search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcli/cldap: make use of samba_tevent_context_init()
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob7cce1806e2891b9164f111188aa399976c9700a6
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../librpc/gen_ndr/dcerpc.h"
35 #include "../librpc/rpc/rpc_common.h"
36 #include "../libcli/auth/schannel.h"
37 #include "../libcli/auth/spnego.h"
38 #include "dcesrv_auth_generic.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43 #include "ntdomain.h"
44 #include "rpc_server/srv_pipe.h"
45 #include "rpc_server/rpc_contexts.h"
46 #include "lib/param/param.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_RPC_SRV
50
51 /**
52 * Dump everything from the start of the end up of the provided data
53 * into a file, but only at debug level >= 50
54 **/
55 static void dump_pdu_region(const char *name, int v,
56 DATA_BLOB *data, size_t start, size_t end)
57 {
58 int fd, i;
59 char *fname = NULL;
60 ssize_t sz;
61
62 if (DEBUGLEVEL < 50) return;
63
64 if (start > data->length || end > data->length || start > end) return;
65
66 for (i = 1; i < 100; i++) {
67 if (v != -1) {
68 fname = talloc_asprintf(talloc_tos(),
69 "/tmp/%s_%d.%d.prs",
70 name, v, i);
71 } else {
72 fname = talloc_asprintf(talloc_tos(),
73 "/tmp/%s_%d.prs",
74 name, i);
75 }
76 if (!fname) {
77 return;
78 }
79 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
80 if (fd != -1 || errno != EEXIST) break;
81 }
82 if (fd != -1) {
83 sz = write(fd, data->data + start, end - start);
84 i = close(fd);
85 if ((sz != end - start) || (i != 0) ) {
86 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
87 fname, (unsigned long)sz,
88 (unsigned long)end - start, i));
89 } else {
90 DEBUG(0,("created %s\n", fname));
91 }
92 }
93 TALLOC_FREE(fname);
94 }
95
96 static DATA_BLOB generic_session_key(void)
97 {
98 return data_blob_const("SystemLibraryDTC", 16);
99 }
100
101 /*******************************************************************
102 Generate the next PDU to be returned from the data.
103 ********************************************************************/
104
105 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
106 struct pipe_auth_data *auth,
107 uint32_t call_id,
108 DATA_BLOB *rdata,
109 size_t data_sent_length,
110 DATA_BLOB *frag,
111 size_t *pdu_size)
112 {
113 union dcerpc_payload u;
114 uint8_t pfc_flags;
115 size_t data_left;
116 size_t data_to_send;
117 size_t frag_len;
118 size_t pad_len = 0;
119 size_t auth_len = 0;
120 NTSTATUS status;
121
122 ZERO_STRUCT(u.response);
123
124 /* Set up rpc packet pfc flags. */
125 if (data_sent_length == 0) {
126 pfc_flags = DCERPC_PFC_FLAG_FIRST;
127 } else {
128 pfc_flags = 0;
129 }
130
131 /* Work out how much we can fit in a single PDU. */
132 data_left = rdata->length - data_sent_length;
133
134 /* Ensure there really is data left to send. */
135 if (!data_left) {
136 DEBUG(0, ("No data left to send !\n"));
137 return NT_STATUS_BUFFER_TOO_SMALL;
138 }
139
140 status = dcerpc_guess_sizes(auth,
141 DCERPC_RESPONSE_LENGTH,
142 data_left,
143 RPC_MAX_PDU_FRAG_LEN,
144 SERVER_NDR_PADDING_SIZE,
145 &data_to_send, &frag_len,
146 &auth_len, &pad_len);
147 if (!NT_STATUS_IS_OK(status)) {
148 return status;
149 }
150
151 /* Set up the alloc hint. This should be the data left to send. */
152 u.response.alloc_hint = data_left;
153
154 /* Work out if this PDU will be the last. */
155 if (data_sent_length + data_to_send >= rdata->length) {
156 pfc_flags |= DCERPC_PFC_FLAG_LAST;
157 }
158
159 /* Prepare data to be NDR encoded. */
160 u.response.stub_and_verifier =
161 data_blob_const(rdata->data + data_sent_length, data_to_send);
162
163 /* Store the packet in the data stream. */
164 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
165 pfc_flags, auth_len, call_id,
166 &u, frag);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
169 return status;
170 }
171
172 if (auth_len) {
173 /* Set the proper length on the pdu, including padding.
174 * Only needed if an auth trailer will be appended. */
175 dcerpc_set_frag_length(frag, frag->length
176 + pad_len
177 + DCERPC_AUTH_TRAILER_LENGTH
178 + auth_len);
179 }
180
181 if (auth_len) {
182 status = dcerpc_add_auth_footer(auth, pad_len, frag);
183 if (!NT_STATUS_IS_OK(status)) {
184 data_blob_free(frag);
185 return status;
186 }
187 }
188
189 *pdu_size = data_to_send;
190 return NT_STATUS_OK;
191 }
192
193 /*******************************************************************
194 Generate the next PDU to be returned from the data in p->rdata.
195 ********************************************************************/
196
197 bool create_next_pdu(struct pipes_struct *p)
198 {
199 size_t pdu_size = 0;
200 NTSTATUS status;
201
202 /*
203 * If we're in the fault state, keep returning fault PDU's until
204 * the pipe gets closed. JRA.
205 */
206 if (p->fault_state) {
207 setup_fault_pdu(p, NT_STATUS(p->fault_state));
208 return true;
209 }
210
211 status = create_next_packet(p->mem_ctx, &p->auth,
212 p->call_id, &p->out_data.rdata,
213 p->out_data.data_sent_length,
214 &p->out_data.frag, &pdu_size);
215 if (!NT_STATUS_IS_OK(status)) {
216 DEBUG(0, ("Failed to create packet with error %s, "
217 "(auth level %u / type %u)\n",
218 nt_errstr(status),
219 (unsigned int)p->auth.auth_level,
220 (unsigned int)p->auth.auth_type));
221 return false;
222 }
223
224 /* Setup the counts for this PDU. */
225 p->out_data.data_sent_length += pdu_size;
226 p->out_data.current_pdu_sent = 0;
227 return true;
228 }
229
230
231 static bool pipe_init_outgoing_data(struct pipes_struct *p);
232
233 /*******************************************************************
234 Marshall a bind_nak pdu.
235 *******************************************************************/
236
237 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
238 {
239 NTSTATUS status;
240 union dcerpc_payload u;
241
242 /* Free any memory in the current return data buffer. */
243 pipe_init_outgoing_data(p);
244
245 /*
246 * Initialize a bind_nak header.
247 */
248
249 ZERO_STRUCT(u);
250
251 u.bind_nak.reject_reason = 0;
252
253 /*
254 * Marshall directly into the outgoing PDU space. We
255 * must do this as we need to set to the bind response
256 * header and are never sending more than one PDU here.
257 */
258
259 status = dcerpc_push_ncacn_packet(p->mem_ctx,
260 DCERPC_PKT_BIND_NAK,
261 DCERPC_PFC_FLAG_FIRST |
262 DCERPC_PFC_FLAG_LAST,
263 0,
264 pkt->call_id,
265 &u,
266 &p->out_data.frag);
267 if (!NT_STATUS_IS_OK(status)) {
268 return False;
269 }
270
271 p->out_data.data_sent_length = 0;
272 p->out_data.current_pdu_sent = 0;
273
274 TALLOC_FREE(p->auth.auth_ctx);
275 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
276 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
277 p->pipe_bound = False;
278
279 return True;
280 }
281
282 /*******************************************************************
283 Marshall a fault pdu.
284 *******************************************************************/
285
286 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
287 {
288 NTSTATUS status;
289 union dcerpc_payload u;
290
291 /* Free any memory in the current return data buffer. */
292 pipe_init_outgoing_data(p);
293
294 /*
295 * Initialize a fault header.
296 */
297
298 ZERO_STRUCT(u);
299
300 u.fault.status = NT_STATUS_V(fault_status);
301 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
302
303 /*
304 * Marshall directly into the outgoing PDU space. We
305 * must do this as we need to set to the bind response
306 * header and are never sending more than one PDU here.
307 */
308
309 status = dcerpc_push_ncacn_packet(p->mem_ctx,
310 DCERPC_PKT_FAULT,
311 DCERPC_PFC_FLAG_FIRST |
312 DCERPC_PFC_FLAG_LAST |
313 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
314 0,
315 p->call_id,
316 &u,
317 &p->out_data.frag);
318 if (!NT_STATUS_IS_OK(status)) {
319 return False;
320 }
321
322 p->out_data.data_sent_length = 0;
323 p->out_data.current_pdu_sent = 0;
324
325 return True;
326 }
327
328 /*******************************************************************
329 Ensure a bind request has the correct abstract & transfer interface.
330 Used to reject unknown binds from Win2k.
331 *******************************************************************/
332
333 static bool check_bind_req(struct pipes_struct *p,
334 struct ndr_syntax_id* abstract,
335 struct ndr_syntax_id* transfer,
336 uint32_t context_id)
337 {
338 struct pipe_rpc_fns *context_fns;
339 bool ok;
340
341 DEBUG(3,("check_bind_req for %s\n",
342 get_pipe_name_from_syntax(talloc_tos(), abstract)));
343
344 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
345 if (rpc_srv_pipe_exists_by_id(abstract) &&
346 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax_ndr)) {
347 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
348 rpc_srv_get_pipe_cli_name(abstract),
349 rpc_srv_get_pipe_srv_name(abstract)));
350 } else {
351 return false;
352 }
353
354 ok = init_pipe_handles(p, abstract);
355 if (!ok) {
356 DEBUG(1, ("Failed to init pipe handles!\n"));
357 return false;
358 }
359
360 context_fns = talloc(p, struct pipe_rpc_fns);
361 if (context_fns == NULL) {
362 DEBUG(0,("check_bind_req: talloc() failed!\n"));
363 return false;
364 }
365
366 context_fns->next = context_fns->prev = NULL;
367 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
368 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
369 context_fns->context_id = context_id;
370 context_fns->syntax = *abstract;
371
372 /* add to the list of open contexts */
373
374 DLIST_ADD( p->contexts, context_fns );
375
376 return True;
377 }
378
379 /**
380 * Is a named pipe known?
381 * @param[in] pipename Just the filename
382 * @result Do we want to serve this?
383 */
384 bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
385 {
386 NTSTATUS status;
387
388 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
389 DEBUG(10, ("refusing spoolss access\n"));
390 return false;
391 }
392
393 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
394 return true;
395 }
396
397 status = smb_probe_module("rpc", pipename);
398 if (!NT_STATUS_IS_OK(status)) {
399 DEBUG(10, ("is_known_pipename: %s unknown\n", pipename));
400 return false;
401 }
402 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
403
404 /*
405 * Scan the list again for the interface id
406 */
407 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
408 return true;
409 }
410
411 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
412 pipename));
413
414 return false;
415 }
416
417 /*******************************************************************
418 Handle an schannel bind auth.
419 *******************************************************************/
420
421 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
422 TALLOC_CTX *mem_ctx,
423 struct dcerpc_auth *auth_info,
424 DATA_BLOB *response)
425 {
426 struct NL_AUTH_MESSAGE neg;
427 struct NL_AUTH_MESSAGE reply;
428 bool ret;
429 NTSTATUS status;
430 struct netlogon_creds_CredentialState *creds;
431 enum ndr_err_code ndr_err;
432 struct schannel_state *schannel_auth;
433 struct loadparm_context *lp_ctx;
434
435 ndr_err = ndr_pull_struct_blob(
436 &auth_info->credentials, mem_ctx, &neg,
437 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
438 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
439 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
440 return false;
441 }
442
443 if (DEBUGLEVEL >= 10) {
444 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
445 }
446
447 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
448 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
449 return false;
450 }
451
452 lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
453 if (!lp_ctx) {
454 DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
455 return false;
456 }
457
458 /*
459 * The neg.oem_netbios_computer.a key here must match the remote computer name
460 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
461 * operations that use credentials.
462 */
463
464 become_root();
465 status = schannel_get_creds_state(p, lp_ctx,
466 neg.oem_netbios_computer.a, &creds);
467 unbecome_root();
468
469 talloc_unlink(p, lp_ctx);
470 if (!NT_STATUS_IS_OK(status)) {
471 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
472 return False;
473 }
474
475 schannel_auth = talloc_zero(p, struct schannel_state);
476 if (!schannel_auth) {
477 TALLOC_FREE(creds);
478 return False;
479 }
480
481 schannel_auth->state = SCHANNEL_STATE_START;
482 schannel_auth->initiator = false;
483 schannel_auth->creds = creds;
484
485 /*
486 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
487 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
488 * struct of the person who opened the pipe. I need to test this further. JRA.
489 *
490 * VL. As we are mapping this to guest set the generic key
491 * "SystemLibraryDTC" key here. It's a bit difficult to test against
492 * W2k3, as it does not allow schannel binds against SAMR and LSA
493 * anymore.
494 */
495
496 ret = session_info_set_session_key(p->session_info, generic_session_key());
497
498 if (!ret) {
499 DEBUG(0, ("session_info_set_session_key failed\n"));
500 return false;
501 }
502
503 /*** SCHANNEL verifier ***/
504
505 reply.MessageType = NL_NEGOTIATE_RESPONSE;
506 reply.Flags = 0;
507 reply.Buffer.dummy = 5; /* ??? actually I don't think
508 * this has any meaning
509 * here - gd */
510
511 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
512 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
513 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
514 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
515 return false;
516 }
517
518 if (DEBUGLEVEL >= 10) {
519 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
520 }
521
522 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
523 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
524
525 /* We're finished with this bind - no more packets. */
526 p->auth.auth_ctx = schannel_auth;
527 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
528
529 p->pipe_bound = True;
530
531 return True;
532 }
533
534 /*******************************************************************
535 Handle an NTLMSSP bind auth.
536 *******************************************************************/
537
538 static bool pipe_auth_generic_bind(struct pipes_struct *p,
539 TALLOC_CTX *mem_ctx,
540 struct dcerpc_auth *auth_info,
541 DATA_BLOB *response)
542 {
543 struct gensec_security *gensec_security = NULL;
544 NTSTATUS status;
545
546 status = auth_generic_server_authtype_start(p,
547 auth_info->auth_type,
548 auth_info->auth_level,
549 &auth_info->credentials,
550 response,
551 p->remote_address,
552 &gensec_security);
553 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
554 DEBUG(0, (__location__ ": auth_generic_server_authtype_start failed: %s\n",
555 nt_errstr(status)));
556 return false;
557 }
558
559 /* Make sure data is bound to the memctx, to be freed the caller */
560 talloc_steal(mem_ctx, response->data);
561
562 p->auth.auth_ctx = gensec_security;
563 p->auth.auth_type = auth_info->auth_type;
564
565 return true;
566 }
567
568 /*******************************************************************
569 Process an NTLMSSP authentication response.
570 If this function succeeds, the user has been authenticated
571 and their domain, name and calling workstation stored in
572 the pipe struct.
573 *******************************************************************/
574
575 static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx,
576 struct gensec_security *gensec_security,
577 enum dcerpc_AuthLevel auth_level,
578 struct auth_session_info **session_info)
579 {
580 NTSTATUS status;
581 bool ret;
582
583 DEBUG(5, (__location__ ": checking user details\n"));
584
585 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
586 ensure the underlying NTLMSSP flags are also set. If not we should
587 refuse the bind. */
588
589 status = auth_generic_server_check_flags(gensec_security,
590 (auth_level ==
591 DCERPC_AUTH_LEVEL_INTEGRITY),
592 (auth_level ==
593 DCERPC_AUTH_LEVEL_PRIVACY));
594 if (!NT_STATUS_IS_OK(status)) {
595 DEBUG(0, (__location__ ": Client failed to negotatie proper "
596 "security for rpc connection\n"));
597 return false;
598 }
599
600 TALLOC_FREE(*session_info);
601
602 status = auth_generic_server_get_user_info(gensec_security,
603 mem_ctx, session_info);
604 if (!NT_STATUS_IS_OK(status)) {
605 DEBUG(0, (__location__ ": failed to obtain the server info "
606 "for authenticated user: %s\n", nt_errstr(status)));
607 return false;
608 }
609
610 if ((*session_info)->security_token == NULL) {
611 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
612 return false;
613 }
614
615 /*
616 * We're an authenticated bind over smb, so the session key needs to
617 * be set to "SystemLibraryDTC". Weird, but this is what Windows
618 * does. See the RPC-SAMBA3SESSIONKEY.
619 */
620
621 ret = session_info_set_session_key((*session_info), generic_session_key());
622 if (!ret) {
623 DEBUG(0, ("Failed to set session key!\n"));
624 return false;
625 }
626
627 return true;
628 }
629
630 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
631 {
632 struct gensec_security *gensec_security;
633
634 switch (p->auth.auth_type) {
635 case DCERPC_AUTH_TYPE_NTLMSSP:
636 case DCERPC_AUTH_TYPE_KRB5:
637 case DCERPC_AUTH_TYPE_SPNEGO:
638 gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
639 struct gensec_security);
640 if (!pipe_auth_generic_verify_final(p, gensec_security,
641 p->auth.auth_level,
642 &p->session_info)) {
643 return NT_STATUS_ACCESS_DENIED;
644 }
645 break;
646 default:
647 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
648 (unsigned int)p->auth.auth_type));
649 return NT_STATUS_ACCESS_DENIED;
650 }
651
652 p->pipe_bound = true;
653
654 return NT_STATUS_OK;
655 }
656
657 /*******************************************************************
658 Respond to a pipe bind request.
659 *******************************************************************/
660
661 static bool api_pipe_bind_req(struct pipes_struct *p,
662 struct ncacn_packet *pkt)
663 {
664 struct dcerpc_auth auth_info;
665 uint16 assoc_gid;
666 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
667 NTSTATUS status;
668 struct ndr_syntax_id id;
669 union dcerpc_payload u;
670 struct dcerpc_ack_ctx bind_ack_ctx;
671 DATA_BLOB auth_resp = data_blob_null;
672 DATA_BLOB auth_blob = data_blob_null;
673
674 /* No rebinds on a bound pipe - use alter context. */
675 if (p->pipe_bound) {
676 DEBUG(2,("Rejecting bind request on bound rpc connection\n"));
677 return setup_bind_nak(p, pkt);
678 }
679
680 if (pkt->u.bind.num_contexts == 0) {
681 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
682 goto err_exit;
683 }
684
685 /*
686 * Try and find the correct pipe name to ensure
687 * that this is a pipe name we support.
688 */
689 id = pkt->u.bind.ctx_list[0].abstract_syntax;
690 if (rpc_srv_pipe_exists_by_id(&id)) {
691 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
692 rpc_srv_get_pipe_cli_name(&id),
693 rpc_srv_get_pipe_srv_name(&id)));
694 } else {
695 status = smb_probe_module(
696 "rpc", get_pipe_name_from_syntax(
697 talloc_tos(),
698 &id));
699
700 if (NT_STATUS_IS_ERR(status)) {
701 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
702 "%s in bind request.\n",
703 get_pipe_name_from_syntax(talloc_tos(), &id)));
704
705 return setup_bind_nak(p, pkt);
706 }
707
708 if (rpc_srv_get_pipe_interface_by_cli_name(
709 get_pipe_name_from_syntax(talloc_tos(),
710 &id),
711 &id)) {
712 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
713 rpc_srv_get_pipe_cli_name(&id),
714 rpc_srv_get_pipe_srv_name(&id)));
715 } else {
716 DEBUG(0, ("module %s doesn't provide functions for "
717 "pipe %s!\n",
718 get_pipe_name_from_syntax(talloc_tos(), &id),
719 get_pipe_name_from_syntax(talloc_tos(), &id)));
720 return setup_bind_nak(p, pkt);
721 }
722 }
723
724 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
725
726 if (pkt->u.bind.assoc_group_id != 0) {
727 assoc_gid = pkt->u.bind.assoc_group_id;
728 } else {
729 assoc_gid = 0x53f0;
730 }
731
732 /*
733 * Create the bind response struct.
734 */
735
736 /* If the requested abstract synt uuid doesn't match our client pipe,
737 reject the bind_ack & set the transfer interface synt to all 0's,
738 ver 0 (observed when NT5 attempts to bind to abstract interfaces
739 unknown to NT4)
740 Needed when adding entries to a DACL from NT5 - SK */
741
742 if (check_bind_req(p,
743 &pkt->u.bind.ctx_list[0].abstract_syntax,
744 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
745 pkt->u.bind.ctx_list[0].context_id)) {
746
747 bind_ack_ctx.result = 0;
748 bind_ack_ctx.reason = 0;
749 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
750 } else {
751 p->pipe_bound = False;
752 /* Rejection reason: abstract syntax not supported */
753 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
754 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
755 bind_ack_ctx.syntax = ndr_syntax_id_null;
756 }
757
758 /*
759 * Check if this is an authenticated bind request.
760 */
761 if (pkt->auth_length) {
762 /* Quick length check. Won't catch a bad auth footer,
763 * prevents overrun. */
764
765 if (pkt->frag_length < RPC_HEADER_LEN +
766 DCERPC_AUTH_TRAILER_LENGTH +
767 pkt->auth_length) {
768 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
769 "too long for fragment %u.\n",
770 (unsigned int)pkt->auth_length,
771 (unsigned int)pkt->frag_length));
772 goto err_exit;
773 }
774
775 /*
776 * Decode the authentication verifier.
777 */
778 status = dcerpc_pull_dcerpc_auth(pkt,
779 &pkt->u.bind.auth_info,
780 &auth_info, p->endian);
781 if (!NT_STATUS_IS_OK(status)) {
782 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
783 goto err_exit;
784 }
785
786 auth_type = auth_info.auth_type;
787
788 /* Work out if we have to sign or seal etc. */
789 switch (auth_info.auth_level) {
790 case DCERPC_AUTH_LEVEL_INTEGRITY:
791 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
792 break;
793 case DCERPC_AUTH_LEVEL_PRIVACY:
794 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
795 break;
796 case DCERPC_AUTH_LEVEL_CONNECT:
797 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
798 break;
799 default:
800 DEBUG(0, ("Unexpected auth level (%u).\n",
801 (unsigned int)auth_info.auth_level ));
802 goto err_exit;
803 }
804
805 switch (auth_type) {
806 case DCERPC_AUTH_TYPE_NTLMSSP:
807 if (!pipe_auth_generic_bind(p, pkt,
808 &auth_info, &auth_resp)) {
809 goto err_exit;
810 }
811 assoc_gid = 0x7a77;
812 break;
813
814 case DCERPC_AUTH_TYPE_SCHANNEL:
815 if (!pipe_schannel_auth_bind(p, pkt,
816 &auth_info, &auth_resp)) {
817 goto err_exit;
818 }
819 break;
820
821 case DCERPC_AUTH_TYPE_SPNEGO:
822 case DCERPC_AUTH_TYPE_KRB5:
823 if (!pipe_auth_generic_bind(p, pkt,
824 &auth_info, &auth_resp)) {
825 goto err_exit;
826 }
827 break;
828
829 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
830 if (p->transport == NCALRPC && p->ncalrpc_as_system) {
831 TALLOC_FREE(p->session_info);
832
833 status = make_session_info_system(p,
834 &p->session_info);
835 if (!NT_STATUS_IS_OK(status)) {
836 goto err_exit;
837 }
838
839 auth_resp = data_blob_talloc(pkt,
840 "NCALRPC_AUTH_OK",
841 15);
842
843 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
844 p->pipe_bound = true;
845 } else {
846 goto err_exit;
847 }
848 break;
849
850 case DCERPC_AUTH_TYPE_NONE:
851 break;
852
853 default:
854 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
855 goto err_exit;
856 }
857 }
858
859 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
860 /* Unauthenticated bind request. */
861 /* We're finished - no more packets. */
862 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
863 /* We must set the pipe auth_level here also. */
864 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
865 p->pipe_bound = True;
866 /* The session key was initialized from the SMB
867 * session in make_internal_rpc_pipe_p */
868 }
869
870 ZERO_STRUCT(u.bind_ack);
871 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
872 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
873 u.bind_ack.assoc_group_id = assoc_gid;
874
875 /* name has to be \PIPE\xxxxx */
876 u.bind_ack.secondary_address =
877 talloc_asprintf(pkt, "\\PIPE\\%s",
878 rpc_srv_get_pipe_srv_name(&id));
879 if (!u.bind_ack.secondary_address) {
880 DEBUG(0, ("Out of memory!\n"));
881 goto err_exit;
882 }
883 u.bind_ack.secondary_address_size =
884 strlen(u.bind_ack.secondary_address) + 1;
885
886 u.bind_ack.num_results = 1;
887 u.bind_ack.ctx_list = &bind_ack_ctx;
888
889 /* NOTE: We leave the auth_info empty so we can calculate the padding
890 * later and then append the auth_info --simo */
891
892 /*
893 * Marshall directly into the outgoing PDU space. We
894 * must do this as we need to set to the bind response
895 * header and are never sending more than one PDU here.
896 */
897
898 status = dcerpc_push_ncacn_packet(p->mem_ctx,
899 DCERPC_PKT_BIND_ACK,
900 DCERPC_PFC_FLAG_FIRST |
901 DCERPC_PFC_FLAG_LAST,
902 auth_resp.length,
903 pkt->call_id,
904 &u,
905 &p->out_data.frag);
906 if (!NT_STATUS_IS_OK(status)) {
907 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
908 nt_errstr(status)));
909 }
910
911 if (auth_resp.length) {
912
913 status = dcerpc_push_dcerpc_auth(pkt,
914 auth_type,
915 auth_info.auth_level,
916 0,
917 1, /* auth_context_id */
918 &auth_resp,
919 &auth_blob);
920 if (!NT_STATUS_IS_OK(status)) {
921 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
922 goto err_exit;
923 }
924 }
925
926 /* Now that we have the auth len store it into the right place in
927 * the dcerpc header */
928 dcerpc_set_frag_length(&p->out_data.frag,
929 p->out_data.frag.length + auth_blob.length);
930
931 if (auth_blob.length) {
932
933 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
934 auth_blob.data, auth_blob.length)) {
935 DEBUG(0, ("Append of auth info failed.\n"));
936 goto err_exit;
937 }
938 }
939
940 /*
941 * Setup the lengths for the initial reply.
942 */
943
944 p->out_data.data_sent_length = 0;
945 p->out_data.current_pdu_sent = 0;
946
947 TALLOC_FREE(auth_blob.data);
948 return True;
949
950 err_exit:
951
952 data_blob_free(&p->out_data.frag);
953 TALLOC_FREE(auth_blob.data);
954 return setup_bind_nak(p, pkt);
955 }
956
957 /*******************************************************************
958 This is the "stage3" response after a bind request and reply.
959 *******************************************************************/
960
961 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
962 {
963 struct dcerpc_auth auth_info;
964 DATA_BLOB response = data_blob_null;
965 struct gensec_security *gensec_security;
966 NTSTATUS status;
967
968 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
969
970 if (pkt->auth_length == 0) {
971 DEBUG(0, ("No auth field sent for bind request!\n"));
972 goto err;
973 }
974
975 /* Ensure there's enough data for an authenticated request. */
976 if (pkt->frag_length < RPC_HEADER_LEN
977 + DCERPC_AUTH_TRAILER_LENGTH
978 + pkt->auth_length) {
979 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
980 "%u is too large.\n",
981 (unsigned int)pkt->auth_length));
982 goto err;
983 }
984
985 /*
986 * Decode the authentication verifier response.
987 */
988
989 status = dcerpc_pull_dcerpc_auth(pkt,
990 &pkt->u.auth3.auth_info,
991 &auth_info, p->endian);
992 if (!NT_STATUS_IS_OK(status)) {
993 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
994 goto err;
995 }
996
997 /* We must NEVER look at auth_info->auth_pad_len here,
998 * as old Samba client code gets it wrong and sends it
999 * as zero. JRA.
1000 */
1001
1002 if (auth_info.auth_type != p->auth.auth_type) {
1003 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1004 "but auth was started as type %d!\n",
1005 auth_info.auth_type, p->auth.auth_type));
1006 goto err;
1007 }
1008
1009 switch (auth_info.auth_type) {
1010 case DCERPC_AUTH_TYPE_NTLMSSP:
1011 case DCERPC_AUTH_TYPE_KRB5:
1012 case DCERPC_AUTH_TYPE_SPNEGO:
1013 gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
1014 struct gensec_security);
1015 status = auth_generic_server_step(gensec_security,
1016 pkt, &auth_info.credentials,
1017 &response);
1018 break;
1019 default:
1020 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1021 (unsigned int)auth_info.auth_type));
1022 return false;
1023 }
1024
1025 if (NT_STATUS_EQUAL(status,
1026 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1027 response.length) {
1028 DEBUG(0, (__location__ ": This was supposed to be the final "
1029 "leg, but crypto machinery claims a response is "
1030 "needed, aborting auth!\n"));
1031 data_blob_free(&response);
1032 goto err;
1033 }
1034 if (!NT_STATUS_IS_OK(status)) {
1035 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1036 goto err;
1037 }
1038
1039 /* Now verify auth was indeed successful and extract server info */
1040 status = pipe_auth_verify_final(p);
1041 if (!NT_STATUS_IS_OK(status)) {
1042 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1043 goto err;
1044 }
1045
1046 return true;
1047
1048 err:
1049
1050 TALLOC_FREE(p->auth.auth_ctx);
1051 return false;
1052 }
1053
1054 /****************************************************************************
1055 Deal with an alter context call. Can be third part of 3 leg auth request for
1056 SPNEGO calls.
1057 ****************************************************************************/
1058
1059 static bool api_pipe_alter_context(struct pipes_struct *p,
1060 struct ncacn_packet *pkt)
1061 {
1062 struct dcerpc_auth auth_info;
1063 uint16 assoc_gid;
1064 NTSTATUS status;
1065 union dcerpc_payload u;
1066 struct dcerpc_ack_ctx bind_ack_ctx;
1067 DATA_BLOB auth_resp = data_blob_null;
1068 DATA_BLOB auth_blob = data_blob_null;
1069 int pad_len = 0;
1070 struct gensec_security *gensec_security;
1071
1072 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1073
1074 if (pkt->u.bind.assoc_group_id != 0) {
1075 assoc_gid = pkt->u.bind.assoc_group_id;
1076 } else {
1077 assoc_gid = 0x53f0;
1078 }
1079
1080 /*
1081 * Create the bind response struct.
1082 */
1083
1084 /* If the requested abstract synt uuid doesn't match our client pipe,
1085 reject the bind_ack & set the transfer interface synt to all 0's,
1086 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1087 unknown to NT4)
1088 Needed when adding entries to a DACL from NT5 - SK */
1089
1090 if (check_bind_req(p,
1091 &pkt->u.bind.ctx_list[0].abstract_syntax,
1092 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1093 pkt->u.bind.ctx_list[0].context_id)) {
1094
1095 bind_ack_ctx.result = 0;
1096 bind_ack_ctx.reason = 0;
1097 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1098 } else {
1099 p->pipe_bound = False;
1100 /* Rejection reason: abstract syntax not supported */
1101 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1102 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1103 bind_ack_ctx.syntax = ndr_syntax_id_null;
1104 }
1105
1106 /*
1107 * Check if this is an authenticated alter context request.
1108 */
1109 if (pkt->auth_length) {
1110 /* Quick length check. Won't catch a bad auth footer,
1111 * prevents overrun. */
1112
1113 if (pkt->frag_length < RPC_HEADER_LEN +
1114 DCERPC_AUTH_TRAILER_LENGTH +
1115 pkt->auth_length) {
1116 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1117 "too long for fragment %u.\n",
1118 (unsigned int)pkt->auth_length,
1119 (unsigned int)pkt->frag_length ));
1120 goto err_exit;
1121 }
1122
1123 status = dcerpc_pull_dcerpc_auth(pkt,
1124 &pkt->u.bind.auth_info,
1125 &auth_info, p->endian);
1126 if (!NT_STATUS_IS_OK(status)) {
1127 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1128 goto err_exit;
1129 }
1130
1131 /* We can only finish if the pipe is unbound for now */
1132 if (p->pipe_bound) {
1133 DEBUG(0, (__location__ ": Pipe already bound, "
1134 "Altering Context not yet supported!\n"));
1135 goto err_exit;
1136 }
1137
1138 if (auth_info.auth_type != p->auth.auth_type) {
1139 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1140 "but auth was started as type %d!\n",
1141 auth_info.auth_type, p->auth.auth_type));
1142 goto err_exit;
1143 }
1144
1145
1146 switch (auth_info.auth_type) {
1147 case DCERPC_AUTH_TYPE_SPNEGO:
1148 case DCERPC_AUTH_TYPE_KRB5:
1149 case DCERPC_AUTH_TYPE_NTLMSSP:
1150 gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
1151 struct gensec_security);
1152 status = auth_generic_server_step(gensec_security,
1153 pkt,
1154 &auth_info.credentials,
1155 &auth_resp);
1156 break;
1157
1158 default:
1159 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1160 "in alter-context call\n",
1161 auth_info.auth_type));
1162 goto err_exit;
1163 }
1164
1165 if (NT_STATUS_IS_OK(status)) {
1166 /* third leg of auth, verify auth info */
1167 status = pipe_auth_verify_final(p);
1168 if (!NT_STATUS_IS_OK(status)) {
1169 DEBUG(0, ("Auth Verify failed (%s)\n",
1170 nt_errstr(status)));
1171 goto err_exit;
1172 }
1173 } else if (NT_STATUS_EQUAL(status,
1174 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1175 DEBUG(10, ("More auth legs required.\n"));
1176 } else {
1177 DEBUG(0, ("Auth step returned an error (%s)\n",
1178 nt_errstr(status)));
1179 goto err_exit;
1180 }
1181 }
1182
1183 ZERO_STRUCT(u.alter_resp);
1184 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1185 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1186 u.alter_resp.assoc_group_id = assoc_gid;
1187
1188 /* secondary address CAN be NULL
1189 * as the specs say it's ignored.
1190 * It MUST be NULL to have the spoolss working.
1191 */
1192 u.alter_resp.secondary_address = "";
1193 u.alter_resp.secondary_address_size = 1;
1194
1195 u.alter_resp.num_results = 1;
1196 u.alter_resp.ctx_list = &bind_ack_ctx;
1197
1198 /* NOTE: We leave the auth_info empty so we can calculate the padding
1199 * later and then append the auth_info --simo */
1200
1201 /*
1202 * Marshall directly into the outgoing PDU space. We
1203 * must do this as we need to set to the bind response
1204 * header and are never sending more than one PDU here.
1205 */
1206
1207 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1208 DCERPC_PKT_ALTER_RESP,
1209 DCERPC_PFC_FLAG_FIRST |
1210 DCERPC_PFC_FLAG_LAST,
1211 auth_resp.length,
1212 pkt->call_id,
1213 &u,
1214 &p->out_data.frag);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1217 nt_errstr(status)));
1218 }
1219
1220 if (auth_resp.length) {
1221
1222 /* Work out any padding needed before the auth footer. */
1223 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1224 if (pad_len) {
1225 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1226 DEBUG(10, ("auth pad_len = %u\n",
1227 (unsigned int)pad_len));
1228 }
1229
1230 status = dcerpc_push_dcerpc_auth(pkt,
1231 auth_info.auth_type,
1232 auth_info.auth_level,
1233 pad_len,
1234 1, /* auth_context_id */
1235 &auth_resp,
1236 &auth_blob);
1237 if (!NT_STATUS_IS_OK(status)) {
1238 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1239 goto err_exit;
1240 }
1241 }
1242
1243 /* Now that we have the auth len store it into the right place in
1244 * the dcerpc header */
1245 dcerpc_set_frag_length(&p->out_data.frag,
1246 p->out_data.frag.length +
1247 pad_len + auth_blob.length);
1248
1249 if (auth_resp.length) {
1250 if (pad_len) {
1251 char pad[SERVER_NDR_PADDING_SIZE];
1252 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1253 if (!data_blob_append(p->mem_ctx,
1254 &p->out_data.frag,
1255 pad, pad_len)) {
1256 DEBUG(0, ("api_pipe_bind_req: failed to add "
1257 "%u bytes of pad data.\n",
1258 (unsigned int)pad_len));
1259 goto err_exit;
1260 }
1261 }
1262
1263 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1264 auth_blob.data, auth_blob.length)) {
1265 DEBUG(0, ("Append of auth info failed.\n"));
1266 goto err_exit;
1267 }
1268 }
1269
1270 /*
1271 * Setup the lengths for the initial reply.
1272 */
1273
1274 p->out_data.data_sent_length = 0;
1275 p->out_data.current_pdu_sent = 0;
1276
1277 TALLOC_FREE(auth_blob.data);
1278 return True;
1279
1280 err_exit:
1281
1282 data_blob_free(&p->out_data.frag);
1283 TALLOC_FREE(auth_blob.data);
1284 return setup_bind_nak(p, pkt);
1285 }
1286
1287 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1288 const struct api_struct *api_rpc_cmds, int n_cmds,
1289 const struct ndr_syntax_id *syntax);
1290
1291 /****************************************************************************
1292 Find the correct RPC function to call for this request.
1293 If the pipe is authenticated then become the correct UNIX user
1294 before doing the call.
1295 ****************************************************************************/
1296
1297 static bool api_pipe_request(struct pipes_struct *p,
1298 struct ncacn_packet *pkt)
1299 {
1300 bool ret = False;
1301 struct pipe_rpc_fns *pipe_fns;
1302
1303 if (!p->pipe_bound) {
1304 DEBUG(1, ("Pipe not bound!\n"));
1305 data_blob_free(&p->out_data.rdata);
1306 return false;
1307 }
1308
1309 if (!become_authenticated_pipe_user(p->session_info)) {
1310 DEBUG(1, ("Failed to become pipe user!\n"));
1311 data_blob_free(&p->out_data.rdata);
1312 return false;
1313 }
1314
1315 /* get the set of RPC functions for this context */
1316
1317 pipe_fns = find_pipe_fns_by_context(p->contexts,
1318 pkt->u.request.context_id);
1319
1320 if ( pipe_fns ) {
1321 TALLOC_CTX *frame = talloc_stackframe();
1322
1323 DEBUG(5, ("Requested %s rpc service\n",
1324 get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
1325
1326 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1327 &pipe_fns->syntax);
1328
1329 TALLOC_FREE(frame);
1330 }
1331 else {
1332 DEBUG(0, ("No rpc function table associated with context "
1333 "[%d]\n",
1334 pkt->u.request.context_id));
1335 }
1336
1337 unbecome_authenticated_pipe_user();
1338
1339 return ret;
1340 }
1341
1342 /*******************************************************************
1343 Calls the underlying RPC function for a named pipe.
1344 ********************************************************************/
1345
1346 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1347 const struct api_struct *api_rpc_cmds, int n_cmds,
1348 const struct ndr_syntax_id *syntax)
1349 {
1350 int fn_num;
1351 uint32_t offset1;
1352
1353 /* interpret the command */
1354 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1355 get_pipe_name_from_syntax(talloc_tos(), syntax),
1356 pkt->u.request.opnum));
1357
1358 if (DEBUGLEVEL >= 50) {
1359 fstring name;
1360 slprintf(name, sizeof(name)-1, "in_%s",
1361 get_pipe_name_from_syntax(talloc_tos(), syntax));
1362 dump_pdu_region(name, pkt->u.request.opnum,
1363 &p->in_data.data, 0,
1364 p->in_data.data.length);
1365 }
1366
1367 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1368 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1369 api_rpc_cmds[fn_num].fn != NULL) {
1370 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1371 api_rpc_cmds[fn_num].name));
1372 break;
1373 }
1374 }
1375
1376 if (fn_num == n_cmds) {
1377 /*
1378 * For an unknown RPC just return a fault PDU but
1379 * return True to allow RPC's on the pipe to continue
1380 * and not put the pipe into fault state. JRA.
1381 */
1382 DEBUG(4, ("unknown\n"));
1383 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1384 return True;
1385 }
1386
1387 offset1 = p->out_data.rdata.length;
1388
1389 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1390 fn_num, api_rpc_cmds[fn_num].fn));
1391 /* do the actual command */
1392 if(!api_rpc_cmds[fn_num].fn(p)) {
1393 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1394 get_pipe_name_from_syntax(talloc_tos(), syntax),
1395 api_rpc_cmds[fn_num].name));
1396 data_blob_free(&p->out_data.rdata);
1397 return False;
1398 }
1399
1400 if (p->fault_state) {
1401 DEBUG(4,("api_rpcTNP: fault(%d) return.\n", p->fault_state));
1402 setup_fault_pdu(p, NT_STATUS(p->fault_state));
1403 p->fault_state = 0;
1404 return true;
1405 }
1406
1407 if (DEBUGLEVEL >= 50) {
1408 fstring name;
1409 slprintf(name, sizeof(name)-1, "out_%s",
1410 get_pipe_name_from_syntax(talloc_tos(), syntax));
1411 dump_pdu_region(name, pkt->u.request.opnum,
1412 &p->out_data.rdata, offset1,
1413 p->out_data.rdata.length);
1414 }
1415
1416 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1417 get_pipe_name_from_syntax(talloc_tos(), syntax)));
1418
1419 /* Check for buffer underflow in rpc parsing */
1420 if ((DEBUGLEVEL >= 10) &&
1421 (pkt->frag_length < p->in_data.data.length)) {
1422 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1423 dump_data(10, p->in_data.data.data + pkt->frag_length,
1424 p->in_data.data.length - pkt->frag_length);
1425 }
1426
1427 return True;
1428 }
1429
1430 /****************************************************************************
1431 Initialise an outgoing packet.
1432 ****************************************************************************/
1433
1434 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1435 {
1436 output_data *o_data = &p->out_data;
1437
1438 /* Reset the offset counters. */
1439 o_data->data_sent_length = 0;
1440 o_data->current_pdu_sent = 0;
1441
1442 data_blob_free(&o_data->frag);
1443
1444 /* Free any memory in the current return data buffer. */
1445 data_blob_free(&o_data->rdata);
1446
1447 return True;
1448 }
1449
1450 /****************************************************************************
1451 Sets the fault state on incoming packets.
1452 ****************************************************************************/
1453
1454 void set_incoming_fault(struct pipes_struct *p)
1455 {
1456 data_blob_free(&p->in_data.data);
1457 p->in_data.pdu_needed_len = 0;
1458 p->in_data.pdu.length = 0;
1459 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
1460
1461 DEBUG(10, ("Setting fault state\n"));
1462 }
1463
1464 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1465 struct ncacn_packet *pkt,
1466 DATA_BLOB *raw_pkt)
1467 {
1468 NTSTATUS status;
1469 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1470 size_t pad_len;
1471
1472 DEBUG(10, ("Checking request auth.\n"));
1473
1474 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1475 hdr_size += 16;
1476 }
1477
1478 /* in case of sealing this function will unseal the data in place */
1479 status = dcerpc_check_auth(auth, pkt,
1480 &pkt->u.request.stub_and_verifier,
1481 hdr_size, raw_pkt,
1482 &pad_len);
1483 if (!NT_STATUS_IS_OK(status)) {
1484 return status;
1485 }
1486
1487
1488 /* remove padding and auth trailer,
1489 * this way the caller will get just the data */
1490 if (pkt->auth_length) {
1491 size_t trail_len = pad_len
1492 + DCERPC_AUTH_TRAILER_LENGTH
1493 + pkt->auth_length;
1494 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1495 return NT_STATUS_INFO_LENGTH_MISMATCH;
1496 }
1497 pkt->u.request.stub_and_verifier.length -= trail_len;
1498 }
1499
1500 return NT_STATUS_OK;
1501 }
1502
1503 /****************************************************************************
1504 Processes a request pdu. This will do auth processing if needed, and
1505 appends the data into the complete stream if the LAST flag is not set.
1506 ****************************************************************************/
1507
1508 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1509 {
1510 NTSTATUS status;
1511 DATA_BLOB data;
1512
1513 if (!p->pipe_bound) {
1514 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1515 set_incoming_fault(p);
1516 return False;
1517 }
1518
1519 /* Store the opnum */
1520 p->opnum = pkt->u.request.opnum;
1521
1522 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1523 if (!NT_STATUS_IS_OK(status)) {
1524 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1525 nt_errstr(status)));
1526 set_incoming_fault(p);
1527 return false;
1528 }
1529
1530 data = pkt->u.request.stub_and_verifier;
1531
1532 /*
1533 * Check the data length doesn't go over the 15Mb limit.
1534 * increased after observing a bug in the Windows NT 4.0 SP6a
1535 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1536 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1537 */
1538
1539 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1540 DEBUG(0, ("process_request_pdu: "
1541 "rpc data buffer too large (%u) + (%u)\n",
1542 (unsigned int)p->in_data.data.length,
1543 (unsigned int)data.length));
1544 set_incoming_fault(p);
1545 return False;
1546 }
1547
1548 /*
1549 * Append the data portion into the buffer and return.
1550 */
1551
1552 if (data.length) {
1553 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1554 data.data, data.length)) {
1555 DEBUG(0, ("Unable to append data size %u "
1556 "to parse buffer of size %u.\n",
1557 (unsigned int)data.length,
1558 (unsigned int)p->in_data.data.length));
1559 set_incoming_fault(p);
1560 return False;
1561 }
1562 }
1563
1564 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1565 bool ret = False;
1566 /*
1567 * Ok - we finally have a complete RPC stream.
1568 * Call the rpc command to process it.
1569 */
1570
1571 /*
1572 * Process the complete data stream here.
1573 */
1574 if (pipe_init_outgoing_data(p)) {
1575 ret = api_pipe_request(p, pkt);
1576 }
1577
1578 return ret;
1579 }
1580
1581 return True;
1582 }
1583
1584 /****************************************************************************
1585 Processes a finished PDU stored in p->in_data.pdu.
1586 ****************************************************************************/
1587
1588 void process_complete_pdu(struct pipes_struct *p)
1589 {
1590 struct ncacn_packet *pkt = NULL;
1591 NTSTATUS status;
1592 bool reply = False;
1593
1594 if(p->fault_state) {
1595 DEBUG(10,("RPC connection in fault state.\n"));
1596 goto done;
1597 }
1598
1599 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1600 if (!pkt) {
1601 DEBUG(0, ("Out of memory!\n"));
1602 goto done;
1603 }
1604
1605 /*
1606 * Ensure we're using the corrent endianness for both the
1607 * RPC header flags and the raw data we will be reading from.
1608 */
1609 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1610 p->endian = RPC_LITTLE_ENDIAN;
1611 } else {
1612 p->endian = RPC_BIG_ENDIAN;
1613 }
1614 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1615
1616 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1617 pkt, p->endian);
1618 if (!NT_STATUS_IS_OK(status)) {
1619 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1620 nt_errstr(status)));
1621 goto done;
1622 }
1623
1624 /* Store the call_id */
1625 p->call_id = pkt->call_id;
1626
1627 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1628
1629 switch (pkt->ptype) {
1630 case DCERPC_PKT_REQUEST:
1631 reply = process_request_pdu(p, pkt);
1632 break;
1633
1634 case DCERPC_PKT_PING: /* CL request - ignore... */
1635 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1636 (unsigned int)pkt->ptype));
1637 break;
1638
1639 case DCERPC_PKT_RESPONSE: /* No responses here. */
1640 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1641 break;
1642
1643 case DCERPC_PKT_FAULT:
1644 case DCERPC_PKT_WORKING:
1645 /* CL request - reply to a ping when a call in process. */
1646 case DCERPC_PKT_NOCALL:
1647 /* CL - server reply to a ping call. */
1648 case DCERPC_PKT_REJECT:
1649 case DCERPC_PKT_ACK:
1650 case DCERPC_PKT_CL_CANCEL:
1651 case DCERPC_PKT_FACK:
1652 case DCERPC_PKT_CANCEL_ACK:
1653 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1654 (unsigned int)pkt->ptype));
1655 break;
1656
1657 case DCERPC_PKT_BIND:
1658 /*
1659 * We assume that a pipe bind is only in one pdu.
1660 */
1661 if (pipe_init_outgoing_data(p)) {
1662 reply = api_pipe_bind_req(p, pkt);
1663 }
1664 break;
1665
1666 case DCERPC_PKT_BIND_ACK:
1667 case DCERPC_PKT_BIND_NAK:
1668 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1669 "packet type %u received.\n",
1670 (unsigned int)pkt->ptype));
1671 break;
1672
1673
1674 case DCERPC_PKT_ALTER:
1675 /*
1676 * We assume that a pipe bind is only in one pdu.
1677 */
1678 if (pipe_init_outgoing_data(p)) {
1679 reply = api_pipe_alter_context(p, pkt);
1680 }
1681 break;
1682
1683 case DCERPC_PKT_ALTER_RESP:
1684 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1685 "Should only be server -> client.\n"));
1686 break;
1687
1688 case DCERPC_PKT_AUTH3:
1689 /*
1690 * The third packet in an auth exchange.
1691 */
1692 if (pipe_init_outgoing_data(p)) {
1693 reply = api_pipe_bind_auth3(p, pkt);
1694 }
1695 break;
1696
1697 case DCERPC_PKT_SHUTDOWN:
1698 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1699 "Should only be server -> client.\n"));
1700 break;
1701
1702 case DCERPC_PKT_CO_CANCEL:
1703 /* For now just free all client data and continue
1704 * processing. */
1705 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1706 " Abandoning rpc call.\n"));
1707 /* As we never do asynchronous RPC serving, we can
1708 * never cancel a call (as far as I know).
1709 * If we ever did we'd have to send a cancel_ack reply.
1710 * For now, just free all client data and continue
1711 * processing. */
1712 reply = True;
1713 break;
1714
1715 #if 0
1716 /* Enable this if we're doing async rpc. */
1717 /* We must check the outstanding callid matches. */
1718 if (pipe_init_outgoing_data(p)) {
1719 /* Send a cancel_ack PDU reply. */
1720 /* We should probably check the auth-verifier here. */
1721 reply = setup_cancel_ack_reply(p, pkt);
1722 }
1723 break;
1724 #endif
1725
1726 case DCERPC_PKT_ORPHANED:
1727 /* We should probably check the auth-verifier here.
1728 * For now just free all client data and continue
1729 * processing. */
1730 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1731 " Abandoning rpc call.\n"));
1732 reply = True;
1733 break;
1734
1735 default:
1736 DEBUG(0, ("process_complete_pdu: "
1737 "Unknown rpc type = %u received.\n",
1738 (unsigned int)pkt->ptype));
1739 break;
1740 }
1741
1742 done:
1743 if (!reply) {
1744 DEBUG(3,("DCE/RPC fault sent!"));
1745 set_incoming_fault(p);
1746 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1747 TALLOC_FREE(pkt);
1748 } else {
1749 /*
1750 * Reset the lengths. We're ready for a new pdu.
1751 */
1752 TALLOC_FREE(p->in_data.pdu.data);
1753 p->in_data.pdu_needed_len = 0;
1754 p->in_data.pdu.length = 0;
1755 }
1756
1757 TALLOC_FREE(pkt);
1758 }
1759
reg import