search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Document default of the printing config variable.
[Samba/nascimento.git] / source3 / rpc_server / srv_pipe.c
blob343342a06c175d0ce82a396757e9d221f4fd2eaa
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267 }
268
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445 }
446
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* this has to be done as root in order to verify the password */
618 become_root();
619 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
620 unbecome_root();
621
622 /* Don't generate a reply. */
623 data_blob_free(&reply);
624
625 if (!NT_STATUS_IS_OK(status)) {
626 return False;
627 }
628
629 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
630 ensure the underlying NTLMSSP flags are also set. If not we should
631 refuse the bind. */
632
633 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
634 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
635 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
636 "but client declined signing.\n",
637 p->name ));
638 return False;
639 }
640 }
641 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
642 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
643 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
644 "but client declined sealing.\n",
645 p->name ));
646 return False;
647 }
648 }
649
650 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
651 "workstation: %s\n", a->ntlmssp_state->user,
652 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
653
654 if (a->server_info->ptok == NULL) {
655 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
656 return False;
657 }
658
659 TALLOC_FREE(p->server_info);
660
661 p->server_info = copy_serverinfo(p, a->server_info);
662 if (p->server_info == NULL) {
663 DEBUG(0, ("copy_serverinfo failed\n"));
664 return false;
665 }
666
667 /*
668 * We're an authenticated bind over smb, so the session key needs to
669 * be set to "SystemLibraryDTC". Weird, but this is what Windows
670 * does. See the RPC-SAMBA3SESSIONKEY.
671 */
672
673 session_key = generic_session_key();
674 if (session_key.data == NULL) {
675 return False;
676 }
677
678 ret = server_info_set_session_key(p->server_info, session_key);
679
680 data_blob_free(&session_key);
681
682 return True;
683 }
684
685 /*******************************************************************
686 The switch table for the pipe names and the functions to handle them.
687 *******************************************************************/
688
689 struct rpc_table {
690 struct {
691 const char *clnt;
692 const char *srv;
693 } pipe;
694 struct ndr_syntax_id rpc_interface;
695 const struct api_struct *cmds;
696 int n_cmds;
697 };
698
699 static struct rpc_table *rpc_lookup;
700 static int rpc_lookup_size;
701
702 /*******************************************************************
703 This is the "stage3" NTLMSSP response after a bind request and reply.
704 *******************************************************************/
705
706 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
707 {
708 RPC_HDR_AUTH auth_info;
709 uint32 pad = 0;
710 DATA_BLOB blob;
711
712 ZERO_STRUCT(blob);
713
714 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
715
716 if (p->hdr.auth_len == 0) {
717 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
718 goto err;
719 }
720
721 /* 4 bytes padding. */
722 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
723 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
724 goto err;
725 }
726
727 /*
728 * Decode the authentication verifier response.
729 */
730
731 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
732 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
733 goto err;
734 }
735
736 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
737 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
738 (unsigned int)auth_info.auth_type ));
739 return False;
740 }
741
742 blob = data_blob(NULL,p->hdr.auth_len);
743
744 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
745 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
746 (unsigned int)p->hdr.auth_len ));
747 goto err;
748 }
749
750 /*
751 * The following call actually checks the challenge/response data.
752 * for correctness against the given DOMAIN\user name.
753 */
754
755 if (!pipe_ntlmssp_verify_final(p, &blob)) {
756 goto err;
757 }
758
759 data_blob_free(&blob);
760
761 p->pipe_bound = True;
762
763 return True;
764
765 err:
766
767 data_blob_free(&blob);
768 free_pipe_ntlmssp_auth_data(&p->auth);
769 p->auth.a_u.auth_ntlmssp_state = NULL;
770
771 return False;
772 }
773
774 /*******************************************************************
775 Marshall a bind_nak pdu.
776 *******************************************************************/
777
778 static bool setup_bind_nak(pipes_struct *p)
779 {
780 prs_struct outgoing_rpc;
781 RPC_HDR nak_hdr;
782 uint16 zero = 0;
783
784 /* Free any memory in the current return data buffer. */
785 prs_mem_free(&p->out_data.rdata);
786
787 /*
788 * Marshall directly into the outgoing PDU space. We
789 * must do this as we need to set to the bind response
790 * header and are never sending more than one PDU here.
791 */
792
793 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
794 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
795
796 /*
797 * Initialize a bind_nak header.
798 */
799
800 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
801 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
802
803 /*
804 * Marshall the header into the outgoing PDU.
805 */
806
807 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
808 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
809 prs_mem_free(&outgoing_rpc);
810 return False;
811 }
812
813 /*
814 * Now add the reject reason.
815 */
816
817 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
818 prs_mem_free(&outgoing_rpc);
819 return False;
820 }
821
822 p->out_data.data_sent_length = 0;
823 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
824 p->out_data.current_pdu_sent = 0;
825
826 if (p->auth.auth_data_free_func) {
827 (*p->auth.auth_data_free_func)(&p->auth);
828 }
829 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
830 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
831 p->pipe_bound = False;
832
833 return True;
834 }
835
836 /*******************************************************************
837 Marshall a fault pdu.
838 *******************************************************************/
839
840 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
841 {
842 prs_struct outgoing_pdu;
843 RPC_HDR fault_hdr;
844 RPC_HDR_RESP hdr_resp;
845 RPC_HDR_FAULT fault_resp;
846
847 /* Free any memory in the current return data buffer. */
848 prs_mem_free(&p->out_data.rdata);
849
850 /*
851 * Marshall directly into the outgoing PDU space. We
852 * must do this as we need to set to the bind response
853 * header and are never sending more than one PDU here.
854 */
855
856 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
857 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
858
859 /*
860 * Initialize a fault header.
861 */
862
863 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
864 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
865
866 /*
867 * Initialize the HDR_RESP and FAULT parts of the PDU.
868 */
869
870 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
871
872 fault_resp.status = status;
873 fault_resp.reserved = 0;
874
875 /*
876 * Marshall the header into the outgoing PDU.
877 */
878
879 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
880 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
881 prs_mem_free(&outgoing_pdu);
882 return False;
883 }
884
885 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
886 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
887 prs_mem_free(&outgoing_pdu);
888 return False;
889 }
890
891 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
892 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
893 prs_mem_free(&outgoing_pdu);
894 return False;
895 }
896
897 p->out_data.data_sent_length = 0;
898 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
899 p->out_data.current_pdu_sent = 0;
900
901 prs_mem_free(&outgoing_pdu);
902 return True;
903 }
904
905 #if 0
906 /*******************************************************************
907 Marshall a cancel_ack pdu.
908 We should probably check the auth-verifier here.
909 *******************************************************************/
910
911 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
912 {
913 prs_struct outgoing_pdu;
914 RPC_HDR ack_reply_hdr;
915
916 /* Free any memory in the current return data buffer. */
917 prs_mem_free(&p->out_data.rdata);
918
919 /*
920 * Marshall directly into the outgoing PDU space. We
921 * must do this as we need to set to the bind response
922 * header and are never sending more than one PDU here.
923 */
924
925 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
926 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
927
928 /*
929 * Initialize a cancel_ack header.
930 */
931
932 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
933 p->hdr.call_id, RPC_HEADER_LEN, 0);
934
935 /*
936 * Marshall the header into the outgoing PDU.
937 */
938
939 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
940 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
941 prs_mem_free(&outgoing_pdu);
942 return False;
943 }
944
945 p->out_data.data_sent_length = 0;
946 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
947 p->out_data.current_pdu_sent = 0;
948
949 prs_mem_free(&outgoing_pdu);
950 return True;
951 }
952 #endif
953
954 /*******************************************************************
955 Ensure a bind request has the correct abstract & transfer interface.
956 Used to reject unknown binds from Win2k.
957 *******************************************************************/
958
959 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
960 RPC_IFACE* transfer, uint32 context_id)
961 {
962 int i=0;
963 struct pipe_rpc_fns *context_fns;
964
965 DEBUG(3,("check_bind_req for %s\n", p->name));
966
967 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
968
969 for (i=0; i<rpc_lookup_size; i++) {
970 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
971 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
972 && ndr_syntax_id_equal(
973 abstract, &rpc_lookup[i].rpc_interface)
974 && ndr_syntax_id_equal(
975 transfer, &ndr_transfer_syntax)) {
976 break;
977 }
978 }
979
980 if (i == rpc_lookup_size) {
981 return false;
982 }
983
984 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
985 if (context_fns == NULL) {
986 DEBUG(0,("check_bind_req: malloc() failed!\n"));
987 return False;
988 }
989
990 context_fns->cmds = rpc_lookup[i].cmds;
991 context_fns->n_cmds = rpc_lookup[i].n_cmds;
992 context_fns->context_id = context_id;
993
994 /* add to the list of open contexts */
995
996 DLIST_ADD( p->contexts, context_fns );
997
998 return True;
999 }
1000
1001 /*******************************************************************
1002 Register commands to an RPC pipe
1003 *******************************************************************/
1004
1005 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1006 const struct ndr_interface_table *iface,
1007 const struct api_struct *cmds, int size)
1008 {
1009 struct rpc_table *rpc_entry;
1010
1011 if (!clnt || !srv || !cmds) {
1012 return NT_STATUS_INVALID_PARAMETER;
1013 }
1014
1015 if (version != SMB_RPC_INTERFACE_VERSION) {
1016 DEBUG(0,("Can't register rpc commands!\n"
1017 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1018 ", while this version of samba uses version %d!\n",
1019 version,SMB_RPC_INTERFACE_VERSION));
1020 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1021 }
1022
1023 /* TODO:
1024 *
1025 * we still need to make sure that don't register the same commands twice!!!
1026 *
1027 * --metze
1028 */
1029
1030 /* We use a temporary variable because this call can fail and
1031 rpc_lookup will still be valid afterwards. It could then succeed if
1032 called again later */
1033 rpc_lookup_size++;
1034 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1035 if (NULL == rpc_entry) {
1036 rpc_lookup_size--;
1037 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1038 return NT_STATUS_NO_MEMORY;
1039 } else {
1040 rpc_lookup = rpc_entry;
1041 }
1042
1043 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1044 ZERO_STRUCTP(rpc_entry);
1045 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1046 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1047 rpc_entry->rpc_interface = iface->syntax_id;
1048 rpc_entry->cmds = cmds;
1049 rpc_entry->n_cmds = size;
1050
1051 return NT_STATUS_OK;
1052 }
1053
1054 /**
1055 * Is a named pipe known?
1056 * @param[in] cli_filename The pipe name requested by the client
1057 * @result Do we want to serve this?
1058 */
1059 bool is_known_pipename(const char *cli_filename)
1060 {
1061 const char *pipename = cli_filename;
1062 int i;
1063
1064 if (strnequal(pipename, "\\PIPE\\", 6)) {
1065 pipename += 5;
1066 }
1067
1068 if (*pipename == '\\') {
1069 pipename += 1;
1070 }
1071
1072 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1073 DEBUG(10, ("refusing spoolss access\n"));
1074 return false;
1075 }
1076
1077 for (i=0; i<rpc_lookup_size; i++) {
1078 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1079 return true;
1080 }
1081 }
1082
1083 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1084 return false;
1085 }
1086
1087 /*******************************************************************
1088 Handle a SPNEGO krb5 bind auth.
1089 *******************************************************************/
1090
1091 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1092 DATA_BLOB *psecblob, prs_struct *pout_auth)
1093 {
1094 return False;
1095 }
1096
1097 /*******************************************************************
1098 Handle the first part of a SPNEGO bind auth.
1099 *******************************************************************/
1100
1101 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1102 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1103 {
1104 DATA_BLOB blob;
1105 DATA_BLOB secblob;
1106 DATA_BLOB response;
1107 DATA_BLOB chal;
1108 char *OIDs[ASN1_MAX_OIDS];
1109 int i;
1110 NTSTATUS status;
1111 bool got_kerberos_mechanism = false;
1112 AUTH_NTLMSSP_STATE *a = NULL;
1113 RPC_HDR_AUTH auth_info;
1114
1115 ZERO_STRUCT(secblob);
1116 ZERO_STRUCT(chal);
1117 ZERO_STRUCT(response);
1118
1119 /* Grab the SPNEGO blob. */
1120 blob = data_blob(NULL,p->hdr.auth_len);
1121
1122 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1123 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1124 (unsigned int)p->hdr.auth_len ));
1125 goto err;
1126 }
1127
1128 if (blob.data[0] != ASN1_APPLICATION(0)) {
1129 goto err;
1130 }
1131
1132 /* parse out the OIDs and the first sec blob */
1133 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1134 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1135 goto err;
1136 }
1137
1138 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1139 got_kerberos_mechanism = true;
1140 }
1141
1142 for (i=0;OIDs[i];i++) {
1143 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1144 TALLOC_FREE(OIDs[i]);
1145 }
1146 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1147
1148 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1149 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1150 data_blob_free(&secblob);
1151 data_blob_free(&blob);
1152 return ret;
1153 }
1154
1155 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1156 /* Free any previous auth type. */
1157 free_pipe_ntlmssp_auth_data(&p->auth);
1158 }
1159
1160 if (!got_kerberos_mechanism) {
1161 /* Initialize the NTLM engine. */
1162 status = auth_ntlmssp_start(&a);
1163 if (!NT_STATUS_IS_OK(status)) {
1164 goto err;
1165 }
1166
1167 /*
1168 * Pass the first security blob of data to it.
1169 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1170 * which means we need another packet to complete the bind.
1171 */
1172
1173 status = auth_ntlmssp_update(a, secblob, &chal);
1174
1175 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1176 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1177 goto err;
1178 }
1179
1180 /* Generate the response blob we need for step 2 of the bind. */
1181 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1182 } else {
1183 /*
1184 * SPNEGO negotiate down to NTLMSSP. The subsequent
1185 * code to process follow-up packets is not complete
1186 * yet. JRA.
1187 */
1188 response = spnego_gen_auth_response(NULL,
1189 NT_STATUS_MORE_PROCESSING_REQUIRED,
1190 OID_NTLMSSP);
1191 }
1192
1193 /* Copy the blob into the pout_auth parse struct */
1194 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1195 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1196 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1197 goto err;
1198 }
1199
1200 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1201 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1202 goto err;
1203 }
1204
1205 p->auth.a_u.auth_ntlmssp_state = a;
1206 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1207 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1208
1209 data_blob_free(&blob);
1210 data_blob_free(&secblob);
1211 data_blob_free(&chal);
1212 data_blob_free(&response);
1213
1214 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1215 return True;
1216
1217 err:
1218
1219 data_blob_free(&blob);
1220 data_blob_free(&secblob);
1221 data_blob_free(&chal);
1222 data_blob_free(&response);
1223
1224 p->auth.a_u.auth_ntlmssp_state = NULL;
1225
1226 return False;
1227 }
1228
1229 /*******************************************************************
1230 Handle the second part of a SPNEGO bind auth.
1231 *******************************************************************/
1232
1233 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1234 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1235 {
1236 RPC_HDR_AUTH auth_info;
1237 DATA_BLOB spnego_blob;
1238 DATA_BLOB auth_blob;
1239 DATA_BLOB auth_reply;
1240 DATA_BLOB response;
1241 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1242
1243 ZERO_STRUCT(spnego_blob);
1244 ZERO_STRUCT(auth_blob);
1245 ZERO_STRUCT(auth_reply);
1246 ZERO_STRUCT(response);
1247
1248 /*
1249 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1250 * fail here as 'a' == NULL.
1251 */
1252 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1253 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1254 goto err;
1255 }
1256
1257 /* Grab the SPNEGO blob. */
1258 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1259
1260 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1261 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1262 (unsigned int)p->hdr.auth_len ));
1263 goto err;
1264 }
1265
1266 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1267 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1268 goto err;
1269 }
1270
1271 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1272 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1273 goto err;
1274 }
1275
1276 /*
1277 * The following call actually checks the challenge/response data.
1278 * for correctness against the given DOMAIN\user name.
1279 */
1280
1281 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1282 goto err;
1283 }
1284
1285 data_blob_free(&spnego_blob);
1286 data_blob_free(&auth_blob);
1287
1288 /* Generate the spnego "accept completed" blob - no incoming data. */
1289 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1290
1291 /* Copy the blob into the pout_auth parse struct */
1292 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1293 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1294 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1295 goto err;
1296 }
1297
1298 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1299 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1300 goto err;
1301 }
1302
1303 data_blob_free(&auth_reply);
1304 data_blob_free(&response);
1305
1306 p->pipe_bound = True;
1307
1308 return True;
1309
1310 err:
1311
1312 data_blob_free(&spnego_blob);
1313 data_blob_free(&auth_blob);
1314 data_blob_free(&auth_reply);
1315 data_blob_free(&response);
1316
1317 free_pipe_ntlmssp_auth_data(&p->auth);
1318 p->auth.a_u.auth_ntlmssp_state = NULL;
1319
1320 return False;
1321 }
1322
1323 /*******************************************************************
1324 Handle an schannel bind auth.
1325 *******************************************************************/
1326
1327 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1328 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1329 {
1330 RPC_HDR_AUTH auth_info;
1331 RPC_AUTH_SCHANNEL_NEG neg;
1332 RPC_AUTH_VERIFIER auth_verifier;
1333 bool ret;
1334 struct dcinfo *pdcinfo;
1335 uint32 flags;
1336 DATA_BLOB session_key;
1337
1338 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1339 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1340 return False;
1341 }
1342
1343 /*
1344 * The neg.myname key here must match the remote computer name
1345 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1346 * operations that use credentials.
1347 */
1348
1349 become_root();
1350 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1351 unbecome_root();
1352
1353 if (!ret) {
1354 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1355 return False;
1356 }
1357
1358 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1359 if (!p->auth.a_u.schannel_auth) {
1360 TALLOC_FREE(pdcinfo);
1361 return False;
1362 }
1363
1364 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1365 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1366 sizeof(pdcinfo->sess_key));
1367
1368 TALLOC_FREE(pdcinfo);
1369
1370 p->auth.a_u.schannel_auth->seq_num = 0;
1371
1372 /*
1373 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1374 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1375 * struct of the person who opened the pipe. I need to test this further. JRA.
1376 *
1377 * VL. As we are mapping this to guest set the generic key
1378 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1379 * W2k3, as it does not allow schannel binds against SAMR and LSA
1380 * anymore.
1381 */
1382
1383 session_key = generic_session_key();
1384 if (session_key.data == NULL) {
1385 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1386 " key\n"));
1387 return false;
1388 }
1389
1390 ret = server_info_set_session_key(p->server_info, session_key);
1391
1392 data_blob_free(&session_key);
1393
1394 if (!ret) {
1395 DEBUG(0, ("server_info_set_session_key failed\n"));
1396 return false;
1397 }
1398
1399 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1400 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1401 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1402 return False;
1403 }
1404
1405 /*** SCHANNEL verifier ***/
1406
1407 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1408 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1409 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1410 return False;
1411 }
1412
1413 prs_align(pout_auth);
1414
1415 flags = 5;
1416 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1417 return False;
1418 }
1419
1420 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1421 neg.domain, neg.myname));
1422
1423 /* We're finished with this bind - no more packets. */
1424 p->auth.auth_data_free_func = NULL;
1425 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1426
1427 p->pipe_bound = True;
1428
1429 return True;
1430 }
1431
1432 /*******************************************************************
1433 Handle an NTLMSSP bind auth.
1434 *******************************************************************/
1435
1436 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1437 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1438 {
1439 RPC_HDR_AUTH auth_info;
1440 DATA_BLOB blob;
1441 DATA_BLOB response;
1442 NTSTATUS status;
1443 AUTH_NTLMSSP_STATE *a = NULL;
1444
1445 ZERO_STRUCT(blob);
1446 ZERO_STRUCT(response);
1447
1448 /* Grab the NTLMSSP blob. */
1449 blob = data_blob(NULL,p->hdr.auth_len);
1450
1451 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1452 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1453 (unsigned int)p->hdr.auth_len ));
1454 goto err;
1455 }
1456
1457 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1458 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1459 goto err;
1460 }
1461
1462 /* We have an NTLMSSP blob. */
1463 status = auth_ntlmssp_start(&a);
1464 if (!NT_STATUS_IS_OK(status)) {
1465 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1466 nt_errstr(status) ));
1467 goto err;
1468 }
1469
1470 status = auth_ntlmssp_update(a, blob, &response);
1471 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1472 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1473 nt_errstr(status) ));
1474 goto err;
1475 }
1476
1477 data_blob_free(&blob);
1478
1479 /* Copy the blob into the pout_auth parse struct */
1480 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1481 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1482 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1483 goto err;
1484 }
1485
1486 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1487 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1488 goto err;
1489 }
1490
1491 p->auth.a_u.auth_ntlmssp_state = a;
1492 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1493 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1494
1495 data_blob_free(&blob);
1496 data_blob_free(&response);
1497
1498 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1499
1500 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1501 return True;
1502
1503 err:
1504
1505 data_blob_free(&blob);
1506 data_blob_free(&response);
1507
1508 free_pipe_ntlmssp_auth_data(&p->auth);
1509 p->auth.a_u.auth_ntlmssp_state = NULL;
1510 return False;
1511 }
1512
1513 /*******************************************************************
1514 Respond to a pipe bind request.
1515 *******************************************************************/
1516
1517 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1518 {
1519 RPC_HDR_BA hdr_ba;
1520 RPC_HDR_RB hdr_rb;
1521 RPC_HDR_AUTH auth_info;
1522 uint16 assoc_gid;
1523 fstring ack_pipe_name;
1524 prs_struct out_hdr_ba;
1525 prs_struct out_auth;
1526 prs_struct outgoing_rpc;
1527 int i = 0;
1528 int auth_len = 0;
1529 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1530
1531 /* No rebinds on a bound pipe - use alter context. */
1532 if (p->pipe_bound) {
1533 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1534 return setup_bind_nak(p);
1535 }
1536
1537 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1538
1539 /*
1540 * Marshall directly into the outgoing PDU space. We
1541 * must do this as we need to set to the bind response
1542 * header and are never sending more than one PDU here.
1543 */
1544
1545 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1546
1547 /*
1548 * Setup the memory to marshall the ba header, and the
1549 * auth footers.
1550 */
1551
1552 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1553 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1554 prs_mem_free(&outgoing_rpc);
1555 return False;
1556 }
1557
1558 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1559 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1560 prs_mem_free(&outgoing_rpc);
1561 prs_mem_free(&out_hdr_ba);
1562 return False;
1563 }
1564
1565 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1566
1567 ZERO_STRUCT(hdr_rb);
1568
1569 /* decode the bind request */
1570
1571 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1572 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1573 "struct.\n"));
1574 goto err_exit;
1575 }
1576
1577 if (hdr_rb.num_contexts == 0) {
1578 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1579 goto err_exit;
1580 }
1581
1582 /*
1583 * Try and find the correct pipe name to ensure
1584 * that this is a pipe name we support.
1585 */
1586
1587 for (i = 0; i < rpc_lookup_size; i++) {
1588 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1589 &hdr_rb.rpc_context[0].abstract)) {
1590 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1591 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1592 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1593 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1594 break;
1595 }
1596 }
1597
1598 if (i == rpc_lookup_size) {
1599 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1600 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1601 p->name ));
1602 prs_mem_free(&outgoing_rpc);
1603 prs_mem_free(&out_hdr_ba);
1604 prs_mem_free(&out_auth);
1605
1606 return setup_bind_nak(p);
1607 }
1608
1609 for (i = 0; i < rpc_lookup_size; i++) {
1610 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1611 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1612 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1613 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1614 break;
1615 }
1616 }
1617
1618 if (i == rpc_lookup_size) {
1619 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1620 goto err_exit;
1621 }
1622 }
1623
1624 /* name has to be \PIPE\xxxxx */
1625 fstrcpy(ack_pipe_name, "\\PIPE\\");
1626 fstrcat(ack_pipe_name, p->pipe_srv_name);
1627
1628 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1629
1630 /*
1631 * Check if this is an authenticated bind request.
1632 */
1633
1634 if (p->hdr.auth_len) {
1635 /*
1636 * Decode the authentication verifier.
1637 */
1638
1639 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1640 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1641 goto err_exit;
1642 }
1643
1644 auth_type = auth_info.auth_type;
1645
1646 /* Work out if we have to sign or seal etc. */
1647 switch (auth_info.auth_level) {
1648 case RPC_AUTH_LEVEL_INTEGRITY:
1649 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1650 break;
1651 case RPC_AUTH_LEVEL_PRIVACY:
1652 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1653 break;
1654 default:
1655 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1656 (unsigned int)auth_info.auth_level ));
1657 goto err_exit;
1658 }
1659 } else {
1660 ZERO_STRUCT(auth_info);
1661 }
1662
1663 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1664
1665 switch(auth_type) {
1666 case RPC_NTLMSSP_AUTH_TYPE:
1667 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1668 goto err_exit;
1669 }
1670 assoc_gid = 0x7a77;
1671 break;
1672
1673 case RPC_SCHANNEL_AUTH_TYPE:
1674 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1675 goto err_exit;
1676 }
1677 break;
1678
1679 case RPC_SPNEGO_AUTH_TYPE:
1680 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1681 goto err_exit;
1682 }
1683 break;
1684
1685 case RPC_ANONYMOUS_AUTH_TYPE:
1686 /* Unauthenticated bind request. */
1687 /* We're finished - no more packets. */
1688 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1689 /* We must set the pipe auth_level here also. */
1690 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1691 p->pipe_bound = True;
1692 /* The session key was initialized from the SMB
1693 * session in make_internal_rpc_pipe_p */
1694 break;
1695
1696 default:
1697 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1698 goto err_exit;
1699 }
1700
1701 /*
1702 * Create the bind response struct.
1703 */
1704
1705 /* If the requested abstract synt uuid doesn't match our client pipe,
1706 reject the bind_ack & set the transfer interface synt to all 0's,
1707 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1708 unknown to NT4)
1709 Needed when adding entries to a DACL from NT5 - SK */
1710
1711 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1712 hdr_rb.rpc_context[0].context_id )) {
1713 init_rpc_hdr_ba(&hdr_ba,
1714 RPC_MAX_PDU_FRAG_LEN,
1715 RPC_MAX_PDU_FRAG_LEN,
1716 assoc_gid,
1717 ack_pipe_name,
1718 0x1, 0x0, 0x0,
1719 &hdr_rb.rpc_context[0].transfer[0]);
1720 } else {
1721 RPC_IFACE null_interface;
1722 ZERO_STRUCT(null_interface);
1723 /* Rejection reason: abstract syntax not supported */
1724 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1725 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1726 ack_pipe_name, 0x1, 0x2, 0x1,
1727 &null_interface);
1728 p->pipe_bound = False;
1729 }
1730
1731 /*
1732 * and marshall it.
1733 */
1734
1735 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1736 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1737 goto err_exit;
1738 }
1739
1740 /*
1741 * Create the header, now we know the length.
1742 */
1743
1744 if (prs_offset(&out_auth)) {
1745 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1746 }
1747
1748 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1749 p->hdr.call_id,
1750 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1751 auth_len);
1752
1753 /*
1754 * Marshall the header into the outgoing PDU.
1755 */
1756
1757 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1758 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1759 goto err_exit;
1760 }
1761
1762 /*
1763 * Now add the RPC_HDR_BA and any auth needed.
1764 */
1765
1766 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1767 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1768 goto err_exit;
1769 }
1770
1771 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1772 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1773 goto err_exit;
1774 }
1775
1776 /*
1777 * Setup the lengths for the initial reply.
1778 */
1779
1780 p->out_data.data_sent_length = 0;
1781 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1782 p->out_data.current_pdu_sent = 0;
1783
1784 prs_mem_free(&out_hdr_ba);
1785 prs_mem_free(&out_auth);
1786
1787 return True;
1788
1789 err_exit:
1790
1791 prs_mem_free(&outgoing_rpc);
1792 prs_mem_free(&out_hdr_ba);
1793 prs_mem_free(&out_auth);
1794 return setup_bind_nak(p);
1795 }
1796
1797 /****************************************************************************
1798 Deal with an alter context call. Can be third part of 3 leg auth request for
1799 SPNEGO calls.
1800 ****************************************************************************/
1801
1802 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1803 {
1804 RPC_HDR_BA hdr_ba;
1805 RPC_HDR_RB hdr_rb;
1806 RPC_HDR_AUTH auth_info;
1807 uint16 assoc_gid;
1808 fstring ack_pipe_name;
1809 prs_struct out_hdr_ba;
1810 prs_struct out_auth;
1811 prs_struct outgoing_rpc;
1812 int auth_len = 0;
1813
1814 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1815
1816 /*
1817 * Marshall directly into the outgoing PDU space. We
1818 * must do this as we need to set to the bind response
1819 * header and are never sending more than one PDU here.
1820 */
1821
1822 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1823
1824 /*
1825 * Setup the memory to marshall the ba header, and the
1826 * auth footers.
1827 */
1828
1829 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1830 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1831 prs_mem_free(&outgoing_rpc);
1832 return False;
1833 }
1834
1835 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1836 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1837 prs_mem_free(&outgoing_rpc);
1838 prs_mem_free(&out_hdr_ba);
1839 return False;
1840 }
1841
1842 ZERO_STRUCT(hdr_rb);
1843
1844 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1845
1846 /* decode the alter context request */
1847 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1848 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1849 goto err_exit;
1850 }
1851
1852 /* secondary address CAN be NULL
1853 * as the specs say it's ignored.
1854 * It MUST be NULL to have the spoolss working.
1855 */
1856 fstrcpy(ack_pipe_name,"");
1857
1858 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1859
1860 /*
1861 * Check if this is an authenticated alter context request.
1862 */
1863
1864 if (p->hdr.auth_len != 0) {
1865 /*
1866 * Decode the authentication verifier.
1867 */
1868
1869 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1870 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1871 goto err_exit;
1872 }
1873
1874 /*
1875 * Currently only the SPNEGO auth type uses the alter ctx
1876 * response in place of the NTLMSSP auth3 type.
1877 */
1878
1879 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1880 /* We can only finish if the pipe is unbound. */
1881 if (!p->pipe_bound) {
1882 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1883 goto err_exit;
1884 }
1885 } else {
1886 goto err_exit;
1887 }
1888 }
1889 } else {
1890 ZERO_STRUCT(auth_info);
1891 }
1892
1893 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1894
1895 /*
1896 * Create the bind response struct.
1897 */
1898
1899 /* If the requested abstract synt uuid doesn't match our client pipe,
1900 reject the bind_ack & set the transfer interface synt to all 0's,
1901 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1902 unknown to NT4)
1903 Needed when adding entries to a DACL from NT5 - SK */
1904
1905 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1906 hdr_rb.rpc_context[0].context_id )) {
1907 init_rpc_hdr_ba(&hdr_ba,
1908 RPC_MAX_PDU_FRAG_LEN,
1909 RPC_MAX_PDU_FRAG_LEN,
1910 assoc_gid,
1911 ack_pipe_name,
1912 0x1, 0x0, 0x0,
1913 &hdr_rb.rpc_context[0].transfer[0]);
1914 } else {
1915 RPC_IFACE null_interface;
1916 ZERO_STRUCT(null_interface);
1917 /* Rejection reason: abstract syntax not supported */
1918 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1919 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1920 ack_pipe_name, 0x1, 0x2, 0x1,
1921 &null_interface);
1922 p->pipe_bound = False;
1923 }
1924
1925 /*
1926 * and marshall it.
1927 */
1928
1929 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1930 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1931 goto err_exit;
1932 }
1933
1934 /*
1935 * Create the header, now we know the length.
1936 */
1937
1938 if (prs_offset(&out_auth)) {
1939 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1940 }
1941
1942 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1943 p->hdr.call_id,
1944 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1945 auth_len);
1946
1947 /*
1948 * Marshall the header into the outgoing PDU.
1949 */
1950
1951 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1952 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1953 goto err_exit;
1954 }
1955
1956 /*
1957 * Now add the RPC_HDR_BA and any auth needed.
1958 */
1959
1960 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1961 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1962 goto err_exit;
1963 }
1964
1965 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1966 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1967 goto err_exit;
1968 }
1969
1970 /*
1971 * Setup the lengths for the initial reply.
1972 */
1973
1974 p->out_data.data_sent_length = 0;
1975 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1976 p->out_data.current_pdu_sent = 0;
1977
1978 prs_mem_free(&out_hdr_ba);
1979 prs_mem_free(&out_auth);
1980
1981 return True;
1982
1983 err_exit:
1984
1985 prs_mem_free(&outgoing_rpc);
1986 prs_mem_free(&out_hdr_ba);
1987 prs_mem_free(&out_auth);
1988 return setup_bind_nak(p);
1989 }
1990
1991 /****************************************************************************
1992 Deal with NTLMSSP sign & seal processing on an RPC request.
1993 ****************************************************************************/
1994
1995 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1996 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1997 {
1998 RPC_HDR_AUTH auth_info;
1999 uint32 auth_len = p->hdr.auth_len;
2000 uint32 save_offset = prs_offset(rpc_in);
2001 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2002 unsigned char *data = NULL;
2003 size_t data_len;
2004 unsigned char *full_packet_data = NULL;
2005 size_t full_packet_data_len;
2006 DATA_BLOB auth_blob;
2007
2008 *pstatus = NT_STATUS_OK;
2009
2010 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2011 return True;
2012 }
2013
2014 if (!a) {
2015 *pstatus = NT_STATUS_INVALID_PARAMETER;
2016 return False;
2017 }
2018
2019 /* Ensure there's enough data for an authenticated request. */
2020 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2021 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2022 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2023 (unsigned int)auth_len ));
2024 *pstatus = NT_STATUS_INVALID_PARAMETER;
2025 return False;
2026 }
2027
2028 /*
2029 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2030 * after the RPC header.
2031 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2032 * functions as NTLMv2 checks the rpc headers also.
2033 */
2034
2035 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2036 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2037
2038 full_packet_data = p->in_data.current_in_pdu;
2039 full_packet_data_len = p->hdr.frag_len - auth_len;
2040
2041 /* Pull the auth header and the following data into a blob. */
2042 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2043 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2044 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2045 *pstatus = NT_STATUS_INVALID_PARAMETER;
2046 return False;
2047 }
2048
2049 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2050 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2051 *pstatus = NT_STATUS_INVALID_PARAMETER;
2052 return False;
2053 }
2054
2055 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2056 auth_blob.length = auth_len;
2057
2058 switch (p->auth.auth_level) {
2059 case PIPE_AUTH_LEVEL_PRIVACY:
2060 /* Data is encrypted. */
2061 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2062 data, data_len,
2063 full_packet_data,
2064 full_packet_data_len,
2065 &auth_blob);
2066 if (!NT_STATUS_IS_OK(*pstatus)) {
2067 return False;
2068 }
2069 break;
2070 case PIPE_AUTH_LEVEL_INTEGRITY:
2071 /* Data is signed. */
2072 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2073 data, data_len,
2074 full_packet_data,
2075 full_packet_data_len,
2076 &auth_blob);
2077 if (!NT_STATUS_IS_OK(*pstatus)) {
2078 return False;
2079 }
2080 break;
2081 default:
2082 *pstatus = NT_STATUS_INVALID_PARAMETER;
2083 return False;
2084 }
2085
2086 /*
2087 * Return the current pointer to the data offset.
2088 */
2089
2090 if(!prs_set_offset(rpc_in, save_offset)) {
2091 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2092 (unsigned int)save_offset ));
2093 *pstatus = NT_STATUS_INVALID_PARAMETER;
2094 return False;
2095 }
2096
2097 /*
2098 * Remember the padding length. We must remove it from the real data
2099 * stream once the sign/seal is done.
2100 */
2101
2102 *p_ss_padding_len = auth_info.auth_pad_len;
2103
2104 return True;
2105 }
2106
2107 /****************************************************************************
2108 Deal with schannel processing on an RPC request.
2109 ****************************************************************************/
2110
2111 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2112 {
2113 uint32 data_len;
2114 uint32 auth_len;
2115 uint32 save_offset = prs_offset(rpc_in);
2116 RPC_HDR_AUTH auth_info;
2117 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2118
2119 auth_len = p->hdr.auth_len;
2120
2121 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2122 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2123 return False;
2124 }
2125
2126 /*
2127 * The following is that length of the data we must verify or unseal.
2128 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2129 * preceeding the auth_data.
2130 */
2131
2132 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2133 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2134 (unsigned int)p->hdr.frag_len,
2135 (unsigned int)auth_len ));
2136 return False;
2137 }
2138
2139 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2140 RPC_HDR_AUTH_LEN - auth_len;
2141
2142 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2143
2144 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2145 DEBUG(0,("cannot move offset to %u.\n",
2146 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2147 return False;
2148 }
2149
2150 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2151 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2152 return False;
2153 }
2154
2155 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2156 DEBUG(0,("Invalid auth info %d on schannel\n",
2157 auth_info.auth_type));
2158 return False;
2159 }
2160
2161 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2162 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2163 return False;
2164 }
2165
2166 if (!schannel_decode(p->auth.a_u.schannel_auth,
2167 p->auth.auth_level,
2168 SENDER_IS_INITIATOR,
2169 &schannel_chk,
2170 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2171 DEBUG(3,("failed to decode PDU\n"));
2172 return False;
2173 }
2174
2175 /*
2176 * Return the current pointer to the data offset.
2177 */
2178
2179 if(!prs_set_offset(rpc_in, save_offset)) {
2180 DEBUG(0,("failed to set offset back to %u\n",
2181 (unsigned int)save_offset ));
2182 return False;
2183 }
2184
2185 /* The sequence number gets incremented on both send and receive. */
2186 p->auth.a_u.schannel_auth->seq_num++;
2187
2188 /*
2189 * Remember the padding length. We must remove it from the real data
2190 * stream once the sign/seal is done.
2191 */
2192
2193 *p_ss_padding_len = auth_info.auth_pad_len;
2194
2195 return True;
2196 }
2197
2198 /****************************************************************************
2199 Find the set of RPC functions associated with this context_id
2200 ****************************************************************************/
2201
2202 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2203 {
2204 PIPE_RPC_FNS *fns = NULL;
2205
2206 if ( !list ) {
2207 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2208 return NULL;
2209 }
2210
2211 for (fns=list; fns; fns=fns->next ) {
2212 if ( fns->context_id == context_id )
2213 return fns;
2214 }
2215 return NULL;
2216 }
2217
2218 /****************************************************************************
2219 Memory cleanup.
2220 ****************************************************************************/
2221
2222 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2223 {
2224 PIPE_RPC_FNS *tmp = list;
2225 PIPE_RPC_FNS *tmp2;
2226
2227 while (tmp) {
2228 tmp2 = tmp->next;
2229 SAFE_FREE(tmp);
2230 tmp = tmp2;
2231 }
2232
2233 return;
2234 }
2235
2236 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2237 const struct api_struct *api_rpc_cmds, int n_cmds);
2238
2239 /****************************************************************************
2240 Find the correct RPC function to call for this request.
2241 If the pipe is authenticated then become the correct UNIX user
2242 before doing the call.
2243 ****************************************************************************/
2244
2245 bool api_pipe_request(pipes_struct *p)
2246 {
2247 bool ret = False;
2248 bool changed_user = False;
2249 PIPE_RPC_FNS *pipe_fns;
2250
2251 if (p->pipe_bound &&
2252 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2253 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2254 if(!become_authenticated_pipe_user(p)) {
2255 prs_mem_free(&p->out_data.rdata);
2256 return False;
2257 }
2258 changed_user = True;
2259 }
2260
2261 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2262
2263 /* get the set of RPC functions for this context */
2264
2265 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2266
2267 if ( pipe_fns ) {
2268 TALLOC_CTX *frame = talloc_stackframe();
2269 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2270 TALLOC_FREE(frame);
2271 }
2272 else {
2273 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2274 p->hdr_req.context_id, p->name));
2275 }
2276
2277 if (changed_user) {
2278 unbecome_authenticated_pipe_user();
2279 }
2280
2281 return ret;
2282 }
2283
2284 /*******************************************************************
2285 Calls the underlying RPC function for a named pipe.
2286 ********************************************************************/
2287
2288 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2289 const struct api_struct *api_rpc_cmds, int n_cmds)
2290 {
2291 int fn_num;
2292 fstring name;
2293 uint32 offset1, offset2;
2294
2295 /* interpret the command */
2296 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2297
2298 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2299 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2300
2301 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2302 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2303 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2304 break;
2305 }
2306 }
2307
2308 if (fn_num == n_cmds) {
2309 /*
2310 * For an unknown RPC just return a fault PDU but
2311 * return True to allow RPC's on the pipe to continue
2312 * and not put the pipe into fault state. JRA.
2313 */
2314 DEBUG(4, ("unknown\n"));
2315 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2316 return True;
2317 }
2318
2319 offset1 = prs_offset(&p->out_data.rdata);
2320
2321 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2322 fn_num, api_rpc_cmds[fn_num].fn));
2323 /* do the actual command */
2324 if(!api_rpc_cmds[fn_num].fn(p)) {
2325 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2326 prs_mem_free(&p->out_data.rdata);
2327 return False;
2328 }
2329
2330 if (p->bad_handle_fault_state) {
2331 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2332 p->bad_handle_fault_state = False;
2333 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2334 return True;
2335 }
2336
2337 if (p->rng_fault_state) {
2338 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2339 p->rng_fault_state = False;
2340 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2341 return True;
2342 }
2343
2344 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2345 offset2 = prs_offset(&p->out_data.rdata);
2346 prs_set_offset(&p->out_data.rdata, offset1);
2347 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2348 prs_set_offset(&p->out_data.rdata, offset2);
2349
2350 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2351
2352 /* Check for buffer underflow in rpc parsing */
2353
2354 if ((DEBUGLEVEL >= 10) &&
2355 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2356 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2357 char *data = (char *)SMB_MALLOC(data_len);
2358
2359 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2360 if (data) {
2361 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2362 SAFE_FREE(data);
2363 }
2364
2365 }
2366
2367 return True;
2368 }