search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13176: Fix show-stopper bug for 3.0.21b where 4 leg NTLMSSP SPNEGO
[Samba/nascimento.git] / source / rpc_server / srv_pipe.c
blobecf79d0c1f32ba7b0fd7587ec596d33b05ce870b
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 /* this module apparently provides an implementation of DCE/RPC over a
22 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
23 * documentation are available (in on-line form) from the X-Open group.
24 *
25 * this module should provide a level of abstraction between SMB
26 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
27 * data copies, and network traffic.
28 *
29 */
30
31 #include "includes.h"
32
33 extern struct pipe_id_info pipe_names[];
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43 if (a) {
44 auth_ntlmssp_end(&a);
45 }
46 auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 /*******************************************************************
50 Generate the next PDU to be returned from the data in p->rdata.
51 Handle NTLMSSP.
52 ********************************************************************/
53
54 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
55 {
56 RPC_HDR_RESP hdr_resp;
57 uint32 ss_padding_len = 0;
58 uint32 data_space_available;
59 uint32 data_len_left;
60 uint32 data_len;
61 prs_struct outgoing_pdu;
62 NTSTATUS status;
63 DATA_BLOB auth_blob;
64 RPC_HDR_AUTH auth_info;
65 uint8 auth_type, auth_level;
66 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
67
68 /*
69 * If we're in the fault state, keep returning fault PDU's until
70 * the pipe gets closed. JRA.
71 */
72
73 if(p->fault_state) {
74 setup_fault_pdu(p, NT_STATUS(0x1c010002));
75 return True;
76 }
77
78 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
79
80 /* Change the incoming request header to a response. */
81 p->hdr.pkt_type = RPC_RESPONSE;
82
83 /* Set up rpc header flags. */
84 if (p->out_data.data_sent_length == 0) {
85 p->hdr.flags = RPC_FLG_FIRST;
86 } else {
87 p->hdr.flags = 0;
88 }
89
90 /*
91 * Work out how much we can fit in a single PDU.
92 */
93
94 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
95
96 /*
97 * Ensure there really is data left to send.
98 */
99
100 if(!data_len_left) {
101 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
102 return False;
103 }
104
105 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
106 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
107
108 /*
109 * The amount we send is the minimum of the available
110 * space and the amount left to send.
111 */
112
113 data_len = MIN(data_len_left, data_space_available);
114
115 /*
116 * Set up the alloc hint. This should be the data left to
117 * send.
118 */
119
120 hdr_resp.alloc_hint = data_len_left;
121
122 /*
123 * Work out if this PDU will be the last.
124 */
125
126 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
127 p->hdr.flags |= RPC_FLG_LAST;
128 if (data_len_left % 8) {
129 ss_padding_len = 8 - (data_len_left % 8);
130 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
131 ss_padding_len ));
132 }
133 }
134
135 /*
136 * Set up the header lengths.
137 */
138
139 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
140 data_len + ss_padding_len +
141 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
142 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
143
144
145 /*
146 * Init the parse struct to point at the outgoing
147 * data.
148 */
149
150 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
151 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
152
153 /* Store the header in the data stream. */
154 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
155 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
156 prs_mem_free(&outgoing_pdu);
157 return False;
158 }
159
160 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
161 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
162 prs_mem_free(&outgoing_pdu);
163 return False;
164 }
165
166 /* Copy the data into the PDU. */
167
168 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
169 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
170 prs_mem_free(&outgoing_pdu);
171 return False;
172 }
173
174 /* Copy the sign/seal padding data. */
175 if (ss_padding_len) {
176 char pad[8];
177
178 memset(pad, '\0', 8);
179 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
180 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
181 (unsigned int)ss_padding_len));
182 prs_mem_free(&outgoing_pdu);
183 return False;
184 }
185 }
186
187
188 /* Now write out the auth header and null blob. */
189 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
190 auth_type = RPC_NTLMSSP_AUTH_TYPE;
191 } else {
192 auth_type = RPC_SPNEGO_AUTH_TYPE;
193 }
194 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
195 auth_level = RPC_AUTH_LEVEL_PRIVACY;
196 } else {
197 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
198 }
199
200 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
201 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
202 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
203 prs_mem_free(&outgoing_pdu);
204 return False;
205 }
206
207 /* Generate the sign blob. */
208
209 switch (p->auth.auth_level) {
210 case PIPE_AUTH_LEVEL_PRIVACY:
211 /* Data portion is encrypted. */
212 status = ntlmssp_seal_packet(a->ntlmssp_state,
213 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
214 data_len + ss_padding_len,
215 (unsigned char *)prs_data_p(&outgoing_pdu),
216 (size_t)prs_offset(&outgoing_pdu),
217 &auth_blob);
218 if (!NT_STATUS_IS_OK(status)) {
219 data_blob_free(&auth_blob);
220 prs_mem_free(&outgoing_pdu);
221 return False;
222 }
223 break;
224 case PIPE_AUTH_LEVEL_INTEGRITY:
225 /* Data is signed. */
226 status = ntlmssp_sign_packet(a->ntlmssp_state,
227 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
228 data_len + ss_padding_len,
229 (unsigned char *)prs_data_p(&outgoing_pdu),
230 (size_t)prs_offset(&outgoing_pdu),
231 &auth_blob);
232 if (!NT_STATUS_IS_OK(status)) {
233 data_blob_free(&auth_blob);
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 break;
238 default:
239 prs_mem_free(&outgoing_pdu);
240 return False;
241 }
242
243 /* Append the auth blob. */
244 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
245 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
246 (unsigned int)NTLMSSP_SIG_SIZE));
247 data_blob_free(&auth_blob);
248 prs_mem_free(&outgoing_pdu);
249 return False;
250 }
251
252 data_blob_free(&auth_blob);
253
254 /*
255 * Setup the counts for this PDU.
256 */
257
258 p->out_data.data_sent_length += data_len;
259 p->out_data.current_pdu_len = p->hdr.frag_len;
260 p->out_data.current_pdu_sent = 0;
261
262 prs_mem_free(&outgoing_pdu);
263 return True;
264 }
265
266 /*******************************************************************
267 Generate the next PDU to be returned from the data in p->rdata.
268 Return an schannel authenticated fragment.
269 ********************************************************************/
270
271 static BOOL create_next_pdu_schannel(pipes_struct *p)
272 {
273 RPC_HDR_RESP hdr_resp;
274 uint32 ss_padding_len = 0;
275 uint32 data_len;
276 uint32 data_space_available;
277 uint32 data_len_left;
278 prs_struct outgoing_pdu;
279 uint32 data_pos;
280
281 /*
282 * If we're in the fault state, keep returning fault PDU's until
283 * the pipe gets closed. JRA.
284 */
285
286 if(p->fault_state) {
287 setup_fault_pdu(p, NT_STATUS(0x1c010002));
288 return True;
289 }
290
291 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
292
293 /* Change the incoming request header to a response. */
294 p->hdr.pkt_type = RPC_RESPONSE;
295
296 /* Set up rpc header flags. */
297 if (p->out_data.data_sent_length == 0) {
298 p->hdr.flags = RPC_FLG_FIRST;
299 } else {
300 p->hdr.flags = 0;
301 }
302
303 /*
304 * Work out how much we can fit in a single PDU.
305 */
306
307 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
308
309 /*
310 * Ensure there really is data left to send.
311 */
312
313 if(!data_len_left) {
314 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
315 return False;
316 }
317
318 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
319 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
320
321 /*
322 * The amount we send is the minimum of the available
323 * space and the amount left to send.
324 */
325
326 data_len = MIN(data_len_left, data_space_available);
327
328 /*
329 * Set up the alloc hint. This should be the data left to
330 * send.
331 */
332
333 hdr_resp.alloc_hint = data_len_left;
334
335 /*
336 * Work out if this PDU will be the last.
337 */
338
339 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
340 p->hdr.flags |= RPC_FLG_LAST;
341 if (data_len_left % 8) {
342 ss_padding_len = 8 - (data_len_left % 8);
343 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
344 ss_padding_len ));
345 }
346 }
347
348 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
349 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
350 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
351
352 /*
353 * Init the parse struct to point at the outgoing
354 * data.
355 */
356
357 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
358 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
359
360 /* Store the header in the data stream. */
361 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
362 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
363 prs_mem_free(&outgoing_pdu);
364 return False;
365 }
366
367 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
368 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
369 prs_mem_free(&outgoing_pdu);
370 return False;
371 }
372
373 /* Store the current offset. */
374 data_pos = prs_offset(&outgoing_pdu);
375
376 /* Copy the data into the PDU. */
377
378 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
379 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
380 prs_mem_free(&outgoing_pdu);
381 return False;
382 }
383
384 /* Copy the sign/seal padding data. */
385 if (ss_padding_len) {
386 char pad[8];
387 memset(pad, '\0', 8);
388 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
389 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
390 prs_mem_free(&outgoing_pdu);
391 return False;
392 }
393 }
394
395 {
396 /*
397 * Schannel processing.
398 */
399 char *data;
400 RPC_HDR_AUTH auth_info;
401 RPC_AUTH_SCHANNEL_CHK verf;
402
403 data = prs_data_p(&outgoing_pdu) + data_pos;
404 /* Check it's the type of reply we were expecting to decode */
405
406 init_rpc_hdr_auth(&auth_info,
407 RPC_SCHANNEL_AUTH_TYPE,
408 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
409 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
410 ss_padding_len, 1);
411
412 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
413 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
414 prs_mem_free(&outgoing_pdu);
415 return False;
416 }
417
418 schannel_encode(p->auth.a_u.schannel_auth,
419 p->auth.auth_level,
420 SENDER_IS_ACCEPTOR,
421 &verf, data, data_len + ss_padding_len);
422
423 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
424 &verf, &outgoing_pdu, 0)) {
425 prs_mem_free(&outgoing_pdu);
426 return False;
427 }
428
429 p->auth.a_u.schannel_auth->seq_num++;
430 }
431
432 /*
433 * Setup the counts for this PDU.
434 */
435
436 p->out_data.data_sent_length += data_len;
437 p->out_data.current_pdu_len = p->hdr.frag_len;
438 p->out_data.current_pdu_sent = 0;
439
440 prs_mem_free(&outgoing_pdu);
441 return True;
442 }
443
444 /*******************************************************************
445 Generate the next PDU to be returned from the data in p->rdata.
446 No authentication done.
447 ********************************************************************/
448
449 static BOOL create_next_pdu_noauth(pipes_struct *p)
450 {
451 RPC_HDR_RESP hdr_resp;
452 uint32 data_len;
453 uint32 data_space_available;
454 uint32 data_len_left;
455 prs_struct outgoing_pdu;
456
457 /*
458 * If we're in the fault state, keep returning fault PDU's until
459 * the pipe gets closed. JRA.
460 */
461
462 if(p->fault_state) {
463 setup_fault_pdu(p, NT_STATUS(0x1c010002));
464 return True;
465 }
466
467 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
468
469 /* Change the incoming request header to a response. */
470 p->hdr.pkt_type = RPC_RESPONSE;
471
472 /* Set up rpc header flags. */
473 if (p->out_data.data_sent_length == 0) {
474 p->hdr.flags = RPC_FLG_FIRST;
475 } else {
476 p->hdr.flags = 0;
477 }
478
479 /*
480 * Work out how much we can fit in a single PDU.
481 */
482
483 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
484
485 /*
486 * Ensure there really is data left to send.
487 */
488
489 if(!data_len_left) {
490 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
491 return False;
492 }
493
494 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
495
496 /*
497 * The amount we send is the minimum of the available
498 * space and the amount left to send.
499 */
500
501 data_len = MIN(data_len_left, data_space_available);
502
503 /*
504 * Set up the alloc hint. This should be the data left to
505 * send.
506 */
507
508 hdr_resp.alloc_hint = data_len_left;
509
510 /*
511 * Work out if this PDU will be the last.
512 */
513
514 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
515 p->hdr.flags |= RPC_FLG_LAST;
516 }
517
518 /*
519 * Set up the header lengths.
520 */
521
522 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
523 p->hdr.auth_len = 0;
524
525 /*
526 * Init the parse struct to point at the outgoing
527 * data.
528 */
529
530 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
531 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
532
533 /* Store the header in the data stream. */
534 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
535 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
536 prs_mem_free(&outgoing_pdu);
537 return False;
538 }
539
540 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
541 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
542 prs_mem_free(&outgoing_pdu);
543 return False;
544 }
545
546 /* Copy the data into the PDU. */
547
548 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
549 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
550 prs_mem_free(&outgoing_pdu);
551 return False;
552 }
553
554 /*
555 * Setup the counts for this PDU.
556 */
557
558 p->out_data.data_sent_length += data_len;
559 p->out_data.current_pdu_len = p->hdr.frag_len;
560 p->out_data.current_pdu_sent = 0;
561
562 prs_mem_free(&outgoing_pdu);
563 return True;
564 }
565
566 /*******************************************************************
567 Generate the next PDU to be returned from the data in p->rdata.
568 ********************************************************************/
569
570 BOOL create_next_pdu(pipes_struct *p)
571 {
572 switch(p->auth.auth_level) {
573 case PIPE_AUTH_LEVEL_NONE:
574 case PIPE_AUTH_LEVEL_CONNECT:
575 /* This is incorrect for auth level connect. Fixme. JRA */
576 return create_next_pdu_noauth(p);
577
578 default:
579 switch(p->auth.auth_type) {
580 case PIPE_AUTH_TYPE_NTLMSSP:
581 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
582 return create_next_pdu_ntlmssp(p);
583 case PIPE_AUTH_TYPE_SCHANNEL:
584 return create_next_pdu_schannel(p);
585 default:
586 break;
587 }
588 }
589
590 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
591 (unsigned int)p->auth.auth_level,
592 (unsigned int)p->auth.auth_type));
593 return False;
594 }
595
596 /*******************************************************************
597 Process an NTLMSSP authentication response.
598 If this function succeeds, the user has been authenticated
599 and their domain, name and calling workstation stored in
600 the pipe struct.
601 *******************************************************************/
602
603 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
604 {
605 DATA_BLOB reply;
606 NTSTATUS status;
607 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
608
609 DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n"));
610
611 ZERO_STRUCT(reply);
612
613 memset(p->user_name, '\0', sizeof(p->user_name));
614 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
615 memset(p->domain, '\0', sizeof(p->domain));
616 memset(p->wks, '\0', sizeof(p->wks));
617
618 /* Set up for non-authenticated user. */
619 delete_nt_token(&p->pipe_user.nt_user_token);
620 p->pipe_user.ngroups = 0;
621 SAFE_FREE( p->pipe_user.groups);
622
623 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
624
625 /* Don't generate a reply. */
626 data_blob_free(&reply);
627
628 if (!NT_STATUS_IS_OK(status)) {
629 return False;
630 }
631
632 fstrcpy(p->user_name, a->ntlmssp_state->user);
633 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
634 fstrcpy(p->domain, a->ntlmssp_state->domain);
635 fstrcpy(p->wks, a->ntlmssp_state->workstation);
636
637 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
638 p->user_name, p->domain, p->wks));
639
640 /*
641 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
642 */
643
644 p->pipe_user.uid = a->server_info->uid;
645 p->pipe_user.gid = a->server_info->gid;
646
647 /*
648 * Copy the session key from the ntlmssp state.
649 */
650
651 data_blob_free(&p->session_key);
652 p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
653 if (!p->session_key.data) {
654 return False;
655 }
656
657 p->pipe_user.ngroups = a->server_info->n_groups;
658 if (p->pipe_user.ngroups) {
659 if (!(p->pipe_user.groups = memdup(a->server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
660 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
661 return False;
662 }
663 }
664
665 if (a->server_info->ptok) {
666 p->pipe_user.nt_user_token = dup_nt_token(a->server_info->ptok);
667 } else {
668 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
669 p->pipe_user.nt_user_token = NULL;
670 return False;
671 }
672
673 return True;
674 }
675
676 /*******************************************************************
677 The switch table for the pipe names and the functions to handle them.
678 *******************************************************************/
679
680 struct rpc_table {
681 struct {
682 const char *clnt;
683 const char *srv;
684 } pipe;
685 struct api_struct *cmds;
686 int n_cmds;
687 };
688
689 static struct rpc_table *rpc_lookup;
690 static int rpc_lookup_size;
691
692 /*******************************************************************
693 This is the "stage3" NTLMSSP response after a bind request and reply.
694 *******************************************************************/
695
696 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
697 {
698 RPC_HDR_AUTH auth_info;
699 uint32 pad;
700 DATA_BLOB blob;
701
702 ZERO_STRUCT(blob);
703
704 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
705
706 if (p->hdr.auth_len == 0) {
707 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
708 goto err;
709 }
710
711 /* 4 bytes padding. */
712 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
713 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
714 goto err;
715 }
716
717 /*
718 * Decode the authentication verifier response.
719 */
720
721 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
722 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
723 goto err;
724 }
725
726 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
727 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
728 (unsigned int)auth_info.auth_type ));
729 return False;
730 }
731
732 blob = data_blob(NULL,p->hdr.auth_len);
733
734 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
735 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
736 (unsigned int)p->hdr.auth_len ));
737 goto err;
738 }
739
740 /*
741 * The following call actually checks the challenge/response data.
742 * for correctness against the given DOMAIN\user name.
743 */
744
745 if (!pipe_ntlmssp_verify_final(p, &blob)) {
746 goto err;
747 }
748
749 data_blob_free(&blob);
750
751 p->pipe_bound = True;
752
753 return True;
754
755 err:
756
757 data_blob_free(&blob);
758 free_pipe_ntlmssp_auth_data(&p->auth);
759 p->auth.a_u.auth_ntlmssp_state = NULL;
760
761 return False;
762 }
763
764 /*******************************************************************
765 Marshall a bind_nak pdu.
766 *******************************************************************/
767
768 static BOOL setup_bind_nak(pipes_struct *p)
769 {
770 prs_struct outgoing_rpc;
771 RPC_HDR nak_hdr;
772 uint16 zero = 0;
773
774 /* Free any memory in the current return data buffer. */
775 prs_mem_free(&p->out_data.rdata);
776
777 /*
778 * Marshall directly into the outgoing PDU space. We
779 * must do this as we need to set to the bind response
780 * header and are never sending more than one PDU here.
781 */
782
783 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
784 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
785
786 /*
787 * Initialize a bind_nak header.
788 */
789
790 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
791 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
792
793 /*
794 * Marshall the header into the outgoing PDU.
795 */
796
797 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
798 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
799 prs_mem_free(&outgoing_rpc);
800 return False;
801 }
802
803 /*
804 * Now add the reject reason.
805 */
806
807 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
808 prs_mem_free(&outgoing_rpc);
809 return False;
810 }
811
812 p->out_data.data_sent_length = 0;
813 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
814 p->out_data.current_pdu_sent = 0;
815
816 if (p->auth.auth_data_free_func) {
817 (*p->auth.auth_data_free_func)(&p->auth);
818 }
819 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
820 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
821 p->pipe_bound = False;
822
823 return True;
824 }
825
826 /*******************************************************************
827 Marshall a fault pdu.
828 *******************************************************************/
829
830 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
831 {
832 prs_struct outgoing_pdu;
833 RPC_HDR fault_hdr;
834 RPC_HDR_RESP hdr_resp;
835 RPC_HDR_FAULT fault_resp;
836
837 /* Free any memory in the current return data buffer. */
838 prs_mem_free(&p->out_data.rdata);
839
840 /*
841 * Marshall directly into the outgoing PDU space. We
842 * must do this as we need to set to the bind response
843 * header and are never sending more than one PDU here.
844 */
845
846 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
847 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
848
849 /*
850 * Initialize a fault header.
851 */
852
853 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
854 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
855
856 /*
857 * Initialize the HDR_RESP and FAULT parts of the PDU.
858 */
859
860 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
861
862 fault_resp.status = status;
863 fault_resp.reserved = 0;
864
865 /*
866 * Marshall the header into the outgoing PDU.
867 */
868
869 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
870 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
871 prs_mem_free(&outgoing_pdu);
872 return False;
873 }
874
875 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
876 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
877 prs_mem_free(&outgoing_pdu);
878 return False;
879 }
880
881 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
882 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
883 prs_mem_free(&outgoing_pdu);
884 return False;
885 }
886
887 p->out_data.data_sent_length = 0;
888 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
889 p->out_data.current_pdu_sent = 0;
890
891 prs_mem_free(&outgoing_pdu);
892 return True;
893 }
894
895 #if 0
896 /*******************************************************************
897 Marshall a cancel_ack pdu.
898 We should probably check the auth-verifier here.
899 *******************************************************************/
900
901 BOOL setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
902 {
903 prs_struct outgoing_pdu;
904 RPC_HDR ack_reply_hdr;
905
906 /* Free any memory in the current return data buffer. */
907 prs_mem_free(&p->out_data.rdata);
908
909 /*
910 * Marshall directly into the outgoing PDU space. We
911 * must do this as we need to set to the bind response
912 * header and are never sending more than one PDU here.
913 */
914
915 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
916 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
917
918 /*
919 * Initialize a cancel_ack header.
920 */
921
922 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
923 p->hdr.call_id, RPC_HEADER_LEN, 0);
924
925 /*
926 * Marshall the header into the outgoing PDU.
927 */
928
929 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
930 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
931 prs_mem_free(&outgoing_pdu);
932 return False;
933 }
934
935 p->out_data.data_sent_length = 0;
936 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
937 p->out_data.current_pdu_sent = 0;
938
939 prs_mem_free(&outgoing_pdu);
940 return True;
941 }
942 #endif
943
944 /*******************************************************************
945 Ensure a bind request has the correct abstract & transfer interface.
946 Used to reject unknown binds from Win2k.
947 *******************************************************************/
948
949 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
950 RPC_IFACE* transfer, uint32 context_id)
951 {
952 char *pipe_name = p->name;
953 int i=0;
954 fstring pname;
955
956 fstrcpy(pname,"\\PIPE\\");
957 fstrcat(pname,pipe_name);
958
959 DEBUG(3,("check_bind_req for %s\n", pname));
960
961 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
962
963 for ( i=0; pipe_names[i].client_pipe; i++ ) {
964 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
965 if ( strequal(pipe_names[i].client_pipe, pname)
966 && (abstract->version == pipe_names[i].abstr_syntax.version)
967 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
968 && (transfer->version == pipe_names[i].trans_syntax.version)
969 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) ) {
970 struct api_struct *fns = NULL;
971 int n_fns = 0;
972 PIPE_RPC_FNS *context_fns;
973
974 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
975 DEBUG(0,("check_bind_req: malloc() failed!\n"));
976 return False;
977 }
978
979 /* save the RPC function table associated with this bind */
980
981 get_pipe_fns(i, &fns, &n_fns);
982
983 context_fns->cmds = fns;
984 context_fns->n_cmds = n_fns;
985 context_fns->context_id = context_id;
986
987 /* add to the list of open contexts */
988
989 DLIST_ADD( p->contexts, context_fns );
990
991 break;
992 }
993 }
994
995 if(pipe_names[i].client_pipe == NULL) {
996 return False;
997 }
998
999 return True;
1000 }
1001
1002 /*******************************************************************
1003 Register commands to an RPC pipe
1004 *******************************************************************/
1005
1006 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1007 {
1008 struct rpc_table *rpc_entry;
1009
1010 if (!clnt || !srv || !cmds) {
1011 return NT_STATUS_INVALID_PARAMETER;
1012 }
1013
1014 if (version != SMB_RPC_INTERFACE_VERSION) {
1015 DEBUG(0,("Can't register rpc commands!\n"
1016 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1017 ", while this version of samba uses version %d!\n",
1018 version,SMB_RPC_INTERFACE_VERSION));
1019 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1020 }
1021
1022 /* TODO:
1023 *
1024 * we still need to make sure that don't register the same commands twice!!!
1025 *
1026 * --metze
1027 */
1028
1029 /* We use a temporary variable because this call can fail and
1030 rpc_lookup will still be valid afterwards. It could then succeed if
1031 called again later */
1032 rpc_lookup_size++;
1033 rpc_entry = SMB_REALLOC_ARRAY(rpc_lookup, struct rpc_table, rpc_lookup_size);
1034 if (NULL == rpc_entry) {
1035 rpc_lookup_size--;
1036 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1037 return NT_STATUS_NO_MEMORY;
1038 } else {
1039 rpc_lookup = rpc_entry;
1040 }
1041
1042 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1043 ZERO_STRUCTP(rpc_entry);
1044 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1045 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1046 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1047 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1048 rpc_entry->n_cmds += size;
1049
1050 return NT_STATUS_OK;
1051 }
1052
1053 /*******************************************************************
1054 Handle a SPNEGO krb5 bind auth.
1055 *******************************************************************/
1056
1057 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1058 DATA_BLOB *psecblob, prs_struct *pout_auth)
1059 {
1060 return False;
1061 }
1062
1063 /*******************************************************************
1064 Handle the first part of a SPNEGO bind auth.
1065 *******************************************************************/
1066
1067 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1068 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1069 {
1070 DATA_BLOB blob;
1071 DATA_BLOB secblob;
1072 DATA_BLOB response;
1073 DATA_BLOB chal;
1074 char *OIDs[ASN1_MAX_OIDS];
1075 int i;
1076 NTSTATUS status;
1077 BOOL got_kerberos_mechanism = False;
1078 AUTH_NTLMSSP_STATE *a = NULL;
1079 RPC_HDR_AUTH auth_info;
1080
1081 ZERO_STRUCT(secblob);
1082 ZERO_STRUCT(chal);
1083 ZERO_STRUCT(response);
1084
1085 /* Grab the SPNEGO blob. */
1086 blob = data_blob(NULL,p->hdr.auth_len);
1087
1088 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1089 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1090 (unsigned int)p->hdr.auth_len ));
1091 goto err;
1092 }
1093
1094 if (blob.data[0] != ASN1_APPLICATION(0)) {
1095 goto err;
1096 }
1097
1098 /* parse out the OIDs and the first sec blob */
1099 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1100 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1101 goto err;
1102 }
1103
1104 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1105 got_kerberos_mechanism = True;
1106 }
1107
1108 for (i=0;OIDs[i];i++) {
1109 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1110 SAFE_FREE(OIDs[i]);
1111 }
1112 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1113
1114 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1115 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1116 data_blob_free(&secblob);
1117 data_blob_free(&blob);
1118 return ret;
1119 }
1120
1121 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1122 /* Free any previous auth type. */
1123 free_pipe_ntlmssp_auth_data(&p->auth);
1124 }
1125
1126 /* Initialize the NTLM engine. */
1127 status = auth_ntlmssp_start(&a);
1128 if (!NT_STATUS_IS_OK(status)) {
1129 goto err;
1130 }
1131
1132 /*
1133 * Pass the first security blob of data to it.
1134 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1135 * which means we need another packet to complete the bind.
1136 */
1137
1138 status = auth_ntlmssp_update(a, secblob, &chal);
1139
1140 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1141 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1142 goto err;
1143 }
1144
1145 /* Generate the response blob we need for step 2 of the bind. */
1146 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1147
1148 /* Copy the blob into the pout_auth parse struct */
1149 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1150 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1151 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1152 goto err;
1153 }
1154
1155 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1156 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1157 goto err;
1158 }
1159
1160 p->auth.a_u.auth_ntlmssp_state = a;
1161 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1162 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1163
1164 data_blob_free(&blob);
1165 data_blob_free(&secblob);
1166 data_blob_free(&chal);
1167 data_blob_free(&response);
1168
1169 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1170 return True;
1171
1172 err:
1173
1174 data_blob_free(&blob);
1175 data_blob_free(&secblob);
1176 data_blob_free(&chal);
1177 data_blob_free(&response);
1178
1179 p->auth.a_u.auth_ntlmssp_state = NULL;
1180
1181 return False;
1182 }
1183
1184 /*******************************************************************
1185 Handle the second part of a SPNEGO bind auth.
1186 *******************************************************************/
1187
1188 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1189 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1190 {
1191 RPC_HDR_AUTH auth_info;
1192 DATA_BLOB spnego_blob;
1193 DATA_BLOB auth_blob;
1194 DATA_BLOB auth_reply;
1195 DATA_BLOB response;
1196 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1197
1198 ZERO_STRUCT(spnego_blob);
1199 ZERO_STRUCT(auth_blob);
1200 ZERO_STRUCT(auth_reply);
1201 ZERO_STRUCT(response);
1202
1203 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1204 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1205 goto err;
1206 }
1207
1208 /* Grab the SPNEGO blob. */
1209 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1210
1211 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1212 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1213 (unsigned int)p->hdr.auth_len ));
1214 goto err;
1215 }
1216
1217 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1218 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1219 goto err;
1220 }
1221
1222 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1223 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1224 goto err;
1225 }
1226
1227 /*
1228 * The following call actually checks the challenge/response data.
1229 * for correctness against the given DOMAIN\user name.
1230 */
1231
1232 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1233 goto err;
1234 }
1235
1236 data_blob_free(&spnego_blob);
1237 data_blob_free(&auth_blob);
1238
1239 /* Generate the spnego "accept completed" blob - no incoming data. */
1240 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1241
1242 /* Copy the blob into the pout_auth parse struct */
1243 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1244 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1245 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1246 goto err;
1247 }
1248
1249 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1250 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1251 goto err;
1252 }
1253
1254 data_blob_free(&auth_reply);
1255 data_blob_free(&response);
1256
1257 p->pipe_bound = True;
1258
1259 return True;
1260
1261 err:
1262
1263 data_blob_free(&spnego_blob);
1264 data_blob_free(&auth_blob);
1265 data_blob_free(&auth_reply);
1266 data_blob_free(&response);
1267
1268 free_pipe_ntlmssp_auth_data(&p->auth);
1269 p->auth.a_u.auth_ntlmssp_state = NULL;
1270
1271 return False;
1272 }
1273
1274 /*******************************************************************
1275 Handle an schannel bind auth.
1276 *******************************************************************/
1277
1278 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1279 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1280 {
1281 RPC_HDR_AUTH auth_info;
1282 RPC_AUTH_SCHANNEL_NEG neg;
1283 RPC_AUTH_VERIFIER auth_verifier;
1284 BOOL ret;
1285 struct dcinfo stored_dcinfo;
1286 uint32 flags;
1287
1288 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1289 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1290 return False;
1291 }
1292
1293 ZERO_STRUCT(stored_dcinfo);
1294
1295 become_root();
1296 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &stored_dcinfo);
1297 unbecome_root();
1298
1299 if (!ret) {
1300 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1301 return False;
1302 }
1303
1304 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1305 if (!p->auth.a_u.schannel_auth) {
1306 return False;
1307 }
1308
1309 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1310 memcpy(p->auth.a_u.schannel_auth->sess_key, stored_dcinfo.sess_key, sizeof(stored_dcinfo.sess_key));
1311
1312 p->auth.a_u.schannel_auth->seq_num = 0;
1313
1314 /*
1315 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1316 * here ? We do that for NTLMSPP, but the session key is already set up from the vuser
1317 * struct of the person who opened the pipe. I need to test this further. JRA.
1318 */
1319
1320 /* The client opens a second RPC NETLOGON pipe without
1321 doing a auth2. The credentials for the schannel are
1322 re-used from the auth2 the client did before. */
1323 p->dc = TALLOC_ZERO_P(p->pipe_state_mem_ctx, struct dcinfo);
1324 if (!p->dc) {
1325 return False;
1326 }
1327 *p->dc = stored_dcinfo;
1328
1329 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1330 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1331 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1332 return False;
1333 }
1334
1335 /*** SCHANNEL verifier ***/
1336
1337 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1338 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1339 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1340 return False;
1341 }
1342
1343 prs_align(pout_auth);
1344
1345 flags = 5;
1346 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1347 return False;
1348 }
1349
1350 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1351 neg.domain, neg.myname));
1352
1353 /* We're finished with this bind - no more packets. */
1354 p->auth.auth_data_free_func = NULL;
1355 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1356
1357 p->pipe_bound = True;
1358
1359 return True;
1360 }
1361
1362 /*******************************************************************
1363 Handle an NTLMSSP bind auth.
1364 *******************************************************************/
1365
1366 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1367 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1368 {
1369 RPC_HDR_AUTH auth_info;
1370 DATA_BLOB blob;
1371 DATA_BLOB response;
1372 NTSTATUS status;
1373 AUTH_NTLMSSP_STATE *a = NULL;
1374
1375 ZERO_STRUCT(blob);
1376 ZERO_STRUCT(response);
1377
1378 /* Grab the NTLMSSP blob. */
1379 blob = data_blob(NULL,p->hdr.auth_len);
1380
1381 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1382 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1383 (unsigned int)p->hdr.auth_len ));
1384 goto err;
1385 }
1386
1387 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1388 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1389 goto err;
1390 }
1391
1392 /* We have an NTLMSSP blob. */
1393 status = auth_ntlmssp_start(&a);
1394 if (!NT_STATUS_IS_OK(status)) {
1395 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1396 nt_errstr(status) ));
1397 goto err;
1398 }
1399
1400 status = auth_ntlmssp_update(a, blob, &response);
1401 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1402 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1403 nt_errstr(status) ));
1404 goto err;
1405 }
1406
1407 data_blob_free(&blob);
1408
1409 /* Copy the blob into the pout_auth parse struct */
1410 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1411 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1412 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1413 goto err;
1414 }
1415
1416 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1417 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1418 goto err;
1419 }
1420
1421 p->auth.a_u.auth_ntlmssp_state = a;
1422 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1423 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1424
1425 data_blob_free(&blob);
1426 data_blob_free(&response);
1427
1428 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1429
1430 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1431 return True;
1432
1433 err:
1434
1435 data_blob_free(&blob);
1436 data_blob_free(&response);
1437
1438 free_pipe_ntlmssp_auth_data(&p->auth);
1439 p->auth.a_u.auth_ntlmssp_state = NULL;
1440 return False;
1441 }
1442
1443 /*******************************************************************
1444 Respond to a pipe bind request.
1445 *******************************************************************/
1446
1447 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1448 {
1449 RPC_HDR_BA hdr_ba;
1450 RPC_HDR_RB hdr_rb;
1451 RPC_HDR_AUTH auth_info;
1452 uint16 assoc_gid;
1453 fstring ack_pipe_name;
1454 prs_struct out_hdr_ba;
1455 prs_struct out_auth;
1456 prs_struct outgoing_rpc;
1457 int i = 0;
1458 int auth_len = 0;
1459 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1460
1461 /* No rebinds on a bound pipe - use alter context. */
1462 if (p->pipe_bound) {
1463 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1464 return setup_bind_nak(p);
1465 }
1466
1467 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1468
1469 /*
1470 * Marshall directly into the outgoing PDU space. We
1471 * must do this as we need to set to the bind response
1472 * header and are never sending more than one PDU here.
1473 */
1474
1475 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1476
1477 /*
1478 * Setup the memory to marshall the ba header, and the
1479 * auth footers.
1480 */
1481
1482 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1483 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1484 prs_mem_free(&outgoing_rpc);
1485 return False;
1486 }
1487
1488 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1489 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1490 prs_mem_free(&outgoing_rpc);
1491 prs_mem_free(&out_hdr_ba);
1492 return False;
1493 }
1494
1495 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1496
1497 /*
1498 * Try and find the correct pipe name to ensure
1499 * that this is a pipe name we support.
1500 */
1501
1502
1503 for (i = 0; i < rpc_lookup_size; i++) {
1504 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1505 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1506 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1507 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1508 break;
1509 }
1510 }
1511
1512 if (i == rpc_lookup_size) {
1513 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1514 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1515 p->name ));
1516 prs_mem_free(&outgoing_rpc);
1517 prs_mem_free(&out_hdr_ba);
1518 prs_mem_free(&out_auth);
1519
1520 return setup_bind_nak(p);
1521 }
1522
1523 for (i = 0; i < rpc_lookup_size; i++) {
1524 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1525 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1526 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1527 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1528 break;
1529 }
1530 }
1531
1532 if (i == rpc_lookup_size) {
1533 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1534 goto err_exit;
1535 }
1536 }
1537
1538 /* decode the bind request */
1539 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1540 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1541 goto err_exit;
1542 }
1543
1544 /* name has to be \PIPE\xxxxx */
1545 fstrcpy(ack_pipe_name, "\\PIPE\\");
1546 fstrcat(ack_pipe_name, p->pipe_srv_name);
1547
1548 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1549
1550 /*
1551 * Check if this is an authenticated bind request.
1552 */
1553
1554 if (p->hdr.auth_len) {
1555 /*
1556 * Decode the authentication verifier.
1557 */
1558
1559 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1560 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1561 goto err_exit;
1562 }
1563
1564 auth_type = auth_info.auth_type;
1565
1566 /* Work out if we have to sign or seal etc. */
1567 switch (auth_info.auth_level) {
1568 case RPC_AUTH_LEVEL_INTEGRITY:
1569 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1570 break;
1571 case RPC_AUTH_LEVEL_PRIVACY:
1572 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1573 break;
1574 default:
1575 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1576 (unsigned int)auth_info.auth_level ));
1577 goto err_exit;
1578 }
1579 } else {
1580 ZERO_STRUCT(auth_info);
1581 }
1582
1583 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1584
1585 switch(auth_type) {
1586 case RPC_NTLMSSP_AUTH_TYPE:
1587 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1588 goto err_exit;
1589 }
1590 assoc_gid = 0x7a77;
1591 break;
1592
1593 case RPC_SCHANNEL_AUTH_TYPE:
1594 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1595 goto err_exit;
1596 }
1597 break;
1598
1599 case RPC_SPNEGO_AUTH_TYPE:
1600 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1601 goto err_exit;
1602 }
1603 break;
1604
1605 case RPC_ANONYMOUS_AUTH_TYPE:
1606 /* Unauthenticated bind request. */
1607 /* We're finished - no more packets. */
1608 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1609 /* We must set the pipe auth_level here also. */
1610 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1611 p->pipe_bound = True;
1612 break;
1613
1614 default:
1615 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1616 goto err_exit;
1617 }
1618
1619 /*
1620 * Create the bind response struct.
1621 */
1622
1623 /* If the requested abstract synt uuid doesn't match our client pipe,
1624 reject the bind_ack & set the transfer interface synt to all 0's,
1625 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1626 unknown to NT4)
1627 Needed when adding entries to a DACL from NT5 - SK */
1628
1629 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1630 hdr_rb.rpc_context[0].context_id )) {
1631 init_rpc_hdr_ba(&hdr_ba,
1632 RPC_MAX_PDU_FRAG_LEN,
1633 RPC_MAX_PDU_FRAG_LEN,
1634 assoc_gid,
1635 ack_pipe_name,
1636 0x1, 0x0, 0x0,
1637 &hdr_rb.rpc_context[0].transfer[0]);
1638 } else {
1639 RPC_IFACE null_interface;
1640 ZERO_STRUCT(null_interface);
1641 /* Rejection reason: abstract syntax not supported */
1642 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1643 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1644 ack_pipe_name, 0x1, 0x2, 0x1,
1645 &null_interface);
1646 p->pipe_bound = False;
1647 }
1648
1649 /*
1650 * and marshall it.
1651 */
1652
1653 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1654 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1655 goto err_exit;
1656 }
1657
1658 /*
1659 * Create the header, now we know the length.
1660 */
1661
1662 if (prs_offset(&out_auth)) {
1663 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1664 }
1665
1666 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1667 p->hdr.call_id,
1668 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1669 auth_len);
1670
1671 /*
1672 * Marshall the header into the outgoing PDU.
1673 */
1674
1675 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1676 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1677 goto err_exit;
1678 }
1679
1680 /*
1681 * Now add the RPC_HDR_BA and any auth needed.
1682 */
1683
1684 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1685 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1686 goto err_exit;
1687 }
1688
1689 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1690 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1691 goto err_exit;
1692 }
1693
1694 /*
1695 * Setup the lengths for the initial reply.
1696 */
1697
1698 p->out_data.data_sent_length = 0;
1699 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1700 p->out_data.current_pdu_sent = 0;
1701
1702 prs_mem_free(&out_hdr_ba);
1703 prs_mem_free(&out_auth);
1704
1705 return True;
1706
1707 err_exit:
1708
1709 prs_mem_free(&outgoing_rpc);
1710 prs_mem_free(&out_hdr_ba);
1711 prs_mem_free(&out_auth);
1712 return setup_bind_nak(p);
1713 }
1714
1715 /****************************************************************************
1716 Deal with an alter context call. Can be third part of 3 leg auth request for
1717 SPNEGO calls.
1718 ****************************************************************************/
1719
1720 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1721 {
1722 RPC_HDR_BA hdr_ba;
1723 RPC_HDR_RB hdr_rb;
1724 RPC_HDR_AUTH auth_info;
1725 uint16 assoc_gid;
1726 fstring ack_pipe_name;
1727 prs_struct out_hdr_ba;
1728 prs_struct out_auth;
1729 prs_struct outgoing_rpc;
1730 int auth_len = 0;
1731
1732 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1733
1734 /*
1735 * Marshall directly into the outgoing PDU space. We
1736 * must do this as we need to set to the bind response
1737 * header and are never sending more than one PDU here.
1738 */
1739
1740 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1741
1742 /*
1743 * Setup the memory to marshall the ba header, and the
1744 * auth footers.
1745 */
1746
1747 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1748 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1749 prs_mem_free(&outgoing_rpc);
1750 return False;
1751 }
1752
1753 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1754 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1755 prs_mem_free(&outgoing_rpc);
1756 prs_mem_free(&out_hdr_ba);
1757 return False;
1758 }
1759
1760 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1761
1762 /* decode the alter context request */
1763 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1764 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1765 goto err_exit;
1766 }
1767
1768 /* secondary address CAN be NULL
1769 * as the specs say it's ignored.
1770 * It MUST be NULL to have the spoolss working.
1771 */
1772 fstrcpy(ack_pipe_name,"");
1773
1774 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1775
1776 /*
1777 * Check if this is an authenticated alter context request.
1778 */
1779
1780 if (p->hdr.auth_len != 0) {
1781 /*
1782 * Decode the authentication verifier.
1783 */
1784
1785 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1786 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1787 goto err_exit;
1788 }
1789
1790 /*
1791 * Currently only the SPNEGO auth type uses the alter ctx
1792 * response in place of the NTLMSSP auth3 type.
1793 */
1794
1795 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1796 /* We can only finish if the pipe is unbound. */
1797 if (!p->pipe_bound) {
1798 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1799 goto err_exit;
1800 }
1801 } else {
1802 goto err_exit;
1803 }
1804 }
1805 } else {
1806 ZERO_STRUCT(auth_info);
1807 }
1808
1809 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1810
1811 /*
1812 * Create the bind response struct.
1813 */
1814
1815 /* If the requested abstract synt uuid doesn't match our client pipe,
1816 reject the bind_ack & set the transfer interface synt to all 0's,
1817 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1818 unknown to NT4)
1819 Needed when adding entries to a DACL from NT5 - SK */
1820
1821 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1822 hdr_rb.rpc_context[0].context_id )) {
1823 init_rpc_hdr_ba(&hdr_ba,
1824 RPC_MAX_PDU_FRAG_LEN,
1825 RPC_MAX_PDU_FRAG_LEN,
1826 assoc_gid,
1827 ack_pipe_name,
1828 0x1, 0x0, 0x0,
1829 &hdr_rb.rpc_context[0].transfer[0]);
1830 } else {
1831 RPC_IFACE null_interface;
1832 ZERO_STRUCT(null_interface);
1833 /* Rejection reason: abstract syntax not supported */
1834 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1835 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1836 ack_pipe_name, 0x1, 0x2, 0x1,
1837 &null_interface);
1838 p->pipe_bound = False;
1839 }
1840
1841 /*
1842 * and marshall it.
1843 */
1844
1845 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1846 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1847 goto err_exit;
1848 }
1849
1850 /*
1851 * Create the header, now we know the length.
1852 */
1853
1854 if (prs_offset(&out_auth)) {
1855 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1856 }
1857
1858 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1859 p->hdr.call_id,
1860 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1861 auth_len);
1862
1863 /*
1864 * Marshall the header into the outgoing PDU.
1865 */
1866
1867 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1868 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1869 goto err_exit;
1870 }
1871
1872 /*
1873 * Now add the RPC_HDR_BA and any auth needed.
1874 */
1875
1876 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1877 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1878 goto err_exit;
1879 }
1880
1881 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1882 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1883 goto err_exit;
1884 }
1885
1886 /*
1887 * Setup the lengths for the initial reply.
1888 */
1889
1890 p->out_data.data_sent_length = 0;
1891 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1892 p->out_data.current_pdu_sent = 0;
1893
1894 prs_mem_free(&out_hdr_ba);
1895 prs_mem_free(&out_auth);
1896
1897 return True;
1898
1899 err_exit:
1900
1901 prs_mem_free(&outgoing_rpc);
1902 prs_mem_free(&out_hdr_ba);
1903 prs_mem_free(&out_auth);
1904 return setup_bind_nak(p);
1905 }
1906
1907 /****************************************************************************
1908 Deal with NTLMSSP sign & seal processing on an RPC request.
1909 ****************************************************************************/
1910
1911 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1912 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1913 {
1914 RPC_HDR_AUTH auth_info;
1915 uint32 auth_len = p->hdr.auth_len;
1916 uint32 save_offset = prs_offset(rpc_in);
1917 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1918 unsigned char *data = NULL;
1919 size_t data_len;
1920 unsigned char *full_packet_data = NULL;
1921 size_t full_packet_data_len;
1922 DATA_BLOB auth_blob;
1923
1924 *pstatus = NT_STATUS_OK;
1925
1926 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1927 return True;
1928 }
1929
1930 if (!a) {
1931 *pstatus = NT_STATUS_INVALID_PARAMETER;
1932 return False;
1933 }
1934
1935 /* Ensure there's enough data for an authenticated request. */
1936 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1937 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1938 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1939 (unsigned int)auth_len ));
1940 *pstatus = NT_STATUS_INVALID_PARAMETER;
1941 return False;
1942 }
1943
1944 /*
1945 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1946 * after the RPC header.
1947 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1948 * functions as NTLMv2 checks the rpc headers also.
1949 */
1950
1951 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
1952 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
1953
1954 full_packet_data = p->in_data.current_in_pdu;
1955 full_packet_data_len = p->hdr.frag_len - auth_len;
1956
1957 /* Pull the auth header and the following data into a blob. */
1958 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1959 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
1960 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
1961 *pstatus = NT_STATUS_INVALID_PARAMETER;
1962 return False;
1963 }
1964
1965 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1966 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1967 *pstatus = NT_STATUS_INVALID_PARAMETER;
1968 return False;
1969 }
1970
1971 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
1972 auth_blob.length = auth_len;
1973
1974 switch (p->auth.auth_level) {
1975 case PIPE_AUTH_LEVEL_PRIVACY:
1976 /* Data is encrypted. */
1977 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
1978 data, data_len,
1979 full_packet_data,
1980 full_packet_data_len,
1981 &auth_blob);
1982 if (!NT_STATUS_IS_OK(*pstatus)) {
1983 return False;
1984 }
1985 break;
1986 case PIPE_AUTH_LEVEL_INTEGRITY:
1987 /* Data is signed. */
1988 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
1989 data, data_len,
1990 full_packet_data,
1991 full_packet_data_len,
1992 &auth_blob);
1993 if (!NT_STATUS_IS_OK(*pstatus)) {
1994 return False;
1995 }
1996 break;
1997 default:
1998 *pstatus = NT_STATUS_INVALID_PARAMETER;
1999 return False;
2000 }
2001
2002 /*
2003 * Return the current pointer to the data offset.
2004 */
2005
2006 if(!prs_set_offset(rpc_in, save_offset)) {
2007 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2008 (unsigned int)save_offset ));
2009 *pstatus = NT_STATUS_INVALID_PARAMETER;
2010 return False;
2011 }
2012
2013 /*
2014 * Remember the padding length. We must remove it from the real data
2015 * stream once the sign/seal is done.
2016 */
2017
2018 *p_ss_padding_len = auth_info.auth_pad_len;
2019
2020 return True;
2021 }
2022
2023 /****************************************************************************
2024 Deal with schannel processing on an RPC request.
2025 ****************************************************************************/
2026
2027 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2028 {
2029 uint32 data_len;
2030 uint32 auth_len;
2031 uint32 save_offset = prs_offset(rpc_in);
2032 RPC_HDR_AUTH auth_info;
2033 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2034
2035 auth_len = p->hdr.auth_len;
2036
2037 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2038 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2039 return False;
2040 }
2041
2042 /*
2043 * The following is that length of the data we must verify or unseal.
2044 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2045 * preceeding the auth_data.
2046 */
2047
2048 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2049 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2050 (unsigned int)p->hdr.frag_len,
2051 (unsigned int)auth_len ));
2052 return False;
2053 }
2054
2055 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2056 RPC_HDR_AUTH_LEN - auth_len;
2057
2058 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2059
2060 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2061 DEBUG(0,("cannot move offset to %u.\n",
2062 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2063 return False;
2064 }
2065
2066 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2067 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2068 return False;
2069 }
2070
2071 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2072 DEBUG(0,("Invalid auth info %d on schannel\n",
2073 auth_info.auth_type));
2074 return False;
2075 }
2076
2077 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2078 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2079 return False;
2080 }
2081
2082 if (!schannel_decode(p->auth.a_u.schannel_auth,
2083 p->auth.auth_level,
2084 SENDER_IS_INITIATOR,
2085 &schannel_chk,
2086 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2087 DEBUG(3,("failed to decode PDU\n"));
2088 return False;
2089 }
2090
2091 /*
2092 * Return the current pointer to the data offset.
2093 */
2094
2095 if(!prs_set_offset(rpc_in, save_offset)) {
2096 DEBUG(0,("failed to set offset back to %u\n",
2097 (unsigned int)save_offset ));
2098 return False;
2099 }
2100
2101 /* The sequence number gets incremented on both send and receive. */
2102 p->auth.a_u.schannel_auth->seq_num++;
2103
2104 /*
2105 * Remember the padding length. We must remove it from the real data
2106 * stream once the sign/seal is done.
2107 */
2108
2109 *p_ss_padding_len = auth_info.auth_pad_len;
2110
2111 return True;
2112 }
2113
2114 /****************************************************************************
2115 Return a user struct for a pipe user.
2116 ****************************************************************************/
2117
2118 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2119 {
2120 if (p->pipe_bound &&
2121 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2122 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2123 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2124 } else {
2125 memcpy(user, &current_user, sizeof(struct current_user));
2126 }
2127
2128 return user;
2129 }
2130
2131 /****************************************************************************
2132 Find the set of RPC functions associated with this context_id
2133 ****************************************************************************/
2134
2135 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2136 {
2137 PIPE_RPC_FNS *fns = NULL;
2138 PIPE_RPC_FNS *tmp = NULL;
2139
2140 if ( !list ) {
2141 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2142 return NULL;
2143 }
2144
2145 for (tmp=list; tmp; tmp=tmp->next ) {
2146 if ( tmp->context_id == context_id )
2147 break;
2148 }
2149
2150 fns = tmp;
2151
2152 return fns;
2153 }
2154
2155 /****************************************************************************
2156 Memory cleanup.
2157 ****************************************************************************/
2158
2159 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2160 {
2161 PIPE_RPC_FNS *tmp = list;
2162 PIPE_RPC_FNS *tmp2;
2163
2164 while (tmp) {
2165 tmp2 = tmp->next;
2166 SAFE_FREE(tmp);
2167 tmp = tmp2;
2168 }
2169
2170 return;
2171 }
2172
2173 /****************************************************************************
2174 Find the correct RPC function to call for this request.
2175 If the pipe is authenticated then become the correct UNIX user
2176 before doing the call.
2177 ****************************************************************************/
2178
2179 BOOL api_pipe_request(pipes_struct *p)
2180 {
2181 BOOL ret = False;
2182 BOOL changed_user = False;
2183 PIPE_RPC_FNS *pipe_fns;
2184
2185 if (p->pipe_bound &&
2186 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2187 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2188 if(!become_authenticated_pipe_user(p)) {
2189 prs_mem_free(&p->out_data.rdata);
2190 return False;
2191 }
2192 changed_user = True;
2193 }
2194
2195 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2196
2197 /* get the set of RPC functions for this context */
2198
2199 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2200
2201 if ( pipe_fns ) {
2202 set_current_rpc_talloc(p->mem_ctx);
2203 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2204 set_current_rpc_talloc(NULL);
2205 }
2206 else {
2207 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2208 p->hdr_req.context_id, p->name));
2209 }
2210
2211 if (changed_user) {
2212 unbecome_authenticated_pipe_user();
2213 }
2214
2215 return ret;
2216 }
2217
2218 /*******************************************************************
2219 Calls the underlying RPC function for a named pipe.
2220 ********************************************************************/
2221
2222 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2223 const struct api_struct *api_rpc_cmds, int n_cmds)
2224 {
2225 int fn_num;
2226 fstring name;
2227 uint32 offset1, offset2;
2228
2229 /* interpret the command */
2230 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2231
2232 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2233 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2234
2235 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2236 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2237 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2238 break;
2239 }
2240 }
2241
2242 if (fn_num == n_cmds) {
2243 /*
2244 * For an unknown RPC just return a fault PDU but
2245 * return True to allow RPC's on the pipe to continue
2246 * and not put the pipe into fault state. JRA.
2247 */
2248 DEBUG(4, ("unknown\n"));
2249 setup_fault_pdu(p, NT_STATUS(0x1c010002));
2250 return True;
2251 }
2252
2253 offset1 = prs_offset(&p->out_data.rdata);
2254
2255 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2256 fn_num, api_rpc_cmds[fn_num].fn));
2257 /* do the actual command */
2258 if(!api_rpc_cmds[fn_num].fn(p)) {
2259 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2260 prs_mem_free(&p->out_data.rdata);
2261 return False;
2262 }
2263
2264 if (p->bad_handle_fault_state) {
2265 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2266 p->bad_handle_fault_state = False;
2267 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
2268 return True;
2269 }
2270
2271 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2272 offset2 = prs_offset(&p->out_data.rdata);
2273 prs_set_offset(&p->out_data.rdata, offset1);
2274 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2275 prs_set_offset(&p->out_data.rdata, offset2);
2276
2277 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2278
2279 /* Check for buffer underflow in rpc parsing */
2280
2281 if ((DEBUGLEVEL >= 10) &&
2282 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2283 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2284 char *data = SMB_MALLOC(data_len);
2285
2286 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2287 if (data) {
2288 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2289 SAFE_FREE(data);
2290 }
2291
2292 }
2293
2294 return True;
2295 }
2296
2297 /*******************************************************************
2298 *******************************************************************/
2299
2300 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2301 {
2302 struct api_struct *cmds = NULL;
2303 int n_cmds = 0;
2304
2305 switch ( idx ) {
2306 case PI_LSARPC:
2307 lsa_get_pipe_fns( &cmds, &n_cmds );
2308 break;
2309 case PI_LSARPC_DS:
2310 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2311 break;
2312 case PI_SAMR:
2313 samr_get_pipe_fns( &cmds, &n_cmds );
2314 break;
2315 case PI_NETLOGON:
2316 netlog_get_pipe_fns( &cmds, &n_cmds );
2317 break;
2318 case PI_SRVSVC:
2319 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2320 break;
2321 case PI_WKSSVC:
2322 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2323 break;
2324 case PI_WINREG:
2325 reg_get_pipe_fns( &cmds, &n_cmds );
2326 break;
2327 case PI_SPOOLSS:
2328 spoolss_get_pipe_fns( &cmds, &n_cmds );
2329 break;
2330 case PI_NETDFS:
2331 netdfs_get_pipe_fns( &cmds, &n_cmds );
2332 break;
2333 case PI_SVCCTL:
2334 svcctl_get_pipe_fns( &cmds, &n_cmds );
2335 break;
2336 case PI_EVENTLOG:
2337 eventlog_get_pipe_fns( &cmds, &n_cmds );
2338 break;
2339 case PI_NTSVCS:
2340 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2341 break;
2342 #ifdef DEVELOPER
2343 case PI_ECHO:
2344 echo_get_pipe_fns( &cmds, &n_cmds );
2345 break;
2346 #endif
2347 default:
2348 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2349 }
2350
2351 *fns = cmds;
2352 *n_fns = n_cmds;
2353
2354 return;
2355 }