source: branches/samba-3.2.x/source/rpc_server/srv_pipe.c

Last change on this file was 233, checked in by Herwig Bauernfeind, 16 years ago

Update 3.2 branch to 3.2.9
File size: 69.0 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20/* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30#include "includes.h"
31
32extern struct pipe_id_info pipe_names[];
33extern struct current_user current_user;
34
35#undef DBGC_CLASS
36#define DBGC_CLASS DBGC_RPC_SRV
37
38static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39{
40 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41
42 if (a) {
43 auth_ntlmssp_end(&a);
44 }
45 auth->a_u.auth_ntlmssp_state = NULL;
46}
47
48static DATA_BLOB generic_session_key(void)
49{
50 return data_blob("SystemLibraryDTC", 16);
51}
52
53/*******************************************************************
54 Generate the next PDU to be returned from the data in p->rdata.
55 Handle NTLMSSP.
56 ********************************************************************/
57
58static bool create_next_pdu_ntlmssp(pipes_struct *p)
59{
60 RPC_HDR_RESP hdr_resp;
61 uint32 ss_padding_len = 0;
62 uint32 data_space_available;
63 uint32 data_len_left;
64 uint32 data_len;
65 prs_struct outgoing_pdu;
66 NTSTATUS status;
67 DATA_BLOB auth_blob;
68 RPC_HDR_AUTH auth_info;
69 uint8 auth_type, auth_level;
70 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72 /*
73 * If we're in the fault state, keep returning fault PDU's until
74 * the pipe gets closed. JRA.
75 */
76
77 if(p->fault_state) {
78 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79 return True;
80 }
81
82 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84 /* Change the incoming request header to a response. */
85 p->hdr.pkt_type = RPC_RESPONSE;
86
87 /* Set up rpc header flags. */
88 if (p->out_data.data_sent_length == 0) {
89 p->hdr.flags = RPC_FLG_FIRST;
90 } else {
91 p->hdr.flags = 0;
92 }
93
94 /*
95 * Work out how much we can fit in a single PDU.
96 */
97
98 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100 /*
101 * Ensure there really is data left to send.
102 */
103
104 if(!data_len_left) {
105 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106 return False;
107 }
108
109 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
110 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112 /*
113 * The amount we send is the minimum of the available
114 * space and the amount left to send.
115 */
116
117 data_len = MIN(data_len_left, data_space_available);
118
119 /*
120 * Set up the alloc hint. This should be the data left to
121 * send.
122 */
123
124 hdr_resp.alloc_hint = data_len_left;
125
126 /*
127 * Work out if this PDU will be the last.
128 */
129
130 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131 p->hdr.flags |= RPC_FLG_LAST;
132 if (data_len_left % 8) {
133 ss_padding_len = 8 - (data_len_left % 8);
134 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135 ss_padding_len ));
136 }
137 }
138
139 /*
140 * Set up the header lengths.
141 */
142
143 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144 data_len + ss_padding_len +
145 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149 /*
150 * Init the parse struct to point at the outgoing
151 * data.
152 */
153
154 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
155 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
156
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&outgoing_pdu);
161 return False;
162 }
163
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&outgoing_pdu);
167 return False;
168 }
169
170 /* Copy the data into the PDU. */
171
172 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
173 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174 prs_mem_free(&outgoing_pdu);
175 return False;
176 }
177
178 /* Copy the sign/seal padding data. */
179 if (ss_padding_len) {
180 char pad[8];
181
182 memset(pad, '\0', 8);
183 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
184 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
185 (unsigned int)ss_padding_len));
186 prs_mem_free(&outgoing_pdu);
187 return False;
188 }
189 }
190
191
192 /* Now write out the auth header and null blob. */
193 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
194 auth_type = RPC_NTLMSSP_AUTH_TYPE;
195 } else {
196 auth_type = RPC_SPNEGO_AUTH_TYPE;
197 }
198 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
199 auth_level = RPC_AUTH_LEVEL_PRIVACY;
200 } else {
201 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
202 }
203
204 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
205 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
206 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207 prs_mem_free(&outgoing_pdu);
208 return False;
209 }
210
211 /* Generate the sign blob. */
212
213 switch (p->auth.auth_level) {
214 case PIPE_AUTH_LEVEL_PRIVACY:
215 /* Data portion is encrypted. */
216 status = ntlmssp_seal_packet(a->ntlmssp_state,
217 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
218 data_len + ss_padding_len,
219 (unsigned char *)prs_data_p(&outgoing_pdu),
220 (size_t)prs_offset(&outgoing_pdu),
221 &auth_blob);
222 if (!NT_STATUS_IS_OK(status)) {
223 data_blob_free(&auth_blob);
224 prs_mem_free(&outgoing_pdu);
225 return False;
226 }
227 break;
228 case PIPE_AUTH_LEVEL_INTEGRITY:
229 /* Data is signed. */
230 status = ntlmssp_sign_packet(a->ntlmssp_state,
231 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232 data_len + ss_padding_len,
233 (unsigned char *)prs_data_p(&outgoing_pdu),
234 (size_t)prs_offset(&outgoing_pdu),
235 &auth_blob);
236 if (!NT_STATUS_IS_OK(status)) {
237 data_blob_free(&auth_blob);
238 prs_mem_free(&outgoing_pdu);
239 return False;
240 }
241 break;
242 default:
243 prs_mem_free(&outgoing_pdu);
244 return False;
245 }
246
247 /* Append the auth blob. */
248 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
249 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
250 (unsigned int)NTLMSSP_SIG_SIZE));
251 data_blob_free(&auth_blob);
252 prs_mem_free(&outgoing_pdu);
253 return False;
254 }
255
256 data_blob_free(&auth_blob);
257
258 /*
259 * Setup the counts for this PDU.
260 */
261
262 p->out_data.data_sent_length += data_len;
263 p->out_data.current_pdu_len = p->hdr.frag_len;
264 p->out_data.current_pdu_sent = 0;
265
266 prs_mem_free(&outgoing_pdu);
267 return True;
268}
269
270/*******************************************************************
271 Generate the next PDU to be returned from the data in p->rdata.
272 Return an schannel authenticated fragment.
273 ********************************************************************/
274
275static bool create_next_pdu_schannel(pipes_struct *p)
276{
277 RPC_HDR_RESP hdr_resp;
278 uint32 ss_padding_len = 0;
279 uint32 data_len;
280 uint32 data_space_available;
281 uint32 data_len_left;
282 prs_struct outgoing_pdu;
283 uint32 data_pos;
284
285 /*
286 * If we're in the fault state, keep returning fault PDU's until
287 * the pipe gets closed. JRA.
288 */
289
290 if(p->fault_state) {
291 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
292 return True;
293 }
294
295 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
296
297 /* Change the incoming request header to a response. */
298 p->hdr.pkt_type = RPC_RESPONSE;
299
300 /* Set up rpc header flags. */
301 if (p->out_data.data_sent_length == 0) {
302 p->hdr.flags = RPC_FLG_FIRST;
303 } else {
304 p->hdr.flags = 0;
305 }
306
307 /*
308 * Work out how much we can fit in a single PDU.
309 */
310
311 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
312
313 /*
314 * Ensure there really is data left to send.
315 */
316
317 if(!data_len_left) {
318 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
319 return False;
320 }
321
322 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
323 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
324
325 /*
326 * The amount we send is the minimum of the available
327 * space and the amount left to send.
328 */
329
330 data_len = MIN(data_len_left, data_space_available);
331
332 /*
333 * Set up the alloc hint. This should be the data left to
334 * send.
335 */
336
337 hdr_resp.alloc_hint = data_len_left;
338
339 /*
340 * Work out if this PDU will be the last.
341 */
342
343 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
344 p->hdr.flags |= RPC_FLG_LAST;
345 if (data_len_left % 8) {
346 ss_padding_len = 8 - (data_len_left % 8);
347 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
348 ss_padding_len ));
349 }
350 }
351
352 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
353 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
355
356 /*
357 * Init the parse struct to point at the outgoing
358 * data.
359 */
360
361 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
362 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
363
364 /* Store the header in the data stream. */
365 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
366 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
367 prs_mem_free(&outgoing_pdu);
368 return False;
369 }
370
371 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
373 prs_mem_free(&outgoing_pdu);
374 return False;
375 }
376
377 /* Store the current offset. */
378 data_pos = prs_offset(&outgoing_pdu);
379
380 /* Copy the data into the PDU. */
381
382 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
383 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
384 prs_mem_free(&outgoing_pdu);
385 return False;
386 }
387
388 /* Copy the sign/seal padding data. */
389 if (ss_padding_len) {
390 char pad[8];
391 memset(pad, '\0', 8);
392 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
393 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
394 prs_mem_free(&outgoing_pdu);
395 return False;
396 }
397 }
398
399 {
400 /*
401 * Schannel processing.
402 */
403 char *data;
404 RPC_HDR_AUTH auth_info;
405 RPC_AUTH_SCHANNEL_CHK verf;
406
407 data = prs_data_p(&outgoing_pdu) + data_pos;
408 /* Check it's the type of reply we were expecting to decode */
409
410 init_rpc_hdr_auth(&auth_info,
411 RPC_SCHANNEL_AUTH_TYPE,
412 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
413 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
414 ss_padding_len, 1);
415
416 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
417 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
418 prs_mem_free(&outgoing_pdu);
419 return False;
420 }
421
422 schannel_encode(p->auth.a_u.schannel_auth,
423 p->auth.auth_level,
424 SENDER_IS_ACCEPTOR,
425 &verf, data, data_len + ss_padding_len);
426
427 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
428 &verf, &outgoing_pdu, 0)) {
429 prs_mem_free(&outgoing_pdu);
430 return False;
431 }
432
433 p->auth.a_u.schannel_auth->seq_num++;
434 }
435
436 /*
437 * Setup the counts for this PDU.
438 */
439
440 p->out_data.data_sent_length += data_len;
441 p->out_data.current_pdu_len = p->hdr.frag_len;
442 p->out_data.current_pdu_sent = 0;
443
444 prs_mem_free(&outgoing_pdu);
445 return True;
446}
447
448/*******************************************************************
449 Generate the next PDU to be returned from the data in p->rdata.
450 No authentication done.
451********************************************************************/
452
453static bool create_next_pdu_noauth(pipes_struct *p)
454{
455 RPC_HDR_RESP hdr_resp;
456 uint32 data_len;
457 uint32 data_space_available;
458 uint32 data_len_left;
459 prs_struct outgoing_pdu;
460
461 /*
462 * If we're in the fault state, keep returning fault PDU's until
463 * the pipe gets closed. JRA.
464 */
465
466 if(p->fault_state) {
467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468 return True;
469 }
470
471 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472
473 /* Change the incoming request header to a response. */
474 p->hdr.pkt_type = RPC_RESPONSE;
475
476 /* Set up rpc header flags. */
477 if (p->out_data.data_sent_length == 0) {
478 p->hdr.flags = RPC_FLG_FIRST;
479 } else {
480 p->hdr.flags = 0;
481 }
482
483 /*
484 * Work out how much we can fit in a single PDU.
485 */
486
487 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
488
489 /*
490 * Ensure there really is data left to send.
491 */
492
493 if(!data_len_left) {
494 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495 return False;
496 }
497
498 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
499
500 /*
501 * The amount we send is the minimum of the available
502 * space and the amount left to send.
503 */
504
505 data_len = MIN(data_len_left, data_space_available);
506
507 /*
508 * Set up the alloc hint. This should be the data left to
509 * send.
510 */
511
512 hdr_resp.alloc_hint = data_len_left;
513
514 /*
515 * Work out if this PDU will be the last.
516 */
517
518 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
519 p->hdr.flags |= RPC_FLG_LAST;
520 }
521
522 /*
523 * Set up the header lengths.
524 */
525
526 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
527 p->hdr.auth_len = 0;
528
529 /*
530 * Init the parse struct to point at the outgoing
531 * data.
532 */
533
534 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
535 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
536
537 /* Store the header in the data stream. */
538 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
539 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540 prs_mem_free(&outgoing_pdu);
541 return False;
542 }
543
544 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
545 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546 prs_mem_free(&outgoing_pdu);
547 return False;
548 }
549
550 /* Copy the data into the PDU. */
551
552 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
553 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
554 prs_mem_free(&outgoing_pdu);
555 return False;
556 }
557
558 /*
559 * Setup the counts for this PDU.
560 */
561
562 p->out_data.data_sent_length += data_len;
563 p->out_data.current_pdu_len = p->hdr.frag_len;
564 p->out_data.current_pdu_sent = 0;
565
566 prs_mem_free(&outgoing_pdu);
567 return True;
568}
569
570/*******************************************************************
571 Generate the next PDU to be returned from the data in p->rdata.
572********************************************************************/
573
574bool create_next_pdu(pipes_struct *p)
575{
576 switch(p->auth.auth_level) {
577 case PIPE_AUTH_LEVEL_NONE:
578 case PIPE_AUTH_LEVEL_CONNECT:
579 /* This is incorrect for auth level connect. Fixme. JRA */
580 return create_next_pdu_noauth(p);
581
582 default:
583 switch(p->auth.auth_type) {
584 case PIPE_AUTH_TYPE_NTLMSSP:
585 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
586 return create_next_pdu_ntlmssp(p);
587 case PIPE_AUTH_TYPE_SCHANNEL:
588 return create_next_pdu_schannel(p);
589 default:
590 break;
591 }
592 }
593
594 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
595 (unsigned int)p->auth.auth_level,
596 (unsigned int)p->auth.auth_type));
597 return False;
598}
599
600/*******************************************************************
601 Process an NTLMSSP authentication response.
602 If this function succeeds, the user has been authenticated
603 and their domain, name and calling workstation stored in
604 the pipe struct.
605*******************************************************************/
606
607static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
608{
609 DATA_BLOB reply;
610 NTSTATUS status;
611 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 memset(p->user_name, '\0', sizeof(p->user_name));
618 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
619 memset(p->domain, '\0', sizeof(p->domain));
620 memset(p->wks, '\0', sizeof(p->wks));
621
622 /* Set up for non-authenticated user. */
623 TALLOC_FREE(p->pipe_user.nt_user_token);
624 p->pipe_user.ut.ngroups = 0;
625 SAFE_FREE( p->pipe_user.ut.groups);
626
627 /* this has to be done as root in order to verify the password */
628 become_root();
629 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
630 unbecome_root();
631
632 /* Don't generate a reply. */
633 data_blob_free(&reply);
634
635 if (!NT_STATUS_IS_OK(status)) {
636 return False;
637 }
638
639 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
640 ensure the underlying NTLMSSP flags are also set. If not we should
641 refuse the bind. */
642
643 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
644 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
645 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
646 "but client declined signing.\n",
647 p->name ));
648 return False;
649 }
650 }
651 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
652 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
653 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
654 "but client declined sealing.\n",
655 p->name ));
656 return False;
657 }
658 }
659
660 fstrcpy(p->user_name, a->ntlmssp_state->user);
661 fstrcpy(p->pipe_user_name, a->server_info->unix_name);
662 fstrcpy(p->domain, a->ntlmssp_state->domain);
663 fstrcpy(p->wks, a->ntlmssp_state->workstation);
664
665 DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
666 p->user_name, p->domain, p->wks));
667
668 /*
669 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
670 */
671
672 p->pipe_user.ut.uid = a->server_info->uid;
673 p->pipe_user.ut.gid = a->server_info->gid;
674
675 /*
676 * We're an authenticated bind over smbd, so the session key needs to
677 * be set to "SystemLibraryDTC". Weird, but this is what Windows
678 * does. See the RPC-SAMBA3SESSIONKEY.
679 */
680
681 data_blob_free(&p->session_key);
682 p->session_key = generic_session_key();
683 if (!p->session_key.data) {
684 return False;
685 }
686
687 p->pipe_user.ut.ngroups = a->server_info->n_groups;
688 if (p->pipe_user.ut.ngroups) {
689 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(a->server_info->groups,
690 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
691 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
692 return False;
693 }
694 }
695
696 if (a->server_info->ptok) {
697 p->pipe_user.nt_user_token =
698 dup_nt_token(NULL, a->server_info->ptok);
699 } else {
700 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
701 p->pipe_user.nt_user_token = NULL;
702 return False;
703 }
704
705 return True;
706}
707
708/*******************************************************************
709 The switch table for the pipe names and the functions to handle them.
710*******************************************************************/
711
712struct rpc_table {
713 struct {
714 const char *clnt;
715 const char *srv;
716 } pipe;
717 const struct api_struct *cmds;
718 int n_cmds;
719};
720
721static struct rpc_table *rpc_lookup;
722static int rpc_lookup_size;
723
724/*******************************************************************
725 This is the "stage3" NTLMSSP response after a bind request and reply.
726*******************************************************************/
727
728bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
729{
730 RPC_HDR_AUTH auth_info;
731 uint32 pad;
732 DATA_BLOB blob;
733
734 ZERO_STRUCT(blob);
735
736 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
737
738 if (p->hdr.auth_len == 0) {
739 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
740 goto err;
741 }
742
743 /* 4 bytes padding. */
744 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
745 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
746 goto err;
747 }
748
749 /*
750 * Decode the authentication verifier response.
751 */
752
753 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
754 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
755 goto err;
756 }
757
758 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
759 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
760 (unsigned int)auth_info.auth_type ));
761 return False;
762 }
763
764 blob = data_blob(NULL,p->hdr.auth_len);
765
766 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
767 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
768 (unsigned int)p->hdr.auth_len ));
769 goto err;
770 }
771
772 /*
773 * The following call actually checks the challenge/response data.
774 * for correctness against the given DOMAIN\user name.
775 */
776
777 if (!pipe_ntlmssp_verify_final(p, &blob)) {
778 goto err;
779 }
780
781 data_blob_free(&blob);
782
783 p->pipe_bound = True;
784
785 return True;
786
787 err:
788
789 data_blob_free(&blob);
790 free_pipe_ntlmssp_auth_data(&p->auth);
791 p->auth.a_u.auth_ntlmssp_state = NULL;
792
793 return False;
794}
795
796/*******************************************************************
797 Marshall a bind_nak pdu.
798*******************************************************************/
799
800static bool setup_bind_nak(pipes_struct *p)
801{
802 prs_struct outgoing_rpc;
803 RPC_HDR nak_hdr;
804 uint16 zero = 0;
805
806 /* Free any memory in the current return data buffer. */
807 prs_mem_free(&p->out_data.rdata);
808
809 /*
810 * Marshall directly into the outgoing PDU space. We
811 * must do this as we need to set to the bind response
812 * header and are never sending more than one PDU here.
813 */
814
815 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
816 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
817
818 /*
819 * Initialize a bind_nak header.
820 */
821
822 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
823 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
824
825 /*
826 * Marshall the header into the outgoing PDU.
827 */
828
829 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
830 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
831 prs_mem_free(&outgoing_rpc);
832 return False;
833 }
834
835 /*
836 * Now add the reject reason.
837 */
838
839 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
840 prs_mem_free(&outgoing_rpc);
841 return False;
842 }
843
844 p->out_data.data_sent_length = 0;
845 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
846 p->out_data.current_pdu_sent = 0;
847
848 if (p->auth.auth_data_free_func) {
849 (*p->auth.auth_data_free_func)(&p->auth);
850 }
851 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
852 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
853 p->pipe_bound = False;
854
855 return True;
856}
857
858/*******************************************************************
859 Marshall a fault pdu.
860*******************************************************************/
861
862bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
863{
864 prs_struct outgoing_pdu;
865 RPC_HDR fault_hdr;
866 RPC_HDR_RESP hdr_resp;
867 RPC_HDR_FAULT fault_resp;
868
869 /* Free any memory in the current return data buffer. */
870 prs_mem_free(&p->out_data.rdata);
871
872 /*
873 * Marshall directly into the outgoing PDU space. We
874 * must do this as we need to set to the bind response
875 * header and are never sending more than one PDU here.
876 */
877
878 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
879 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
880
881 /*
882 * Initialize a fault header.
883 */
884
885 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
886 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
887
888 /*
889 * Initialize the HDR_RESP and FAULT parts of the PDU.
890 */
891
892 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
893
894 fault_resp.status = status;
895 fault_resp.reserved = 0;
896
897 /*
898 * Marshall the header into the outgoing PDU.
899 */
900
901 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
902 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
903 prs_mem_free(&outgoing_pdu);
904 return False;
905 }
906
907 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
908 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
909 prs_mem_free(&outgoing_pdu);
910 return False;
911 }
912
913 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
914 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
915 prs_mem_free(&outgoing_pdu);
916 return False;
917 }
918
919 p->out_data.data_sent_length = 0;
920 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
921 p->out_data.current_pdu_sent = 0;
922
923 prs_mem_free(&outgoing_pdu);
924 return True;
925}
926
927#if 0
928/*******************************************************************
929 Marshall a cancel_ack pdu.
930 We should probably check the auth-verifier here.
931*******************************************************************/
932
933bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
934{
935 prs_struct outgoing_pdu;
936 RPC_HDR ack_reply_hdr;
937
938 /* Free any memory in the current return data buffer. */
939 prs_mem_free(&p->out_data.rdata);
940
941 /*
942 * Marshall directly into the outgoing PDU space. We
943 * must do this as we need to set to the bind response
944 * header and are never sending more than one PDU here.
945 */
946
947 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
948 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
949
950 /*
951 * Initialize a cancel_ack header.
952 */
953
954 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
955 p->hdr.call_id, RPC_HEADER_LEN, 0);
956
957 /*
958 * Marshall the header into the outgoing PDU.
959 */
960
961 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
962 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
963 prs_mem_free(&outgoing_pdu);
964 return False;
965 }
966
967 p->out_data.data_sent_length = 0;
968 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
969 p->out_data.current_pdu_sent = 0;
970
971 prs_mem_free(&outgoing_pdu);
972 return True;
973}
974#endif
975
976/*******************************************************************
977 Ensure a bind request has the correct abstract & transfer interface.
978 Used to reject unknown binds from Win2k.
979*******************************************************************/
980
981bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
982 RPC_IFACE* transfer, uint32 context_id)
983{
984 char *pipe_name = p->name;
985 int i=0;
986 fstring pname;
987
988 fstrcpy(pname,"\\PIPE\\");
989 fstrcat(pname,pipe_name);
990
991 DEBUG(3,("check_bind_req for %s\n", pname));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for ( i=0; pipe_names[i].client_pipe; i++ ) {
996 DEBUGADD(10,("checking %s\n", pipe_names[i].client_pipe));
997 if ( strequal(pipe_names[i].client_pipe, pname)
998 && (abstract->version == pipe_names[i].abstr_syntax.version)
999 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
1000 && (transfer->version == pipe_names[i].trans_syntax.version)
1001 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
1002 struct api_struct *fns = NULL;
1003 int n_fns = 0;
1004 PIPE_RPC_FNS *context_fns;
1005
1006 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1007 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1008 return False;
1009 }
1010
1011 /* save the RPC function table associated with this bind */
1012
1013 get_pipe_fns(i, &fns, &n_fns);
1014
1015 context_fns->cmds = fns;
1016 context_fns->n_cmds = n_fns;
1017 context_fns->context_id = context_id;
1018
1019 /* add to the list of open contexts */
1020
1021 DLIST_ADD( p->contexts, context_fns );
1022
1023 break;
1024 }
1025 }
1026
1027 if(pipe_names[i].client_pipe == NULL) {
1028 return False;
1029 }
1030
1031 return True;
1032}
1033
1034/*******************************************************************
1035 Register commands to an RPC pipe
1036*******************************************************************/
1037
1038NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1039{
1040 struct rpc_table *rpc_entry;
1041
1042 if (!clnt || !srv || !cmds) {
1043 return NT_STATUS_INVALID_PARAMETER;
1044 }
1045
1046 if (version != SMB_RPC_INTERFACE_VERSION) {
1047 DEBUG(0,("Can't register rpc commands!\n"
1048 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1049 ", while this version of samba uses version %d!\n",
1050 version,SMB_RPC_INTERFACE_VERSION));
1051 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1052 }
1053
1054 /* TODO:
1055 *
1056 * we still need to make sure that don't register the same commands twice!!!
1057 *
1058 * --metze
1059 */
1060
1061 /* We use a temporary variable because this call can fail and
1062 rpc_lookup will still be valid afterwards. It could then succeed if
1063 called again later */
1064 rpc_lookup_size++;
1065 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1066 if (NULL == rpc_entry) {
1067 rpc_lookup_size--;
1068 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1069 return NT_STATUS_NO_MEMORY;
1070 } else {
1071 rpc_lookup = rpc_entry;
1072 }
1073
1074 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1075 ZERO_STRUCTP(rpc_entry);
1076 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1077 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1078 rpc_entry->cmds = cmds;
1079 rpc_entry->n_cmds = size;
1080
1081 return NT_STATUS_OK;
1082}
1083
1084/*******************************************************************
1085 Handle a SPNEGO krb5 bind auth.
1086*******************************************************************/
1087
1088static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1089 DATA_BLOB *psecblob, prs_struct *pout_auth)
1090{
1091 return False;
1092}
1093
1094/*******************************************************************
1095 Handle the first part of a SPNEGO bind auth.
1096*******************************************************************/
1097
1098static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1099 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1100{
1101 DATA_BLOB blob;
1102 DATA_BLOB secblob;
1103 DATA_BLOB response;
1104 DATA_BLOB chal;
1105 char *OIDs[ASN1_MAX_OIDS];
1106 int i;
1107 NTSTATUS status;
1108 bool got_kerberos_mechanism = false;
1109 AUTH_NTLMSSP_STATE *a = NULL;
1110 RPC_HDR_AUTH auth_info;
1111
1112 ZERO_STRUCT(secblob);
1113 ZERO_STRUCT(chal);
1114 ZERO_STRUCT(response);
1115
1116 /* Grab the SPNEGO blob. */
1117 blob = data_blob(NULL,p->hdr.auth_len);
1118
1119 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1120 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1121 (unsigned int)p->hdr.auth_len ));
1122 goto err;
1123 }
1124
1125 if (blob.data[0] != ASN1_APPLICATION(0)) {
1126 goto err;
1127 }
1128
1129 /* parse out the OIDs and the first sec blob */
1130 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1131 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1132 goto err;
1133 }
1134
1135 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1136 got_kerberos_mechanism = true;
1137 }
1138
1139 for (i=0;OIDs[i];i++) {
1140 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1141 SAFE_FREE(OIDs[i]);
1142 }
1143 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1144
1145 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1146 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1147 data_blob_free(&secblob);
1148 data_blob_free(&blob);
1149 return ret;
1150 }
1151
1152 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1153 /* Free any previous auth type. */
1154 free_pipe_ntlmssp_auth_data(&p->auth);
1155 }
1156
1157 if (!got_kerberos_mechanism) {
1158 /* Initialize the NTLM engine. */
1159 status = auth_ntlmssp_start(&a);
1160 if (!NT_STATUS_IS_OK(status)) {
1161 goto err;
1162 }
1163
1164 /*
1165 * Pass the first security blob of data to it.
1166 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1167 * which means we need another packet to complete the bind.
1168 */
1169
1170 status = auth_ntlmssp_update(a, secblob, &chal);
1171
1172 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1173 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1174 goto err;
1175 }
1176
1177 /* Generate the response blob we need for step 2 of the bind. */
1178 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1179 } else {
1180 /*
1181 * SPNEGO negotiate down to NTLMSSP. The subsequent
1182 * code to process follow-up packets is not complete
1183 * yet. JRA.
1184 */
1185 response = spnego_gen_auth_response(NULL,
1186 NT_STATUS_MORE_PROCESSING_REQUIRED,
1187 OID_NTLMSSP);
1188 }
1189
1190 /* Copy the blob into the pout_auth parse struct */
1191 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1192 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1193 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1194 goto err;
1195 }
1196
1197 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1198 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1199 goto err;
1200 }
1201
1202 p->auth.a_u.auth_ntlmssp_state = a;
1203 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1204 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1205
1206 data_blob_free(&blob);
1207 data_blob_free(&secblob);
1208 data_blob_free(&chal);
1209 data_blob_free(&response);
1210
1211 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1212 return True;
1213
1214 err:
1215
1216 data_blob_free(&blob);
1217 data_blob_free(&secblob);
1218 data_blob_free(&chal);
1219 data_blob_free(&response);
1220
1221 p->auth.a_u.auth_ntlmssp_state = NULL;
1222
1223 return False;
1224}
1225
1226/*******************************************************************
1227 Handle the second part of a SPNEGO bind auth.
1228*******************************************************************/
1229
1230static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1231 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1232{
1233 RPC_HDR_AUTH auth_info;
1234 DATA_BLOB spnego_blob;
1235 DATA_BLOB auth_blob;
1236 DATA_BLOB auth_reply;
1237 DATA_BLOB response;
1238 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1239
1240 ZERO_STRUCT(spnego_blob);
1241 ZERO_STRUCT(auth_blob);
1242 ZERO_STRUCT(auth_reply);
1243 ZERO_STRUCT(response);
1244
1245 /*
1246 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1247 * fail here as 'a' == NULL.
1248 */
1249 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1250 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1251 goto err;
1252 }
1253
1254 /* Grab the SPNEGO blob. */
1255 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1256
1257 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1258 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1259 (unsigned int)p->hdr.auth_len ));
1260 goto err;
1261 }
1262
1263 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1264 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1265 goto err;
1266 }
1267
1268 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1269 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1270 goto err;
1271 }
1272
1273 /*
1274 * The following call actually checks the challenge/response data.
1275 * for correctness against the given DOMAIN\user name.
1276 */
1277
1278 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1279 goto err;
1280 }
1281
1282 data_blob_free(&spnego_blob);
1283 data_blob_free(&auth_blob);
1284
1285 /* Generate the spnego "accept completed" blob - no incoming data. */
1286 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1287
1288 /* Copy the blob into the pout_auth parse struct */
1289 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1290 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1291 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1292 goto err;
1293 }
1294
1295 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1296 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1297 goto err;
1298 }
1299
1300 data_blob_free(&auth_reply);
1301 data_blob_free(&response);
1302
1303 p->pipe_bound = True;
1304
1305 return True;
1306
1307 err:
1308
1309 data_blob_free(&spnego_blob);
1310 data_blob_free(&auth_blob);
1311 data_blob_free(&auth_reply);
1312 data_blob_free(&response);
1313
1314 free_pipe_ntlmssp_auth_data(&p->auth);
1315 p->auth.a_u.auth_ntlmssp_state = NULL;
1316
1317 return False;
1318}
1319
1320/*******************************************************************
1321 Handle an schannel bind auth.
1322*******************************************************************/
1323
1324static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1325 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1326{
1327 RPC_HDR_AUTH auth_info;
1328 RPC_AUTH_SCHANNEL_NEG neg;
1329 RPC_AUTH_VERIFIER auth_verifier;
1330 bool ret;
1331 struct dcinfo *pdcinfo;
1332 uint32 flags;
1333
1334 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1335 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1336 return False;
1337 }
1338
1339 /*
1340 * The neg.myname key here must match the remote computer name
1341 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1342 * operations that use credentials.
1343 */
1344
1345 become_root();
1346 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1347 unbecome_root();
1348
1349 if (!ret) {
1350 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1351 return False;
1352 }
1353
1354 p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1355 if (!p->auth.a_u.schannel_auth) {
1356 TALLOC_FREE(pdcinfo);
1357 return False;
1358 }
1359
1360 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1361 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1362 sizeof(pdcinfo->sess_key));
1363
1364 TALLOC_FREE(pdcinfo);
1365
1366 p->auth.a_u.schannel_auth->seq_num = 0;
1367
1368 /*
1369 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1370 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1371 * struct of the person who opened the pipe. I need to test this further. JRA.
1372 *
1373 * VL. As we are mapping this to guest set the generic key
1374 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1375 * W2k3, as it does not allow schannel binds against SAMR and LSA
1376 * anymore.
1377 */
1378
1379 data_blob_free(&p->session_key);
1380 p->session_key = generic_session_key();
1381 if (p->session_key.data == NULL) {
1382 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1383 " key\n"));
1384 return False;
1385 }
1386
1387 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1388 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1389 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1390 return False;
1391 }
1392
1393 /*** SCHANNEL verifier ***/
1394
1395 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1396 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1397 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1398 return False;
1399 }
1400
1401 prs_align(pout_auth);
1402
1403 flags = 5;
1404 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1405 return False;
1406 }
1407
1408 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1409 neg.domain, neg.myname));
1410
1411 /* We're finished with this bind - no more packets. */
1412 p->auth.auth_data_free_func = NULL;
1413 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1414
1415 p->pipe_bound = True;
1416
1417 return True;
1418}
1419
1420/*******************************************************************
1421 Handle an NTLMSSP bind auth.
1422*******************************************************************/
1423
1424static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1425 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1426{
1427 RPC_HDR_AUTH auth_info;
1428 DATA_BLOB blob;
1429 DATA_BLOB response;
1430 NTSTATUS status;
1431 AUTH_NTLMSSP_STATE *a = NULL;
1432
1433 ZERO_STRUCT(blob);
1434 ZERO_STRUCT(response);
1435
1436 /* Grab the NTLMSSP blob. */
1437 blob = data_blob(NULL,p->hdr.auth_len);
1438
1439 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1440 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1441 (unsigned int)p->hdr.auth_len ));
1442 goto err;
1443 }
1444
1445 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1446 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1447 goto err;
1448 }
1449
1450 /* We have an NTLMSSP blob. */
1451 status = auth_ntlmssp_start(&a);
1452 if (!NT_STATUS_IS_OK(status)) {
1453 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1454 nt_errstr(status) ));
1455 goto err;
1456 }
1457
1458 status = auth_ntlmssp_update(a, blob, &response);
1459 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1460 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1461 nt_errstr(status) ));
1462 goto err;
1463 }
1464
1465 data_blob_free(&blob);
1466
1467 /* Copy the blob into the pout_auth parse struct */
1468 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1469 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1470 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1471 goto err;
1472 }
1473
1474 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1475 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1476 goto err;
1477 }
1478
1479 p->auth.a_u.auth_ntlmssp_state = a;
1480 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1481 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1482
1483 data_blob_free(&blob);
1484 data_blob_free(&response);
1485
1486 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1487
1488 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1489 return True;
1490
1491 err:
1492
1493 data_blob_free(&blob);
1494 data_blob_free(&response);
1495
1496 free_pipe_ntlmssp_auth_data(&p->auth);
1497 p->auth.a_u.auth_ntlmssp_state = NULL;
1498 return False;
1499}
1500
1501/*******************************************************************
1502 Respond to a pipe bind request.
1503*******************************************************************/
1504
1505bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1506{
1507 RPC_HDR_BA hdr_ba;
1508 RPC_HDR_RB hdr_rb;
1509 RPC_HDR_AUTH auth_info;
1510 uint16 assoc_gid;
1511 fstring ack_pipe_name;
1512 prs_struct out_hdr_ba;
1513 prs_struct out_auth;
1514 prs_struct outgoing_rpc;
1515 int i = 0;
1516 int auth_len = 0;
1517 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1518
1519 /* No rebinds on a bound pipe - use alter context. */
1520 if (p->pipe_bound) {
1521 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1522 return setup_bind_nak(p);
1523 }
1524
1525 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1526
1527 /*
1528 * Marshall directly into the outgoing PDU space. We
1529 * must do this as we need to set to the bind response
1530 * header and are never sending more than one PDU here.
1531 */
1532
1533 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1534
1535 /*
1536 * Setup the memory to marshall the ba header, and the
1537 * auth footers.
1538 */
1539
1540 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1541 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1542 prs_mem_free(&outgoing_rpc);
1543 return False;
1544 }
1545
1546 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1547 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1548 prs_mem_free(&outgoing_rpc);
1549 prs_mem_free(&out_hdr_ba);
1550 return False;
1551 }
1552
1553 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1554
1555 /*
1556 * Try and find the correct pipe name to ensure
1557 * that this is a pipe name we support.
1558 */
1559
1560
1561 for (i = 0; i < rpc_lookup_size; i++) {
1562 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1563 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1564 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1565 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1566 break;
1567 }
1568 }
1569
1570 if (i == rpc_lookup_size) {
1571 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1572 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1573 p->name ));
1574 prs_mem_free(&outgoing_rpc);
1575 prs_mem_free(&out_hdr_ba);
1576 prs_mem_free(&out_auth);
1577
1578 return setup_bind_nak(p);
1579 }
1580
1581 for (i = 0; i < rpc_lookup_size; i++) {
1582 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1583 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1584 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1585 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1586 break;
1587 }
1588 }
1589
1590 if (i == rpc_lookup_size) {
1591 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1592 goto err_exit;
1593 }
1594 }
1595
1596 ZERO_STRUCT(hdr_rb);
1597
1598 /* decode the bind request */
1599 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1600 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1601 goto err_exit;
1602 }
1603
1604 /* name has to be \PIPE\xxxxx */
1605 fstrcpy(ack_pipe_name, "\\PIPE\\");
1606 fstrcat(ack_pipe_name, p->pipe_srv_name);
1607
1608 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1609
1610 /*
1611 * Check if this is an authenticated bind request.
1612 */
1613
1614 if (p->hdr.auth_len) {
1615 /*
1616 * Decode the authentication verifier.
1617 */
1618
1619 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1620 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1621 goto err_exit;
1622 }
1623
1624 auth_type = auth_info.auth_type;
1625
1626 /* Work out if we have to sign or seal etc. */
1627 switch (auth_info.auth_level) {
1628 case RPC_AUTH_LEVEL_INTEGRITY:
1629 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1630 break;
1631 case RPC_AUTH_LEVEL_PRIVACY:
1632 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1633 break;
1634 default:
1635 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1636 (unsigned int)auth_info.auth_level ));
1637 goto err_exit;
1638 }
1639 } else {
1640 ZERO_STRUCT(auth_info);
1641 }
1642
1643 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1644
1645 switch(auth_type) {
1646 case RPC_NTLMSSP_AUTH_TYPE:
1647 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1648 goto err_exit;
1649 }
1650 assoc_gid = 0x7a77;
1651 break;
1652
1653 case RPC_SCHANNEL_AUTH_TYPE:
1654 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1655 goto err_exit;
1656 }
1657 break;
1658
1659 case RPC_SPNEGO_AUTH_TYPE:
1660 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1661 goto err_exit;
1662 }
1663 break;
1664
1665 case RPC_ANONYMOUS_AUTH_TYPE:
1666 /* Unauthenticated bind request. */
1667 /* Get the authenticated pipe user from current_user */
1668 if (!copy_current_user(&p->pipe_user, &current_user)) {
1669 DEBUG(10, ("Could not copy current user\n"));
1670 goto err_exit;
1671 }
1672 /* We're finished - no more packets. */
1673 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1674 /* We must set the pipe auth_level here also. */
1675 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1676 p->pipe_bound = True;
1677 /* The session key was initialized from the SMB
1678 * session in make_internal_rpc_pipe_p */
1679 break;
1680
1681 default:
1682 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1683 goto err_exit;
1684 }
1685
1686 /*
1687 * Create the bind response struct.
1688 */
1689
1690 /* If the requested abstract synt uuid doesn't match our client pipe,
1691 reject the bind_ack & set the transfer interface synt to all 0's,
1692 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1693 unknown to NT4)
1694 Needed when adding entries to a DACL from NT5 - SK */
1695
1696 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1697 hdr_rb.rpc_context[0].context_id )) {
1698 init_rpc_hdr_ba(&hdr_ba,
1699 RPC_MAX_PDU_FRAG_LEN,
1700 RPC_MAX_PDU_FRAG_LEN,
1701 assoc_gid,
1702 ack_pipe_name,
1703 0x1, 0x0, 0x0,
1704 &hdr_rb.rpc_context[0].transfer[0]);
1705 } else {
1706 RPC_IFACE null_interface;
1707 ZERO_STRUCT(null_interface);
1708 /* Rejection reason: abstract syntax not supported */
1709 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1710 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1711 ack_pipe_name, 0x1, 0x2, 0x1,
1712 &null_interface);
1713 p->pipe_bound = False;
1714 }
1715
1716 /*
1717 * and marshall it.
1718 */
1719
1720 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1721 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1722 goto err_exit;
1723 }
1724
1725 /*
1726 * Create the header, now we know the length.
1727 */
1728
1729 if (prs_offset(&out_auth)) {
1730 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1731 }
1732
1733 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1734 p->hdr.call_id,
1735 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1736 auth_len);
1737
1738 /*
1739 * Marshall the header into the outgoing PDU.
1740 */
1741
1742 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1743 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1744 goto err_exit;
1745 }
1746
1747 /*
1748 * Now add the RPC_HDR_BA and any auth needed.
1749 */
1750
1751 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1752 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1753 goto err_exit;
1754 }
1755
1756 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1757 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1758 goto err_exit;
1759 }
1760
1761 /*
1762 * Setup the lengths for the initial reply.
1763 */
1764
1765 p->out_data.data_sent_length = 0;
1766 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1767 p->out_data.current_pdu_sent = 0;
1768
1769 prs_mem_free(&out_hdr_ba);
1770 prs_mem_free(&out_auth);
1771
1772 return True;
1773
1774 err_exit:
1775
1776 prs_mem_free(&outgoing_rpc);
1777 prs_mem_free(&out_hdr_ba);
1778 prs_mem_free(&out_auth);
1779 return setup_bind_nak(p);
1780}
1781
1782/****************************************************************************
1783 Deal with an alter context call. Can be third part of 3 leg auth request for
1784 SPNEGO calls.
1785****************************************************************************/
1786
1787bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1788{
1789 RPC_HDR_BA hdr_ba;
1790 RPC_HDR_RB hdr_rb;
1791 RPC_HDR_AUTH auth_info;
1792 uint16 assoc_gid;
1793 fstring ack_pipe_name;
1794 prs_struct out_hdr_ba;
1795 prs_struct out_auth;
1796 prs_struct outgoing_rpc;
1797 int auth_len = 0;
1798
1799 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1800
1801 /*
1802 * Marshall directly into the outgoing PDU space. We
1803 * must do this as we need to set to the bind response
1804 * header and are never sending more than one PDU here.
1805 */
1806
1807 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1808
1809 /*
1810 * Setup the memory to marshall the ba header, and the
1811 * auth footers.
1812 */
1813
1814 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1815 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1816 prs_mem_free(&outgoing_rpc);
1817 return False;
1818 }
1819
1820 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1821 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1822 prs_mem_free(&outgoing_rpc);
1823 prs_mem_free(&out_hdr_ba);
1824 return False;
1825 }
1826
1827 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1828
1829 /* decode the alter context request */
1830 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1831 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1832 goto err_exit;
1833 }
1834
1835 /* secondary address CAN be NULL
1836 * as the specs say it's ignored.
1837 * It MUST be NULL to have the spoolss working.
1838 */
1839 fstrcpy(ack_pipe_name,"");
1840
1841 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1842
1843 /*
1844 * Check if this is an authenticated alter context request.
1845 */
1846
1847 if (p->hdr.auth_len != 0) {
1848 /*
1849 * Decode the authentication verifier.
1850 */
1851
1852 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1853 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1854 goto err_exit;
1855 }
1856
1857 /*
1858 * Currently only the SPNEGO auth type uses the alter ctx
1859 * response in place of the NTLMSSP auth3 type.
1860 */
1861
1862 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1863 /* We can only finish if the pipe is unbound. */
1864 if (!p->pipe_bound) {
1865 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1866 goto err_exit;
1867 }
1868 } else {
1869 goto err_exit;
1870 }
1871 }
1872 } else {
1873 ZERO_STRUCT(auth_info);
1874 }
1875
1876 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1877
1878 /*
1879 * Create the bind response struct.
1880 */
1881
1882 /* If the requested abstract synt uuid doesn't match our client pipe,
1883 reject the bind_ack & set the transfer interface synt to all 0's,
1884 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1885 unknown to NT4)
1886 Needed when adding entries to a DACL from NT5 - SK */
1887
1888 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1889 hdr_rb.rpc_context[0].context_id )) {
1890 init_rpc_hdr_ba(&hdr_ba,
1891 RPC_MAX_PDU_FRAG_LEN,
1892 RPC_MAX_PDU_FRAG_LEN,
1893 assoc_gid,
1894 ack_pipe_name,
1895 0x1, 0x0, 0x0,
1896 &hdr_rb.rpc_context[0].transfer[0]);
1897 } else {
1898 RPC_IFACE null_interface;
1899 ZERO_STRUCT(null_interface);
1900 /* Rejection reason: abstract syntax not supported */
1901 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1902 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1903 ack_pipe_name, 0x1, 0x2, 0x1,
1904 &null_interface);
1905 p->pipe_bound = False;
1906 }
1907
1908 /*
1909 * and marshall it.
1910 */
1911
1912 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1913 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1914 goto err_exit;
1915 }
1916
1917 /*
1918 * Create the header, now we know the length.
1919 */
1920
1921 if (prs_offset(&out_auth)) {
1922 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1923 }
1924
1925 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1926 p->hdr.call_id,
1927 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1928 auth_len);
1929
1930 /*
1931 * Marshall the header into the outgoing PDU.
1932 */
1933
1934 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1935 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1936 goto err_exit;
1937 }
1938
1939 /*
1940 * Now add the RPC_HDR_BA and any auth needed.
1941 */
1942
1943 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1944 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1945 goto err_exit;
1946 }
1947
1948 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1949 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1950 goto err_exit;
1951 }
1952
1953 /*
1954 * Setup the lengths for the initial reply.
1955 */
1956
1957 p->out_data.data_sent_length = 0;
1958 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1959 p->out_data.current_pdu_sent = 0;
1960
1961 prs_mem_free(&out_hdr_ba);
1962 prs_mem_free(&out_auth);
1963
1964 return True;
1965
1966 err_exit:
1967
1968 prs_mem_free(&outgoing_rpc);
1969 prs_mem_free(&out_hdr_ba);
1970 prs_mem_free(&out_auth);
1971 return setup_bind_nak(p);
1972}
1973
1974/****************************************************************************
1975 Deal with NTLMSSP sign & seal processing on an RPC request.
1976****************************************************************************/
1977
1978bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1979 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1980{
1981 RPC_HDR_AUTH auth_info;
1982 uint32 auth_len = p->hdr.auth_len;
1983 uint32 save_offset = prs_offset(rpc_in);
1984 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1985 unsigned char *data = NULL;
1986 size_t data_len;
1987 unsigned char *full_packet_data = NULL;
1988 size_t full_packet_data_len;
1989 DATA_BLOB auth_blob;
1990
1991 *pstatus = NT_STATUS_OK;
1992
1993 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1994 return True;
1995 }
1996
1997 if (!a) {
1998 *pstatus = NT_STATUS_INVALID_PARAMETER;
1999 return False;
2000 }
2001
2002 /* Ensure there's enough data for an authenticated request. */
2003 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2004 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2005 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2006 (unsigned int)auth_len ));
2007 *pstatus = NT_STATUS_INVALID_PARAMETER;
2008 return False;
2009 }
2010
2011 /*
2012 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2013 * after the RPC header.
2014 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2015 * functions as NTLMv2 checks the rpc headers also.
2016 */
2017
2018 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2019 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2020
2021 full_packet_data = p->in_data.current_in_pdu;
2022 full_packet_data_len = p->hdr.frag_len - auth_len;
2023
2024 /* Pull the auth header and the following data into a blob. */
2025 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2026 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2027 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2028 *pstatus = NT_STATUS_INVALID_PARAMETER;
2029 return False;
2030 }
2031
2032 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2033 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2034 *pstatus = NT_STATUS_INVALID_PARAMETER;
2035 return False;
2036 }
2037
2038 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2039 auth_blob.length = auth_len;
2040
2041 switch (p->auth.auth_level) {
2042 case PIPE_AUTH_LEVEL_PRIVACY:
2043 /* Data is encrypted. */
2044 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2045 data, data_len,
2046 full_packet_data,
2047 full_packet_data_len,
2048 &auth_blob);
2049 if (!NT_STATUS_IS_OK(*pstatus)) {
2050 return False;
2051 }
2052 break;
2053 case PIPE_AUTH_LEVEL_INTEGRITY:
2054 /* Data is signed. */
2055 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2056 data, data_len,
2057 full_packet_data,
2058 full_packet_data_len,
2059 &auth_blob);
2060 if (!NT_STATUS_IS_OK(*pstatus)) {
2061 return False;
2062 }
2063 break;
2064 default:
2065 *pstatus = NT_STATUS_INVALID_PARAMETER;
2066 return False;
2067 }
2068
2069 /*
2070 * Return the current pointer to the data offset.
2071 */
2072
2073 if(!prs_set_offset(rpc_in, save_offset)) {
2074 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2075 (unsigned int)save_offset ));
2076 *pstatus = NT_STATUS_INVALID_PARAMETER;
2077 return False;
2078 }
2079
2080 /*
2081 * Remember the padding length. We must remove it from the real data
2082 * stream once the sign/seal is done.
2083 */
2084
2085 *p_ss_padding_len = auth_info.auth_pad_len;
2086
2087 return True;
2088}
2089
2090/****************************************************************************
2091 Deal with schannel processing on an RPC request.
2092****************************************************************************/
2093
2094bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2095{
2096 uint32 data_len;
2097 uint32 auth_len;
2098 uint32 save_offset = prs_offset(rpc_in);
2099 RPC_HDR_AUTH auth_info;
2100 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2101
2102 auth_len = p->hdr.auth_len;
2103
2104 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2105 auth_len > RPC_HEADER_LEN +
2106 RPC_HDR_REQ_LEN +
2107 RPC_HDR_AUTH_LEN +
2108 auth_len) {
2109 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2110 return False;
2111 }
2112
2113 /*
2114 * The following is that length of the data we must verify or unseal.
2115 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2116 * preceeding the auth_data.
2117 */
2118
2119 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2120 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2121 (unsigned int)p->hdr.frag_len,
2122 (unsigned int)auth_len ));
2123 return False;
2124 }
2125
2126 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2127 RPC_HDR_AUTH_LEN - auth_len;
2128
2129 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2130
2131 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2132 DEBUG(0,("cannot move offset to %u.\n",
2133 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2134 return False;
2135 }
2136
2137 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2138 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2139 return False;
2140 }
2141
2142 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2143 DEBUG(0,("Invalid auth info %d on schannel\n",
2144 auth_info.auth_type));
2145 return False;
2146 }
2147
2148 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2149 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2150 return False;
2151 }
2152
2153 if (!schannel_decode(p->auth.a_u.schannel_auth,
2154 p->auth.auth_level,
2155 SENDER_IS_INITIATOR,
2156 &schannel_chk,
2157 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2158 DEBUG(3,("failed to decode PDU\n"));
2159 return False;
2160 }
2161
2162 /*
2163 * Return the current pointer to the data offset.
2164 */
2165
2166 if(!prs_set_offset(rpc_in, save_offset)) {
2167 DEBUG(0,("failed to set offset back to %u\n",
2168 (unsigned int)save_offset ));
2169 return False;
2170 }
2171
2172 /* The sequence number gets incremented on both send and receive. */
2173 p->auth.a_u.schannel_auth->seq_num++;
2174
2175 /*
2176 * Remember the padding length. We must remove it from the real data
2177 * stream once the sign/seal is done.
2178 */
2179
2180 *p_ss_padding_len = auth_info.auth_pad_len;
2181
2182 return True;
2183}
2184
2185/****************************************************************************
2186 Return a user struct for a pipe user.
2187****************************************************************************/
2188
2189struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2190{
2191 if (p->pipe_bound &&
2192 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2193 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2194 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2195 } else {
2196 memcpy(user, &current_user, sizeof(struct current_user));
2197 }
2198
2199 return user;
2200}
2201
2202/****************************************************************************
2203 Find the set of RPC functions associated with this context_id
2204****************************************************************************/
2205
2206static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2207{
2208 PIPE_RPC_FNS *fns = NULL;
2209 PIPE_RPC_FNS *tmp = NULL;
2210
2211 if ( !list ) {
2212 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2213 return NULL;
2214 }
2215
2216 for (tmp=list; tmp; tmp=tmp->next ) {
2217 if ( tmp->context_id == context_id )
2218 break;
2219 }
2220
2221 fns = tmp;
2222
2223 return fns;
2224}
2225
2226/****************************************************************************
2227 Memory cleanup.
2228****************************************************************************/
2229
2230void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2231{
2232 PIPE_RPC_FNS *tmp = list;
2233 PIPE_RPC_FNS *tmp2;
2234
2235 while (tmp) {
2236 tmp2 = tmp->next;
2237 SAFE_FREE(tmp);
2238 tmp = tmp2;
2239 }
2240
2241 return;
2242}
2243
2244/****************************************************************************
2245 Find the correct RPC function to call for this request.
2246 If the pipe is authenticated then become the correct UNIX user
2247 before doing the call.
2248****************************************************************************/
2249
2250bool api_pipe_request(pipes_struct *p)
2251{
2252 bool ret = False;
2253 bool changed_user = False;
2254 PIPE_RPC_FNS *pipe_fns;
2255
2256 if (p->pipe_bound &&
2257 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2258 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2259 if(!become_authenticated_pipe_user(p)) {
2260 prs_mem_free(&p->out_data.rdata);
2261 return False;
2262 }
2263 changed_user = True;
2264 }
2265
2266 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2267
2268 /* get the set of RPC functions for this context */
2269
2270 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2271
2272 if ( pipe_fns ) {
2273 TALLOC_CTX *frame = talloc_stackframe();
2274 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2275 TALLOC_FREE(frame);
2276 }
2277 else {
2278 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2279 p->hdr_req.context_id, p->name));
2280 }
2281
2282 if (changed_user) {
2283 unbecome_authenticated_pipe_user();
2284 }
2285
2286 return ret;
2287}
2288
2289/*******************************************************************
2290 Calls the underlying RPC function for a named pipe.
2291 ********************************************************************/
2292
2293bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2294 const struct api_struct *api_rpc_cmds, int n_cmds)
2295{
2296 int fn_num;
2297 fstring name;
2298 uint32 offset1, offset2;
2299
2300 /* interpret the command */
2301 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2302
2303 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2304 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2305
2306 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2307 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2308 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2309 break;
2310 }
2311 }
2312
2313 if (fn_num == n_cmds) {
2314 /*
2315 * For an unknown RPC just return a fault PDU but
2316 * return True to allow RPC's on the pipe to continue
2317 * and not put the pipe into fault state. JRA.
2318 */
2319 DEBUG(4, ("unknown\n"));
2320 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2321 return True;
2322 }
2323
2324 offset1 = prs_offset(&p->out_data.rdata);
2325
2326 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2327 fn_num, api_rpc_cmds[fn_num].fn));
2328 /* do the actual command */
2329 if(!api_rpc_cmds[fn_num].fn(p)) {
2330 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2331 prs_mem_free(&p->out_data.rdata);
2332 return False;
2333 }
2334
2335 if (p->bad_handle_fault_state) {
2336 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2337 p->bad_handle_fault_state = False;
2338 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2339 return True;
2340 }
2341
2342 if (p->rng_fault_state) {
2343 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2344 p->rng_fault_state = False;
2345 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2346 return True;
2347 }
2348
2349 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2350 offset2 = prs_offset(&p->out_data.rdata);
2351 prs_set_offset(&p->out_data.rdata, offset1);
2352 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2353 prs_set_offset(&p->out_data.rdata, offset2);
2354
2355 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2356
2357 /* Check for buffer underflow in rpc parsing */
2358
2359 if ((DEBUGLEVEL >= 10) &&
2360 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2361 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2362 char *data = (char *)SMB_MALLOC(data_len);
2363
2364 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2365 if (data) {
2366 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2367 SAFE_FREE(data);
2368 }
2369
2370 }
2371
2372 return True;
2373}
2374
2375/*******************************************************************
2376*******************************************************************/
2377
2378void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2379{
2380 struct api_struct *cmds = NULL;
2381 int n_cmds = 0;
2382
2383 switch ( idx ) {
2384 case PI_LSARPC:
2385 lsarpc_get_pipe_fns( &cmds, &n_cmds );
2386 break;
2387 case PI_DSSETUP:
2388 dssetup_get_pipe_fns( &cmds, &n_cmds );
2389 break;
2390 case PI_SAMR:
2391 samr_get_pipe_fns( &cmds, &n_cmds );
2392 break;
2393 case PI_NETLOGON:
2394 netlogon_get_pipe_fns( &cmds, &n_cmds );
2395 break;
2396 case PI_SRVSVC:
2397 srvsvc_get_pipe_fns( &cmds, &n_cmds );
2398 break;
2399 case PI_WKSSVC:
2400 wkssvc_get_pipe_fns( &cmds, &n_cmds );
2401 break;
2402 case PI_WINREG:
2403 winreg_get_pipe_fns( &cmds, &n_cmds );
2404 break;
2405 case PI_SPOOLSS:
2406 spoolss_get_pipe_fns( &cmds, &n_cmds );
2407 break;
2408 case PI_NETDFS:
2409 netdfs_get_pipe_fns( &cmds, &n_cmds );
2410 break;
2411 case PI_SVCCTL:
2412 svcctl2_get_pipe_fns( &cmds, &n_cmds );
2413 break;
2414 case PI_EVENTLOG:
2415 eventlog2_get_pipe_fns( &cmds, &n_cmds );
2416 break;
2417 case PI_NTSVCS:
2418 ntsvcs2_get_pipe_fns( &cmds, &n_cmds );
2419 break;
2420#ifdef DEVELOPER
2421 case PI_RPCECHO:
2422 rpcecho_get_pipe_fns( &cmds, &n_cmds );
2423 break;
2424#endif
2425 default:
2426 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2427 }
2428
2429 *fns = cmds;
2430 *n_fns = n_cmds;
2431
2432 return;
2433}
Note: See TracBrowser for help on using the repository browser.