search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerb...
[Samba/vl.git] / source3 / rpc_server / srv_pipe.c
blob924226bc4f2ad61f75d19cfee14973bccd470bb1
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49 return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267 }
268
269 /*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445 }
446
447 /*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567 }
568
569 /*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597 }
598
599 /*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
614 get_pipe_name_from_iface(&p->syntax)));
615
616 ZERO_STRUCT(reply);
617
618 /* this has to be done as root in order to verify the password */
619 become_root();
620 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
621 unbecome_root();
622
623 /* Don't generate a reply. */
624 data_blob_free(&reply);
625
626 if (!NT_STATUS_IS_OK(status)) {
627 return False;
628 }
629
630 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
631 ensure the underlying NTLMSSP flags are also set. If not we should
632 refuse the bind. */
633
634 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
635 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
636 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
637 "but client declined signing.\n",
638 get_pipe_name_from_iface(&p->syntax)));
639 return False;
640 }
641 }
642 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
643 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
644 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
645 "but client declined sealing.\n",
646 get_pipe_name_from_iface(&p->syntax)));
647 return False;
648 }
649 }
650
651 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
652 "workstation: %s\n", a->ntlmssp_state->user,
653 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
654
655 if (a->server_info->ptok == NULL) {
656 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
657 return False;
658 }
659
660 TALLOC_FREE(p->server_info);
661
662 p->server_info = copy_serverinfo(p, a->server_info);
663 if (p->server_info == NULL) {
664 DEBUG(0, ("copy_serverinfo failed\n"));
665 return false;
666 }
667
668 /*
669 * We're an authenticated bind over smb, so the session key needs to
670 * be set to "SystemLibraryDTC". Weird, but this is what Windows
671 * does. See the RPC-SAMBA3SESSIONKEY.
672 */
673
674 session_key = generic_session_key();
675 if (session_key.data == NULL) {
676 return False;
677 }
678
679 ret = server_info_set_session_key(p->server_info, session_key);
680
681 data_blob_free(&session_key);
682
683 return True;
684 }
685
686 /*******************************************************************
687 The switch table for the pipe names and the functions to handle them.
688 *******************************************************************/
689
690 struct rpc_table {
691 struct {
692 const char *clnt;
693 const char *srv;
694 } pipe;
695 struct ndr_syntax_id rpc_interface;
696 const struct api_struct *cmds;
697 int n_cmds;
698 };
699
700 static struct rpc_table *rpc_lookup;
701 static int rpc_lookup_size;
702
703 /*******************************************************************
704 This is the "stage3" NTLMSSP response after a bind request and reply.
705 *******************************************************************/
706
707 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
708 {
709 RPC_HDR_AUTH auth_info;
710 uint32 pad = 0;
711 DATA_BLOB blob;
712
713 ZERO_STRUCT(blob);
714
715 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
716
717 if (p->hdr.auth_len == 0) {
718 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
719 goto err;
720 }
721
722 /* 4 bytes padding. */
723 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
724 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
725 goto err;
726 }
727
728 /*
729 * Decode the authentication verifier response.
730 */
731
732 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
733 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
734 goto err;
735 }
736
737 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
738 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
739 (unsigned int)auth_info.auth_type ));
740 return False;
741 }
742
743 blob = data_blob(NULL,p->hdr.auth_len);
744
745 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
746 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
747 (unsigned int)p->hdr.auth_len ));
748 goto err;
749 }
750
751 /*
752 * The following call actually checks the challenge/response data.
753 * for correctness against the given DOMAIN\user name.
754 */
755
756 if (!pipe_ntlmssp_verify_final(p, &blob)) {
757 goto err;
758 }
759
760 data_blob_free(&blob);
761
762 p->pipe_bound = True;
763
764 return True;
765
766 err:
767
768 data_blob_free(&blob);
769 free_pipe_ntlmssp_auth_data(&p->auth);
770 p->auth.a_u.auth_ntlmssp_state = NULL;
771
772 return False;
773 }
774
775 /*******************************************************************
776 Marshall a bind_nak pdu.
777 *******************************************************************/
778
779 static bool setup_bind_nak(pipes_struct *p)
780 {
781 prs_struct outgoing_rpc;
782 RPC_HDR nak_hdr;
783 uint16 zero = 0;
784
785 /* Free any memory in the current return data buffer. */
786 prs_mem_free(&p->out_data.rdata);
787
788 /*
789 * Marshall directly into the outgoing PDU space. We
790 * must do this as we need to set to the bind response
791 * header and are never sending more than one PDU here.
792 */
793
794 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
795 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
796
797 /*
798 * Initialize a bind_nak header.
799 */
800
801 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
802 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
803
804 /*
805 * Marshall the header into the outgoing PDU.
806 */
807
808 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
809 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
810 prs_mem_free(&outgoing_rpc);
811 return False;
812 }
813
814 /*
815 * Now add the reject reason.
816 */
817
818 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
819 prs_mem_free(&outgoing_rpc);
820 return False;
821 }
822
823 p->out_data.data_sent_length = 0;
824 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
825 p->out_data.current_pdu_sent = 0;
826
827 if (p->auth.auth_data_free_func) {
828 (*p->auth.auth_data_free_func)(&p->auth);
829 }
830 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
831 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
832 p->pipe_bound = False;
833
834 return True;
835 }
836
837 /*******************************************************************
838 Marshall a fault pdu.
839 *******************************************************************/
840
841 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
842 {
843 prs_struct outgoing_pdu;
844 RPC_HDR fault_hdr;
845 RPC_HDR_RESP hdr_resp;
846 RPC_HDR_FAULT fault_resp;
847
848 /* Free any memory in the current return data buffer. */
849 prs_mem_free(&p->out_data.rdata);
850
851 /*
852 * Marshall directly into the outgoing PDU space. We
853 * must do this as we need to set to the bind response
854 * header and are never sending more than one PDU here.
855 */
856
857 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
858 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
859
860 /*
861 * Initialize a fault header.
862 */
863
864 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
865 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
866
867 /*
868 * Initialize the HDR_RESP and FAULT parts of the PDU.
869 */
870
871 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
872
873 fault_resp.status = status;
874 fault_resp.reserved = 0;
875
876 /*
877 * Marshall the header into the outgoing PDU.
878 */
879
880 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
881 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
882 prs_mem_free(&outgoing_pdu);
883 return False;
884 }
885
886 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
887 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
888 prs_mem_free(&outgoing_pdu);
889 return False;
890 }
891
892 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
893 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
894 prs_mem_free(&outgoing_pdu);
895 return False;
896 }
897
898 p->out_data.data_sent_length = 0;
899 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
900 p->out_data.current_pdu_sent = 0;
901
902 prs_mem_free(&outgoing_pdu);
903 return True;
904 }
905
906 #if 0
907 /*******************************************************************
908 Marshall a cancel_ack pdu.
909 We should probably check the auth-verifier here.
910 *******************************************************************/
911
912 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
913 {
914 prs_struct outgoing_pdu;
915 RPC_HDR ack_reply_hdr;
916
917 /* Free any memory in the current return data buffer. */
918 prs_mem_free(&p->out_data.rdata);
919
920 /*
921 * Marshall directly into the outgoing PDU space. We
922 * must do this as we need to set to the bind response
923 * header and are never sending more than one PDU here.
924 */
925
926 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
927 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
928
929 /*
930 * Initialize a cancel_ack header.
931 */
932
933 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
934 p->hdr.call_id, RPC_HEADER_LEN, 0);
935
936 /*
937 * Marshall the header into the outgoing PDU.
938 */
939
940 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
941 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
942 prs_mem_free(&outgoing_pdu);
943 return False;
944 }
945
946 p->out_data.data_sent_length = 0;
947 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
948 p->out_data.current_pdu_sent = 0;
949
950 prs_mem_free(&outgoing_pdu);
951 return True;
952 }
953 #endif
954
955 /*******************************************************************
956 Ensure a bind request has the correct abstract & transfer interface.
957 Used to reject unknown binds from Win2k.
958 *******************************************************************/
959
960 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
961 RPC_IFACE* transfer, uint32 context_id)
962 {
963 int i=0;
964 struct pipe_rpc_fns *context_fns;
965
966 DEBUG(3,("check_bind_req for %s\n",
967 get_pipe_name_from_iface(&p->syntax)));
968
969 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
970
971 for (i=0; i<rpc_lookup_size; i++) {
972 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
973 if (ndr_syntax_id_equal(
974 abstract, &rpc_lookup[i].rpc_interface)
975 && ndr_syntax_id_equal(
976 transfer, &ndr_transfer_syntax)) {
977 break;
978 }
979 }
980
981 if (i == rpc_lookup_size) {
982 return false;
983 }
984
985 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
986 if (context_fns == NULL) {
987 DEBUG(0,("check_bind_req: malloc() failed!\n"));
988 return False;
989 }
990
991 context_fns->cmds = rpc_lookup[i].cmds;
992 context_fns->n_cmds = rpc_lookup[i].n_cmds;
993 context_fns->context_id = context_id;
994
995 /* add to the list of open contexts */
996
997 DLIST_ADD( p->contexts, context_fns );
998
999 return True;
1000 }
1001
1002 /*******************************************************************
1003 Register commands to an RPC pipe
1004 *******************************************************************/
1005
1006 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1007 const struct ndr_interface_table *iface,
1008 const struct api_struct *cmds, int size)
1009 {
1010 struct rpc_table *rpc_entry;
1011
1012 if (!clnt || !srv || !cmds) {
1013 return NT_STATUS_INVALID_PARAMETER;
1014 }
1015
1016 if (version != SMB_RPC_INTERFACE_VERSION) {
1017 DEBUG(0,("Can't register rpc commands!\n"
1018 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1019 ", while this version of samba uses version %d!\n",
1020 version,SMB_RPC_INTERFACE_VERSION));
1021 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1022 }
1023
1024 /* TODO:
1025 *
1026 * we still need to make sure that don't register the same commands twice!!!
1027 *
1028 * --metze
1029 */
1030
1031 /* We use a temporary variable because this call can fail and
1032 rpc_lookup will still be valid afterwards. It could then succeed if
1033 called again later */
1034 rpc_lookup_size++;
1035 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1036 if (NULL == rpc_entry) {
1037 rpc_lookup_size--;
1038 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1039 return NT_STATUS_NO_MEMORY;
1040 } else {
1041 rpc_lookup = rpc_entry;
1042 }
1043
1044 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1045 ZERO_STRUCTP(rpc_entry);
1046 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1047 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1048 rpc_entry->rpc_interface = iface->syntax_id;
1049 rpc_entry->cmds = cmds;
1050 rpc_entry->n_cmds = size;
1051
1052 return NT_STATUS_OK;
1053 }
1054
1055 /**
1056 * Is a named pipe known?
1057 * @param[in] cli_filename The pipe name requested by the client
1058 * @result Do we want to serve this?
1059 */
1060 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1061 {
1062 const char *pipename = cli_filename;
1063 int i;
1064
1065 if (strnequal(pipename, "\\PIPE\\", 6)) {
1066 pipename += 5;
1067 }
1068
1069 if (*pipename == '\\') {
1070 pipename += 1;
1071 }
1072
1073 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1074 DEBUG(10, ("refusing spoolss access\n"));
1075 return false;
1076 }
1077
1078 for (i=0; i<rpc_lookup_size; i++) {
1079 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1080 *syntax = rpc_lookup[i].rpc_interface;
1081 return true;
1082 }
1083 }
1084
1085 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1086 return false;
1087 }
1088
1089 /*******************************************************************
1090 Handle a SPNEGO krb5 bind auth.
1091 *******************************************************************/
1092
1093 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1094 DATA_BLOB *psecblob, prs_struct *pout_auth)
1095 {
1096 return False;
1097 }
1098
1099 /*******************************************************************
1100 Handle the first part of a SPNEGO bind auth.
1101 *******************************************************************/
1102
1103 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1104 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1105 {
1106 DATA_BLOB blob;
1107 DATA_BLOB secblob;
1108 DATA_BLOB response;
1109 DATA_BLOB chal;
1110 char *OIDs[ASN1_MAX_OIDS];
1111 int i;
1112 NTSTATUS status;
1113 bool got_kerberos_mechanism = false;
1114 AUTH_NTLMSSP_STATE *a = NULL;
1115 RPC_HDR_AUTH auth_info;
1116
1117 ZERO_STRUCT(secblob);
1118 ZERO_STRUCT(chal);
1119 ZERO_STRUCT(response);
1120
1121 /* Grab the SPNEGO blob. */
1122 blob = data_blob(NULL,p->hdr.auth_len);
1123
1124 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1125 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1126 (unsigned int)p->hdr.auth_len ));
1127 goto err;
1128 }
1129
1130 if (blob.data[0] != ASN1_APPLICATION(0)) {
1131 goto err;
1132 }
1133
1134 /* parse out the OIDs and the first sec blob */
1135 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1136 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1137 goto err;
1138 }
1139
1140 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1141 got_kerberos_mechanism = true;
1142 }
1143
1144 for (i=0;OIDs[i];i++) {
1145 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1146 TALLOC_FREE(OIDs[i]);
1147 }
1148 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1149
1150 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1151 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1152 data_blob_free(&secblob);
1153 data_blob_free(&blob);
1154 return ret;
1155 }
1156
1157 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1158 /* Free any previous auth type. */
1159 free_pipe_ntlmssp_auth_data(&p->auth);
1160 }
1161
1162 if (!got_kerberos_mechanism) {
1163 /* Initialize the NTLM engine. */
1164 status = auth_ntlmssp_start(&a);
1165 if (!NT_STATUS_IS_OK(status)) {
1166 goto err;
1167 }
1168
1169 /*
1170 * Pass the first security blob of data to it.
1171 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1172 * which means we need another packet to complete the bind.
1173 */
1174
1175 status = auth_ntlmssp_update(a, secblob, &chal);
1176
1177 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1178 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1179 goto err;
1180 }
1181
1182 /* Generate the response blob we need for step 2 of the bind. */
1183 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1184 } else {
1185 /*
1186 * SPNEGO negotiate down to NTLMSSP. The subsequent
1187 * code to process follow-up packets is not complete
1188 * yet. JRA.
1189 */
1190 response = spnego_gen_auth_response(NULL,
1191 NT_STATUS_MORE_PROCESSING_REQUIRED,
1192 OID_NTLMSSP);
1193 }
1194
1195 /* Copy the blob into the pout_auth parse struct */
1196 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1197 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1198 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1199 goto err;
1200 }
1201
1202 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1203 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1204 goto err;
1205 }
1206
1207 p->auth.a_u.auth_ntlmssp_state = a;
1208 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1209 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1210
1211 data_blob_free(&blob);
1212 data_blob_free(&secblob);
1213 data_blob_free(&chal);
1214 data_blob_free(&response);
1215
1216 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1217 return True;
1218
1219 err:
1220
1221 data_blob_free(&blob);
1222 data_blob_free(&secblob);
1223 data_blob_free(&chal);
1224 data_blob_free(&response);
1225
1226 p->auth.a_u.auth_ntlmssp_state = NULL;
1227
1228 return False;
1229 }
1230
1231 /*******************************************************************
1232 Handle the second part of a SPNEGO bind auth.
1233 *******************************************************************/
1234
1235 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1236 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1237 {
1238 RPC_HDR_AUTH auth_info;
1239 DATA_BLOB spnego_blob;
1240 DATA_BLOB auth_blob;
1241 DATA_BLOB auth_reply;
1242 DATA_BLOB response;
1243 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1244
1245 ZERO_STRUCT(spnego_blob);
1246 ZERO_STRUCT(auth_blob);
1247 ZERO_STRUCT(auth_reply);
1248 ZERO_STRUCT(response);
1249
1250 /*
1251 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1252 * fail here as 'a' == NULL.
1253 */
1254 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1255 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1256 goto err;
1257 }
1258
1259 /* Grab the SPNEGO blob. */
1260 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1261
1262 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1263 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1264 (unsigned int)p->hdr.auth_len ));
1265 goto err;
1266 }
1267
1268 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1269 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1270 goto err;
1271 }
1272
1273 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1274 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1275 goto err;
1276 }
1277
1278 /*
1279 * The following call actually checks the challenge/response data.
1280 * for correctness against the given DOMAIN\user name.
1281 */
1282
1283 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1284 goto err;
1285 }
1286
1287 data_blob_free(&spnego_blob);
1288 data_blob_free(&auth_blob);
1289
1290 /* Generate the spnego "accept completed" blob - no incoming data. */
1291 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1292
1293 /* Copy the blob into the pout_auth parse struct */
1294 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1295 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1296 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1297 goto err;
1298 }
1299
1300 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1301 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1302 goto err;
1303 }
1304
1305 data_blob_free(&auth_reply);
1306 data_blob_free(&response);
1307
1308 p->pipe_bound = True;
1309
1310 return True;
1311
1312 err:
1313
1314 data_blob_free(&spnego_blob);
1315 data_blob_free(&auth_blob);
1316 data_blob_free(&auth_reply);
1317 data_blob_free(&response);
1318
1319 free_pipe_ntlmssp_auth_data(&p->auth);
1320 p->auth.a_u.auth_ntlmssp_state = NULL;
1321
1322 return False;
1323 }
1324
1325 /*******************************************************************
1326 Handle an schannel bind auth.
1327 *******************************************************************/
1328
1329 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1330 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1331 {
1332 RPC_HDR_AUTH auth_info;
1333 RPC_AUTH_SCHANNEL_NEG neg;
1334 RPC_AUTH_VERIFIER auth_verifier;
1335 bool ret;
1336 struct dcinfo *pdcinfo;
1337 uint32 flags;
1338 DATA_BLOB session_key;
1339
1340 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1341 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1342 return False;
1343 }
1344
1345 /*
1346 * The neg.myname key here must match the remote computer name
1347 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1348 * operations that use credentials.
1349 */
1350
1351 become_root();
1352 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1353 unbecome_root();
1354
1355 if (!ret) {
1356 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1357 return False;
1358 }
1359
1360 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1361 if (!p->auth.a_u.schannel_auth) {
1362 TALLOC_FREE(pdcinfo);
1363 return False;
1364 }
1365
1366 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1367 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1368 sizeof(pdcinfo->sess_key));
1369
1370 TALLOC_FREE(pdcinfo);
1371
1372 p->auth.a_u.schannel_auth->seq_num = 0;
1373
1374 /*
1375 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1376 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1377 * struct of the person who opened the pipe. I need to test this further. JRA.
1378 *
1379 * VL. As we are mapping this to guest set the generic key
1380 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1381 * W2k3, as it does not allow schannel binds against SAMR and LSA
1382 * anymore.
1383 */
1384
1385 session_key = generic_session_key();
1386 if (session_key.data == NULL) {
1387 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1388 " key\n"));
1389 return false;
1390 }
1391
1392 ret = server_info_set_session_key(p->server_info, session_key);
1393
1394 data_blob_free(&session_key);
1395
1396 if (!ret) {
1397 DEBUG(0, ("server_info_set_session_key failed\n"));
1398 return false;
1399 }
1400
1401 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1402 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1403 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1404 return False;
1405 }
1406
1407 /*** SCHANNEL verifier ***/
1408
1409 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1410 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1411 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1412 return False;
1413 }
1414
1415 prs_align(pout_auth);
1416
1417 flags = 5;
1418 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1419 return False;
1420 }
1421
1422 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1423 neg.domain, neg.myname));
1424
1425 /* We're finished with this bind - no more packets. */
1426 p->auth.auth_data_free_func = NULL;
1427 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1428
1429 p->pipe_bound = True;
1430
1431 return True;
1432 }
1433
1434 /*******************************************************************
1435 Handle an NTLMSSP bind auth.
1436 *******************************************************************/
1437
1438 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1439 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1440 {
1441 RPC_HDR_AUTH auth_info;
1442 DATA_BLOB blob;
1443 DATA_BLOB response;
1444 NTSTATUS status;
1445 AUTH_NTLMSSP_STATE *a = NULL;
1446
1447 ZERO_STRUCT(blob);
1448 ZERO_STRUCT(response);
1449
1450 /* Grab the NTLMSSP blob. */
1451 blob = data_blob(NULL,p->hdr.auth_len);
1452
1453 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1454 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1455 (unsigned int)p->hdr.auth_len ));
1456 goto err;
1457 }
1458
1459 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1460 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1461 goto err;
1462 }
1463
1464 /* We have an NTLMSSP blob. */
1465 status = auth_ntlmssp_start(&a);
1466 if (!NT_STATUS_IS_OK(status)) {
1467 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1468 nt_errstr(status) ));
1469 goto err;
1470 }
1471
1472 status = auth_ntlmssp_update(a, blob, &response);
1473 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1474 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1475 nt_errstr(status) ));
1476 goto err;
1477 }
1478
1479 data_blob_free(&blob);
1480
1481 /* Copy the blob into the pout_auth parse struct */
1482 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1483 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1484 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1485 goto err;
1486 }
1487
1488 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1489 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1490 goto err;
1491 }
1492
1493 p->auth.a_u.auth_ntlmssp_state = a;
1494 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1495 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1496
1497 data_blob_free(&blob);
1498 data_blob_free(&response);
1499
1500 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1501
1502 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1503 return True;
1504
1505 err:
1506
1507 data_blob_free(&blob);
1508 data_blob_free(&response);
1509
1510 free_pipe_ntlmssp_auth_data(&p->auth);
1511 p->auth.a_u.auth_ntlmssp_state = NULL;
1512 return False;
1513 }
1514
1515 /*******************************************************************
1516 Respond to a pipe bind request.
1517 *******************************************************************/
1518
1519 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1520 {
1521 RPC_HDR_BA hdr_ba;
1522 RPC_HDR_RB hdr_rb;
1523 RPC_HDR_AUTH auth_info;
1524 uint16 assoc_gid;
1525 fstring ack_pipe_name;
1526 prs_struct out_hdr_ba;
1527 prs_struct out_auth;
1528 prs_struct outgoing_rpc;
1529 int i = 0;
1530 int auth_len = 0;
1531 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1532
1533 /* No rebinds on a bound pipe - use alter context. */
1534 if (p->pipe_bound) {
1535 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1536 "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1537 return setup_bind_nak(p);
1538 }
1539
1540 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1541
1542 /*
1543 * Marshall directly into the outgoing PDU space. We
1544 * must do this as we need to set to the bind response
1545 * header and are never sending more than one PDU here.
1546 */
1547
1548 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1549
1550 /*
1551 * Setup the memory to marshall the ba header, and the
1552 * auth footers.
1553 */
1554
1555 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1556 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1557 prs_mem_free(&outgoing_rpc);
1558 return False;
1559 }
1560
1561 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1562 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1563 prs_mem_free(&outgoing_rpc);
1564 prs_mem_free(&out_hdr_ba);
1565 return False;
1566 }
1567
1568 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1569
1570 ZERO_STRUCT(hdr_rb);
1571
1572 /* decode the bind request */
1573
1574 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1575 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1576 "struct.\n"));
1577 goto err_exit;
1578 }
1579
1580 if (hdr_rb.num_contexts == 0) {
1581 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1582 goto err_exit;
1583 }
1584
1585 /*
1586 * Try and find the correct pipe name to ensure
1587 * that this is a pipe name we support.
1588 */
1589
1590 for (i = 0; i < rpc_lookup_size; i++) {
1591 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1592 &hdr_rb.rpc_context[0].abstract)) {
1593 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1594 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1595 break;
1596 }
1597 }
1598
1599 if (i == rpc_lookup_size) {
1600 NTSTATUS status;
1601
1602 status = smb_probe_module(
1603 "rpc", get_pipe_name_from_iface(
1604 &hdr_rb.rpc_context[0].abstract));
1605
1606 if (NT_STATUS_IS_ERR(status)) {
1607 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1608 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1609 prs_mem_free(&outgoing_rpc);
1610 prs_mem_free(&out_hdr_ba);
1611 prs_mem_free(&out_auth);
1612
1613 return setup_bind_nak(p);
1614 }
1615
1616 for (i = 0; i < rpc_lookup_size; i++) {
1617 if (strequal(rpc_lookup[i].pipe.clnt,
1618 get_pipe_name_from_iface(&p->syntax))) {
1619 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1620 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1621 break;
1622 }
1623 }
1624
1625 if (i == rpc_lookup_size) {
1626 DEBUG(0, ("module %s doesn't provide functions for "
1627 "pipe %s!\n",
1628 get_pipe_name_from_iface(&p->syntax),
1629 get_pipe_name_from_iface(&p->syntax)));
1630 goto err_exit;
1631 }
1632 }
1633
1634 /* name has to be \PIPE\xxxxx */
1635 fstrcpy(ack_pipe_name, "\\PIPE\\");
1636 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1637
1638 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1639
1640 /*
1641 * Check if this is an authenticated bind request.
1642 */
1643
1644 if (p->hdr.auth_len) {
1645 /*
1646 * Decode the authentication verifier.
1647 */
1648
1649 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1650 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1651 goto err_exit;
1652 }
1653
1654 auth_type = auth_info.auth_type;
1655
1656 /* Work out if we have to sign or seal etc. */
1657 switch (auth_info.auth_level) {
1658 case RPC_AUTH_LEVEL_INTEGRITY:
1659 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1660 break;
1661 case RPC_AUTH_LEVEL_PRIVACY:
1662 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1663 break;
1664 default:
1665 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1666 (unsigned int)auth_info.auth_level ));
1667 goto err_exit;
1668 }
1669 } else {
1670 ZERO_STRUCT(auth_info);
1671 }
1672
1673 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1674
1675 switch(auth_type) {
1676 case RPC_NTLMSSP_AUTH_TYPE:
1677 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1678 goto err_exit;
1679 }
1680 assoc_gid = 0x7a77;
1681 break;
1682
1683 case RPC_SCHANNEL_AUTH_TYPE:
1684 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1685 goto err_exit;
1686 }
1687 break;
1688
1689 case RPC_SPNEGO_AUTH_TYPE:
1690 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1691 goto err_exit;
1692 }
1693 break;
1694
1695 case RPC_ANONYMOUS_AUTH_TYPE:
1696 /* Unauthenticated bind request. */
1697 /* We're finished - no more packets. */
1698 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1699 /* We must set the pipe auth_level here also. */
1700 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1701 p->pipe_bound = True;
1702 /* The session key was initialized from the SMB
1703 * session in make_internal_rpc_pipe_p */
1704 break;
1705
1706 default:
1707 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1708 goto err_exit;
1709 }
1710
1711 /*
1712 * Create the bind response struct.
1713 */
1714
1715 /* If the requested abstract synt uuid doesn't match our client pipe,
1716 reject the bind_ack & set the transfer interface synt to all 0's,
1717 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1718 unknown to NT4)
1719 Needed when adding entries to a DACL from NT5 - SK */
1720
1721 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1722 hdr_rb.rpc_context[0].context_id )) {
1723 init_rpc_hdr_ba(&hdr_ba,
1724 RPC_MAX_PDU_FRAG_LEN,
1725 RPC_MAX_PDU_FRAG_LEN,
1726 assoc_gid,
1727 ack_pipe_name,
1728 0x1, 0x0, 0x0,
1729 &hdr_rb.rpc_context[0].transfer[0]);
1730 } else {
1731 RPC_IFACE null_interface;
1732 ZERO_STRUCT(null_interface);
1733 /* Rejection reason: abstract syntax not supported */
1734 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1735 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1736 ack_pipe_name, 0x1, 0x2, 0x1,
1737 &null_interface);
1738 p->pipe_bound = False;
1739 }
1740
1741 /*
1742 * and marshall it.
1743 */
1744
1745 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1746 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1747 goto err_exit;
1748 }
1749
1750 /*
1751 * Create the header, now we know the length.
1752 */
1753
1754 if (prs_offset(&out_auth)) {
1755 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1756 }
1757
1758 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1759 p->hdr.call_id,
1760 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1761 auth_len);
1762
1763 /*
1764 * Marshall the header into the outgoing PDU.
1765 */
1766
1767 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1768 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1769 goto err_exit;
1770 }
1771
1772 /*
1773 * Now add the RPC_HDR_BA and any auth needed.
1774 */
1775
1776 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1777 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1778 goto err_exit;
1779 }
1780
1781 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1782 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1783 goto err_exit;
1784 }
1785
1786 /*
1787 * Setup the lengths for the initial reply.
1788 */
1789
1790 p->out_data.data_sent_length = 0;
1791 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1792 p->out_data.current_pdu_sent = 0;
1793
1794 prs_mem_free(&out_hdr_ba);
1795 prs_mem_free(&out_auth);
1796
1797 return True;
1798
1799 err_exit:
1800
1801 prs_mem_free(&outgoing_rpc);
1802 prs_mem_free(&out_hdr_ba);
1803 prs_mem_free(&out_auth);
1804 return setup_bind_nak(p);
1805 }
1806
1807 /****************************************************************************
1808 Deal with an alter context call. Can be third part of 3 leg auth request for
1809 SPNEGO calls.
1810 ****************************************************************************/
1811
1812 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1813 {
1814 RPC_HDR_BA hdr_ba;
1815 RPC_HDR_RB hdr_rb;
1816 RPC_HDR_AUTH auth_info;
1817 uint16 assoc_gid;
1818 fstring ack_pipe_name;
1819 prs_struct out_hdr_ba;
1820 prs_struct out_auth;
1821 prs_struct outgoing_rpc;
1822 int auth_len = 0;
1823
1824 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1825
1826 /*
1827 * Marshall directly into the outgoing PDU space. We
1828 * must do this as we need to set to the bind response
1829 * header and are never sending more than one PDU here.
1830 */
1831
1832 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1833
1834 /*
1835 * Setup the memory to marshall the ba header, and the
1836 * auth footers.
1837 */
1838
1839 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1840 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1841 prs_mem_free(&outgoing_rpc);
1842 return False;
1843 }
1844
1845 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1846 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1847 prs_mem_free(&outgoing_rpc);
1848 prs_mem_free(&out_hdr_ba);
1849 return False;
1850 }
1851
1852 ZERO_STRUCT(hdr_rb);
1853
1854 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1855
1856 /* decode the alter context request */
1857 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1858 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1859 goto err_exit;
1860 }
1861
1862 /* secondary address CAN be NULL
1863 * as the specs say it's ignored.
1864 * It MUST be NULL to have the spoolss working.
1865 */
1866 fstrcpy(ack_pipe_name,"");
1867
1868 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1869
1870 /*
1871 * Check if this is an authenticated alter context request.
1872 */
1873
1874 if (p->hdr.auth_len != 0) {
1875 /*
1876 * Decode the authentication verifier.
1877 */
1878
1879 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1880 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1881 goto err_exit;
1882 }
1883
1884 /*
1885 * Currently only the SPNEGO auth type uses the alter ctx
1886 * response in place of the NTLMSSP auth3 type.
1887 */
1888
1889 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1890 /* We can only finish if the pipe is unbound. */
1891 if (!p->pipe_bound) {
1892 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1893 goto err_exit;
1894 }
1895 } else {
1896 goto err_exit;
1897 }
1898 }
1899 } else {
1900 ZERO_STRUCT(auth_info);
1901 }
1902
1903 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1904
1905 /*
1906 * Create the bind response struct.
1907 */
1908
1909 /* If the requested abstract synt uuid doesn't match our client pipe,
1910 reject the bind_ack & set the transfer interface synt to all 0's,
1911 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1912 unknown to NT4)
1913 Needed when adding entries to a DACL from NT5 - SK */
1914
1915 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1916 hdr_rb.rpc_context[0].context_id )) {
1917 init_rpc_hdr_ba(&hdr_ba,
1918 RPC_MAX_PDU_FRAG_LEN,
1919 RPC_MAX_PDU_FRAG_LEN,
1920 assoc_gid,
1921 ack_pipe_name,
1922 0x1, 0x0, 0x0,
1923 &hdr_rb.rpc_context[0].transfer[0]);
1924 } else {
1925 RPC_IFACE null_interface;
1926 ZERO_STRUCT(null_interface);
1927 /* Rejection reason: abstract syntax not supported */
1928 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1929 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1930 ack_pipe_name, 0x1, 0x2, 0x1,
1931 &null_interface);
1932 p->pipe_bound = False;
1933 }
1934
1935 /*
1936 * and marshall it.
1937 */
1938
1939 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1940 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1941 goto err_exit;
1942 }
1943
1944 /*
1945 * Create the header, now we know the length.
1946 */
1947
1948 if (prs_offset(&out_auth)) {
1949 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1950 }
1951
1952 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1953 p->hdr.call_id,
1954 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1955 auth_len);
1956
1957 /*
1958 * Marshall the header into the outgoing PDU.
1959 */
1960
1961 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1962 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1963 goto err_exit;
1964 }
1965
1966 /*
1967 * Now add the RPC_HDR_BA and any auth needed.
1968 */
1969
1970 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1971 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1972 goto err_exit;
1973 }
1974
1975 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1976 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1977 goto err_exit;
1978 }
1979
1980 /*
1981 * Setup the lengths for the initial reply.
1982 */
1983
1984 p->out_data.data_sent_length = 0;
1985 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1986 p->out_data.current_pdu_sent = 0;
1987
1988 prs_mem_free(&out_hdr_ba);
1989 prs_mem_free(&out_auth);
1990
1991 return True;
1992
1993 err_exit:
1994
1995 prs_mem_free(&outgoing_rpc);
1996 prs_mem_free(&out_hdr_ba);
1997 prs_mem_free(&out_auth);
1998 return setup_bind_nak(p);
1999 }
2000
2001 /****************************************************************************
2002 Deal with NTLMSSP sign & seal processing on an RPC request.
2003 ****************************************************************************/
2004
2005 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2006 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2007 {
2008 RPC_HDR_AUTH auth_info;
2009 uint32 auth_len = p->hdr.auth_len;
2010 uint32 save_offset = prs_offset(rpc_in);
2011 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2012 unsigned char *data = NULL;
2013 size_t data_len;
2014 unsigned char *full_packet_data = NULL;
2015 size_t full_packet_data_len;
2016 DATA_BLOB auth_blob;
2017
2018 *pstatus = NT_STATUS_OK;
2019
2020 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2021 return True;
2022 }
2023
2024 if (!a) {
2025 *pstatus = NT_STATUS_INVALID_PARAMETER;
2026 return False;
2027 }
2028
2029 /* Ensure there's enough data for an authenticated request. */
2030 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2031 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2032 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2033 (unsigned int)auth_len ));
2034 *pstatus = NT_STATUS_INVALID_PARAMETER;
2035 return False;
2036 }
2037
2038 /*
2039 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2040 * after the RPC header.
2041 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2042 * functions as NTLMv2 checks the rpc headers also.
2043 */
2044
2045 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2046 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2047
2048 full_packet_data = p->in_data.current_in_pdu;
2049 full_packet_data_len = p->hdr.frag_len - auth_len;
2050
2051 /* Pull the auth header and the following data into a blob. */
2052 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2053 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2054 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2055 *pstatus = NT_STATUS_INVALID_PARAMETER;
2056 return False;
2057 }
2058
2059 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2060 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2061 *pstatus = NT_STATUS_INVALID_PARAMETER;
2062 return False;
2063 }
2064
2065 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2066 auth_blob.length = auth_len;
2067
2068 switch (p->auth.auth_level) {
2069 case PIPE_AUTH_LEVEL_PRIVACY:
2070 /* Data is encrypted. */
2071 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2072 data, data_len,
2073 full_packet_data,
2074 full_packet_data_len,
2075 &auth_blob);
2076 if (!NT_STATUS_IS_OK(*pstatus)) {
2077 return False;
2078 }
2079 break;
2080 case PIPE_AUTH_LEVEL_INTEGRITY:
2081 /* Data is signed. */
2082 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2083 data, data_len,
2084 full_packet_data,
2085 full_packet_data_len,
2086 &auth_blob);
2087 if (!NT_STATUS_IS_OK(*pstatus)) {
2088 return False;
2089 }
2090 break;
2091 default:
2092 *pstatus = NT_STATUS_INVALID_PARAMETER;
2093 return False;
2094 }
2095
2096 /*
2097 * Return the current pointer to the data offset.
2098 */
2099
2100 if(!prs_set_offset(rpc_in, save_offset)) {
2101 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2102 (unsigned int)save_offset ));
2103 *pstatus = NT_STATUS_INVALID_PARAMETER;
2104 return False;
2105 }
2106
2107 /*
2108 * Remember the padding length. We must remove it from the real data
2109 * stream once the sign/seal is done.
2110 */
2111
2112 *p_ss_padding_len = auth_info.auth_pad_len;
2113
2114 return True;
2115 }
2116
2117 /****************************************************************************
2118 Deal with schannel processing on an RPC request.
2119 ****************************************************************************/
2120
2121 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2122 {
2123 uint32 data_len;
2124 uint32 auth_len;
2125 uint32 save_offset = prs_offset(rpc_in);
2126 RPC_HDR_AUTH auth_info;
2127 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2128
2129 auth_len = p->hdr.auth_len;
2130
2131 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2132 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2133 return False;
2134 }
2135
2136 /*
2137 * The following is that length of the data we must verify or unseal.
2138 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2139 * preceeding the auth_data.
2140 */
2141
2142 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2143 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2144 (unsigned int)p->hdr.frag_len,
2145 (unsigned int)auth_len ));
2146 return False;
2147 }
2148
2149 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2150 RPC_HDR_AUTH_LEN - auth_len;
2151
2152 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2153
2154 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2155 DEBUG(0,("cannot move offset to %u.\n",
2156 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2157 return False;
2158 }
2159
2160 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2161 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2162 return False;
2163 }
2164
2165 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2166 DEBUG(0,("Invalid auth info %d on schannel\n",
2167 auth_info.auth_type));
2168 return False;
2169 }
2170
2171 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2172 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2173 return False;
2174 }
2175
2176 if (!schannel_decode(p->auth.a_u.schannel_auth,
2177 p->auth.auth_level,
2178 SENDER_IS_INITIATOR,
2179 &schannel_chk,
2180 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2181 DEBUG(3,("failed to decode PDU\n"));
2182 return False;
2183 }
2184
2185 /*
2186 * Return the current pointer to the data offset.
2187 */
2188
2189 if(!prs_set_offset(rpc_in, save_offset)) {
2190 DEBUG(0,("failed to set offset back to %u\n",
2191 (unsigned int)save_offset ));
2192 return False;
2193 }
2194
2195 /* The sequence number gets incremented on both send and receive. */
2196 p->auth.a_u.schannel_auth->seq_num++;
2197
2198 /*
2199 * Remember the padding length. We must remove it from the real data
2200 * stream once the sign/seal is done.
2201 */
2202
2203 *p_ss_padding_len = auth_info.auth_pad_len;
2204
2205 return True;
2206 }
2207
2208 /****************************************************************************
2209 Find the set of RPC functions associated with this context_id
2210 ****************************************************************************/
2211
2212 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2213 {
2214 PIPE_RPC_FNS *fns = NULL;
2215
2216 if ( !list ) {
2217 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2218 return NULL;
2219 }
2220
2221 for (fns=list; fns; fns=fns->next ) {
2222 if ( fns->context_id == context_id )
2223 return fns;
2224 }
2225 return NULL;
2226 }
2227
2228 /****************************************************************************
2229 Memory cleanup.
2230 ****************************************************************************/
2231
2232 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2233 {
2234 PIPE_RPC_FNS *tmp = list;
2235 PIPE_RPC_FNS *tmp2;
2236
2237 while (tmp) {
2238 tmp2 = tmp->next;
2239 SAFE_FREE(tmp);
2240 tmp = tmp2;
2241 }
2242
2243 return;
2244 }
2245
2246 static bool api_rpcTNP(pipes_struct *p,
2247 const struct api_struct *api_rpc_cmds, int n_cmds);
2248
2249 /****************************************************************************
2250 Find the correct RPC function to call for this request.
2251 If the pipe is authenticated then become the correct UNIX user
2252 before doing the call.
2253 ****************************************************************************/
2254
2255 bool api_pipe_request(pipes_struct *p)
2256 {
2257 bool ret = False;
2258 bool changed_user = False;
2259 PIPE_RPC_FNS *pipe_fns;
2260
2261 if (p->pipe_bound &&
2262 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2263 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2264 if(!become_authenticated_pipe_user(p)) {
2265 prs_mem_free(&p->out_data.rdata);
2266 return False;
2267 }
2268 changed_user = True;
2269 }
2270
2271 DEBUG(5, ("Requested \\PIPE\\%s\n",
2272 get_pipe_name_from_iface(&p->syntax)));
2273
2274 /* get the set of RPC functions for this context */
2275
2276 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2277
2278 if ( pipe_fns ) {
2279 TALLOC_CTX *frame = talloc_stackframe();
2280 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2281 TALLOC_FREE(frame);
2282 }
2283 else {
2284 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2285 p->hdr_req.context_id,
2286 get_pipe_name_from_iface(&p->syntax)));
2287 }
2288
2289 if (changed_user) {
2290 unbecome_authenticated_pipe_user();
2291 }
2292
2293 return ret;
2294 }
2295
2296 /*******************************************************************
2297 Calls the underlying RPC function for a named pipe.
2298 ********************************************************************/
2299
2300 static bool api_rpcTNP(pipes_struct *p,
2301 const struct api_struct *api_rpc_cmds, int n_cmds)
2302 {
2303 int fn_num;
2304 uint32 offset1, offset2;
2305
2306 /* interpret the command */
2307 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2308 get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2309
2310 if (DEBUGLEVEL >= 50) {
2311 fstring name;
2312 slprintf(name, sizeof(name)-1, "in_%s",
2313 get_pipe_name_from_iface(&p->syntax));
2314 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2315 }
2316
2317 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2318 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2319 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2320 break;
2321 }
2322 }
2323
2324 if (fn_num == n_cmds) {
2325 /*
2326 * For an unknown RPC just return a fault PDU but
2327 * return True to allow RPC's on the pipe to continue
2328 * and not put the pipe into fault state. JRA.
2329 */
2330 DEBUG(4, ("unknown\n"));
2331 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2332 return True;
2333 }
2334
2335 offset1 = prs_offset(&p->out_data.rdata);
2336
2337 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2338 fn_num, api_rpc_cmds[fn_num].fn));
2339 /* do the actual command */
2340 if(!api_rpc_cmds[fn_num].fn(p)) {
2341 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2342 get_pipe_name_from_iface(&p->syntax),
2343 api_rpc_cmds[fn_num].name));
2344 prs_mem_free(&p->out_data.rdata);
2345 return False;
2346 }
2347
2348 if (p->bad_handle_fault_state) {
2349 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2350 p->bad_handle_fault_state = False;
2351 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2352 return True;
2353 }
2354
2355 if (p->rng_fault_state) {
2356 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2357 p->rng_fault_state = False;
2358 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2359 return True;
2360 }
2361
2362 offset2 = prs_offset(&p->out_data.rdata);
2363 prs_set_offset(&p->out_data.rdata, offset1);
2364 if (DEBUGLEVEL >= 50) {
2365 fstring name;
2366 slprintf(name, sizeof(name)-1, "out_%s",
2367 get_pipe_name_from_iface(&p->syntax));
2368 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2369 }
2370 prs_set_offset(&p->out_data.rdata, offset2);
2371
2372 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2373 get_pipe_name_from_iface(&p->syntax)));
2374
2375 /* Check for buffer underflow in rpc parsing */
2376
2377 if ((DEBUGLEVEL >= 10) &&
2378 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2379 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2380 char *data = (char *)SMB_MALLOC(data_len);
2381
2382 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2383 if (data) {
2384 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2385 SAFE_FREE(data);
2386 }
2387
2388 }
2389
2390 return True;
2391 }