search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r10656: BIG merge from trunk. Features not copied over
[Samba/nascimento.git] / source3 / rpc_server / srv_pipe.c
blobba6d9704e808375ef8c62fb685390bcabd548cf0
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 /* this module apparently provides an implementation of DCE/RPC over a
22 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
23 * documentation are available (in on-line form) from the X-Open group.
24 *
25 * this module should provide a level of abstraction between SMB
26 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
27 * data copies, and network traffic.
28 *
29 */
30
31 #include "includes.h"
32
33 extern struct pipe_id_info pipe_names[];
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 /*************************************************************
40 HACK Alert!
41 We need to transfer the session key from one rpc bind to the
42 next. This is the way the netlogon schannel works.
43 **************************************************************/
44
45 struct dcinfo last_dcinfo;
46 BOOL server_auth2_negotiated = False;
47
48 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
49 {
50 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
51
52 if (a) {
53 auth_ntlmssp_end(&a);
54 }
55 auth->a_u.auth_ntlmssp_state = NULL;
56 }
57
58 /*******************************************************************
59 Generate the next PDU to be returned from the data in p->rdata.
60 Handle NTLMSSP.
61 ********************************************************************/
62
63 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
64 {
65 RPC_HDR_RESP hdr_resp;
66 uint32 ss_padding_len = 0;
67 uint32 data_space_available;
68 uint32 data_len_left;
69 uint32 data_len;
70 prs_struct outgoing_pdu;
71 NTSTATUS status;
72 DATA_BLOB auth_blob;
73 RPC_HDR_AUTH auth_info;
74 uint8 auth_type, auth_level;
75 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
76
77 /*
78 * If we're in the fault state, keep returning fault PDU's until
79 * the pipe gets closed. JRA.
80 */
81
82 if(p->fault_state) {
83 setup_fault_pdu(p, NT_STATUS(0x1c010002));
84 return True;
85 }
86
87 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
88
89 /* Change the incoming request header to a response. */
90 p->hdr.pkt_type = RPC_RESPONSE;
91
92 /* Set up rpc header flags. */
93 if (p->out_data.data_sent_length == 0) {
94 p->hdr.flags = RPC_FLG_FIRST;
95 } else {
96 p->hdr.flags = 0;
97 }
98
99 /*
100 * Work out how much we can fit in a single PDU.
101 */
102
103 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
104
105 /*
106 * Ensure there really is data left to send.
107 */
108
109 if(!data_len_left) {
110 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
111 return False;
112 }
113
114 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
115 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
116
117 /*
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
120 */
121
122 data_len = MIN(data_len_left, data_space_available);
123
124 /*
125 * Set up the alloc hint. This should be the data left to
126 * send.
127 */
128
129 hdr_resp.alloc_hint = data_len_left;
130
131 /*
132 * Work out if this PDU will be the last.
133 */
134
135 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
136 p->hdr.flags |= RPC_FLG_LAST;
137 if (data_len_left % 8) {
138 ss_padding_len = 8 - (data_len_left % 8);
139 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
140 ss_padding_len ));
141 }
142 }
143
144 /*
145 * Set up the header lengths.
146 */
147
148 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
149 data_len + ss_padding_len +
150 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
151 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
152
153
154 /*
155 * Init the parse struct to point at the outgoing
156 * data.
157 */
158
159 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
160 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
161
162 /* Store the header in the data stream. */
163 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
170 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
171 prs_mem_free(&outgoing_pdu);
172 return False;
173 }
174
175 /* Copy the data into the PDU. */
176
177 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
178 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
179 prs_mem_free(&outgoing_pdu);
180 return False;
181 }
182
183 /* Copy the sign/seal padding data. */
184 if (ss_padding_len) {
185 unsigned char pad[8];
186
187 memset(pad, '\0', 8);
188 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
189 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
190 (unsigned int)ss_padding_len));
191 prs_mem_free(&outgoing_pdu);
192 return False;
193 }
194 }
195
196
197 /* Now write out the auth header and null blob. */
198 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
199 auth_type = RPC_NTLMSSP_AUTH_TYPE;
200 } else {
201 auth_type = RPC_SPNEGO_AUTH_TYPE;
202 }
203 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
204 auth_level = RPC_AUTH_LEVEL_PRIVACY;
205 } else {
206 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
207 }
208
209 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
210 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
211 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212 prs_mem_free(&outgoing_pdu);
213 return False;
214 }
215
216 /* Generate the sign blob. */
217
218 switch (p->auth.auth_level) {
219 case PIPE_AUTH_LEVEL_PRIVACY:
220 /* Data portion is encrypted. */
221 status = ntlmssp_seal_packet(a->ntlmssp_state,
222 prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
223 data_len + ss_padding_len,
224 prs_data_p(&outgoing_pdu),
225 (size_t)prs_offset(&outgoing_pdu),
226 &auth_blob);
227 if (!NT_STATUS_IS_OK(status)) {
228 data_blob_free(&auth_blob);
229 prs_mem_free(&outgoing_pdu);
230 return False;
231 }
232 break;
233 case PIPE_AUTH_LEVEL_INTEGRITY:
234 /* Data is signed. */
235 status = ntlmssp_sign_packet(a->ntlmssp_state,
236 prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
237 data_len + ss_padding_len,
238 prs_data_p(&outgoing_pdu),
239 (size_t)prs_offset(&outgoing_pdu),
240 &auth_blob);
241 if (!NT_STATUS_IS_OK(status)) {
242 data_blob_free(&auth_blob);
243 prs_mem_free(&outgoing_pdu);
244 return False;
245 }
246 break;
247 default:
248 prs_mem_free(&outgoing_pdu);
249 return False;
250 }
251
252 /* Append the auth blob. */
253 if (!prs_copy_data_in(&outgoing_pdu, auth_blob.data, NTLMSSP_SIG_SIZE)) {
254 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
255 (unsigned int)NTLMSSP_SIG_SIZE));
256 data_blob_free(&auth_blob);
257 prs_mem_free(&outgoing_pdu);
258 return False;
259 }
260
261 data_blob_free(&auth_blob);
262
263 /*
264 * Setup the counts for this PDU.
265 */
266
267 p->out_data.data_sent_length += data_len;
268 p->out_data.current_pdu_len = p->hdr.frag_len;
269 p->out_data.current_pdu_sent = 0;
270
271 prs_mem_free(&outgoing_pdu);
272 return True;
273 }
274
275 /*******************************************************************
276 Generate the next PDU to be returned from the data in p->rdata.
277 Return an schannel authenticated fragment.
278 ********************************************************************/
279
280 static BOOL create_next_pdu_schannel(pipes_struct *p)
281 {
282 RPC_HDR_RESP hdr_resp;
283 uint32 ss_padding_len = 0;
284 uint32 data_len;
285 uint32 data_space_available;
286 uint32 data_len_left;
287 prs_struct outgoing_pdu;
288 uint32 data_pos;
289
290 /*
291 * If we're in the fault state, keep returning fault PDU's until
292 * the pipe gets closed. JRA.
293 */
294
295 if(p->fault_state) {
296 setup_fault_pdu(p, NT_STATUS(0x1c010002));
297 return True;
298 }
299
300 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
301
302 /* Change the incoming request header to a response. */
303 p->hdr.pkt_type = RPC_RESPONSE;
304
305 /* Set up rpc header flags. */
306 if (p->out_data.data_sent_length == 0) {
307 p->hdr.flags = RPC_FLG_FIRST;
308 } else {
309 p->hdr.flags = 0;
310 }
311
312 /*
313 * Work out how much we can fit in a single PDU.
314 */
315
316 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
317
318 /*
319 * Ensure there really is data left to send.
320 */
321
322 if(!data_len_left) {
323 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
324 return False;
325 }
326
327 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
328 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
329
330 /*
331 * The amount we send is the minimum of the available
332 * space and the amount left to send.
333 */
334
335 data_len = MIN(data_len_left, data_space_available);
336
337 /*
338 * Set up the alloc hint. This should be the data left to
339 * send.
340 */
341
342 hdr_resp.alloc_hint = data_len_left;
343
344 /*
345 * Work out if this PDU will be the last.
346 */
347
348 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
349 p->hdr.flags |= RPC_FLG_LAST;
350 if (data_len_left % 8) {
351 ss_padding_len = 8 - (data_len_left % 8);
352 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
353 ss_padding_len ));
354 }
355 }
356
357 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
358 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
359 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
360
361 /*
362 * Init the parse struct to point at the outgoing
363 * data.
364 */
365
366 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
367 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
368
369 /* Store the header in the data stream. */
370 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
377 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
378 prs_mem_free(&outgoing_pdu);
379 return False;
380 }
381
382 /* Store the current offset. */
383 data_pos = prs_offset(&outgoing_pdu);
384
385 /* Copy the data into the PDU. */
386
387 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
388 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
389 prs_mem_free(&outgoing_pdu);
390 return False;
391 }
392
393 /* Copy the sign/seal padding data. */
394 if (ss_padding_len) {
395 char pad[8];
396 memset(pad, '\0', 8);
397 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
398 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
399 prs_mem_free(&outgoing_pdu);
400 return False;
401 }
402 }
403
404 {
405 /*
406 * Schannel processing.
407 */
408 char *data;
409 RPC_HDR_AUTH auth_info;
410 RPC_AUTH_SCHANNEL_CHK verf;
411
412 data = prs_data_p(&outgoing_pdu) + data_pos;
413 /* Check it's the type of reply we were expecting to decode */
414
415 init_rpc_hdr_auth(&auth_info,
416 RPC_SCHANNEL_AUTH_TYPE,
417 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
418 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
419 ss_padding_len, 1);
420
421 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
422 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
423 prs_mem_free(&outgoing_pdu);
424 return False;
425 }
426
427 schannel_encode(p->auth.a_u.schannel_auth,
428 p->auth.auth_level,
429 SENDER_IS_ACCEPTOR,
430 &verf, data, data_len + ss_padding_len);
431
432 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
433 &verf, &outgoing_pdu, 0)) {
434 prs_mem_free(&outgoing_pdu);
435 return False;
436 }
437
438 p->auth.a_u.schannel_auth->seq_num++;
439 }
440
441 /*
442 * Setup the counts for this PDU.
443 */
444
445 p->out_data.data_sent_length += data_len;
446 p->out_data.current_pdu_len = p->hdr.frag_len;
447 p->out_data.current_pdu_sent = 0;
448
449 prs_mem_free(&outgoing_pdu);
450 return True;
451 }
452
453 /*******************************************************************
454 Generate the next PDU to be returned from the data in p->rdata.
455 No authentication done.
456 ********************************************************************/
457
458 static BOOL create_next_pdu_noauth(pipes_struct *p)
459 {
460 RPC_HDR_RESP hdr_resp;
461 uint32 data_len;
462 uint32 data_space_available;
463 uint32 data_len_left;
464 prs_struct outgoing_pdu;
465
466 /*
467 * If we're in the fault state, keep returning fault PDU's until
468 * the pipe gets closed. JRA.
469 */
470
471 if(p->fault_state) {
472 setup_fault_pdu(p, NT_STATUS(0x1c010002));
473 return True;
474 }
475
476 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
477
478 /* Change the incoming request header to a response. */
479 p->hdr.pkt_type = RPC_RESPONSE;
480
481 /* Set up rpc header flags. */
482 if (p->out_data.data_sent_length == 0) {
483 p->hdr.flags = RPC_FLG_FIRST;
484 } else {
485 p->hdr.flags = 0;
486 }
487
488 /*
489 * Work out how much we can fit in a single PDU.
490 */
491
492 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
493
494 /*
495 * Ensure there really is data left to send.
496 */
497
498 if(!data_len_left) {
499 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
500 return False;
501 }
502
503 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
504
505 /*
506 * The amount we send is the minimum of the available
507 * space and the amount left to send.
508 */
509
510 data_len = MIN(data_len_left, data_space_available);
511
512 /*
513 * Set up the alloc hint. This should be the data left to
514 * send.
515 */
516
517 hdr_resp.alloc_hint = data_len_left;
518
519 /*
520 * Work out if this PDU will be the last.
521 */
522
523 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
524 p->hdr.flags |= RPC_FLG_LAST;
525 }
526
527 /*
528 * Set up the header lengths.
529 */
530
531 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
532 p->hdr.auth_len = 0;
533
534 /*
535 * Init the parse struct to point at the outgoing
536 * data.
537 */
538
539 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
540 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
541
542 /* Store the header in the data stream. */
543 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
550 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
551 prs_mem_free(&outgoing_pdu);
552 return False;
553 }
554
555 /* Copy the data into the PDU. */
556
557 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
558 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
559 prs_mem_free(&outgoing_pdu);
560 return False;
561 }
562
563 /*
564 * Setup the counts for this PDU.
565 */
566
567 p->out_data.data_sent_length += data_len;
568 p->out_data.current_pdu_len = p->hdr.frag_len;
569 p->out_data.current_pdu_sent = 0;
570
571 prs_mem_free(&outgoing_pdu);
572 return True;
573 }
574
575 /*******************************************************************
576 Generate the next PDU to be returned from the data in p->rdata.
577 ********************************************************************/
578
579 BOOL create_next_pdu(pipes_struct *p)
580 {
581 switch(p->auth.auth_level) {
582 case PIPE_AUTH_LEVEL_NONE:
583 case PIPE_AUTH_LEVEL_CONNECT:
584 /* This is incorrect for auth level connect. Fixme. JRA */
585 return create_next_pdu_noauth(p);
586
587 default:
588 switch(p->auth.auth_type) {
589 case PIPE_AUTH_TYPE_NTLMSSP:
590 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
591 return create_next_pdu_ntlmssp(p);
592 case PIPE_AUTH_TYPE_SCHANNEL:
593 return create_next_pdu_schannel(p);
594 default:
595 break;
596 }
597 }
598
599 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
600 (unsigned int)p->auth.auth_level,
601 (unsigned int)p->auth.auth_type));
602 return False;
603 }
604
605 /*******************************************************************
606 Process an NTLMSSP authentication response.
607 If this function succeeds, the user has been authenticated
608 and their domain, name and calling workstation stored in
609 the pipe struct.
610 *******************************************************************/
611
612 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
613 {
614 DATA_BLOB reply;
615 NTSTATUS status;
616 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
617
618 DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n"));
619
620 ZERO_STRUCT(reply);
621
622 memset(p->user_name, '\0', sizeof(p->user_name));
623 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
624 memset(p->domain, '\0', sizeof(p->domain));
625 memset(p->wks, '\0', sizeof(p->wks));
626
627 /* Set up for non-authenticated user. */
628 delete_nt_token(&p->pipe_user.nt_user_token);
629 p->pipe_user.ngroups = 0;
630 SAFE_FREE( p->pipe_user.groups);
631
632 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
633
634 /* Don't generate a reply. */
635 data_blob_free(&reply);
636
637 if (!NT_STATUS_IS_OK(status)) {
638 return False;
639 }
640
641 fstrcpy(p->user_name, a->ntlmssp_state->user);
642 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
643 fstrcpy(p->domain, a->ntlmssp_state->domain);
644 fstrcpy(p->wks, a->ntlmssp_state->workstation);
645
646 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
647 p->user_name, p->domain, p->wks));
648
649 /*
650 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
651 */
652
653 p->pipe_user.uid = a->server_info->uid;
654 p->pipe_user.gid = a->server_info->gid;
655
656 /*
657 * Copy the session key from the ntlmssp state.
658 */
659
660 data_blob_free(&p->session_key);
661 p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
662 if (!p->session_key.data) {
663 return False;
664 }
665
666 p->pipe_user.ngroups = a->server_info->n_groups;
667 if (p->pipe_user.ngroups) {
668 if (!(p->pipe_user.groups = memdup(a->server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
669 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
670 return False;
671 }
672 }
673
674 if (a->server_info->ptok) {
675 p->pipe_user.nt_user_token = dup_nt_token(a->server_info->ptok);
676 } else {
677 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
678 p->pipe_user.nt_user_token = NULL;
679 return False;
680 }
681
682 return True;
683 }
684
685 /*******************************************************************
686 The switch table for the pipe names and the functions to handle them.
687 *******************************************************************/
688
689 struct rpc_table {
690 struct {
691 const char *clnt;
692 const char *srv;
693 } pipe;
694 struct api_struct *cmds;
695 int n_cmds;
696 };
697
698 static struct rpc_table *rpc_lookup;
699 static int rpc_lookup_size;
700
701 /*******************************************************************
702 This is the "stage3" NTLMSSP response after a bind request and reply.
703 *******************************************************************/
704
705 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
706 {
707 RPC_HDR_AUTH auth_info;
708 uint32 pad;
709 DATA_BLOB blob;
710
711 ZERO_STRUCT(blob);
712
713 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
714
715 if (p->hdr.auth_len == 0) {
716 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
717 goto err;
718 }
719
720 /* 4 bytes padding. */
721 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
722 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
723 goto err;
724 }
725
726 /*
727 * Decode the authentication verifier response.
728 */
729
730 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
731 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
732 goto err;
733 }
734
735 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
736 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
737 (unsigned int)auth_info.auth_type ));
738 return False;
739 }
740
741 blob = data_blob(NULL,p->hdr.auth_len);
742
743 if (!prs_copy_data_out(blob.data, rpc_in_p, p->hdr.auth_len)) {
744 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
745 (unsigned int)p->hdr.auth_len ));
746 goto err;
747 }
748
749 /*
750 * The following call actually checks the challenge/response data.
751 * for correctness against the given DOMAIN\user name.
752 */
753
754 if (!pipe_ntlmssp_verify_final(p, &blob)) {
755 goto err;
756 }
757
758 data_blob_free(&blob);
759
760 p->pipe_bound = True;
761
762 return True;
763
764 err:
765
766 data_blob_free(&blob);
767 free_pipe_ntlmssp_auth_data(&p->auth);
768 p->auth.a_u.auth_ntlmssp_state = NULL;
769
770 return False;
771 }
772
773 /*******************************************************************
774 Marshall a bind_nak pdu.
775 *******************************************************************/
776
777 static BOOL setup_bind_nak(pipes_struct *p)
778 {
779 prs_struct outgoing_rpc;
780 RPC_HDR nak_hdr;
781 uint16 zero = 0;
782
783 /* Free any memory in the current return data buffer. */
784 prs_mem_free(&p->out_data.rdata);
785
786 /*
787 * Marshall directly into the outgoing PDU space. We
788 * must do this as we need to set to the bind response
789 * header and are never sending more than one PDU here.
790 */
791
792 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
793 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
794
795 /*
796 * Initialize a bind_nak header.
797 */
798
799 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
800 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
801
802 /*
803 * Marshall the header into the outgoing PDU.
804 */
805
806 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
807 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
808 prs_mem_free(&outgoing_rpc);
809 return False;
810 }
811
812 /*
813 * Now add the reject reason.
814 */
815
816 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
817 prs_mem_free(&outgoing_rpc);
818 return False;
819 }
820
821 p->out_data.data_sent_length = 0;
822 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
823 p->out_data.current_pdu_sent = 0;
824
825 if (p->auth.auth_data_free_func) {
826 (*p->auth.auth_data_free_func)(&p->auth);
827 }
828 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
829 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
830 p->pipe_bound = False;
831
832 return True;
833 }
834
835 /*******************************************************************
836 Marshall a fault pdu.
837 *******************************************************************/
838
839 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
840 {
841 prs_struct outgoing_pdu;
842 RPC_HDR fault_hdr;
843 RPC_HDR_RESP hdr_resp;
844 RPC_HDR_FAULT fault_resp;
845
846 /* Free any memory in the current return data buffer. */
847 prs_mem_free(&p->out_data.rdata);
848
849 /*
850 * Marshall directly into the outgoing PDU space. We
851 * must do this as we need to set to the bind response
852 * header and are never sending more than one PDU here.
853 */
854
855 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
856 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
857
858 /*
859 * Initialize a fault header.
860 */
861
862 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
863 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
864
865 /*
866 * Initialize the HDR_RESP and FAULT parts of the PDU.
867 */
868
869 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
870
871 fault_resp.status = status;
872 fault_resp.reserved = 0;
873
874 /*
875 * Marshall the header into the outgoing PDU.
876 */
877
878 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
879 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
880 prs_mem_free(&outgoing_pdu);
881 return False;
882 }
883
884 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
885 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
886 prs_mem_free(&outgoing_pdu);
887 return False;
888 }
889
890 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
891 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
892 prs_mem_free(&outgoing_pdu);
893 return False;
894 }
895
896 p->out_data.data_sent_length = 0;
897 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
898 p->out_data.current_pdu_sent = 0;
899
900 prs_mem_free(&outgoing_pdu);
901 return True;
902 }
903
904 /*******************************************************************
905 Ensure a bind request has the correct abstract & transfer interface.
906 Used to reject unknown binds from Win2k.
907 *******************************************************************/
908
909 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
910 RPC_IFACE* transfer, uint32 context_id)
911 {
912 char *pipe_name = p->name;
913 int i=0;
914 fstring pname;
915
916 fstrcpy(pname,"\\PIPE\\");
917 fstrcat(pname,pipe_name);
918
919 DEBUG(3,("check_bind_req for %s\n", pname));
920
921 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
922
923 for ( i=0; pipe_names[i].client_pipe; i++ ) {
924 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
925 if ( strequal(pipe_names[i].client_pipe, pname)
926 && (abstract->version == pipe_names[i].abstr_syntax.version)
927 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
928 && (transfer->version == pipe_names[i].trans_syntax.version)
929 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) ) {
930 struct api_struct *fns = NULL;
931 int n_fns = 0;
932 PIPE_RPC_FNS *context_fns;
933
934 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
935 DEBUG(0,("check_bind_req: malloc() failed!\n"));
936 return False;
937 }
938
939 /* save the RPC function table associated with this bind */
940
941 get_pipe_fns(i, &fns, &n_fns);
942
943 context_fns->cmds = fns;
944 context_fns->n_cmds = n_fns;
945 context_fns->context_id = context_id;
946
947 /* add to the list of open contexts */
948
949 DLIST_ADD( p->contexts, context_fns );
950
951 break;
952 }
953 }
954
955 if(pipe_names[i].client_pipe == NULL) {
956 return False;
957 }
958
959 return True;
960 }
961
962 /*******************************************************************
963 Register commands to an RPC pipe
964 *******************************************************************/
965
966 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
967 {
968 struct rpc_table *rpc_entry;
969
970 if (!clnt || !srv || !cmds) {
971 return NT_STATUS_INVALID_PARAMETER;
972 }
973
974 if (version != SMB_RPC_INTERFACE_VERSION) {
975 DEBUG(0,("Can't register rpc commands!\n"
976 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
977 ", while this version of samba uses version %d!\n",
978 version,SMB_RPC_INTERFACE_VERSION));
979 return NT_STATUS_OBJECT_TYPE_MISMATCH;
980 }
981
982 /* TODO:
983 *
984 * we still need to make sure that don't register the same commands twice!!!
985 *
986 * --metze
987 */
988
989 /* We use a temporary variable because this call can fail and
990 rpc_lookup will still be valid afterwards. It could then succeed if
991 called again later */
992 rpc_lookup_size++;
993 rpc_entry = SMB_REALLOC_ARRAY(rpc_lookup, struct rpc_table, rpc_lookup_size);
994 if (NULL == rpc_entry) {
995 rpc_lookup_size--;
996 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
997 return NT_STATUS_NO_MEMORY;
998 } else {
999 rpc_lookup = rpc_entry;
1000 }
1001
1002 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1003 ZERO_STRUCTP(rpc_entry);
1004 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1005 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1006 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1007 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1008 rpc_entry->n_cmds += size;
1009
1010 return NT_STATUS_OK;
1011 }
1012
1013 /*******************************************************************
1014 Handle a SPNEGO krb5 bind auth.
1015 *******************************************************************/
1016
1017 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1018 DATA_BLOB *psecblob, prs_struct *pout_auth)
1019 {
1020 return False;
1021 }
1022
1023 /*******************************************************************
1024 Handle the first part of a SPNEGO bind auth.
1025 *******************************************************************/
1026
1027 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1028 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1029 {
1030 DATA_BLOB blob;
1031 DATA_BLOB secblob;
1032 DATA_BLOB response;
1033 DATA_BLOB chal;
1034 char *OIDs[ASN1_MAX_OIDS];
1035 int i;
1036 NTSTATUS status;
1037 BOOL got_kerberos_mechanism = False;
1038 AUTH_NTLMSSP_STATE *a = NULL;
1039 RPC_HDR_AUTH auth_info;
1040
1041 ZERO_STRUCT(secblob);
1042 ZERO_STRUCT(chal);
1043 ZERO_STRUCT(response);
1044
1045 /* Grab the SPNEGO blob. */
1046 blob = data_blob(NULL,p->hdr.auth_len);
1047
1048 if (!prs_copy_data_out(blob.data, rpc_in_p, p->hdr.auth_len)) {
1049 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1050 (unsigned int)p->hdr.auth_len ));
1051 goto err;
1052 }
1053
1054 if (blob.data[0] != ASN1_APPLICATION(0)) {
1055 goto err;
1056 }
1057
1058 /* parse out the OIDs and the first sec blob */
1059 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1060 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1061 goto err;
1062 }
1063
1064 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1065 got_kerberos_mechanism = True;
1066 }
1067
1068 for (i=0;OIDs[i];i++) {
1069 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1070 SAFE_FREE(OIDs[i]);
1071 }
1072 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1073
1074 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1075 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1076 data_blob_free(&secblob);
1077 data_blob_free(&blob);
1078 return ret;
1079 }
1080
1081 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1082 /* Free any previous auth type. */
1083 free_pipe_ntlmssp_auth_data(&p->auth);
1084 }
1085
1086 /* Initialize the NTLM engine. */
1087 status = auth_ntlmssp_start(&a);
1088 if (!NT_STATUS_IS_OK(status)) {
1089 goto err;
1090 }
1091
1092 /*
1093 * Pass the first security blob of data to it.
1094 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1095 * which means we need another packet to complete the bind.
1096 */
1097
1098 status = auth_ntlmssp_update(a, secblob, &chal);
1099
1100 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1101 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1102 goto err;
1103 }
1104
1105 /* Generate the response blob we need for step 2 of the bind. */
1106 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1107
1108 /* Copy the blob into the pout_auth parse struct */
1109 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1110 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1111 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1112 goto err;
1113 }
1114
1115 if (!prs_copy_data_in(pout_auth, response.data, response.length)) {
1116 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1117 goto err;
1118 }
1119
1120 p->auth.a_u.auth_ntlmssp_state = a;
1121 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1122 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1123
1124 data_blob_free(&blob);
1125 data_blob_free(&secblob);
1126 data_blob_free(&chal);
1127 data_blob_free(&response);
1128
1129 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1130 return True;
1131
1132 err:
1133
1134 data_blob_free(&blob);
1135 data_blob_free(&secblob);
1136 data_blob_free(&chal);
1137 data_blob_free(&response);
1138
1139 p->auth.a_u.auth_ntlmssp_state = NULL;
1140
1141 return False;
1142 }
1143
1144 /*******************************************************************
1145 Handle the second part of a SPNEGO bind auth.
1146 *******************************************************************/
1147
1148 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1149 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1150 {
1151 DATA_BLOB spnego_blob, auth_blob, auth_reply;
1152 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1153
1154 ZERO_STRUCT(spnego_blob);
1155 ZERO_STRUCT(auth_blob);
1156 ZERO_STRUCT(auth_reply);
1157
1158 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1159 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1160 goto err;
1161 }
1162
1163 /* Grab the SPNEGO blob. */
1164 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1165
1166 if (!prs_copy_data_out(spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1167 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1168 (unsigned int)p->hdr.auth_len ));
1169 goto err;
1170 }
1171
1172 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1173 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1174 goto err;
1175 }
1176
1177 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1178 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1179 goto err;
1180 }
1181
1182 /*
1183 * The following call actually checks the challenge/response data.
1184 * for correctness against the given DOMAIN\user name.
1185 */
1186
1187 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1188 goto err;
1189 }
1190
1191 data_blob_free(&spnego_blob);
1192 data_blob_free(&auth_blob);
1193 data_blob_free(&auth_reply);
1194
1195 p->pipe_bound = True;
1196
1197 return True;
1198
1199 err:
1200
1201 data_blob_free(&spnego_blob);
1202 data_blob_free(&auth_blob);
1203 data_blob_free(&auth_reply);
1204
1205 free_pipe_ntlmssp_auth_data(&p->auth);
1206 p->auth.a_u.auth_ntlmssp_state = NULL;
1207
1208 return False;
1209 }
1210
1211 /*******************************************************************
1212 Handle an schannel bind auth.
1213 *******************************************************************/
1214
1215 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1216 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1217 {
1218 RPC_HDR_AUTH auth_info;
1219 RPC_AUTH_SCHANNEL_NEG neg;
1220 RPC_AUTH_VERIFIER auth_verifier;
1221 uint32 flags;
1222
1223 if (!server_auth2_negotiated) {
1224 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1225 return False;
1226 }
1227
1228 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1229 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1230 return False;
1231 }
1232
1233 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1234 if (!p->auth.a_u.schannel_auth) {
1235 return False;
1236 }
1237
1238 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1239 memcpy(p->auth.a_u.schannel_auth->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
1240
1241 p->auth.a_u.schannel_auth->seq_num = 0;
1242
1243 /*
1244 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1245 * here ? We do that for NTLMSPP, but the session key is already set up from the vuser
1246 * struct of the person who opened the pipe. I need to test this further. JRA.
1247 */
1248
1249 /* The client opens a second RPC NETLOGON pipe without
1250 doing a auth2. The credentials for the schannel are
1251 re-used from the auth2 the client did before. */
1252 p->dc = TALLOC_ZERO_P(p->pipe_state_mem_ctx, struct dcinfo);
1253 if (!p->dc) {
1254 return False;
1255 }
1256 *p->dc = last_dcinfo;
1257
1258 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1259 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1260 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1261 return False;
1262 }
1263
1264 /*** SCHANNEL verifier ***/
1265
1266 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1267 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1268 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1269 return False;
1270 }
1271
1272 prs_align(pout_auth);
1273
1274 flags = 5;
1275 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1276 return False;
1277 }
1278
1279 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1280 neg.domain, neg.myname));
1281
1282 /* We're finished with this bind - no more packets. */
1283 p->auth.auth_data_free_func = NULL;
1284 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1285
1286 p->pipe_bound = True;
1287
1288 return True;
1289 }
1290
1291 /*******************************************************************
1292 Handle an NTLMSSP bind auth.
1293 *******************************************************************/
1294
1295 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1296 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1297 {
1298 RPC_HDR_AUTH auth_info;
1299 DATA_BLOB blob;
1300 DATA_BLOB response;
1301 NTSTATUS status;
1302 AUTH_NTLMSSP_STATE *a = NULL;
1303
1304 ZERO_STRUCT(blob);
1305 ZERO_STRUCT(response);
1306
1307 /* Grab the NTLMSSP blob. */
1308 blob = data_blob(NULL,p->hdr.auth_len);
1309
1310 if (!prs_copy_data_out(blob.data, rpc_in_p, p->hdr.auth_len)) {
1311 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1312 (unsigned int)p->hdr.auth_len ));
1313 goto err;
1314 }
1315
1316 if (strncmp(blob.data, "NTLMSSP", 7) != 0) {
1317 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1318 goto err;
1319 }
1320
1321 /* We have an NTLMSSP blob. */
1322 status = auth_ntlmssp_start(&a);
1323 if (!NT_STATUS_IS_OK(status)) {
1324 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1325 nt_errstr(status) ));
1326 goto err;
1327 }
1328
1329 status = auth_ntlmssp_update(a, blob, &response);
1330 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1331 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1332 nt_errstr(status) ));
1333 goto err;
1334 }
1335
1336 data_blob_free(&blob);
1337
1338 /* Copy the blob into the pout_auth parse struct */
1339 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1340 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1341 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1342 goto err;
1343 }
1344
1345 if (!prs_copy_data_in(pout_auth, response.data, response.length)) {
1346 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1347 goto err;
1348 }
1349
1350 p->auth.a_u.auth_ntlmssp_state = a;
1351 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1352 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1353
1354 data_blob_free(&blob);
1355 data_blob_free(&response);
1356
1357 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1358
1359 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1360 return True;
1361
1362 err:
1363
1364 data_blob_free(&blob);
1365 data_blob_free(&response);
1366
1367 free_pipe_ntlmssp_auth_data(&p->auth);
1368 p->auth.a_u.auth_ntlmssp_state = NULL;
1369 return False;
1370 }
1371
1372 /*******************************************************************
1373 Respond to a pipe bind request.
1374 *******************************************************************/
1375
1376 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1377 {
1378 RPC_HDR_BA hdr_ba;
1379 RPC_HDR_RB hdr_rb;
1380 RPC_HDR_AUTH auth_info;
1381 uint16 assoc_gid;
1382 fstring ack_pipe_name;
1383 prs_struct out_hdr_ba;
1384 prs_struct out_auth;
1385 prs_struct outgoing_rpc;
1386 int i = 0;
1387 int auth_len = 0;
1388 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1389
1390 /* No rebinds on a bound pipe - use alter context. */
1391 if (p->pipe_bound) {
1392 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1393 return setup_bind_nak(p);
1394 }
1395
1396 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1397
1398 /*
1399 * Marshall directly into the outgoing PDU space. We
1400 * must do this as we need to set to the bind response
1401 * header and are never sending more than one PDU here.
1402 */
1403
1404 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1405
1406 /*
1407 * Setup the memory to marshall the ba header, and the
1408 * auth footers.
1409 */
1410
1411 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1412 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1413 prs_mem_free(&outgoing_rpc);
1414 return False;
1415 }
1416
1417 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1418 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1419 prs_mem_free(&outgoing_rpc);
1420 prs_mem_free(&out_hdr_ba);
1421 return False;
1422 }
1423
1424 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1425
1426 /*
1427 * Try and find the correct pipe name to ensure
1428 * that this is a pipe name we support.
1429 */
1430
1431
1432 for (i = 0; i < rpc_lookup_size; i++) {
1433 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1434 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1435 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1436 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1437 break;
1438 }
1439 }
1440
1441 if (i == rpc_lookup_size) {
1442 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1443 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1444 p->name ));
1445 prs_mem_free(&outgoing_rpc);
1446 prs_mem_free(&out_hdr_ba);
1447 prs_mem_free(&out_auth);
1448
1449 return setup_bind_nak(p);
1450 }
1451
1452 for (i = 0; i < rpc_lookup_size; i++) {
1453 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1454 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1455 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1456 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1457 break;
1458 }
1459 }
1460
1461 if (i == rpc_lookup_size) {
1462 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1463 goto err_exit;
1464 }
1465 }
1466
1467 /* decode the bind request */
1468 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1469 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1470 goto err_exit;
1471 }
1472
1473 /* name has to be \PIPE\xxxxx */
1474 fstrcpy(ack_pipe_name, "\\PIPE\\");
1475 fstrcat(ack_pipe_name, p->pipe_srv_name);
1476
1477 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1478
1479 /*
1480 * Check if this is an authenticated bind request.
1481 */
1482
1483 if (p->hdr.auth_len) {
1484 /*
1485 * Decode the authentication verifier.
1486 */
1487
1488 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1489 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1490 goto err_exit;
1491 }
1492
1493 auth_type = auth_info.auth_type;
1494
1495 /* Work out if we have to sign or seal etc. */
1496 switch (auth_info.auth_level) {
1497 case RPC_AUTH_LEVEL_INTEGRITY:
1498 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1499 break;
1500 case RPC_AUTH_LEVEL_PRIVACY:
1501 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1502 break;
1503 default:
1504 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1505 (unsigned int)auth_info.auth_level ));
1506 goto err_exit;
1507 }
1508 } else {
1509 ZERO_STRUCT(auth_info);
1510 }
1511
1512 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1513
1514 switch(auth_type) {
1515 case RPC_NTLMSSP_AUTH_TYPE:
1516 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1517 goto err_exit;
1518 }
1519 assoc_gid = 0x7a77;
1520 break;
1521
1522 case RPC_SCHANNEL_AUTH_TYPE:
1523 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1524 goto err_exit;
1525 }
1526 break;
1527
1528 case RPC_SPNEGO_AUTH_TYPE:
1529 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1530 goto err_exit;
1531 }
1532 break;
1533
1534 case RPC_ANONYMOUS_AUTH_TYPE:
1535 /* Unauthenticated bind request. */
1536 /* We're finished - no more packets. */
1537 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1538 /* We must set the pipe auth_level here also. */
1539 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1540 p->pipe_bound = True;
1541 break;
1542
1543 default:
1544 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1545 goto err_exit;
1546 }
1547
1548 /*
1549 * Create the bind response struct.
1550 */
1551
1552 /* If the requested abstract synt uuid doesn't match our client pipe,
1553 reject the bind_ack & set the transfer interface synt to all 0's,
1554 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1555 unknown to NT4)
1556 Needed when adding entries to a DACL from NT5 - SK */
1557
1558 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1559 hdr_rb.rpc_context[0].context_id )) {
1560 init_rpc_hdr_ba(&hdr_ba,
1561 RPC_MAX_PDU_FRAG_LEN,
1562 RPC_MAX_PDU_FRAG_LEN,
1563 assoc_gid,
1564 ack_pipe_name,
1565 0x1, 0x0, 0x0,
1566 &hdr_rb.rpc_context[0].transfer[0]);
1567 } else {
1568 RPC_IFACE null_interface;
1569 ZERO_STRUCT(null_interface);
1570 /* Rejection reason: abstract syntax not supported */
1571 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1572 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1573 ack_pipe_name, 0x1, 0x2, 0x1,
1574 &null_interface);
1575 p->pipe_bound = False;
1576 }
1577
1578 /*
1579 * and marshall it.
1580 */
1581
1582 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1583 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1584 goto err_exit;
1585 }
1586
1587 /*
1588 * Create the header, now we know the length.
1589 */
1590
1591 if (prs_offset(&out_auth)) {
1592 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1593 }
1594
1595 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1596 p->hdr.call_id,
1597 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1598 auth_len);
1599
1600 /*
1601 * Marshall the header into the outgoing PDU.
1602 */
1603
1604 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1605 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1606 goto err_exit;
1607 }
1608
1609 /*
1610 * Now add the RPC_HDR_BA and any auth needed.
1611 */
1612
1613 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1614 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1615 goto err_exit;
1616 }
1617
1618 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1619 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1620 goto err_exit;
1621 }
1622
1623 /*
1624 * Setup the lengths for the initial reply.
1625 */
1626
1627 p->out_data.data_sent_length = 0;
1628 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1629 p->out_data.current_pdu_sent = 0;
1630
1631 prs_mem_free(&out_hdr_ba);
1632 prs_mem_free(&out_auth);
1633
1634 return True;
1635
1636 err_exit:
1637
1638 prs_mem_free(&outgoing_rpc);
1639 prs_mem_free(&out_hdr_ba);
1640 prs_mem_free(&out_auth);
1641 return setup_bind_nak(p);
1642 }
1643
1644 /****************************************************************************
1645 Deal with an alter context call. Can be third part of 3 leg auth request for
1646 SPNEGO calls.
1647 ****************************************************************************/
1648
1649 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1650 {
1651 RPC_HDR_BA hdr_ba;
1652 RPC_HDR_RB hdr_rb;
1653 RPC_HDR_AUTH auth_info;
1654 uint16 assoc_gid;
1655 fstring ack_pipe_name;
1656 prs_struct out_hdr_ba;
1657 prs_struct out_auth;
1658 prs_struct outgoing_rpc;
1659 int auth_len = 0;
1660
1661 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1662
1663 /*
1664 * Marshall directly into the outgoing PDU space. We
1665 * must do this as we need to set to the bind response
1666 * header and are never sending more than one PDU here.
1667 */
1668
1669 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1670
1671 /*
1672 * Setup the memory to marshall the ba header, and the
1673 * auth footers.
1674 */
1675
1676 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1677 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1678 prs_mem_free(&outgoing_rpc);
1679 return False;
1680 }
1681
1682 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1683 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1684 prs_mem_free(&outgoing_rpc);
1685 prs_mem_free(&out_hdr_ba);
1686 return False;
1687 }
1688
1689 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1690
1691 /* decode the alter context request */
1692 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1693 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1694 goto err_exit;
1695 }
1696
1697 /* secondary address CAN be NULL
1698 * as the specs say it's ignored.
1699 * It MUST be NULL to have the spoolss working.
1700 */
1701 fstrcpy(ack_pipe_name,"");
1702
1703 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1704
1705 /*
1706 * Check if this is an authenticated alter context request.
1707 */
1708
1709 if (p->hdr.auth_len != 0) {
1710 /*
1711 * Decode the authentication verifier.
1712 */
1713
1714 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1715 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1716 goto err_exit;
1717 }
1718
1719 /*
1720 * Currently only the SPNEGO auth type uses the alter ctx
1721 * response in place of the NTLMSSP auth3 type.
1722 */
1723
1724 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1725 /* We can only finish if the pipe is unbound. */
1726 if (!p->pipe_bound) {
1727 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1728 goto err_exit;
1729 }
1730 } else {
1731 goto err_exit;
1732 }
1733 }
1734 } else {
1735 ZERO_STRUCT(auth_info);
1736 }
1737
1738 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1739
1740 /*
1741 * Create the bind response struct.
1742 */
1743
1744 /* If the requested abstract synt uuid doesn't match our client pipe,
1745 reject the bind_ack & set the transfer interface synt to all 0's,
1746 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1747 unknown to NT4)
1748 Needed when adding entries to a DACL from NT5 - SK */
1749
1750 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1751 hdr_rb.rpc_context[0].context_id )) {
1752 init_rpc_hdr_ba(&hdr_ba,
1753 RPC_MAX_PDU_FRAG_LEN,
1754 RPC_MAX_PDU_FRAG_LEN,
1755 assoc_gid,
1756 ack_pipe_name,
1757 0x1, 0x0, 0x0,
1758 &hdr_rb.rpc_context[0].transfer[0]);
1759 } else {
1760 RPC_IFACE null_interface;
1761 ZERO_STRUCT(null_interface);
1762 /* Rejection reason: abstract syntax not supported */
1763 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1764 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1765 ack_pipe_name, 0x1, 0x2, 0x1,
1766 &null_interface);
1767 p->pipe_bound = False;
1768 }
1769
1770 /*
1771 * and marshall it.
1772 */
1773
1774 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1775 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1776 goto err_exit;
1777 }
1778
1779 /*
1780 * Create the header, now we know the length.
1781 */
1782
1783 if (prs_offset(&out_auth)) {
1784 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1785 }
1786
1787 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1788 p->hdr.call_id,
1789 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1790 auth_len);
1791
1792 /*
1793 * Marshall the header into the outgoing PDU.
1794 */
1795
1796 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1797 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1798 goto err_exit;
1799 }
1800
1801 /*
1802 * Now add the RPC_HDR_BA and any auth needed.
1803 */
1804
1805 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1806 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1807 goto err_exit;
1808 }
1809
1810 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1811 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1812 goto err_exit;
1813 }
1814
1815 /*
1816 * Setup the lengths for the initial reply.
1817 */
1818
1819 p->out_data.data_sent_length = 0;
1820 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1821 p->out_data.current_pdu_sent = 0;
1822
1823 prs_mem_free(&out_hdr_ba);
1824 prs_mem_free(&out_auth);
1825
1826 return True;
1827
1828 err_exit:
1829
1830 prs_mem_free(&outgoing_rpc);
1831 prs_mem_free(&out_hdr_ba);
1832 prs_mem_free(&out_auth);
1833 return setup_bind_nak(p);
1834 }
1835
1836 /****************************************************************************
1837 Deal with NTLMSSP sign & seal processing on an RPC request.
1838 ****************************************************************************/
1839
1840 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1841 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1842 {
1843 RPC_HDR_AUTH auth_info;
1844 uint32 auth_len = p->hdr.auth_len;
1845 uint32 save_offset = prs_offset(rpc_in);
1846 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1847 unsigned char *data = NULL;
1848 size_t data_len;
1849 unsigned char *full_packet_data = NULL;
1850 size_t full_packet_data_len;
1851 DATA_BLOB auth_blob;
1852
1853 *pstatus = NT_STATUS_OK;
1854
1855 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1856 return True;
1857 }
1858
1859 if (!a) {
1860 *pstatus = NT_STATUS_INVALID_PARAMETER;
1861 return False;
1862 }
1863
1864 /* Ensure there's enough data for an authenticated request. */
1865 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1866 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1867 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1868 (unsigned int)auth_len ));
1869 *pstatus = NT_STATUS_INVALID_PARAMETER;
1870 return False;
1871 }
1872
1873 /*
1874 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1875 * after the RPC header.
1876 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1877 * functions as NTLMv2 checks the rpc headers also.
1878 */
1879
1880 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
1881 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
1882
1883 full_packet_data = p->in_data.current_in_pdu;
1884 full_packet_data_len = p->hdr.frag_len - auth_len;
1885
1886 /* Pull the auth header and the following data into a blob. */
1887 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1888 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
1889 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
1890 *pstatus = NT_STATUS_INVALID_PARAMETER;
1891 return False;
1892 }
1893
1894 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1895 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1896 *pstatus = NT_STATUS_INVALID_PARAMETER;
1897 return False;
1898 }
1899
1900 auth_blob.data = prs_data_p(rpc_in) + prs_offset(rpc_in);
1901 auth_blob.length = auth_len;
1902
1903 switch (p->auth.auth_level) {
1904 case PIPE_AUTH_LEVEL_PRIVACY:
1905 /* Data is encrypted. */
1906 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
1907 data, data_len,
1908 full_packet_data,
1909 full_packet_data_len,
1910 &auth_blob);
1911 if (!NT_STATUS_IS_OK(*pstatus)) {
1912 return False;
1913 }
1914 break;
1915 case PIPE_AUTH_LEVEL_INTEGRITY:
1916 /* Data is signed. */
1917 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
1918 data, data_len,
1919 full_packet_data,
1920 full_packet_data_len,
1921 &auth_blob);
1922 if (!NT_STATUS_IS_OK(*pstatus)) {
1923 return False;
1924 }
1925 break;
1926 default:
1927 *pstatus = NT_STATUS_INVALID_PARAMETER;
1928 return False;
1929 }
1930
1931 /*
1932 * Return the current pointer to the data offset.
1933 */
1934
1935 if(!prs_set_offset(rpc_in, save_offset)) {
1936 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1937 (unsigned int)save_offset ));
1938 *pstatus = NT_STATUS_INVALID_PARAMETER;
1939 return False;
1940 }
1941
1942 /*
1943 * Remember the padding length. We must remove it from the real data
1944 * stream once the sign/seal is done.
1945 */
1946
1947 *p_ss_padding_len = auth_info.auth_pad_len;
1948
1949 return True;
1950 }
1951
1952 /****************************************************************************
1953 Deal with schannel processing on an RPC request.
1954 ****************************************************************************/
1955
1956 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
1957 {
1958 uint32 data_len;
1959 uint32 auth_len;
1960 uint32 save_offset = prs_offset(rpc_in);
1961 RPC_HDR_AUTH auth_info;
1962 RPC_AUTH_SCHANNEL_CHK schannel_chk;
1963
1964 auth_len = p->hdr.auth_len;
1965
1966 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
1967 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
1968 return False;
1969 }
1970
1971 /*
1972 * The following is that length of the data we must verify or unseal.
1973 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1974 * preceeding the auth_data.
1975 */
1976
1977 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
1978 DEBUG(0,("Incorrect frag %u, auth %u.\n",
1979 (unsigned int)p->hdr.frag_len,
1980 (unsigned int)auth_len ));
1981 return False;
1982 }
1983
1984 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1985 RPC_HDR_AUTH_LEN - auth_len;
1986
1987 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1988
1989 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1990 DEBUG(0,("cannot move offset to %u.\n",
1991 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
1992 return False;
1993 }
1994
1995 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1996 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1997 return False;
1998 }
1999
2000 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2001 DEBUG(0,("Invalid auth info %d on schannel\n",
2002 auth_info.auth_type));
2003 return False;
2004 }
2005
2006 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2007 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2008 return False;
2009 }
2010
2011 if (!schannel_decode(p->auth.a_u.schannel_auth,
2012 p->auth.auth_level,
2013 SENDER_IS_INITIATOR,
2014 &schannel_chk,
2015 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2016 DEBUG(3,("failed to decode PDU\n"));
2017 return False;
2018 }
2019
2020 /*
2021 * Return the current pointer to the data offset.
2022 */
2023
2024 if(!prs_set_offset(rpc_in, save_offset)) {
2025 DEBUG(0,("failed to set offset back to %u\n",
2026 (unsigned int)save_offset ));
2027 return False;
2028 }
2029
2030 /* The sequence number gets incremented on both send and receive. */
2031 p->auth.a_u.schannel_auth->seq_num++;
2032
2033 /*
2034 * Remember the padding length. We must remove it from the real data
2035 * stream once the sign/seal is done.
2036 */
2037
2038 *p_ss_padding_len = auth_info.auth_pad_len;
2039
2040 return True;
2041 }
2042
2043 /****************************************************************************
2044 Return a user struct for a pipe user.
2045 ****************************************************************************/
2046
2047 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2048 {
2049 if (p->pipe_bound &&
2050 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2051 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2052 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2053 } else {
2054 memcpy(user, &current_user, sizeof(struct current_user));
2055 }
2056
2057 return user;
2058 }
2059
2060 /****************************************************************************
2061 Find the set of RPC functions associated with this context_id
2062 ****************************************************************************/
2063
2064 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2065 {
2066 PIPE_RPC_FNS *fns = NULL;
2067 PIPE_RPC_FNS *tmp = NULL;
2068
2069 if ( !list ) {
2070 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2071 return NULL;
2072 }
2073
2074 for (tmp=list; tmp; tmp=tmp->next ) {
2075 if ( tmp->context_id == context_id )
2076 break;
2077 }
2078
2079 fns = tmp;
2080
2081 return fns;
2082 }
2083
2084 /****************************************************************************
2085 Memory cleanup.
2086 ****************************************************************************/
2087
2088 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2089 {
2090 PIPE_RPC_FNS *tmp = list;
2091 PIPE_RPC_FNS *tmp2;
2092
2093 while (tmp) {
2094 tmp2 = tmp->next;
2095 SAFE_FREE(tmp);
2096 tmp = tmp2;
2097 }
2098
2099 return;
2100 }
2101
2102 /****************************************************************************
2103 Find the correct RPC function to call for this request.
2104 If the pipe is authenticated then become the correct UNIX user
2105 before doing the call.
2106 ****************************************************************************/
2107
2108 BOOL api_pipe_request(pipes_struct *p)
2109 {
2110 BOOL ret = False;
2111 BOOL changed_user = False;
2112 PIPE_RPC_FNS *pipe_fns;
2113
2114 if (p->pipe_bound &&
2115 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2116 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2117 if(!become_authenticated_pipe_user(p)) {
2118 prs_mem_free(&p->out_data.rdata);
2119 return False;
2120 }
2121 changed_user = True;
2122 }
2123
2124 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2125
2126 /* get the set of RPC functions for this context */
2127
2128 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2129
2130 if ( pipe_fns ) {
2131 set_current_rpc_talloc(p->mem_ctx);
2132 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2133 set_current_rpc_talloc(NULL);
2134 }
2135 else {
2136 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2137 p->hdr_req.context_id, p->name));
2138 }
2139
2140 if (changed_user) {
2141 unbecome_authenticated_pipe_user();
2142 }
2143
2144 return ret;
2145 }
2146
2147 /*******************************************************************
2148 Calls the underlying RPC function for a named pipe.
2149 ********************************************************************/
2150
2151 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2152 const struct api_struct *api_rpc_cmds, int n_cmds)
2153 {
2154 int fn_num;
2155 fstring name;
2156 uint32 offset1, offset2;
2157
2158 /* interpret the command */
2159 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2160
2161 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2162 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2163
2164 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2165 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2166 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2167 break;
2168 }
2169 }
2170
2171 if (fn_num == n_cmds) {
2172 /*
2173 * For an unknown RPC just return a fault PDU but
2174 * return True to allow RPC's on the pipe to continue
2175 * and not put the pipe into fault state. JRA.
2176 */
2177 DEBUG(4, ("unknown\n"));
2178 setup_fault_pdu(p, NT_STATUS(0x1c010002));
2179 return True;
2180 }
2181
2182 offset1 = prs_offset(&p->out_data.rdata);
2183
2184 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2185 fn_num, api_rpc_cmds[fn_num].fn));
2186 /* do the actual command */
2187 if(!api_rpc_cmds[fn_num].fn(p)) {
2188 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2189 prs_mem_free(&p->out_data.rdata);
2190 return False;
2191 }
2192
2193 if (p->bad_handle_fault_state) {
2194 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2195 p->bad_handle_fault_state = False;
2196 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
2197 return True;
2198 }
2199
2200 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2201 offset2 = prs_offset(&p->out_data.rdata);
2202 prs_set_offset(&p->out_data.rdata, offset1);
2203 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2204 prs_set_offset(&p->out_data.rdata, offset2);
2205
2206 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2207
2208 /* Check for buffer underflow in rpc parsing */
2209
2210 if ((DEBUGLEVEL >= 10) &&
2211 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2212 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2213 char *data = SMB_MALLOC(data_len);
2214
2215 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2216 if (data) {
2217 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2218 SAFE_FREE(data);
2219 }
2220
2221 }
2222
2223 return True;
2224 }
2225
2226 /*******************************************************************
2227 *******************************************************************/
2228
2229 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2230 {
2231 struct api_struct *cmds = NULL;
2232 int n_cmds = 0;
2233
2234 switch ( idx ) {
2235 case PI_LSARPC:
2236 lsa_get_pipe_fns( &cmds, &n_cmds );
2237 break;
2238 case PI_LSARPC_DS:
2239 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2240 break;
2241 case PI_SAMR:
2242 samr_get_pipe_fns( &cmds, &n_cmds );
2243 break;
2244 case PI_NETLOGON:
2245 netlog_get_pipe_fns( &cmds, &n_cmds );
2246 break;
2247 case PI_SRVSVC:
2248 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2249 break;
2250 case PI_WKSSVC:
2251 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2252 break;
2253 case PI_WINREG:
2254 reg_get_pipe_fns( &cmds, &n_cmds );
2255 break;
2256 case PI_SPOOLSS:
2257 spoolss_get_pipe_fns( &cmds, &n_cmds );
2258 break;
2259 case PI_NETDFS:
2260 netdfs_get_pipe_fns( &cmds, &n_cmds );
2261 break;
2262 case PI_SVCCTL:
2263 svcctl_get_pipe_fns( &cmds, &n_cmds );
2264 break;
2265 case PI_EVENTLOG:
2266 eventlog_get_pipe_fns( &cmds, &n_cmds );
2267 break;
2268 case PI_NTSVCS:
2269 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2270 break;
2271 #ifdef DEVELOPER
2272 case PI_ECHO:
2273 echo_get_pipe_fns( &cmds, &n_cmds );
2274 break;
2275 #endif
2276 default:
2277 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2278 }
2279
2280 *fns = cmds;
2281 *n_fns = n_cmds;
2282
2283 return;
2284 }