source: branches/samba-3.3.x/source/rpc_server/srv_pipe.c

Last change on this file was 224, checked in by Herwig Bauernfeind, 16 years ago

Update Samba 3.3 branch to 3.3.4
File size: 68.4 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20/* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30#include "includes.h"
31
32extern struct current_user current_user;
33
34#undef DBGC_CLASS
35#define DBGC_CLASS DBGC_RPC_SRV
36
37static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38{
39 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41 if (a) {
42 auth_ntlmssp_end(&a);
43 }
44 auth->a_u.auth_ntlmssp_state = NULL;
45}
46
47static DATA_BLOB generic_session_key(void)
48{
49 return data_blob("SystemLibraryDTC", 16);
50}
51
52/*******************************************************************
53 Generate the next PDU to be returned from the data in p->rdata.
54 Handle NTLMSSP.
55 ********************************************************************/
56
57static bool create_next_pdu_ntlmssp(pipes_struct *p)
58{
59 RPC_HDR_RESP hdr_resp;
60 uint32 ss_padding_len = 0;
61 uint32 data_space_available;
62 uint32 data_len_left;
63 uint32 data_len;
64 prs_struct outgoing_pdu;
65 NTSTATUS status;
66 DATA_BLOB auth_blob;
67 RPC_HDR_AUTH auth_info;
68 uint8 auth_type, auth_level;
69 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71 /*
72 * If we're in the fault state, keep returning fault PDU's until
73 * the pipe gets closed. JRA.
74 */
75
76 if(p->fault_state) {
77 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78 return True;
79 }
80
81 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83 /* Change the incoming request header to a response. */
84 p->hdr.pkt_type = RPC_RESPONSE;
85
86 /* Set up rpc header flags. */
87 if (p->out_data.data_sent_length == 0) {
88 p->hdr.flags = RPC_FLG_FIRST;
89 } else {
90 p->hdr.flags = 0;
91 }
92
93 /*
94 * Work out how much we can fit in a single PDU.
95 */
96
97 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99 /*
100 * Ensure there really is data left to send.
101 */
102
103 if(!data_len_left) {
104 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105 return False;
106 }
107
108 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109 RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111 /*
112 * The amount we send is the minimum of the available
113 * space and the amount left to send.
114 */
115
116 data_len = MIN(data_len_left, data_space_available);
117
118 /*
119 * Set up the alloc hint. This should be the data left to
120 * send.
121 */
122
123 hdr_resp.alloc_hint = data_len_left;
124
125 /*
126 * Work out if this PDU will be the last.
127 */
128
129 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130 p->hdr.flags |= RPC_FLG_LAST;
131 if (data_len_left % 8) {
132 ss_padding_len = 8 - (data_len_left % 8);
133 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134 ss_padding_len ));
135 }
136 }
137
138 /*
139 * Set up the header lengths.
140 */
141
142 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143 data_len + ss_padding_len +
144 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148 /*
149 * Init the parse struct to point at the outgoing
150 * data.
151 */
152
153 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156 /* Store the header in the data stream. */
157 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159 prs_mem_free(&outgoing_pdu);
160 return False;
161 }
162
163 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165 prs_mem_free(&outgoing_pdu);
166 return False;
167 }
168
169 /* Copy the data into the PDU. */
170
171 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 /* Copy the sign/seal padding data. */
178 if (ss_padding_len) {
179 char pad[8];
180
181 memset(pad, '\0', 8);
182 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184 (unsigned int)ss_padding_len));
185 prs_mem_free(&outgoing_pdu);
186 return False;
187 }
188 }
189
190
191 /* Now write out the auth header and null blob. */
192 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194 } else {
195 auth_type = RPC_SPNEGO_AUTH_TYPE;
196 }
197 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199 } else {
200 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201 }
202
203 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206 prs_mem_free(&outgoing_pdu);
207 return False;
208 }
209
210 /* Generate the sign blob. */
211
212 switch (p->auth.auth_level) {
213 case PIPE_AUTH_LEVEL_PRIVACY:
214 /* Data portion is encrypted. */
215 status = ntlmssp_seal_packet(a->ntlmssp_state,
216 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217 data_len + ss_padding_len,
218 (unsigned char *)prs_data_p(&outgoing_pdu),
219 (size_t)prs_offset(&outgoing_pdu),
220 &auth_blob);
221 if (!NT_STATUS_IS_OK(status)) {
222 data_blob_free(&auth_blob);
223 prs_mem_free(&outgoing_pdu);
224 return False;
225 }
226 break;
227 case PIPE_AUTH_LEVEL_INTEGRITY:
228 /* Data is signed. */
229 status = ntlmssp_sign_packet(a->ntlmssp_state,
230 (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231 data_len + ss_padding_len,
232 (unsigned char *)prs_data_p(&outgoing_pdu),
233 (size_t)prs_offset(&outgoing_pdu),
234 &auth_blob);
235 if (!NT_STATUS_IS_OK(status)) {
236 data_blob_free(&auth_blob);
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 break;
241 default:
242 prs_mem_free(&outgoing_pdu);
243 return False;
244 }
245
246 /* Append the auth blob. */
247 if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249 (unsigned int)NTLMSSP_SIG_SIZE));
250 data_blob_free(&auth_blob);
251 prs_mem_free(&outgoing_pdu);
252 return False;
253 }
254
255 data_blob_free(&auth_blob);
256
257 /*
258 * Setup the counts for this PDU.
259 */
260
261 p->out_data.data_sent_length += data_len;
262 p->out_data.current_pdu_len = p->hdr.frag_len;
263 p->out_data.current_pdu_sent = 0;
264
265 prs_mem_free(&outgoing_pdu);
266 return True;
267}
268
269/*******************************************************************
270 Generate the next PDU to be returned from the data in p->rdata.
271 Return an schannel authenticated fragment.
272 ********************************************************************/
273
274static bool create_next_pdu_schannel(pipes_struct *p)
275{
276 RPC_HDR_RESP hdr_resp;
277 uint32 ss_padding_len = 0;
278 uint32 data_len;
279 uint32 data_space_available;
280 uint32 data_len_left;
281 prs_struct outgoing_pdu;
282 uint32 data_pos;
283
284 /*
285 * If we're in the fault state, keep returning fault PDU's until
286 * the pipe gets closed. JRA.
287 */
288
289 if(p->fault_state) {
290 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291 return True;
292 }
293
294 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296 /* Change the incoming request header to a response. */
297 p->hdr.pkt_type = RPC_RESPONSE;
298
299 /* Set up rpc header flags. */
300 if (p->out_data.data_sent_length == 0) {
301 p->hdr.flags = RPC_FLG_FIRST;
302 } else {
303 p->hdr.flags = 0;
304 }
305
306 /*
307 * Work out how much we can fit in a single PDU.
308 */
309
310 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312 /*
313 * Ensure there really is data left to send.
314 */
315
316 if(!data_len_left) {
317 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318 return False;
319 }
320
321 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322 RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324 /*
325 * The amount we send is the minimum of the available
326 * space and the amount left to send.
327 */
328
329 data_len = MIN(data_len_left, data_space_available);
330
331 /*
332 * Set up the alloc hint. This should be the data left to
333 * send.
334 */
335
336 hdr_resp.alloc_hint = data_len_left;
337
338 /*
339 * Work out if this PDU will be the last.
340 */
341
342 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343 p->hdr.flags |= RPC_FLG_LAST;
344 if (data_len_left % 8) {
345 ss_padding_len = 8 - (data_len_left % 8);
346 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347 ss_padding_len ));
348 }
349 }
350
351 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355 /*
356 * Init the parse struct to point at the outgoing
357 * data.
358 */
359
360 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363 /* Store the header in the data stream. */
364 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366 prs_mem_free(&outgoing_pdu);
367 return False;
368 }
369
370 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372 prs_mem_free(&outgoing_pdu);
373 return False;
374 }
375
376 /* Store the current offset. */
377 data_pos = prs_offset(&outgoing_pdu);
378
379 /* Copy the data into the PDU. */
380
381 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383 prs_mem_free(&outgoing_pdu);
384 return False;
385 }
386
387 /* Copy the sign/seal padding data. */
388 if (ss_padding_len) {
389 char pad[8];
390 memset(pad, '\0', 8);
391 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393 prs_mem_free(&outgoing_pdu);
394 return False;
395 }
396 }
397
398 {
399 /*
400 * Schannel processing.
401 */
402 char *data;
403 RPC_HDR_AUTH auth_info;
404 RPC_AUTH_SCHANNEL_CHK verf;
405
406 data = prs_data_p(&outgoing_pdu) + data_pos;
407 /* Check it's the type of reply we were expecting to decode */
408
409 init_rpc_hdr_auth(&auth_info,
410 RPC_SCHANNEL_AUTH_TYPE,
411 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412 RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413 ss_padding_len, 1);
414
415 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417 prs_mem_free(&outgoing_pdu);
418 return False;
419 }
420
421 schannel_encode(p->auth.a_u.schannel_auth,
422 p->auth.auth_level,
423 SENDER_IS_ACCEPTOR,
424 &verf, data, data_len + ss_padding_len);
425
426 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
427 &verf, &outgoing_pdu, 0)) {
428 prs_mem_free(&outgoing_pdu);
429 return False;
430 }
431
432 p->auth.a_u.schannel_auth->seq_num++;
433 }
434
435 /*
436 * Setup the counts for this PDU.
437 */
438
439 p->out_data.data_sent_length += data_len;
440 p->out_data.current_pdu_len = p->hdr.frag_len;
441 p->out_data.current_pdu_sent = 0;
442
443 prs_mem_free(&outgoing_pdu);
444 return True;
445}
446
447/*******************************************************************
448 Generate the next PDU to be returned from the data in p->rdata.
449 No authentication done.
450********************************************************************/
451
452static bool create_next_pdu_noauth(pipes_struct *p)
453{
454 RPC_HDR_RESP hdr_resp;
455 uint32 data_len;
456 uint32 data_space_available;
457 uint32 data_len_left;
458 prs_struct outgoing_pdu;
459
460 /*
461 * If we're in the fault state, keep returning fault PDU's until
462 * the pipe gets closed. JRA.
463 */
464
465 if(p->fault_state) {
466 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467 return True;
468 }
469
470 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472 /* Change the incoming request header to a response. */
473 p->hdr.pkt_type = RPC_RESPONSE;
474
475 /* Set up rpc header flags. */
476 if (p->out_data.data_sent_length == 0) {
477 p->hdr.flags = RPC_FLG_FIRST;
478 } else {
479 p->hdr.flags = 0;
480 }
481
482 /*
483 * Work out how much we can fit in a single PDU.
484 */
485
486 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488 /*
489 * Ensure there really is data left to send.
490 */
491
492 if(!data_len_left) {
493 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494 return False;
495 }
496
497 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499 /*
500 * The amount we send is the minimum of the available
501 * space and the amount left to send.
502 */
503
504 data_len = MIN(data_len_left, data_space_available);
505
506 /*
507 * Set up the alloc hint. This should be the data left to
508 * send.
509 */
510
511 hdr_resp.alloc_hint = data_len_left;
512
513 /*
514 * Work out if this PDU will be the last.
515 */
516
517 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518 p->hdr.flags |= RPC_FLG_LAST;
519 }
520
521 /*
522 * Set up the header lengths.
523 */
524
525 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526 p->hdr.auth_len = 0;
527
528 /*
529 * Init the parse struct to point at the outgoing
530 * data.
531 */
532
533 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536 /* Store the header in the data stream. */
537 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539 prs_mem_free(&outgoing_pdu);
540 return False;
541 }
542
543 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545 prs_mem_free(&outgoing_pdu);
546 return False;
547 }
548
549 /* Copy the data into the PDU. */
550
551 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553 prs_mem_free(&outgoing_pdu);
554 return False;
555 }
556
557 /*
558 * Setup the counts for this PDU.
559 */
560
561 p->out_data.data_sent_length += data_len;
562 p->out_data.current_pdu_len = p->hdr.frag_len;
563 p->out_data.current_pdu_sent = 0;
564
565 prs_mem_free(&outgoing_pdu);
566 return True;
567}
568
569/*******************************************************************
570 Generate the next PDU to be returned from the data in p->rdata.
571********************************************************************/
572
573bool create_next_pdu(pipes_struct *p)
574{
575 switch(p->auth.auth_level) {
576 case PIPE_AUTH_LEVEL_NONE:
577 case PIPE_AUTH_LEVEL_CONNECT:
578 /* This is incorrect for auth level connect. Fixme. JRA */
579 return create_next_pdu_noauth(p);
580
581 default:
582 switch(p->auth.auth_type) {
583 case PIPE_AUTH_TYPE_NTLMSSP:
584 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585 return create_next_pdu_ntlmssp(p);
586 case PIPE_AUTH_TYPE_SCHANNEL:
587 return create_next_pdu_schannel(p);
588 default:
589 break;
590 }
591 }
592
593 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594 (unsigned int)p->auth.auth_level,
595 (unsigned int)p->auth.auth_type));
596 return False;
597}
598
599/*******************************************************************
600 Process an NTLMSSP authentication response.
601 If this function succeeds, the user has been authenticated
602 and their domain, name and calling workstation stored in
603 the pipe struct.
604*******************************************************************/
605
606static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607{
608 DATA_BLOB session_key, reply;
609 NTSTATUS status;
610 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611 bool ret;
612
613 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615 ZERO_STRUCT(reply);
616
617 /* Set up for non-authenticated user. */
618 TALLOC_FREE(p->pipe_user.nt_user_token);
619 p->pipe_user.ut.ngroups = 0;
620 SAFE_FREE( p->pipe_user.ut.groups);
621
622 /* this has to be done as root in order to verify the password */
623 become_root();
624 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
625 unbecome_root();
626
627 /* Don't generate a reply. */
628 data_blob_free(&reply);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 return False;
632 }
633
634 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
635 ensure the underlying NTLMSSP flags are also set. If not we should
636 refuse the bind. */
637
638 if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
639 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
640 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
641 "but client declined signing.\n",
642 p->name ));
643 return False;
644 }
645 }
646 if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
647 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
648 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
649 "but client declined sealing.\n",
650 p->name ));
651 return False;
652 }
653 }
654
655 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
656 "workstation: %s\n", a->ntlmssp_state->user,
657 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
658
659 /*
660 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
661 */
662
663 p->pipe_user.ut.uid = a->server_info->utok.uid;
664 p->pipe_user.ut.gid = a->server_info->utok.gid;
665
666 p->pipe_user.ut.ngroups = a->server_info->utok.ngroups;
667 if (p->pipe_user.ut.ngroups) {
668 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(
669 a->server_info->utok.groups,
670 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
671 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
672 return False;
673 }
674 }
675
676 if (a->server_info->ptok) {
677 p->pipe_user.nt_user_token =
678 dup_nt_token(NULL, a->server_info->ptok);
679 } else {
680 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
681 p->pipe_user.nt_user_token = NULL;
682 return False;
683 }
684
685 TALLOC_FREE(p->server_info);
686
687 p->server_info = copy_serverinfo(p, a->server_info);
688 if (p->server_info == NULL) {
689 DEBUG(0, ("copy_serverinfo failed\n"));
690 return false;
691 }
692
693 /*
694 * We're an authenticated bind over smb, so the session key needs to
695 * be set to "SystemLibraryDTC". Weird, but this is what Windows
696 * does. See the RPC-SAMBA3SESSIONKEY.
697 */
698
699 session_key = generic_session_key();
700 if (session_key.data == NULL) {
701 return False;
702 }
703
704 ret = server_info_set_session_key(p->server_info, session_key);
705
706 data_blob_free(&session_key);
707
708 return True;
709}
710
711/*******************************************************************
712 The switch table for the pipe names and the functions to handle them.
713*******************************************************************/
714
715struct rpc_table {
716 struct {
717 const char *clnt;
718 const char *srv;
719 } pipe;
720 struct ndr_syntax_id rpc_interface;
721 const struct api_struct *cmds;
722 int n_cmds;
723};
724
725static struct rpc_table *rpc_lookup;
726static int rpc_lookup_size;
727
728/*******************************************************************
729 This is the "stage3" NTLMSSP response after a bind request and reply.
730*******************************************************************/
731
732bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
733{
734 RPC_HDR_AUTH auth_info;
735 uint32 pad = 0;
736 DATA_BLOB blob;
737
738 ZERO_STRUCT(blob);
739
740 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
741
742 if (p->hdr.auth_len == 0) {
743 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
744 goto err;
745 }
746
747 /* 4 bytes padding. */
748 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
749 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
750 goto err;
751 }
752
753 /*
754 * Decode the authentication verifier response.
755 */
756
757 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
758 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
759 goto err;
760 }
761
762 if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
763 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
764 (unsigned int)auth_info.auth_type ));
765 return False;
766 }
767
768 blob = data_blob(NULL,p->hdr.auth_len);
769
770 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
771 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
772 (unsigned int)p->hdr.auth_len ));
773 goto err;
774 }
775
776 /*
777 * The following call actually checks the challenge/response data.
778 * for correctness against the given DOMAIN\user name.
779 */
780
781 if (!pipe_ntlmssp_verify_final(p, &blob)) {
782 goto err;
783 }
784
785 data_blob_free(&blob);
786
787 p->pipe_bound = True;
788
789 return True;
790
791 err:
792
793 data_blob_free(&blob);
794 free_pipe_ntlmssp_auth_data(&p->auth);
795 p->auth.a_u.auth_ntlmssp_state = NULL;
796
797 return False;
798}
799
800/*******************************************************************
801 Marshall a bind_nak pdu.
802*******************************************************************/
803
804static bool setup_bind_nak(pipes_struct *p)
805{
806 prs_struct outgoing_rpc;
807 RPC_HDR nak_hdr;
808 uint16 zero = 0;
809
810 /* Free any memory in the current return data buffer. */
811 prs_mem_free(&p->out_data.rdata);
812
813 /*
814 * Marshall directly into the outgoing PDU space. We
815 * must do this as we need to set to the bind response
816 * header and are never sending more than one PDU here.
817 */
818
819 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
820 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
821
822 /*
823 * Initialize a bind_nak header.
824 */
825
826 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
827 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
828
829 /*
830 * Marshall the header into the outgoing PDU.
831 */
832
833 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
834 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
835 prs_mem_free(&outgoing_rpc);
836 return False;
837 }
838
839 /*
840 * Now add the reject reason.
841 */
842
843 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
844 prs_mem_free(&outgoing_rpc);
845 return False;
846 }
847
848 p->out_data.data_sent_length = 0;
849 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
850 p->out_data.current_pdu_sent = 0;
851
852 if (p->auth.auth_data_free_func) {
853 (*p->auth.auth_data_free_func)(&p->auth);
854 }
855 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
856 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
857 p->pipe_bound = False;
858
859 return True;
860}
861
862/*******************************************************************
863 Marshall a fault pdu.
864*******************************************************************/
865
866bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
867{
868 prs_struct outgoing_pdu;
869 RPC_HDR fault_hdr;
870 RPC_HDR_RESP hdr_resp;
871 RPC_HDR_FAULT fault_resp;
872
873 /* Free any memory in the current return data buffer. */
874 prs_mem_free(&p->out_data.rdata);
875
876 /*
877 * Marshall directly into the outgoing PDU space. We
878 * must do this as we need to set to the bind response
879 * header and are never sending more than one PDU here.
880 */
881
882 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
883 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
884
885 /*
886 * Initialize a fault header.
887 */
888
889 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
890 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
891
892 /*
893 * Initialize the HDR_RESP and FAULT parts of the PDU.
894 */
895
896 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
897
898 fault_resp.status = status;
899 fault_resp.reserved = 0;
900
901 /*
902 * Marshall the header into the outgoing PDU.
903 */
904
905 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
906 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
907 prs_mem_free(&outgoing_pdu);
908 return False;
909 }
910
911 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
912 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
913 prs_mem_free(&outgoing_pdu);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
919 prs_mem_free(&outgoing_pdu);
920 return False;
921 }
922
923 p->out_data.data_sent_length = 0;
924 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
925 p->out_data.current_pdu_sent = 0;
926
927 prs_mem_free(&outgoing_pdu);
928 return True;
929}
930
931#if 0
932/*******************************************************************
933 Marshall a cancel_ack pdu.
934 We should probably check the auth-verifier here.
935*******************************************************************/
936
937bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
938{
939 prs_struct outgoing_pdu;
940 RPC_HDR ack_reply_hdr;
941
942 /* Free any memory in the current return data buffer. */
943 prs_mem_free(&p->out_data.rdata);
944
945 /*
946 * Marshall directly into the outgoing PDU space. We
947 * must do this as we need to set to the bind response
948 * header and are never sending more than one PDU here.
949 */
950
951 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
952 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
953
954 /*
955 * Initialize a cancel_ack header.
956 */
957
958 init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
959 p->hdr.call_id, RPC_HEADER_LEN, 0);
960
961 /*
962 * Marshall the header into the outgoing PDU.
963 */
964
965 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
966 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
967 prs_mem_free(&outgoing_pdu);
968 return False;
969 }
970
971 p->out_data.data_sent_length = 0;
972 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
973 p->out_data.current_pdu_sent = 0;
974
975 prs_mem_free(&outgoing_pdu);
976 return True;
977}
978#endif
979
980/*******************************************************************
981 Ensure a bind request has the correct abstract & transfer interface.
982 Used to reject unknown binds from Win2k.
983*******************************************************************/
984
985bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
986 RPC_IFACE* transfer, uint32 context_id)
987{
988 int i=0;
989 struct pipe_rpc_fns *context_fns;
990
991 DEBUG(3,("check_bind_req for %s\n", p->name));
992
993 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994
995 for (i=0; i<rpc_lookup_size; i++) {
996 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
997 if (ndr_syntax_id_equal(
998 abstract, &rpc_lookup[i].rpc_interface)
999 && ndr_syntax_id_equal(
1000 transfer, &ndr_transfer_syntax)) {
1001 break;
1002 }
1003 }
1004
1005 if (i == rpc_lookup_size) {
1006 return false;
1007 }
1008
1009 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1010 if (context_fns == NULL) {
1011 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1012 return False;
1013 }
1014
1015 context_fns->cmds = rpc_lookup[i].cmds;
1016 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1017 context_fns->context_id = context_id;
1018
1019 /* add to the list of open contexts */
1020
1021 DLIST_ADD( p->contexts, context_fns );
1022
1023 return True;
1024}
1025
1026/*******************************************************************
1027 Register commands to an RPC pipe
1028*******************************************************************/
1029
1030NTSTATUS rpc_pipe_register_commands(int version, const char *clnt,
1031 const char *srv,
1032 const struct ndr_syntax_id *interface,
1033 const struct api_struct *cmds, int size)
1034{
1035 struct rpc_table *rpc_entry;
1036
1037 if (!clnt || !srv || !cmds) {
1038 return NT_STATUS_INVALID_PARAMETER;
1039 }
1040
1041 if (version != SMB_RPC_INTERFACE_VERSION) {
1042 DEBUG(0,("Can't register rpc commands!\n"
1043 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1044 ", while this version of samba uses version %d!\n",
1045 version,SMB_RPC_INTERFACE_VERSION));
1046 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1047 }
1048
1049 /* TODO:
1050 *
1051 * we still need to make sure that don't register the same commands twice!!!
1052 *
1053 * --metze
1054 */
1055
1056 /* We use a temporary variable because this call can fail and
1057 rpc_lookup will still be valid afterwards. It could then succeed if
1058 called again later */
1059 rpc_lookup_size++;
1060 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1061 if (NULL == rpc_entry) {
1062 rpc_lookup_size--;
1063 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1064 return NT_STATUS_NO_MEMORY;
1065 } else {
1066 rpc_lookup = rpc_entry;
1067 }
1068
1069 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1070 ZERO_STRUCTP(rpc_entry);
1071 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1072 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1073 rpc_entry->rpc_interface = *interface;
1074 rpc_entry->cmds = cmds;
1075 rpc_entry->n_cmds = size;
1076
1077 return NT_STATUS_OK;
1078}
1079
1080/**
1081 * Is a named pipe known?
1082 * @param[in] cli_filename The pipe name requested by the client
1083 * @result Do we want to serve this?
1084 */
1085bool is_known_pipename(const char *cli_filename)
1086{
1087 const char *pipename = cli_filename;
1088 int i;
1089
1090 if (strnequal(pipename, "\\PIPE\\", 6)) {
1091 pipename += 5;
1092 }
1093
1094 if (*pipename == '\\') {
1095 pipename += 1;
1096 }
1097
1098 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1099 DEBUG(10, ("refusing spoolss access\n"));
1100 return false;
1101 }
1102
1103 for (i=0; i<rpc_lookup_size; i++) {
1104 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1105 return true;
1106 }
1107 }
1108
1109 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1110 return false;
1111}
1112
1113/*******************************************************************
1114 Handle a SPNEGO krb5 bind auth.
1115*******************************************************************/
1116
1117static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1118 DATA_BLOB *psecblob, prs_struct *pout_auth)
1119{
1120 return False;
1121}
1122
1123/*******************************************************************
1124 Handle the first part of a SPNEGO bind auth.
1125*******************************************************************/
1126
1127static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1128 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1129{
1130 DATA_BLOB blob;
1131 DATA_BLOB secblob;
1132 DATA_BLOB response;
1133 DATA_BLOB chal;
1134 char *OIDs[ASN1_MAX_OIDS];
1135 int i;
1136 NTSTATUS status;
1137 bool got_kerberos_mechanism = false;
1138 AUTH_NTLMSSP_STATE *a = NULL;
1139 RPC_HDR_AUTH auth_info;
1140
1141 ZERO_STRUCT(secblob);
1142 ZERO_STRUCT(chal);
1143 ZERO_STRUCT(response);
1144
1145 /* Grab the SPNEGO blob. */
1146 blob = data_blob(NULL,p->hdr.auth_len);
1147
1148 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1149 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1150 (unsigned int)p->hdr.auth_len ));
1151 goto err;
1152 }
1153
1154 if (blob.data[0] != ASN1_APPLICATION(0)) {
1155 goto err;
1156 }
1157
1158 /* parse out the OIDs and the first sec blob */
1159 if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1160 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1161 goto err;
1162 }
1163
1164 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1165 got_kerberos_mechanism = true;
1166 }
1167
1168 for (i=0;OIDs[i];i++) {
1169 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1170 SAFE_FREE(OIDs[i]);
1171 }
1172 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1173
1174 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1175 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1176 data_blob_free(&secblob);
1177 data_blob_free(&blob);
1178 return ret;
1179 }
1180
1181 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1182 /* Free any previous auth type. */
1183 free_pipe_ntlmssp_auth_data(&p->auth);
1184 }
1185
1186 if (!got_kerberos_mechanism) {
1187 /* Initialize the NTLM engine. */
1188 status = auth_ntlmssp_start(&a);
1189 if (!NT_STATUS_IS_OK(status)) {
1190 goto err;
1191 }
1192
1193 /*
1194 * Pass the first security blob of data to it.
1195 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1196 * which means we need another packet to complete the bind.
1197 */
1198
1199 status = auth_ntlmssp_update(a, secblob, &chal);
1200
1201 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1202 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1203 goto err;
1204 }
1205
1206 /* Generate the response blob we need for step 2 of the bind. */
1207 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1208 } else {
1209 /*
1210 * SPNEGO negotiate down to NTLMSSP. The subsequent
1211 * code to process follow-up packets is not complete
1212 * yet. JRA.
1213 */
1214 response = spnego_gen_auth_response(NULL,
1215 NT_STATUS_MORE_PROCESSING_REQUIRED,
1216 OID_NTLMSSP);
1217 }
1218
1219 /* Copy the blob into the pout_auth parse struct */
1220 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1221 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1222 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1223 goto err;
1224 }
1225
1226 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1227 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1228 goto err;
1229 }
1230
1231 p->auth.a_u.auth_ntlmssp_state = a;
1232 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1233 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1234
1235 data_blob_free(&blob);
1236 data_blob_free(&secblob);
1237 data_blob_free(&chal);
1238 data_blob_free(&response);
1239
1240 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1241 return True;
1242
1243 err:
1244
1245 data_blob_free(&blob);
1246 data_blob_free(&secblob);
1247 data_blob_free(&chal);
1248 data_blob_free(&response);
1249
1250 p->auth.a_u.auth_ntlmssp_state = NULL;
1251
1252 return False;
1253}
1254
1255/*******************************************************************
1256 Handle the second part of a SPNEGO bind auth.
1257*******************************************************************/
1258
1259static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1260 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1261{
1262 RPC_HDR_AUTH auth_info;
1263 DATA_BLOB spnego_blob;
1264 DATA_BLOB auth_blob;
1265 DATA_BLOB auth_reply;
1266 DATA_BLOB response;
1267 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1268
1269 ZERO_STRUCT(spnego_blob);
1270 ZERO_STRUCT(auth_blob);
1271 ZERO_STRUCT(auth_reply);
1272 ZERO_STRUCT(response);
1273
1274 /*
1275 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1276 * fail here as 'a' == NULL.
1277 */
1278 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1279 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1280 goto err;
1281 }
1282
1283 /* Grab the SPNEGO blob. */
1284 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1285
1286 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1287 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1288 (unsigned int)p->hdr.auth_len ));
1289 goto err;
1290 }
1291
1292 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1293 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1294 goto err;
1295 }
1296
1297 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1298 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1299 goto err;
1300 }
1301
1302 /*
1303 * The following call actually checks the challenge/response data.
1304 * for correctness against the given DOMAIN\user name.
1305 */
1306
1307 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1308 goto err;
1309 }
1310
1311 data_blob_free(&spnego_blob);
1312 data_blob_free(&auth_blob);
1313
1314 /* Generate the spnego "accept completed" blob - no incoming data. */
1315 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1316
1317 /* Copy the blob into the pout_auth parse struct */
1318 init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1319 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1320 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1321 goto err;
1322 }
1323
1324 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1325 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1326 goto err;
1327 }
1328
1329 data_blob_free(&auth_reply);
1330 data_blob_free(&response);
1331
1332 p->pipe_bound = True;
1333
1334 return True;
1335
1336 err:
1337
1338 data_blob_free(&spnego_blob);
1339 data_blob_free(&auth_blob);
1340 data_blob_free(&auth_reply);
1341 data_blob_free(&response);
1342
1343 free_pipe_ntlmssp_auth_data(&p->auth);
1344 p->auth.a_u.auth_ntlmssp_state = NULL;
1345
1346 return False;
1347}
1348
1349/*******************************************************************
1350 Handle an schannel bind auth.
1351*******************************************************************/
1352
1353static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1354 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1355{
1356 RPC_HDR_AUTH auth_info;
1357 RPC_AUTH_SCHANNEL_NEG neg;
1358 RPC_AUTH_VERIFIER auth_verifier;
1359 bool ret;
1360 struct dcinfo *pdcinfo;
1361 uint32 flags;
1362 DATA_BLOB session_key;
1363
1364 if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1365 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1366 return False;
1367 }
1368
1369 /*
1370 * The neg.myname key here must match the remote computer name
1371 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1372 * operations that use credentials.
1373 */
1374
1375 become_root();
1376 ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1377 unbecome_root();
1378
1379 if (!ret) {
1380 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1381 return False;
1382 }
1383
1384 p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1385 if (!p->auth.a_u.schannel_auth) {
1386 TALLOC_FREE(pdcinfo);
1387 return False;
1388 }
1389
1390 memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1391 memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1392 sizeof(pdcinfo->sess_key));
1393
1394 TALLOC_FREE(pdcinfo);
1395
1396 p->auth.a_u.schannel_auth->seq_num = 0;
1397
1398 /*
1399 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1400 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1401 * struct of the person who opened the pipe. I need to test this further. JRA.
1402 *
1403 * VL. As we are mapping this to guest set the generic key
1404 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1405 * W2k3, as it does not allow schannel binds against SAMR and LSA
1406 * anymore.
1407 */
1408
1409 session_key = generic_session_key();
1410 if (session_key.data == NULL) {
1411 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1412 " key\n"));
1413 return false;
1414 }
1415
1416 ret = server_info_set_session_key(p->server_info, session_key);
1417
1418 data_blob_free(&session_key);
1419
1420 if (!ret) {
1421 DEBUG(0, ("server_info_set_session_key failed\n"));
1422 return false;
1423 }
1424
1425 init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1426 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1427 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1428 return False;
1429 }
1430
1431 /*** SCHANNEL verifier ***/
1432
1433 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1434 if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1435 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1436 return False;
1437 }
1438
1439 prs_align(pout_auth);
1440
1441 flags = 5;
1442 if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1443 return False;
1444 }
1445
1446 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1447 neg.domain, neg.myname));
1448
1449 /* We're finished with this bind - no more packets. */
1450 p->auth.auth_data_free_func = NULL;
1451 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1452
1453 p->pipe_bound = True;
1454
1455 return True;
1456}
1457
1458/*******************************************************************
1459 Handle an NTLMSSP bind auth.
1460*******************************************************************/
1461
1462static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1463 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1464{
1465 RPC_HDR_AUTH auth_info;
1466 DATA_BLOB blob;
1467 DATA_BLOB response;
1468 NTSTATUS status;
1469 AUTH_NTLMSSP_STATE *a = NULL;
1470
1471 ZERO_STRUCT(blob);
1472 ZERO_STRUCT(response);
1473
1474 /* Grab the NTLMSSP blob. */
1475 blob = data_blob(NULL,p->hdr.auth_len);
1476
1477 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1478 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1479 (unsigned int)p->hdr.auth_len ));
1480 goto err;
1481 }
1482
1483 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1484 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1485 goto err;
1486 }
1487
1488 /* We have an NTLMSSP blob. */
1489 status = auth_ntlmssp_start(&a);
1490 if (!NT_STATUS_IS_OK(status)) {
1491 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1492 nt_errstr(status) ));
1493 goto err;
1494 }
1495
1496 status = auth_ntlmssp_update(a, blob, &response);
1497 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1498 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1499 nt_errstr(status) ));
1500 goto err;
1501 }
1502
1503 data_blob_free(&blob);
1504
1505 /* Copy the blob into the pout_auth parse struct */
1506 init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1507 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1508 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1509 goto err;
1510 }
1511
1512 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1513 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1514 goto err;
1515 }
1516
1517 p->auth.a_u.auth_ntlmssp_state = a;
1518 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1519 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1520
1521 data_blob_free(&blob);
1522 data_blob_free(&response);
1523
1524 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1525
1526 /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1527 return True;
1528
1529 err:
1530
1531 data_blob_free(&blob);
1532 data_blob_free(&response);
1533
1534 free_pipe_ntlmssp_auth_data(&p->auth);
1535 p->auth.a_u.auth_ntlmssp_state = NULL;
1536 return False;
1537}
1538
1539/*******************************************************************
1540 Respond to a pipe bind request.
1541*******************************************************************/
1542
1543bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1544{
1545 RPC_HDR_BA hdr_ba;
1546 RPC_HDR_RB hdr_rb;
1547 RPC_HDR_AUTH auth_info;
1548 uint16 assoc_gid;
1549 fstring ack_pipe_name;
1550 prs_struct out_hdr_ba;
1551 prs_struct out_auth;
1552 prs_struct outgoing_rpc;
1553 int i = 0;
1554 int auth_len = 0;
1555 unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1556
1557 /* No rebinds on a bound pipe - use alter context. */
1558 if (p->pipe_bound) {
1559 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1560 return setup_bind_nak(p);
1561 }
1562
1563 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1564
1565 /*
1566 * Marshall directly into the outgoing PDU space. We
1567 * must do this as we need to set to the bind response
1568 * header and are never sending more than one PDU here.
1569 */
1570
1571 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1572
1573 /*
1574 * Setup the memory to marshall the ba header, and the
1575 * auth footers.
1576 */
1577
1578 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1579 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1580 prs_mem_free(&outgoing_rpc);
1581 return False;
1582 }
1583
1584 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1585 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1586 prs_mem_free(&outgoing_rpc);
1587 prs_mem_free(&out_hdr_ba);
1588 return False;
1589 }
1590
1591 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1592
1593 ZERO_STRUCT(hdr_rb);
1594
1595 /* decode the bind request */
1596
1597 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1598 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1599 "struct.\n"));
1600 goto err_exit;
1601 }
1602
1603 if (hdr_rb.num_contexts == 0) {
1604 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1605 goto err_exit;
1606 }
1607
1608 /*
1609 * Try and find the correct pipe name to ensure
1610 * that this is a pipe name we support.
1611 */
1612
1613 for (i = 0; i < rpc_lookup_size; i++) {
1614 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1615 &hdr_rb.rpc_context[0].abstract)) {
1616 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1617 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1618 fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1619 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1620 break;
1621 }
1622 }
1623
1624 if (i == rpc_lookup_size) {
1625 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1626 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1627 p->name ));
1628 prs_mem_free(&outgoing_rpc);
1629 prs_mem_free(&out_hdr_ba);
1630 prs_mem_free(&out_auth);
1631
1632 return setup_bind_nak(p);
1633 }
1634
1635 for (i = 0; i < rpc_lookup_size; i++) {
1636 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1637 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1638 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1639 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1640 break;
1641 }
1642 }
1643
1644 if (i == rpc_lookup_size) {
1645 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1646 goto err_exit;
1647 }
1648 }
1649
1650 /* name has to be \PIPE\xxxxx */
1651 fstrcpy(ack_pipe_name, "\\PIPE\\");
1652 fstrcat(ack_pipe_name, p->pipe_srv_name);
1653
1654 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1655
1656 /*
1657 * Check if this is an authenticated bind request.
1658 */
1659
1660 if (p->hdr.auth_len) {
1661 /*
1662 * Decode the authentication verifier.
1663 */
1664
1665 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1666 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1667 goto err_exit;
1668 }
1669
1670 auth_type = auth_info.auth_type;
1671
1672 /* Work out if we have to sign or seal etc. */
1673 switch (auth_info.auth_level) {
1674 case RPC_AUTH_LEVEL_INTEGRITY:
1675 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1676 break;
1677 case RPC_AUTH_LEVEL_PRIVACY:
1678 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1679 break;
1680 default:
1681 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1682 (unsigned int)auth_info.auth_level ));
1683 goto err_exit;
1684 }
1685 } else {
1686 ZERO_STRUCT(auth_info);
1687 }
1688
1689 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1690
1691 switch(auth_type) {
1692 case RPC_NTLMSSP_AUTH_TYPE:
1693 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1694 goto err_exit;
1695 }
1696 assoc_gid = 0x7a77;
1697 break;
1698
1699 case RPC_SCHANNEL_AUTH_TYPE:
1700 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1701 goto err_exit;
1702 }
1703 break;
1704
1705 case RPC_SPNEGO_AUTH_TYPE:
1706 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1707 goto err_exit;
1708 }
1709 break;
1710
1711 case RPC_ANONYMOUS_AUTH_TYPE:
1712 /* Unauthenticated bind request. */
1713 /* Get the authenticated pipe user from current_user */
1714 if (!copy_current_user(&p->pipe_user, &current_user)) {
1715 DEBUG(10, ("Could not copy current user\n"));
1716 goto err_exit;
1717 }
1718 /* We're finished - no more packets. */
1719 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1720 /* We must set the pipe auth_level here also. */
1721 p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1722 p->pipe_bound = True;
1723 /* The session key was initialized from the SMB
1724 * session in make_internal_rpc_pipe_p */
1725 break;
1726
1727 default:
1728 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1729 goto err_exit;
1730 }
1731
1732 /*
1733 * Create the bind response struct.
1734 */
1735
1736 /* If the requested abstract synt uuid doesn't match our client pipe,
1737 reject the bind_ack & set the transfer interface synt to all 0's,
1738 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1739 unknown to NT4)
1740 Needed when adding entries to a DACL from NT5 - SK */
1741
1742 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1743 hdr_rb.rpc_context[0].context_id )) {
1744 init_rpc_hdr_ba(&hdr_ba,
1745 RPC_MAX_PDU_FRAG_LEN,
1746 RPC_MAX_PDU_FRAG_LEN,
1747 assoc_gid,
1748 ack_pipe_name,
1749 0x1, 0x0, 0x0,
1750 &hdr_rb.rpc_context[0].transfer[0]);
1751 } else {
1752 RPC_IFACE null_interface;
1753 ZERO_STRUCT(null_interface);
1754 /* Rejection reason: abstract syntax not supported */
1755 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1756 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1757 ack_pipe_name, 0x1, 0x2, 0x1,
1758 &null_interface);
1759 p->pipe_bound = False;
1760 }
1761
1762 /*
1763 * and marshall it.
1764 */
1765
1766 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1767 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1768 goto err_exit;
1769 }
1770
1771 /*
1772 * Create the header, now we know the length.
1773 */
1774
1775 if (prs_offset(&out_auth)) {
1776 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1777 }
1778
1779 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1780 p->hdr.call_id,
1781 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1782 auth_len);
1783
1784 /*
1785 * Marshall the header into the outgoing PDU.
1786 */
1787
1788 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1789 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1790 goto err_exit;
1791 }
1792
1793 /*
1794 * Now add the RPC_HDR_BA and any auth needed.
1795 */
1796
1797 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1798 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1799 goto err_exit;
1800 }
1801
1802 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1803 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1804 goto err_exit;
1805 }
1806
1807 /*
1808 * Setup the lengths for the initial reply.
1809 */
1810
1811 p->out_data.data_sent_length = 0;
1812 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1813 p->out_data.current_pdu_sent = 0;
1814
1815 prs_mem_free(&out_hdr_ba);
1816 prs_mem_free(&out_auth);
1817
1818 return True;
1819
1820 err_exit:
1821
1822 prs_mem_free(&outgoing_rpc);
1823 prs_mem_free(&out_hdr_ba);
1824 prs_mem_free(&out_auth);
1825 return setup_bind_nak(p);
1826}
1827
1828/****************************************************************************
1829 Deal with an alter context call. Can be third part of 3 leg auth request for
1830 SPNEGO calls.
1831****************************************************************************/
1832
1833bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1834{
1835 RPC_HDR_BA hdr_ba;
1836 RPC_HDR_RB hdr_rb;
1837 RPC_HDR_AUTH auth_info;
1838 uint16 assoc_gid;
1839 fstring ack_pipe_name;
1840 prs_struct out_hdr_ba;
1841 prs_struct out_auth;
1842 prs_struct outgoing_rpc;
1843 int auth_len = 0;
1844
1845 prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1846
1847 /*
1848 * Marshall directly into the outgoing PDU space. We
1849 * must do this as we need to set to the bind response
1850 * header and are never sending more than one PDU here.
1851 */
1852
1853 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1854
1855 /*
1856 * Setup the memory to marshall the ba header, and the
1857 * auth footers.
1858 */
1859
1860 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1861 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1862 prs_mem_free(&outgoing_rpc);
1863 return False;
1864 }
1865
1866 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1867 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1868 prs_mem_free(&outgoing_rpc);
1869 prs_mem_free(&out_hdr_ba);
1870 return False;
1871 }
1872
1873 ZERO_STRUCT(hdr_rb);
1874
1875 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1876
1877 /* decode the alter context request */
1878 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1879 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1880 goto err_exit;
1881 }
1882
1883 /* secondary address CAN be NULL
1884 * as the specs say it's ignored.
1885 * It MUST be NULL to have the spoolss working.
1886 */
1887 fstrcpy(ack_pipe_name,"");
1888
1889 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1890
1891 /*
1892 * Check if this is an authenticated alter context request.
1893 */
1894
1895 if (p->hdr.auth_len != 0) {
1896 /*
1897 * Decode the authentication verifier.
1898 */
1899
1900 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1901 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1902 goto err_exit;
1903 }
1904
1905 /*
1906 * Currently only the SPNEGO auth type uses the alter ctx
1907 * response in place of the NTLMSSP auth3 type.
1908 */
1909
1910 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1911 /* We can only finish if the pipe is unbound. */
1912 if (!p->pipe_bound) {
1913 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1914 goto err_exit;
1915 }
1916 } else {
1917 goto err_exit;
1918 }
1919 }
1920 } else {
1921 ZERO_STRUCT(auth_info);
1922 }
1923
1924 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1925
1926 /*
1927 * Create the bind response struct.
1928 */
1929
1930 /* If the requested abstract synt uuid doesn't match our client pipe,
1931 reject the bind_ack & set the transfer interface synt to all 0's,
1932 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1933 unknown to NT4)
1934 Needed when adding entries to a DACL from NT5 - SK */
1935
1936 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1937 hdr_rb.rpc_context[0].context_id )) {
1938 init_rpc_hdr_ba(&hdr_ba,
1939 RPC_MAX_PDU_FRAG_LEN,
1940 RPC_MAX_PDU_FRAG_LEN,
1941 assoc_gid,
1942 ack_pipe_name,
1943 0x1, 0x0, 0x0,
1944 &hdr_rb.rpc_context[0].transfer[0]);
1945 } else {
1946 RPC_IFACE null_interface;
1947 ZERO_STRUCT(null_interface);
1948 /* Rejection reason: abstract syntax not supported */
1949 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1950 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1951 ack_pipe_name, 0x1, 0x2, 0x1,
1952 &null_interface);
1953 p->pipe_bound = False;
1954 }
1955
1956 /*
1957 * and marshall it.
1958 */
1959
1960 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1961 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1962 goto err_exit;
1963 }
1964
1965 /*
1966 * Create the header, now we know the length.
1967 */
1968
1969 if (prs_offset(&out_auth)) {
1970 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1971 }
1972
1973 init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1974 p->hdr.call_id,
1975 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1976 auth_len);
1977
1978 /*
1979 * Marshall the header into the outgoing PDU.
1980 */
1981
1982 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1983 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1984 goto err_exit;
1985 }
1986
1987 /*
1988 * Now add the RPC_HDR_BA and any auth needed.
1989 */
1990
1991 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1992 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1993 goto err_exit;
1994 }
1995
1996 if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1997 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1998 goto err_exit;
1999 }
2000
2001 /*
2002 * Setup the lengths for the initial reply.
2003 */
2004
2005 p->out_data.data_sent_length = 0;
2006 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
2007 p->out_data.current_pdu_sent = 0;
2008
2009 prs_mem_free(&out_hdr_ba);
2010 prs_mem_free(&out_auth);
2011
2012 return True;
2013
2014 err_exit:
2015
2016 prs_mem_free(&outgoing_rpc);
2017 prs_mem_free(&out_hdr_ba);
2018 prs_mem_free(&out_auth);
2019 return setup_bind_nak(p);
2020}
2021
2022/****************************************************************************
2023 Deal with NTLMSSP sign & seal processing on an RPC request.
2024****************************************************************************/
2025
2026bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2027 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2028{
2029 RPC_HDR_AUTH auth_info;
2030 uint32 auth_len = p->hdr.auth_len;
2031 uint32 save_offset = prs_offset(rpc_in);
2032 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2033 unsigned char *data = NULL;
2034 size_t data_len;
2035 unsigned char *full_packet_data = NULL;
2036 size_t full_packet_data_len;
2037 DATA_BLOB auth_blob;
2038
2039 *pstatus = NT_STATUS_OK;
2040
2041 if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2042 return True;
2043 }
2044
2045 if (!a) {
2046 *pstatus = NT_STATUS_INVALID_PARAMETER;
2047 return False;
2048 }
2049
2050 /* Ensure there's enough data for an authenticated request. */
2051 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2052 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2053 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2054 (unsigned int)auth_len ));
2055 *pstatus = NT_STATUS_INVALID_PARAMETER;
2056 return False;
2057 }
2058
2059 /*
2060 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2061 * after the RPC header.
2062 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2063 * functions as NTLMv2 checks the rpc headers also.
2064 */
2065
2066 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2067 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2068
2069 full_packet_data = p->in_data.current_in_pdu;
2070 full_packet_data_len = p->hdr.frag_len - auth_len;
2071
2072 /* Pull the auth header and the following data into a blob. */
2073 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2074 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2075 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2076 *pstatus = NT_STATUS_INVALID_PARAMETER;
2077 return False;
2078 }
2079
2080 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2081 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2082 *pstatus = NT_STATUS_INVALID_PARAMETER;
2083 return False;
2084 }
2085
2086 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2087 auth_blob.length = auth_len;
2088
2089 switch (p->auth.auth_level) {
2090 case PIPE_AUTH_LEVEL_PRIVACY:
2091 /* Data is encrypted. */
2092 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2093 data, data_len,
2094 full_packet_data,
2095 full_packet_data_len,
2096 &auth_blob);
2097 if (!NT_STATUS_IS_OK(*pstatus)) {
2098 return False;
2099 }
2100 break;
2101 case PIPE_AUTH_LEVEL_INTEGRITY:
2102 /* Data is signed. */
2103 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2104 data, data_len,
2105 full_packet_data,
2106 full_packet_data_len,
2107 &auth_blob);
2108 if (!NT_STATUS_IS_OK(*pstatus)) {
2109 return False;
2110 }
2111 break;
2112 default:
2113 *pstatus = NT_STATUS_INVALID_PARAMETER;
2114 return False;
2115 }
2116
2117 /*
2118 * Return the current pointer to the data offset.
2119 */
2120
2121 if(!prs_set_offset(rpc_in, save_offset)) {
2122 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2123 (unsigned int)save_offset ));
2124 *pstatus = NT_STATUS_INVALID_PARAMETER;
2125 return False;
2126 }
2127
2128 /*
2129 * Remember the padding length. We must remove it from the real data
2130 * stream once the sign/seal is done.
2131 */
2132
2133 *p_ss_padding_len = auth_info.auth_pad_len;
2134
2135 return True;
2136}
2137
2138/****************************************************************************
2139 Deal with schannel processing on an RPC request.
2140****************************************************************************/
2141
2142bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2143{
2144 uint32 data_len;
2145 uint32 auth_len;
2146 uint32 save_offset = prs_offset(rpc_in);
2147 RPC_HDR_AUTH auth_info;
2148 RPC_AUTH_SCHANNEL_CHK schannel_chk;
2149
2150 auth_len = p->hdr.auth_len;
2151
2152 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2153 auth_len > RPC_HEADER_LEN +
2154 RPC_HDR_REQ_LEN +
2155 RPC_HDR_AUTH_LEN +
2156 auth_len) {
2157 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2158 return False;
2159 }
2160
2161 /*
2162 * The following is that length of the data we must verify or unseal.
2163 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2164 * preceeding the auth_data.
2165 */
2166
2167 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2168 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2169 (unsigned int)p->hdr.frag_len,
2170 (unsigned int)auth_len ));
2171 return False;
2172 }
2173
2174 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2175 RPC_HDR_AUTH_LEN - auth_len;
2176
2177 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2178
2179 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2180 DEBUG(0,("cannot move offset to %u.\n",
2181 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2182 return False;
2183 }
2184
2185 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2186 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2187 return False;
2188 }
2189
2190 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2191 DEBUG(0,("Invalid auth info %d on schannel\n",
2192 auth_info.auth_type));
2193 return False;
2194 }
2195
2196 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2197 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2198 return False;
2199 }
2200
2201 if (!schannel_decode(p->auth.a_u.schannel_auth,
2202 p->auth.auth_level,
2203 SENDER_IS_INITIATOR,
2204 &schannel_chk,
2205 prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2206 DEBUG(3,("failed to decode PDU\n"));
2207 return False;
2208 }
2209
2210 /*
2211 * Return the current pointer to the data offset.
2212 */
2213
2214 if(!prs_set_offset(rpc_in, save_offset)) {
2215 DEBUG(0,("failed to set offset back to %u\n",
2216 (unsigned int)save_offset ));
2217 return False;
2218 }
2219
2220 /* The sequence number gets incremented on both send and receive. */
2221 p->auth.a_u.schannel_auth->seq_num++;
2222
2223 /*
2224 * Remember the padding length. We must remove it from the real data
2225 * stream once the sign/seal is done.
2226 */
2227
2228 *p_ss_padding_len = auth_info.auth_pad_len;
2229
2230 return True;
2231}
2232
2233/****************************************************************************
2234 Return a user struct for a pipe user.
2235****************************************************************************/
2236
2237struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2238{
2239 if (p->pipe_bound &&
2240 (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2241 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2242 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2243 } else {
2244 memcpy(user, &current_user, sizeof(struct current_user));
2245 }
2246
2247 return user;
2248}
2249
2250/****************************************************************************
2251 Find the set of RPC functions associated with this context_id
2252****************************************************************************/
2253
2254static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2255{
2256 PIPE_RPC_FNS *fns = NULL;
2257 PIPE_RPC_FNS *tmp = NULL;
2258
2259 if ( !list ) {
2260 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2261 return NULL;
2262 }
2263
2264 for (tmp=list; tmp; tmp=tmp->next ) {
2265 if ( tmp->context_id == context_id )
2266 break;
2267 }
2268
2269 fns = tmp;
2270
2271 return fns;
2272}
2273
2274/****************************************************************************
2275 Memory cleanup.
2276****************************************************************************/
2277
2278void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2279{
2280 PIPE_RPC_FNS *tmp = list;
2281 PIPE_RPC_FNS *tmp2;
2282
2283 while (tmp) {
2284 tmp2 = tmp->next;
2285 SAFE_FREE(tmp);
2286 tmp = tmp2;
2287 }
2288
2289 return;
2290}
2291
2292static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2293 const struct api_struct *api_rpc_cmds, int n_cmds);
2294
2295/****************************************************************************
2296 Find the correct RPC function to call for this request.
2297 If the pipe is authenticated then become the correct UNIX user
2298 before doing the call.
2299****************************************************************************/
2300
2301bool api_pipe_request(pipes_struct *p)
2302{
2303 bool ret = False;
2304 bool changed_user = False;
2305 PIPE_RPC_FNS *pipe_fns;
2306
2307 if (p->pipe_bound &&
2308 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2309 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2310 if(!become_authenticated_pipe_user(p)) {
2311 prs_mem_free(&p->out_data.rdata);
2312 return False;
2313 }
2314 changed_user = True;
2315 }
2316
2317 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2318
2319 /* get the set of RPC functions for this context */
2320
2321 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2322
2323 if ( pipe_fns ) {
2324 TALLOC_CTX *frame = talloc_stackframe();
2325 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2326 TALLOC_FREE(frame);
2327 }
2328 else {
2329 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2330 p->hdr_req.context_id, p->name));
2331 }
2332
2333 if (changed_user) {
2334 unbecome_authenticated_pipe_user();
2335 }
2336
2337 return ret;
2338}
2339
2340/*******************************************************************
2341 Calls the underlying RPC function for a named pipe.
2342 ********************************************************************/
2343
2344static bool api_rpcTNP(pipes_struct *p, const char *rpc_name,
2345 const struct api_struct *api_rpc_cmds, int n_cmds)
2346{
2347 int fn_num;
2348 fstring name;
2349 uint32 offset1, offset2;
2350
2351 /* interpret the command */
2352 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2353
2354 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2355 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2356
2357 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2358 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2359 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2360 break;
2361 }
2362 }
2363
2364 if (fn_num == n_cmds) {
2365 /*
2366 * For an unknown RPC just return a fault PDU but
2367 * return True to allow RPC's on the pipe to continue
2368 * and not put the pipe into fault state. JRA.
2369 */
2370 DEBUG(4, ("unknown\n"));
2371 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2372 return True;
2373 }
2374
2375 offset1 = prs_offset(&p->out_data.rdata);
2376
2377 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2378 fn_num, api_rpc_cmds[fn_num].fn));
2379 /* do the actual command */
2380 if(!api_rpc_cmds[fn_num].fn(p)) {
2381 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2382 prs_mem_free(&p->out_data.rdata);
2383 return False;
2384 }
2385
2386 if (p->bad_handle_fault_state) {
2387 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2388 p->bad_handle_fault_state = False;
2389 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2390 return True;
2391 }
2392
2393 if (p->rng_fault_state) {
2394 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2395 p->rng_fault_state = False;
2396 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2397 return True;
2398 }
2399
2400 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2401 offset2 = prs_offset(&p->out_data.rdata);
2402 prs_set_offset(&p->out_data.rdata, offset1);
2403 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2404 prs_set_offset(&p->out_data.rdata, offset2);
2405
2406 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2407
2408 /* Check for buffer underflow in rpc parsing */
2409
2410 if ((DEBUGLEVEL >= 10) &&
2411 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2412 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2413 char *data = (char *)SMB_MALLOC(data_len);
2414
2415 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2416 if (data) {
2417 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2418 SAFE_FREE(data);
2419 }
2420
2421 }
2422
2423 return True;
2424}
Note: See TracBrowser for help on using the repository browser.