source: branches/samba-3.0/source/rpc_server/srv_pipe.c

Last change on this file was 312, checked in by Herwig Bauernfeind, 16 years ago

Update 3.0 to final 3.0.36 (source)
File size: 67.8 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21/* this module apparently provides an implementation of DCE/RPC over a
22 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
23 * documentation are available (in on-line form) from the X-Open group.
24 *
25 * this module should provide a level of abstraction between SMB
26 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
27 * data copies, and network traffic.
28 *
29 */
30
31#include "includes.h"
32
33extern struct pipe_id_info pipe_names[];
34extern struct current_user current_user;
35
36#undef DBGC_CLASS
37#define DBGC_CLASS DBGC_RPC_SRV
38
39static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40{
41 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43 if (a) {
44 auth_ntlmssp_end(&a);
45 }
46 auth->a_u.auth_ntlmssp_state = NULL;
47}
48
49/*******************************************************************
50 Generate the next PDU to be returned from the data in p->rdata.
51 Handle NTLMSSP.
52 ********************************************************************/
53
54static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
55{
56 RPC_HDR_RESP hdr_resp;
57 uint32 ss_padding_len = 0;
58 uint32 data_space_available;
59 uint32 data_len_left;
60 uint32 data_len;
61 prs_struct outgoing_pdu;
62 NTSTATUS status;
63 DATA_BLOB auth_blob;
64 RPC_HDR_AUTH auth_info;
65 uint8 auth_type, auth_level;
66 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
67
68 /*
69 * If we're in the fault state, keep returning fault PDU's until
70 * the pipe gets closed. JRA.
71 */
72
73 if(p->fault_state) {
74 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
75 return True;
76 }
77
78 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
79
80 /* Change the incoming request header to a response. */
81 p->hdr.pkt_type = RPC_RESPONSE;
82
83 /* Set up rpc header flags. */
84 if (p->out_data.data_sent_length == 0) {
85 p->hdr.flags = RPC_FLG_FIRST;
86 } else {
87 p->hdr.flags = 0;
88 }
89
90 /*
91 * Work out how much we can fit in a single PDU.
92 */
93
94 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
95
96 /*
97 * Ensure there really is data left to send.
98 */
99
100 if(!data_len_left) {
101 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
102 return False;
103 }
104
105 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
106 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
107
108 /*
109 * The amount we send is the minimum of the available
110 * space and the amount left to send.
111 */
112
113 data_len = MIN(data_len_left, data_space_available);
114
115 /*
116 * Set up the alloc hint. This should be the data left to
117 * send.
118 */
119
120 hdr_resp.alloc_hint = data_len_left;
121
122 /*
123 * Work out if this PDU will be the last.
124 */
125
126 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
127 p->hdr.flags |= RPC_FLG_LAST;
128 if (data_len_left % 8) {
129 ss_padding_len = 8 - (data_len_left % 8);
130 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
131 ss_padding_len ));
132 }
133 }
134
135 /*
136 * Set up the header lengths.
137 */
138
139 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
140 data_len + ss_padding_len +
141 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
142 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
143
144
145 /*
146 * Init the parse struct to point at the outgoing
147 * data.
148 */
149
150 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
151 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
152
153 /* Store the header in the data stream. */
154 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
155 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
156 prs_mem_free(&outgoing_pdu);
157 return False;
158 }
159
160 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
161 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
162 prs_mem_free(&outgoing_pdu);
163 return False;
164 }
165
166 /* Copy the data into the PDU. */
167
168 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
169 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
170 prs_mem_free(&outgoing_pdu);
171 return False;
172 }
173
174 /* Copy the sign/seal padding data. */
175 if (ss_padding_len) {
176 char pad[8];
177
178 memset(pad, '\0', 8);
179 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
180 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
181 (unsigned int)ss_padding_len));
182 prs_mem_free(&outgoing_pdu);
183 return False;
184 }
185 }
186
187
188 /* Now write out the auth header and null blob. */
189 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
190 auth_type = RPC_NTLMSSP_AUTH_TYPE;
191 } else {
192 auth_type = RPC_SPNEGO_AUTH_TYPE;
193 }
194 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
195 auth_level = RPC_AUTH_LEVEL_PRIVACY;
196 } else {
197 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
198 }
199
200 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
201 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
202 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
203 prs_mem_free(&outgoing_pdu);
204 return False;
205 }
206
207 /* Generate the sign blob. */
208
209 switch (p->auth.auth_level) {
210 case PIPE_AUTH_LEVEL_PRIVACY:
211 /* Data portion is encrypted. */
212 status = ntlmssp_seal_packet(a->ntlmssp_state,
213 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
214 data_len + ss_padding_len,
215 (unsigned char *)prs_data_p(&outgoing_pdu),
216 (size_t)prs_offset(&outgoing_pdu),
217 &auth_blob);
218 if (!NT_STATUS_IS_OK(status)) {
219 data_blob_free(&auth_blob);
220 prs_mem_free(&outgoing_pdu);
221 return False;
222 }
223 break;
224 case PIPE_AUTH_LEVEL_INTEGRITY:
225 /* Data is signed. */
226 status = ntlmssp_sign_packet(a->ntlmssp_state,
227 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
228 data_len + ss_padding_len,
229 (unsigned char *)prs_data_p(&outgoing_pdu),
230 (size_t)prs_offset(&outgoing_pdu),
231 &auth_blob);
232 if (!NT_STATUS_IS_OK(status)) {
233 data_blob_free(&auth_blob);
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 break;
238 default:
239 prs_mem_free(&outgoing_pdu);
240 return False;
241 }
242
243 /* Append the auth blob. */
244 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
245 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
246 (unsigned int)NTLMSSP_SIG_SIZE));
247 data_blob_free(&auth_blob);
248 prs_mem_free(&outgoing_pdu);
249 return False;
250 }
251
252 data_blob_free(&auth_blob);
253
254 /*
255 * Setup the counts for this PDU.
256 */
257
258 p->out_data.data_sent_length += data_len;
259 p->out_data.current_pdu_len = p->hdr.frag_len;
260 p->out_data.current_pdu_sent = 0;
261
262 prs_mem_free(&outgoing_pdu);
263 return True;
264}
265
266/*******************************************************************
267 Generate the next PDU to be returned from the data in p->rdata.
268 Return an schannel authenticated fragment.
269 ********************************************************************/
270
271static BOOL create_next_pdu_schannel(pipes_struct *p)
272{
273 RPC_HDR_RESP hdr_resp;
274 uint32 ss_padding_len = 0;
275 uint32 data_len;
276 uint32 data_space_available;
277 uint32 data_len_left;
278 prs_struct outgoing_pdu;
279 uint32 data_pos;
280
281 /*
282 * If we're in the fault state, keep returning fault PDU's until
283 * the pipe gets closed. JRA.
284 */
285
286 if(p->fault_state) {
287 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
288 return True;
289 }
290
291 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
292
293 /* Change the incoming request header to a response. */
294 p->hdr.pkt_type = RPC_RESPONSE;
295
296 /* Set up rpc header flags. */
297 if (p->out_data.data_sent_length == 0) {
298 p->hdr.flags = RPC_FLG_FIRST;
299 } else {
300 p->hdr.flags = 0;
301 }
302
303 /*
304 * Work out how much we can fit in a single PDU.
305 */
306
307 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
308
309 /*
310 * Ensure there really is data left to send.
311 */
312
313 if(!data_len_left) {
314 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
315 return False;
316 }
317
318 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
319 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
320
321 /*
322 * The amount we send is the minimum of the available
323 * space and the amount left to send.
324 */
325
326 data_len = MIN(data_len_left, data_space_available);
327
328 /*
329 * Set up the alloc hint. This should be the data left to
330 * send.
331 */
332
333 hdr_resp.alloc_hint = data_len_left;
334
335 /*
336 * Work out if this PDU will be the last.
337 */
338
339 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
340 p->hdr.flags |= RPC_FLG_LAST;
341 if (data_len_left % 8) {
342 ss_padding_len = 8 - (data_len_left % 8);
343 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
344 ss_padding_len ));
345 }
346 }
347
348 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
349 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
350 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
351
352 /*
353 * Init the parse struct to point at the outgoing
354 * data.
355 */
356
357 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
358 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
359
360 /* Store the header in the data stream. */
361 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
362 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
363 prs_mem_free(&outgoing_pdu);
364 return False;
365 }
366
367 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
368 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
369 prs_mem_free(&outgoing_pdu);
370 return False;
371 }
372
373 /* Store the current offset. */
374 data_pos = prs_offset(&outgoing_pdu);
375
376 /* Copy the data into the PDU. */
377
378 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
379 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
380 prs_mem_free(&outgoing_pdu);
381 return False;
382 }
383
384 /* Copy the sign/seal padding data. */
385 if (ss_padding_len) {
386 char pad[8];
387 memset(pad, '\0', 8);
388 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
389 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
390 prs_mem_free(&outgoing_pdu);
391 return False;
392 }
393 }
394
395 {
396 /*
397 * Schannel processing.
398 */
399 char *data;
400 RPC_HDR_AUTH auth_info;
401 RPC_AUTH_SCHANNEL_CHK verf;
402
403 data = prs_data_p(&outgoing_pdu) + data_pos;
404 /* Check it's the type of reply we were expecting to decode */
405
406 init_rpc_hdr_auth(&auth_info,
407 RPC_SCHANNEL_AUTH_TYPE,
408 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
409 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
410 ss_padding_len, 1);
411
412 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
413 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
414 prs_mem_free(&outgoing_pdu);
415 return False;
416 }
417
418 schannel_encode(p->auth.a_u.schannel_auth,
419 p->auth.auth_level,
420 SENDER_IS_ACCEPTOR,
421 &verf, data, data_len + ss_padding_len);
422
423 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
424 &verf, &outgoing_pdu, 0)) {
425 prs_mem_free(&outgoing_pdu);
426 return False;
427 }
428
429 p->auth.a_u.schannel_auth->seq_num++;
430 }
431
432 /*
433 * Setup the counts for this PDU.
434 */
435
436 p->out_data.data_sent_length += data_len;
437 p->out_data.current_pdu_len = p->hdr.frag_len;
438 p->out_data.current_pdu_sent = 0;
439
440 prs_mem_free(&outgoing_pdu);
441 return True;
442}
443
444/*******************************************************************
445 Generate the next PDU to be returned from the data in p->rdata.
446 No authentication done.
447********************************************************************/
448
449static BOOL create_next_pdu_noauth(pipes_struct *p)
450{
451 RPC_HDR_RESP hdr_resp;
452 uint32 data_len;
453 uint32 data_space_available;
454 uint32 data_len_left;
455 prs_struct outgoing_pdu;
456
457 /*
458 * If we're in the fault state, keep returning fault PDU's until
459 * the pipe gets closed. JRA.
460 */
461
462 if(p->fault_state) {
463 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
464 return True;
465 }
466
467 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
468
469 /* Change the incoming request header to a response. */
470 p->hdr.pkt_type = RPC_RESPONSE;
471
472 /* Set up rpc header flags. */
473 if (p->out_data.data_sent_length == 0) {
474 p->hdr.flags = RPC_FLG_FIRST;
475 } else {
476 p->hdr.flags = 0;
477 }
478
479 /*
480 * Work out how much we can fit in a single PDU.
481 */
482
483 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
484
485 /*
486 * Ensure there really is data left to send.
487 */
488
489 if(!data_len_left) {
490 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
491 return False;
492 }
493
494 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
495
496 /*
497 * The amount we send is the minimum of the available
498 * space and the amount left to send.
499 */
500
501 data_len = MIN(data_len_left, data_space_available);
502
503 /*
504 * Set up the alloc hint. This should be the data left to
505 * send.
506 */
507
508 hdr_resp.alloc_hint = data_len_left;
509
510 /*
511 * Work out if this PDU will be the last.
512 */
513
514 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
515 p->hdr.flags |= RPC_FLG_LAST;
516 }
517
518 /*
519 * Set up the header lengths.
520 */
521
522 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
523 p->hdr.auth_len = 0;
524
525 /*
526 * Init the parse struct to point at the outgoing
527 * data.
528 */
529
530 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
531 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
532
533 /* Store the header in the data stream. */
534 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
535 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
536 prs_mem_free(&outgoing_pdu);
537 return False;
538 }
539
540 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
541 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
542 prs_mem_free(&outgoing_pdu);
543 return False;
544 }
545
546 /* Copy the data into the PDU. */
547
548 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
549 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
550 prs_mem_free(&outgoing_pdu);
551 return False;
552 }
553
554 /*
555 * Setup the counts for this PDU.
556 */
557
558 p->out_data.data_sent_length += data_len;
559 p->out_data.current_pdu_len = p->hdr.frag_len;
560 p->out_data.current_pdu_sent = 0;
561
562 prs_mem_free(&outgoing_pdu);
563 return True;
564}
565
566/*******************************************************************
567 Generate the next PDU to be returned from the data in p->rdata.
568********************************************************************/
569
570BOOL create_next_pdu(pipes_struct *p)
571{
572 switch(p->auth.auth_level) {
573 case PIPE_AUTH_LEVEL_NONE:
574 case PIPE_AUTH_LEVEL_CONNECT:
575 /* This is incorrect for auth level connect. Fixme. JRA */
576 return create_next_pdu_noauth(p);
577
578 default:
579 switch(p->auth.auth_type) {
580 case PIPE_AUTH_TYPE_NTLMSSP:
581 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
582 return create_next_pdu_ntlmssp(p);
583 case PIPE_AUTH_TYPE_SCHANNEL:
584 return create_next_pdu_schannel(p);
585 default:
586 break;
587 }
588 }
589
590 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
591 (unsigned int)p->auth.auth_level,
592 (unsigned int)p->auth.auth_type));
593 return False;
594}
595
596/*******************************************************************
597 Process an NTLMSSP authentication response.
598 If this function succeeds, the user has been authenticated
599 and their domain, name and calling workstation stored in
600 the pipe struct.
601*******************************************************************/
602
603static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
604{
605 DATA_BLOB reply;
606 NTSTATUS status;
607 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
608
609 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
610
611 ZERO_STRUCT(reply);
612
613 memset(p->user_name, '\0', sizeof(p->user_name));
614 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
615 memset(p->domain, '\0', sizeof(p->domain));
616 memset(p->wks, '\0', sizeof(p->wks));
617
618 /* Set up for non-authenticated user. */
619 TALLOC_FREE(p->pipe_user.nt_user_token);
620 p->pipe_user.ut.ngroups = 0;
621 SAFE_FREE( p->pipe_user.ut.groups);
622
623 /* this has to be done as root in order to verify the password */
624 become_root();
625 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
626 unbecome_root();
627
628 /* Don't generate a reply. */
629 data_blob_free(&reply);
630
631 if (!NT_STATUS_IS_OK(status)) {
632 return False;
633 }
634
635 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
636 ensure the underlying NTLMSSP flags are also set. If not we should
637 refuse the bind. */
638
639 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
640 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
641 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
642 "but client declined signing.\n",
643 p->name ));
644 return False;
645 }
646 }
647 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
648 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
649 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
650 "but client declined sealing.\n",
651 p->name ));
652 return False;
653 }
654 }
655
656 fstrcpy(p->user_name, a->ntlmssp_state->user);
657 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
658 fstrcpy(p->domain, a->ntlmssp_state->domain);
659 fstrcpy(p->wks, a->ntlmssp_state->workstation);
660
661 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
662 p->user_name, p->domain, p->wks));
663
664 /*
665 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
666 */
667
668 p->pipe_user.ut.uid = a->server_info->uid;
669 p->pipe_user.ut.gid = a->server_info->gid;
670
671 /*
672 * Copy the session key from the ntlmssp state.
673 */
674
675 data_blob_free(&p->session_key);
676 p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
677 if (!p->session_key.data) {
678 return False;
679 }
680
681 p->pipe_user.ut.ngroups = a->server_info->n_groups;
682 if (p->pipe_user.ut.ngroups) {
683 if (!(p->pipe_user.ut.groups = memdup(a->server_info->groups,
684 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
685 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
686 return False;
687 }
688 }
689
690 if (a->server_info->ptok) {
691 p->pipe_user.nt_user_token =
692 dup_nt_token(NULL, a->server_info->ptok);
693 } else {
694 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
695 p->pipe_user.nt_user_token = NULL;
696 return False;
697 }
698
699 return True;
700}
701
702/*******************************************************************
703 The switch table for the pipe names and the functions to handle them.
704*******************************************************************/
705
706struct rpc_table {
707 struct {
708 const char *clnt;
709 const char *srv;
710 } pipe;
711 struct api_struct *cmds;
712 int n_cmds;
713};
714
715static struct rpc_table *rpc_lookup;
716static int rpc_lookup_size;
717
718/*******************************************************************
719 This is the "stage3" NTLMSSP response after a bind request and reply.
720*******************************************************************/
721
722BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
723{
724 RPC_HDR_AUTH auth_info;
725 uint32 pad;
726 DATA_BLOB blob;
727
728 ZERO_STRUCT(blob);
729
730 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
731
732 if (p->hdr.auth_len == 0) {
733 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
734 goto err;
735 }
736
737 /* 4 bytes padding. */
738 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
739 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
740 goto err;
741 }
742
743 /*
744 * Decode the authentication verifier response.
745 */
746
747 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
748 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
749 goto err;
750 }
751
752 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
753 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
754 (unsigned int)auth_info.auth_type ));
755 return False;
756 }
757
758 blob = data_blob(NULL,p->hdr.auth_len);
759
760 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
761 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
762 (unsigned int)p->hdr.auth_len ));
763 goto err;
764 }
765
766 /*
767 * The following call actually checks the challenge/response data.
768 * for correctness against the given DOMAIN\user name.
769 */
770
771 if (!pipe_ntlmssp_verify_final(p, &blob)) {
772 goto err;
773 }
774
775 data_blob_free(&blob);
776
777 p->pipe_bound = True;
778
779 return True;
780
781 err:
782
783 data_blob_free(&blob);
784 free_pipe_ntlmssp_auth_data(&p->auth);
785 p->auth.a_u.auth_ntlmssp_state = NULL;
786
787 return False;
788}
789
790/*******************************************************************
791 Marshall a bind_nak pdu.
792*******************************************************************/
793
794static BOOL setup_bind_nak(pipes_struct *p)
795{
796 prs_struct outgoing_rpc;
797 RPC_HDR nak_hdr;
798 uint16 zero = 0;
799
800 /* Free any memory in the current return data buffer. */
801 prs_mem_free(&p->out_data.rdata);
802
803 /*
804 * Marshall directly into the outgoing PDU space. We
805 * must do this as we need to set to the bind response
806 * header and are never sending more than one PDU here.
807 */
808
809 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
810 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
811
812 /*
813 * Initialize a bind_nak header.
814 */
815
816 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
817 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
818
819 /*
820 * Marshall the header into the outgoing PDU.
821 */
822
823 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
824 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
825 prs_mem_free(&outgoing_rpc);
826 return False;
827 }
828
829 /*
830 * Now add the reject reason.
831 */
832
833 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
834 prs_mem_free(&outgoing_rpc);
835 return False;
836 }
837
838 p->out_data.data_sent_length = 0;
839 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
840 p->out_data.current_pdu_sent = 0;
841
842 if (p->auth.auth_data_free_func) {
843 (*p->auth.auth_data_free_func)(&p->auth);
844 }
845 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
846 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
847 p->pipe_bound = False;
848
849 return True;
850}
851
852/*******************************************************************
853 Marshall a fault pdu.
854*******************************************************************/
855
856BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
857{
858 prs_struct outgoing_pdu;
859 RPC_HDR fault_hdr;
860 RPC_HDR_RESP hdr_resp;
861 RPC_HDR_FAULT fault_resp;
862
863 /* Free any memory in the current return data buffer. */
864 prs_mem_free(&p->out_data.rdata);
865
866 /*
867 * Marshall directly into the outgoing PDU space. We
868 * must do this as we need to set to the bind response
869 * header and are never sending more than one PDU here.
870 */
871
872 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
873 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
874
875 /*
876 * Initialize a fault header.
877 */
878
879 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
880 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
881
882 /*
883 * Initialize the HDR_RESP and FAULT parts of the PDU.
884 */
885
886 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
887
888 fault_resp.status = status;
889 fault_resp.reserved = 0;
890
891 /*
892 * Marshall the header into the outgoing PDU.
893 */
894
895 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
896 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
897 prs_mem_free(&outgoing_pdu);
898 return False;
899 }
900
901 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
902 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
903 prs_mem_free(&outgoing_pdu);
904 return False;
905 }
906
907 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
908 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
909 prs_mem_free(&outgoing_pdu);
910 return False;
911 }
912
913 p->out_data.data_sent_length = 0;
914 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
915 p->out_data.current_pdu_sent = 0;
916
917 prs_mem_free(&outgoing_pdu);
918 return True;
919}
920
921#if 0
922/*******************************************************************
923 Marshall a cancel_ack pdu.
924 We should probably check the auth-verifier here.
925*******************************************************************/
926
927BOOL setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
928{
929 prs_struct outgoing_pdu;
930 RPC_HDR ack_reply_hdr;
931
932 /* Free any memory in the current return data buffer. */
933 prs_mem_free(&p->out_data.rdata);
934
935 /*
936 * Marshall directly into the outgoing PDU space. We
937 * must do this as we need to set to the bind response
938 * header and are never sending more than one PDU here.
939 */
940
941 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
942 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
943
944 /*
945 * Initialize a cancel_ack header.
946 */
947
948 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
949 p->hdr.call_id, RPC_HEADER_LEN, 0);
950
951 /*
952 * Marshall the header into the outgoing PDU.
953 */
954
955 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
956 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
957 prs_mem_free(&outgoing_pdu);
958 return False;
959 }
960
961 p->out_data.data_sent_length = 0;
962 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
963 p->out_data.current_pdu_sent = 0;
964
965 prs_mem_free(&outgoing_pdu);
966 return True;
967}
968#endif
969
970/*******************************************************************
971 Ensure a bind request has the correct abstract & transfer interface.
972 Used to reject unknown binds from Win2k.
973*******************************************************************/
974
975BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
976 RPC_IFACE* transfer, uint32 context_id)
977{
978 char *pipe_name = p->name;
979 int i=0;
980 fstring pname;
981
982 fstrcpy(pname,"\\PIPE\\");
983 fstrcat(pname,pipe_name);
984
985 DEBUG(3,("check_bind_req for %s\n", pname));
986
987 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
988
989 for ( i=0; pipe_names[i].client_pipe; i++ ) {
990 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
991 if ( strequal(pipe_names[i].client_pipe, pname)
992 && (abstract->version == pipe_names[i].abstr_syntax.version)
993 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
994 && (transfer->version == pipe_names[i].trans_syntax.version)
995 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
996 struct api_struct *fns = NULL;
997 int n_fns = 0;
998 PIPE_RPC_FNS *context_fns;
999
1000 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1001 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1002 return False;
1003 }
1004
1005 /* save the RPC function table associated with this bind */
1006
1007 get_pipe_fns(i, &fns, &n_fns);
1008
1009 context_fns->cmds = fns;
1010 context_fns->n_cmds = n_fns;
1011 context_fns->context_id = context_id;
1012
1013 /* add to the list of open contexts */
1014
1015 DLIST_ADD( p->contexts, context_fns );
1016
1017 break;
1018 }
1019 }
1020
1021 if(pipe_names[i].client_pipe == NULL) {
1022 return False;
1023 }
1024
1025 return True;
1026}
1027
1028/*******************************************************************
1029 Register commands to an RPC pipe
1030*******************************************************************/
1031
1032NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1033{
1034 struct rpc_table *rpc_entry;
1035
1036 if (!clnt || !srv || !cmds) {
1037 return NT_STATUS_INVALID_PARAMETER;
1038 }
1039
1040 if (version != SMB_RPC_INTERFACE_VERSION) {
1041 DEBUG(0,("Can't register rpc commands!\n"
1042 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1043 ", while this version of samba uses version %d!\n",
1044 version,SMB_RPC_INTERFACE_VERSION));
1045 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1046 }
1047
1048 /* TODO:
1049 *
1050 * we still need to make sure that don't register the same commands twice!!!
1051 *
1052 * --metze
1053 */
1054
1055 /* We use a temporary variable because this call can fail and
1056 rpc_lookup will still be valid afterwards. It could then succeed if
1057 called again later */
1058 rpc_lookup_size++;
1059 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1060 if (NULL == rpc_entry) {
1061 rpc_lookup_size--;
1062 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1063 return NT_STATUS_NO_MEMORY;
1064 } else {
1065 rpc_lookup = rpc_entry;
1066 }
1067
1068 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1069 ZERO_STRUCTP(rpc_entry);
1070 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1071 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1072 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1073 if (!rpc_entry->cmds) {
1074 return NT_STATUS_NO_MEMORY;
1075 }
1076 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1077 rpc_entry->n_cmds += size;
1078
1079 return NT_STATUS_OK;
1080}
1081
1082/*******************************************************************
1083 Handle a SPNEGO krb5 bind auth.
1084*******************************************************************/
1085
1086static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1087 DATA_BLOB *psecblob, prs_struct *pout_auth)
1088{
1089 return False;
1090}
1091
1092/*******************************************************************
1093 Handle the first part of a SPNEGO bind auth.
1094*******************************************************************/
1095
1096static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1097 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1098{
1099 DATA_BLOB blob;
1100 DATA_BLOB secblob;
1101 DATA_BLOB response;
1102 DATA_BLOB chal;
1103 char *OIDs[ASN1_MAX_OIDS];
1104 int i;
1105 NTSTATUS status;
1106 BOOL got_kerberos_mechanism = False;
1107 AUTH_NTLMSSP_STATE *a = NULL;
1108 RPC_HDR_AUTH auth_info;
1109
1110 ZERO_STRUCT(secblob);
1111 ZERO_STRUCT(chal);
1112 ZERO_STRUCT(response);
1113
1114 /* Grab the SPNEGO blob. */
1115 blob = data_blob(NULL,p->hdr.auth_len);
1116
1117 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1118 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1119 (unsigned int)p->hdr.auth_len ));
1120 goto err;
1121 }
1122
1123 if (blob.data[0] != ASN1_APPLICATION(0)) {
1124 goto err;
1125 }
1126
1127 /* parse out the OIDs and the first sec blob */
1128 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1129 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1130 goto err;
1131 }
1132
1133 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1134 got_kerberos_mechanism = True;
1135 }
1136
1137 for (i=0;OIDs[i];i++) {
1138 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1139 SAFE_FREE(OIDs[i]);
1140 }
1141 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1142
1143 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1144 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1145 data_blob_free(&secblob);
1146 data_blob_free(&blob);
1147 return ret;
1148 }
1149
1150 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1151 /* Free any previous auth type. */
1152 free_pipe_ntlmssp_auth_data(&p->auth);
1153 }
1154
1155 /* Initialize the NTLM engine. */
1156 status = auth_ntlmssp_start(&a);
1157 if (!NT_STATUS_IS_OK(status)) {
1158 goto err;
1159 }
1160
1161 /*
1162 * Pass the first security blob of data to it.
1163 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1164 * which means we need another packet to complete the bind.
1165 */
1166
1167 status = auth_ntlmssp_update(a, secblob, &chal);
1168
1169 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1170 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1171 goto err;
1172 }
1173
1174 /* Generate the response blob we need for step 2 of the bind. */
1175 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1176
1177 /* Copy the blob into the pout_auth parse struct */
1178 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1179 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1180 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1181 goto err;
1182 }
1183
1184 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1185 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1186 goto err;
1187 }
1188
1189 p->auth.a_u.auth_ntlmssp_state = a;
1190 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1191 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1192
1193 data_blob_free(&blob);
1194 data_blob_free(&secblob);
1195 data_blob_free(&chal);
1196 data_blob_free(&response);
1197
1198 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1199 return True;
1200
1201 err:
1202
1203 data_blob_free(&blob);
1204 data_blob_free(&secblob);
1205 data_blob_free(&chal);
1206 data_blob_free(&response);
1207
1208 p->auth.a_u.auth_ntlmssp_state = NULL;
1209
1210 return False;
1211}
1212
1213/*******************************************************************
1214 Handle the second part of a SPNEGO bind auth.
1215*******************************************************************/
1216
1217static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1218 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1219{
1220 RPC_HDR_AUTH auth_info;
1221 DATA_BLOB spnego_blob;
1222 DATA_BLOB auth_blob;
1223 DATA_BLOB auth_reply;
1224 DATA_BLOB response;
1225 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1226
1227 ZERO_STRUCT(spnego_blob);
1228 ZERO_STRUCT(auth_blob);
1229 ZERO_STRUCT(auth_reply);
1230 ZERO_STRUCT(response);
1231
1232 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1233 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1234 goto err;
1235 }
1236
1237 /* Grab the SPNEGO blob. */
1238 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1239
1240 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1241 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1242 (unsigned int)p->hdr.auth_len ));
1243 goto err;
1244 }
1245
1246 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1247 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1248 goto err;
1249 }
1250
1251 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1252 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1253 goto err;
1254 }
1255
1256 /*
1257 * The following call actually checks the challenge/response data.
1258 * for correctness against the given DOMAIN\user name.
1259 */
1260
1261 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1262 goto err;
1263 }
1264
1265 data_blob_free(&spnego_blob);
1266 data_blob_free(&auth_blob);
1267
1268 /* Generate the spnego "accept completed" blob - no incoming data. */
1269 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1270
1271 /* Copy the blob into the pout_auth parse struct */
1272 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1273 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1274 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1275 goto err;
1276 }
1277
1278 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1279 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1280 goto err;
1281 }
1282
1283 data_blob_free(&auth_reply);
1284 data_blob_free(&response);
1285
1286 p->pipe_bound = True;
1287
1288 return True;
1289
1290 err:
1291
1292 data_blob_free(&spnego_blob);
1293 data_blob_free(&auth_blob);
1294 data_blob_free(&auth_reply);
1295 data_blob_free(&response);
1296
1297 free_pipe_ntlmssp_auth_data(&p->auth);
1298 p->auth.a_u.auth_ntlmssp_state = NULL;
1299
1300 return False;
1301}
1302
1303/*******************************************************************
1304 Handle an schannel bind auth.
1305*******************************************************************/
1306
1307static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1308 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1309{
1310 RPC_HDR_AUTH auth_info;
1311 RPC_AUTH_SCHANNEL_NEG neg;
1312 RPC_AUTH_VERIFIER auth_verifier;
1313 BOOL ret;
1314 struct dcinfo *pdcinfo;
1315 uint32 flags;
1316
1317 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1318 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1319 return False;
1320 }
1321
1322 /*
1323 * The neg.myname key here must match the remote computer name
1324 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1325 * operations that use credentials.
1326 */
1327
1328 become_root();
1329 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1330 unbecome_root();
1331
1332 if (!ret) {
1333 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1334 return False;
1335 }
1336
1337 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1338 if (!p->auth.a_u.schannel_auth) {
1339 TALLOC_FREE(pdcinfo);
1340 return False;
1341 }
1342
1343 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1344 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1345 sizeof(pdcinfo->sess_key));
1346
1347 TALLOC_FREE(pdcinfo);
1348
1349 p->auth.a_u.schannel_auth->seq_num = 0;
1350
1351 /*
1352 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1353 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1354 * struct of the person who opened the pipe. I need to test this further. JRA.
1355 */
1356
1357 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1358 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1359 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1360 return False;
1361 }
1362
1363 /*** SCHANNEL verifier ***/
1364
1365 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1366 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1367 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1368 return False;
1369 }
1370
1371 prs_align(pout_auth);
1372
1373 flags = 5;
1374 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1375 return False;
1376 }
1377
1378 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1379 neg.domain, neg.myname));
1380
1381 /* We're finished with this bind - no more packets. */
1382 p->auth.auth_data_free_func = NULL;
1383 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1384
1385 p->pipe_bound = True;
1386
1387 return True;
1388}
1389
1390/*******************************************************************
1391 Handle an NTLMSSP bind auth.
1392*******************************************************************/
1393
1394static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1395 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1396{
1397 RPC_HDR_AUTH auth_info;
1398 DATA_BLOB blob;
1399 DATA_BLOB response;
1400 NTSTATUS status;
1401 AUTH_NTLMSSP_STATE *a = NULL;
1402
1403 ZERO_STRUCT(blob);
1404 ZERO_STRUCT(response);
1405
1406 /* Grab the NTLMSSP blob. */
1407 blob = data_blob(NULL,p->hdr.auth_len);
1408
1409 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1410 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1411 (unsigned int)p->hdr.auth_len ));
1412 goto err;
1413 }
1414
1415 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1416 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1417 goto err;
1418 }
1419
1420 /* We have an NTLMSSP blob. */
1421 status = auth_ntlmssp_start(&a);
1422 if (!NT_STATUS_IS_OK(status)) {
1423 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1424 nt_errstr(status) ));
1425 goto err;
1426 }
1427
1428 status = auth_ntlmssp_update(a, blob, &response);
1429 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1430 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1431 nt_errstr(status) ));
1432 goto err;
1433 }
1434
1435 data_blob_free(&blob);
1436
1437 /* Copy the blob into the pout_auth parse struct */
1438 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1439 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1440 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1441 goto err;
1442 }
1443
1444 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1445 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1446 goto err;
1447 }
1448
1449 p->auth.a_u.auth_ntlmssp_state = a;
1450 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1451 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1452
1453 data_blob_free(&blob);
1454 data_blob_free(&response);
1455
1456 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1457
1458 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1459 return True;
1460
1461 err:
1462
1463 data_blob_free(&blob);
1464 data_blob_free(&response);
1465
1466 free_pipe_ntlmssp_auth_data(&p->auth);
1467 p->auth.a_u.auth_ntlmssp_state = NULL;
1468 return False;
1469}
1470
1471/*******************************************************************
1472 Respond to a pipe bind request.
1473*******************************************************************/
1474
1475BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1476{
1477 RPC_HDR_BA hdr_ba;
1478 RPC_HDR_RB hdr_rb;
1479 RPC_HDR_AUTH auth_info;
1480 uint16 assoc_gid;
1481 fstring ack_pipe_name;
1482 prs_struct out_hdr_ba;
1483 prs_struct out_auth;
1484 prs_struct outgoing_rpc;
1485 int i = 0;
1486 int auth_len = 0;
1487 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1488
1489 /* No rebinds on a bound pipe - use alter context. */
1490 if (p->pipe_bound) {
1491 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1492 return setup_bind_nak(p);
1493 }
1494
1495 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1496
1497 /*
1498 * Marshall directly into the outgoing PDU space. We
1499 * must do this as we need to set to the bind response
1500 * header and are never sending more than one PDU here.
1501 */
1502
1503 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1504
1505 /*
1506 * Setup the memory to marshall the ba header, and the
1507 * auth footers.
1508 */
1509
1510 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1511 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1512 prs_mem_free(&outgoing_rpc);
1513 return False;
1514 }
1515
1516 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1517 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1518 prs_mem_free(&outgoing_rpc);
1519 prs_mem_free(&out_hdr_ba);
1520 return False;
1521 }
1522
1523 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1524
1525 /*
1526 * Try and find the correct pipe name to ensure
1527 * that this is a pipe name we support.
1528 */
1529
1530
1531 for (i = 0; i < rpc_lookup_size; i++) {
1532 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1533 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1534 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1535 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1536 break;
1537 }
1538 }
1539
1540 if (i == rpc_lookup_size) {
1541 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1542 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1543 p->name ));
1544 prs_mem_free(&outgoing_rpc);
1545 prs_mem_free(&out_hdr_ba);
1546 prs_mem_free(&out_auth);
1547
1548 return setup_bind_nak(p);
1549 }
1550
1551 for (i = 0; i < rpc_lookup_size; i++) {
1552 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1553 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1554 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1555 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1556 break;
1557 }
1558 }
1559
1560 if (i == rpc_lookup_size) {
1561 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1562 goto err_exit;
1563 }
1564 }
1565
1566 /* decode the bind request */
1567 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1568 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1569 goto err_exit;
1570 }
1571
1572 /* name has to be \PIPE\xxxxx */
1573 fstrcpy(ack_pipe_name, "\\PIPE\\");
1574 fstrcat(ack_pipe_name, p->pipe_srv_name);
1575
1576 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1577
1578 /*
1579 * Check if this is an authenticated bind request.
1580 */
1581
1582 if (p->hdr.auth_len) {
1583 /*
1584 * Decode the authentication verifier.
1585 */
1586
1587 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1588 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1589 goto err_exit;
1590 }
1591
1592 auth_type = auth_info.auth_type;
1593
1594 /* Work out if we have to sign or seal etc. */
1595 switch (auth_info.auth_level) {
1596 case RPC_AUTH_LEVEL_INTEGRITY:
1597 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1598 break;
1599 case RPC_AUTH_LEVEL_PRIVACY:
1600 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1601 break;
1602 default:
1603 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1604 (unsigned int)auth_info.auth_level ));
1605 goto err_exit;
1606 }
1607 } else {
1608 ZERO_STRUCT(auth_info);
1609 }
1610
1611 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1612
1613 switch(auth_type) {
1614 case RPC_NTLMSSP_AUTH_TYPE:
1615 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1616 goto err_exit;
1617 }
1618 assoc_gid = 0x7a77;
1619 break;
1620
1621 case RPC_SCHANNEL_AUTH_TYPE:
1622 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1623 goto err_exit;
1624 }
1625 break;
1626
1627 case RPC_SPNEGO_AUTH_TYPE:
1628 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1629 goto err_exit;
1630 }
1631 break;
1632
1633 case RPC_ANONYMOUS_AUTH_TYPE:
1634 /* Unauthenticated bind request. */
1635 /* We're finished - no more packets. */
1636 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1637 /* We must set the pipe auth_level here also. */
1638 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1639 p->pipe_bound = True;
1640 break;
1641
1642 default:
1643 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1644 goto err_exit;
1645 }
1646
1647 /*
1648 * Create the bind response struct.
1649 */
1650
1651 /* If the requested abstract synt uuid doesn't match our client pipe,
1652 reject the bind_ack & set the transfer interface synt to all 0's,
1653 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1654 unknown to NT4)
1655 Needed when adding entries to a DACL from NT5 - SK */
1656
1657 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1658 hdr_rb.rpc_context[0].context_id )) {
1659 init_rpc_hdr_ba(&hdr_ba,
1660 RPC_MAX_PDU_FRAG_LEN,
1661 RPC_MAX_PDU_FRAG_LEN,
1662 assoc_gid,
1663 ack_pipe_name,
1664 0x1, 0x0, 0x0,
1665 &hdr_rb.rpc_context[0].transfer[0]);
1666 } else {
1667 RPC_IFACE null_interface;
1668 ZERO_STRUCT(null_interface);
1669 /* Rejection reason: abstract syntax not supported */
1670 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1671 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1672 ack_pipe_name, 0x1, 0x2, 0x1,
1673 &null_interface);
1674 p->pipe_bound = False;
1675 }
1676
1677 /*
1678 * and marshall it.
1679 */
1680
1681 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1682 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1683 goto err_exit;
1684 }
1685
1686 /*
1687 * Create the header, now we know the length.
1688 */
1689
1690 if (prs_offset(&out_auth)) {
1691 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1692 }
1693
1694 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1695 p->hdr.call_id,
1696 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1697 auth_len);
1698
1699 /*
1700 * Marshall the header into the outgoing PDU.
1701 */
1702
1703 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1704 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1705 goto err_exit;
1706 }
1707
1708 /*
1709 * Now add the RPC_HDR_BA and any auth needed.
1710 */
1711
1712 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1713 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1714 goto err_exit;
1715 }
1716
1717 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1718 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1719 goto err_exit;
1720 }
1721
1722 /*
1723 * Setup the lengths for the initial reply.
1724 */
1725
1726 p->out_data.data_sent_length = 0;
1727 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1728 p->out_data.current_pdu_sent = 0;
1729
1730 prs_mem_free(&out_hdr_ba);
1731 prs_mem_free(&out_auth);
1732
1733 return True;
1734
1735 err_exit:
1736
1737 prs_mem_free(&outgoing_rpc);
1738 prs_mem_free(&out_hdr_ba);
1739 prs_mem_free(&out_auth);
1740 return setup_bind_nak(p);
1741}
1742
1743/****************************************************************************
1744 Deal with an alter context call. Can be third part of 3 leg auth request for
1745 SPNEGO calls.
1746****************************************************************************/
1747
1748BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1749{
1750 RPC_HDR_BA hdr_ba;
1751 RPC_HDR_RB hdr_rb;
1752 RPC_HDR_AUTH auth_info;
1753 uint16 assoc_gid;
1754 fstring ack_pipe_name;
1755 prs_struct out_hdr_ba;
1756 prs_struct out_auth;
1757 prs_struct outgoing_rpc;
1758 int auth_len = 0;
1759
1760 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1761
1762 /*
1763 * Marshall directly into the outgoing PDU space. We
1764 * must do this as we need to set to the bind response
1765 * header and are never sending more than one PDU here.
1766 */
1767
1768 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1769
1770 /*
1771 * Setup the memory to marshall the ba header, and the
1772 * auth footers.
1773 */
1774
1775 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1776 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1777 prs_mem_free(&outgoing_rpc);
1778 return False;
1779 }
1780
1781 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1782 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1783 prs_mem_free(&outgoing_rpc);
1784 prs_mem_free(&out_hdr_ba);
1785 return False;
1786 }
1787
1788 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1789
1790 /* decode the alter context request */
1791 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1792 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1793 goto err_exit;
1794 }
1795
1796 /* secondary address CAN be NULL
1797 * as the specs say it's ignored.
1798 * It MUST be NULL to have the spoolss working.
1799 */
1800 fstrcpy(ack_pipe_name,"");
1801
1802 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1803
1804 /*
1805 * Check if this is an authenticated alter context request.
1806 */
1807
1808 if (p->hdr.auth_len != 0) {
1809 /*
1810 * Decode the authentication verifier.
1811 */
1812
1813 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1814 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1815 goto err_exit;
1816 }
1817
1818 /*
1819 * Currently only the SPNEGO auth type uses the alter ctx
1820 * response in place of the NTLMSSP auth3 type.
1821 */
1822
1823 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1824 /* We can only finish if the pipe is unbound. */
1825 if (!p->pipe_bound) {
1826 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1827 goto err_exit;
1828 }
1829 } else {
1830 goto err_exit;
1831 }
1832 }
1833 } else {
1834 ZERO_STRUCT(auth_info);
1835 }
1836
1837 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1838
1839 /*
1840 * Create the bind response struct.
1841 */
1842
1843 /* If the requested abstract synt uuid doesn't match our client pipe,
1844 reject the bind_ack & set the transfer interface synt to all 0's,
1845 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1846 unknown to NT4)
1847 Needed when adding entries to a DACL from NT5 - SK */
1848
1849 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1850 hdr_rb.rpc_context[0].context_id )) {
1851 init_rpc_hdr_ba(&hdr_ba,
1852 RPC_MAX_PDU_FRAG_LEN,
1853 RPC_MAX_PDU_FRAG_LEN,
1854 assoc_gid,
1855 ack_pipe_name,
1856 0x1, 0x0, 0x0,
1857 &hdr_rb.rpc_context[0].transfer[0]);
1858 } else {
1859 RPC_IFACE null_interface;
1860 ZERO_STRUCT(null_interface);
1861 /* Rejection reason: abstract syntax not supported */
1862 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1863 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1864 ack_pipe_name, 0x1, 0x2, 0x1,
1865 &null_interface);
1866 p->pipe_bound = False;
1867 }
1868
1869 /*
1870 * and marshall it.
1871 */
1872
1873 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1874 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1875 goto err_exit;
1876 }
1877
1878 /*
1879 * Create the header, now we know the length.
1880 */
1881
1882 if (prs_offset(&out_auth)) {
1883 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1884 }
1885
1886 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1887 p->hdr.call_id,
1888 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1889 auth_len);
1890
1891 /*
1892 * Marshall the header into the outgoing PDU.
1893 */
1894
1895 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1896 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1897 goto err_exit;
1898 }
1899
1900 /*
1901 * Now add the RPC_HDR_BA and any auth needed.
1902 */
1903
1904 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1905 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1906 goto err_exit;
1907 }
1908
1909 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1910 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1911 goto err_exit;
1912 }
1913
1914 /*
1915 * Setup the lengths for the initial reply.
1916 */
1917
1918 p->out_data.data_sent_length = 0;
1919 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1920 p->out_data.current_pdu_sent = 0;
1921
1922 prs_mem_free(&out_hdr_ba);
1923 prs_mem_free(&out_auth);
1924
1925 return True;
1926
1927 err_exit:
1928
1929 prs_mem_free(&outgoing_rpc);
1930 prs_mem_free(&out_hdr_ba);
1931 prs_mem_free(&out_auth);
1932 return setup_bind_nak(p);
1933}
1934
1935/****************************************************************************
1936 Deal with NTLMSSP sign & seal processing on an RPC request.
1937****************************************************************************/
1938
1939BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1940 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1941{
1942 RPC_HDR_AUTH auth_info;
1943 uint32 auth_len = p->hdr.auth_len;
1944 uint32 save_offset = prs_offset(rpc_in);
1945 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1946 unsigned char *data = NULL;
1947 size_t data_len;
1948 unsigned char *full_packet_data = NULL;
1949 size_t full_packet_data_len;
1950 DATA_BLOB auth_blob;
1951
1952 *pstatus = NT_STATUS_OK;
1953
1954 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1955 return True;
1956 }
1957
1958 if (!a) {
1959 *pstatus = NT_STATUS_INVALID_PARAMETER;
1960 return False;
1961 }
1962
1963 /* Ensure there's enough data for an authenticated request. */
1964 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1965 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1966 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1967 (unsigned int)auth_len ));
1968 *pstatus = NT_STATUS_INVALID_PARAMETER;
1969 return False;
1970 }
1971
1972 /*
1973 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1974 * after the RPC header.
1975 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1976 * functions as NTLMv2 checks the rpc headers also.
1977 */
1978
1979 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
1980 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
1981
1982 full_packet_data = p->in_data.current_in_pdu;
1983 full_packet_data_len = p->hdr.frag_len - auth_len;
1984
1985 /* Pull the auth header and the following data into a blob. */
1986 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1987 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
1988 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
1989 *pstatus = NT_STATUS_INVALID_PARAMETER;
1990 return False;
1991 }
1992
1993 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1994 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1995 *pstatus = NT_STATUS_INVALID_PARAMETER;
1996 return False;
1997 }
1998
1999 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2000 auth_blob.length = auth_len;
2001
2002 switch (p->auth.auth_level) {
2003 case PIPE_AUTH_LEVEL_PRIVACY:
2004 /* Data is encrypted. */
2005 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2006 data, data_len,
2007 full_packet_data,
2008 full_packet_data_len,
2009 &auth_blob);
2010 if (!NT_STATUS_IS_OK(*pstatus)) {
2011 return False;
2012 }
2013 break;
2014 case PIPE_AUTH_LEVEL_INTEGRITY:
2015 /* Data is signed. */
2016 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2017 data, data_len,
2018 full_packet_data,
2019 full_packet_data_len,
2020 &auth_blob);
2021 if (!NT_STATUS_IS_OK(*pstatus)) {
2022 return False;
2023 }
2024 break;
2025 default:
2026 *pstatus = NT_STATUS_INVALID_PARAMETER;
2027 return False;
2028 }
2029
2030 /*
2031 * Return the current pointer to the data offset.
2032 */
2033
2034 if(!prs_set_offset(rpc_in, save_offset)) {
2035 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2036 (unsigned int)save_offset ));
2037 *pstatus = NT_STATUS_INVALID_PARAMETER;
2038 return False;
2039 }
2040
2041 /*
2042 * Remember the padding length. We must remove it from the real data
2043 * stream once the sign/seal is done.
2044 */
2045
2046 *p_ss_padding_len = auth_info.auth_pad_len;
2047
2048 return True;
2049}
2050
2051/****************************************************************************
2052 Deal with schannel processing on an RPC request.
2053****************************************************************************/
2054
2055BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2056{
2057 uint32 data_len;
2058 uint32 auth_len;
2059 uint32 save_offset = prs_offset(rpc_in);
2060 RPC_HDR_AUTH auth_info;
2061 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2062
2063 auth_len = p->hdr.auth_len;
2064
2065 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2066 auth_len > RPC_HEADER_LEN +
2067 RPC_HDR_REQ_LEN +
2068 RPC_HDR_AUTH_LEN +
2069 auth_len) {
2070 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2071 return False;
2072 }
2073
2074 /*
2075 * The following is that length of the data we must verify or unseal.
2076 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2077 * preceeding the auth_data.
2078 */
2079
2080 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2081 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2082 (unsigned int)p->hdr.frag_len,
2083 (unsigned int)auth_len ));
2084 return False;
2085 }
2086
2087 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2088 RPC_HDR_AUTH_LEN - auth_len;
2089
2090 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2091
2092 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2093 DEBUG(0,("cannot move offset to %u.\n",
2094 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2095 return False;
2096 }
2097
2098 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2099 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2100 return False;
2101 }
2102
2103 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2104 DEBUG(0,("Invalid auth info %d on schannel\n",
2105 auth_info.auth_type));
2106 return False;
2107 }
2108
2109 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2110 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2111 return False;
2112 }
2113
2114 if (!schannel_decode(p->auth.a_u.schannel_auth,
2115 p->auth.auth_level,
2116 SENDER_IS_INITIATOR,
2117 &schannel_chk,
2118 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2119 DEBUG(3,("failed to decode PDU\n"));
2120 return False;
2121 }
2122
2123 /*
2124 * Return the current pointer to the data offset.
2125 */
2126
2127 if(!prs_set_offset(rpc_in, save_offset)) {
2128 DEBUG(0,("failed to set offset back to %u\n",
2129 (unsigned int)save_offset ));
2130 return False;
2131 }
2132
2133 /* The sequence number gets incremented on both send and receive. */
2134 p->auth.a_u.schannel_auth->seq_num++;
2135
2136 /*
2137 * Remember the padding length. We must remove it from the real data
2138 * stream once the sign/seal is done.
2139 */
2140
2141 *p_ss_padding_len = auth_info.auth_pad_len;
2142
2143 return True;
2144}
2145
2146/****************************************************************************
2147 Return a user struct for a pipe user.
2148****************************************************************************/
2149
2150struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2151{
2152 if (p->pipe_bound &&
2153 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2154 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2155 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2156 } else {
2157 memcpy(user, &current_user, sizeof(struct current_user));
2158 }
2159
2160 return user;
2161}
2162
2163/****************************************************************************
2164 Find the set of RPC functions associated with this context_id
2165****************************************************************************/
2166
2167static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2168{
2169 PIPE_RPC_FNS *fns = NULL;
2170 PIPE_RPC_FNS *tmp = NULL;
2171
2172 if ( !list ) {
2173 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2174 return NULL;
2175 }
2176
2177 for (tmp=list; tmp; tmp=tmp->next ) {
2178 if ( tmp->context_id == context_id )
2179 break;
2180 }
2181
2182 fns = tmp;
2183
2184 return fns;
2185}
2186
2187/****************************************************************************
2188 Memory cleanup.
2189****************************************************************************/
2190
2191void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2192{
2193 PIPE_RPC_FNS *tmp = list;
2194 PIPE_RPC_FNS *tmp2;
2195
2196 while (tmp) {
2197 tmp2 = tmp->next;
2198 SAFE_FREE(tmp);
2199 tmp = tmp2;
2200 }
2201
2202 return;
2203}
2204
2205/****************************************************************************
2206 Find the correct RPC function to call for this request.
2207 If the pipe is authenticated then become the correct UNIX user
2208 before doing the call.
2209****************************************************************************/
2210
2211BOOL api_pipe_request(pipes_struct *p)
2212{
2213 BOOL ret = False;
2214 BOOL changed_user = False;
2215 PIPE_RPC_FNS *pipe_fns;
2216
2217 if (p->pipe_bound &&
2218 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2219 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2220 if(!become_authenticated_pipe_user(p)) {
2221 prs_mem_free(&p->out_data.rdata);
2222 return False;
2223 }
2224 changed_user = True;
2225 }
2226
2227 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2228
2229 /* get the set of RPC functions for this context */
2230
2231 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2232
2233 if ( pipe_fns ) {
2234 set_current_rpc_talloc(p->mem_ctx);
2235 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2236 set_current_rpc_talloc(NULL);
2237 }
2238 else {
2239 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2240 p->hdr_req.context_id, p->name));
2241 }
2242
2243 if (changed_user) {
2244 unbecome_authenticated_pipe_user();
2245 }
2246
2247 return ret;
2248}
2249
2250/*******************************************************************
2251 Calls the underlying RPC function for a named pipe.
2252 ********************************************************************/
2253
2254BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
2255 const struct api_struct *api_rpc_cmds, int n_cmds)
2256{
2257 int fn_num;
2258 fstring name;
2259 uint32 offset1, offset2;
2260
2261 /* interpret the command */
2262 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2263
2264 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2265 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2266
2267 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2268 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2269 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2270 break;
2271 }
2272 }
2273
2274 if (fn_num == n_cmds) {
2275 /*
2276 * For an unknown RPC just return a fault PDU but
2277 * return True to allow RPC's on the pipe to continue
2278 * and not put the pipe into fault state. JRA.
2279 */
2280 DEBUG(4, ("unknown\n"));
2281 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2282 return True;
2283 }
2284
2285 offset1 = prs_offset(&p->out_data.rdata);
2286
2287 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2288 fn_num, api_rpc_cmds[fn_num].fn));
2289 /* do the actual command */
2290 if(!api_rpc_cmds[fn_num].fn(p)) {
2291 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2292 prs_mem_free(&p->out_data.rdata);
2293 return False;
2294 }
2295
2296 if (p->bad_handle_fault_state) {
2297 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2298 p->bad_handle_fault_state = False;
2299 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2300 return True;
2301 }
2302
2303 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2304 offset2 = prs_offset(&p->out_data.rdata);
2305 prs_set_offset(&p->out_data.rdata, offset1);
2306 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2307 prs_set_offset(&p->out_data.rdata, offset2);
2308
2309 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2310
2311 /* Check for buffer underflow in rpc parsing */
2312
2313 if ((DEBUGLEVEL >= 10) &&
2314 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2315 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2316 char *data = SMB_MALLOC(data_len);
2317
2318 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2319 if (data) {
2320 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2321 SAFE_FREE(data);
2322 }
2323
2324 }
2325
2326 return True;
2327}
2328
2329/*******************************************************************
2330*******************************************************************/
2331
2332void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2333{
2334 struct api_struct *cmds = NULL;
2335 int n_cmds = 0;
2336
2337 switch ( idx ) {
2338 case PI_LSARPC:
2339 lsa_get_pipe_fns( &cmds, &n_cmds );
2340 break;
2341 case PI_LSARPC_DS:
2342 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2343 break;
2344 case PI_SAMR:
2345 samr_get_pipe_fns( &cmds, &n_cmds );
2346 break;
2347 case PI_NETLOGON:
2348 netlog_get_pipe_fns( &cmds, &n_cmds );
2349 break;
2350 case PI_SRVSVC:
2351 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2352 break;
2353 case PI_WKSSVC:
2354 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2355 break;
2356 case PI_WINREG:
2357 reg_get_pipe_fns( &cmds, &n_cmds );
2358 break;
2359 case PI_SPOOLSS:
2360 spoolss_get_pipe_fns( &cmds, &n_cmds );
2361 break;
2362 case PI_NETDFS:
2363 netdfs_get_pipe_fns( &cmds, &n_cmds );
2364 break;
2365 case PI_SVCCTL:
2366 svcctl_get_pipe_fns( &cmds, &n_cmds );
2367 break;
2368 case PI_EVENTLOG:
2369 eventlog_get_pipe_fns( &cmds, &n_cmds );
2370 break;
2371 case PI_NTSVCS:
2372 ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2373 break;
2374#ifdef DEVELOPER
2375 case PI_ECHO:
2376 echo_get_pipe_fns( &cmds, &n_cmds );
2377 break;
2378#endif
2379 default:
2380 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2381 }
2382
2383 *fns = cmds;
2384 *n_fns = n_cmds;
2385
2386 return;
2387}
Note: See TracBrowser for help on using the repository browser.