn(p)) {
2376 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2377 prs_mem_free(&p->out_data.rdata);
2378 return False;
2381 if (p->bad_handle_fault_state) {
2382 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2383 p->bad_handle_fault_state = False;
2384 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2385 return True;
2388 if (p->rng_fault_state) {
2389 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2390 p->rng_fault_state = False;
2391 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2392 return True;
2395 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2396 offset2 = prs_offset(&p->out_data.rdata);
2397 prs_set_offset(&p->out_data.rdata, offset1);
2398 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2399 prs_set_offset(&p->out_data.rdata, offset2);
2401 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2403 /* Check for buffer underflow in rpc parsing */
2405 if ((DEBUGLEVEL >= 10) &&
2406 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2407 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2408 char *data = (char *)SMB_MALLOC(data_len);
2410 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2411 if (data) {
2412 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2413 SAFE_FREE(data);
2418 return True;