Changeset 740 for vendor/current/source3/rpc_server
- Timestamp:
- Nov 14, 2012, 12:59:34 PM (13 years ago)
- Location:
- vendor/current/source3/rpc_server
- Files:
-
- 64 added
- 16 deleted
- 2 edited
-
dcesrv_gssapi.c (added)
-
dcesrv_gssapi.h (added)
-
dcesrv_ntlmssp.c (added)
-
dcesrv_ntlmssp.h (added)
-
dcesrv_spnego.c (added)
-
dcesrv_spnego.h (added)
-
dfs (added)
-
dfs/srv_dfs_nt.c (added)
-
dssetup (added)
-
dssetup/srv_dssetup_nt.c (added)
-
echo (added)
-
echo/srv_echo_nt.c (added)
-
epmapper (added)
-
epmapper/srv_epmapper.c (added)
-
epmapper/srv_epmapper.h (added)
-
epmd.c (added)
-
eventlog (added)
-
eventlog/srv_eventlog_nt.c (added)
-
eventlog/srv_eventlog_reg.c (added)
-
eventlog/srv_eventlog_reg.h (added)
-
initshutdown (added)
-
initshutdown/srv_initshutdown_nt.c (added)
-
lsa (added)
-
lsa/srv_lsa_nt.c (added)
-
netlogon (added)
-
netlogon/srv_netlog_nt.c (added)
-
ntsvcs (added)
-
ntsvcs/srv_ntsvcs_nt.c (added)
-
rpc_ep_setup.c (added)
-
rpc_ep_setup.h (added)
-
rpc_handles.c (added)
-
rpc_ncacn_np.c (added)
-
rpc_ncacn_np.h (added)
-
rpc_server.c (added)
-
rpc_server.h (added)
-
samr (added)
-
samr/srv_samr_chgpasswd.c (added)
-
samr/srv_samr_nt.c (added)
-
samr/srv_samr_util.c (added)
-
samr/srv_samr_util.h (added)
-
spoolss (added)
-
spoolss/srv_spoolss_nt.c (added)
-
spoolss/srv_spoolss_nt.h (added)
-
spoolss/srv_spoolss_util.c (added)
-
spoolss/srv_spoolss_util.h (added)
-
srv_access_check.c (added)
-
srv_access_check.h (added)
-
srv_dfs_nt.c (deleted)
-
srv_dssetup_nt.c (deleted)
-
srv_echo_nt.c (deleted)
-
srv_eventlog_nt.c (deleted)
-
srv_initshutdown_nt.c (deleted)
-
srv_lsa_hnd.c (deleted)
-
srv_lsa_nt.c (deleted)
-
srv_netlog_nt.c (deleted)
-
srv_ntsvcs_nt.c (deleted)
-
srv_pipe.c (modified) (46 diffs)
-
srv_pipe.h (added)
-
srv_pipe_hnd.c (modified) (30 diffs)
-
srv_pipe_hnd.h (added)
-
srv_pipe_internal.h (added)
-
srv_pipe_register.c (added)
-
srv_pipe_register.h (added)
-
srv_samr_nt.c (deleted)
-
srv_samr_util.c (deleted)
-
srv_spoolss_nt.c (deleted)
-
srv_srvsvc_nt.c (deleted)
-
srv_svcctl_nt.c (deleted)
-
srv_winreg_nt.c (deleted)
-
srv_wkssvc_nt.c (deleted)
-
srvsvc (added)
-
srvsvc/srv_srvsvc_nt.c (added)
-
svcctl (added)
-
svcctl/srv_svcctl_nt.c (added)
-
svcctl/srv_svcctl_nt.h (added)
-
svcctl/srv_svcctl_reg.c (added)
-
svcctl/srv_svcctl_reg.h (added)
-
winreg (added)
-
winreg/srv_winreg_nt.c (added)
-
wkssvc (added)
-
wkssvc/srv_wkssvc_nt.c (added)
-
wscript_build (added)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/rpc_server/srv_pipe.c
r587 r740 2 2 * Unix SMB/CIFS implementation. 3 3 * RPC Pipe client / server routines 4 * Almost completely rewritten by (C) Jeremy Allison 2005 .4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010 5 5 * 6 6 * This program is free software; you can redistribute it and/or modify … … 29 29 30 30 #include "includes.h" 31 #include "system/filesys.h" 32 #include "srv_pipe_internal.h" 31 33 #include "../librpc/gen_ndr/ndr_schannel.h" 32 34 #include "../libcli/auth/schannel.h" 33 35 #include "../libcli/auth/spnego.h" 34 35 extern struct current_user current_user; 36 #include "dcesrv_ntlmssp.h" 37 #include "dcesrv_gssapi.h" 38 #include "dcesrv_spnego.h" 39 #include "rpc_server.h" 40 #include "rpc_dce.h" 41 #include "smbd/smbd.h" 42 #include "auth.h" 43 #include "ntdomain.h" 44 #include "rpc_server/srv_pipe.h" 36 45 37 46 #undef DBGC_CLASS 38 47 #define DBGC_CLASS DBGC_RPC_SRV 39 48 40 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth) 41 { 42 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state; 43 44 if (a) { 45 auth_ntlmssp_end(&a); 46 } 47 auth->a_u.auth_ntlmssp_state = NULL; 49 /** 50 * Dump everything from the start of the end up of the provided data 51 * into a file, but only at debug level >= 50 52 **/ 53 static void dump_pdu_region(const char *name, int v, 54 DATA_BLOB *data, size_t start, size_t end) 55 { 56 int fd, i; 57 char *fname = NULL; 58 ssize_t sz; 59 60 if (DEBUGLEVEL < 50) return; 61 62 if (start > data->length || end > data->length || start > end) return; 63 64 for (i = 1; i < 100; i++) { 65 if (v != -1) { 66 fname = talloc_asprintf(talloc_tos(), 67 "/tmp/%s_%d.%d.prs", 68 name, v, i); 69 } else { 70 fname = talloc_asprintf(talloc_tos(), 71 "/tmp/%s_%d.prs", 72 name, i); 73 } 74 if (!fname) { 75 return; 76 } 77 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644); 78 if (fd != -1 || errno != EEXIST) break; 79 } 80 if (fd != -1) { 81 sz = write(fd, data->data + start, end - start); 82 i = close(fd); 83 if ((sz != end - start) || (i != 0) ) { 84 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n", 85 fname, (unsigned long)sz, 86 (unsigned long)end - start, i)); 87 } else { 88 DEBUG(0,("created %s\n", fname)); 89 } 90 } 91 TALLOC_FREE(fname); 48 92 } 49 93 50 94 static DATA_BLOB generic_session_key(void) 51 95 { 52 return data_blob ("SystemLibraryDTC", 16);96 return data_blob_const("SystemLibraryDTC", 16); 53 97 } 54 98 55 99 /******************************************************************* 56 Generate the next PDU to be returned from the data in p->rdata. 57 Handle NTLMSSP. 58 ********************************************************************/ 59 60 static bool create_next_pdu_ntlmssp(pipes_struct *p) 61 { 62 RPC_HDR_RESP hdr_resp; 63 uint32 ss_padding_len = 0; 64 uint32 data_space_available; 65 uint32 data_len_left; 66 uint32 data_len; 100 Generate the next PDU to be returned from the data. 101 ********************************************************************/ 102 103 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx, 104 struct pipe_auth_data *auth, 105 uint32_t call_id, 106 DATA_BLOB *rdata, 107 size_t data_sent_length, 108 DATA_BLOB *frag, 109 size_t *pdu_size) 110 { 111 union dcerpc_payload u; 112 uint8_t pfc_flags; 113 size_t data_left; 114 size_t data_to_send; 115 size_t frag_len; 116 size_t pad_len = 0; 117 size_t auth_len = 0; 67 118 NTSTATUS status; 68 DATA_BLOB auth_blob; 69 RPC_HDR_AUTH auth_info; 70 uint8 auth_type, auth_level; 71 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 72 73 /* 74 * If we're in the fault state, keep returning fault PDU's until 75 * the pipe gets closed. JRA. 76 */ 77 78 if(p->fault_state) { 79 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 80 return True; 81 } 82 83 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 84 85 /* Change the incoming request header to a response. */ 86 p->hdr.pkt_type = DCERPC_PKT_RESPONSE; 87 88 /* Set up rpc header flags. */ 89 if (p->out_data.data_sent_length == 0) { 90 p->hdr.flags = DCERPC_PFC_FLAG_FIRST; 119 120 ZERO_STRUCT(u.response); 121 122 /* Set up rpc packet pfc flags. */ 123 if (data_sent_length == 0) { 124 pfc_flags = DCERPC_PFC_FLAG_FIRST; 91 125 } else { 92 p->hdr.flags = 0; 93 } 94 95 /* 96 * Work out how much we can fit in a single PDU. 97 */ 98 99 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length; 100 101 /* 102 * Ensure there really is data left to send. 103 */ 104 105 if(!data_len_left) { 106 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n")); 107 return False; 108 } 109 110 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN 111 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE; 112 113 /* 114 * The amount we send is the minimum of the available 115 * space and the amount left to send. 116 */ 117 118 data_len = MIN(data_len_left, data_space_available); 119 120 /* 121 * Set up the alloc hint. This should be the data left to 122 * send. 123 */ 124 125 hdr_resp.alloc_hint = data_len_left; 126 127 /* 128 * Work out if this PDU will be the last. 129 */ 130 131 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { 132 p->hdr.flags |= DCERPC_PFC_FLAG_LAST; 133 if (data_len_left % 8) { 134 ss_padding_len = 8 - (data_len_left % 8); 135 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n", 136 ss_padding_len )); 137 } 138 } 139 140 /* 141 * Set up the header lengths. 142 */ 143 144 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + 145 data_len + ss_padding_len + 146 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE; 147 p->hdr.auth_len = NTLMSSP_SIG_SIZE; 148 149 150 /* 151 * Init the parse struct to point at the outgoing 152 * data. 153 */ 154 155 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 156 157 /* Store the header in the data stream. */ 158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) { 159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n")); 160 prs_mem_free(&p->out_data.frag); 161 return False; 162 } 163 164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n")); 166 prs_mem_free(&p->out_data.frag); 167 return False; 168 } 169 170 /* Copy the data into the PDU. */ 171 172 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata, 173 p->out_data.data_sent_length, data_len)) { 174 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len)); 175 prs_mem_free(&p->out_data.frag); 176 return False; 177 } 178 179 /* Copy the sign/seal padding data. */ 180 if (ss_padding_len) { 181 char pad[8]; 182 183 memset(pad, '\0', 8); 184 if (!prs_copy_data_in(&p->out_data.frag, pad, 185 ss_padding_len)) { 186 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n", 187 (unsigned int)ss_padding_len)); 188 prs_mem_free(&p->out_data.frag); 189 return False; 190 } 191 } 192 193 194 /* Now write out the auth header and null blob. */ 195 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) { 196 auth_type = DCERPC_AUTH_TYPE_NTLMSSP; 197 } else { 198 auth_type = DCERPC_AUTH_TYPE_SPNEGO; 199 } 200 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { 201 auth_level = DCERPC_AUTH_LEVEL_PRIVACY; 202 } else { 203 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; 204 } 205 206 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */); 207 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag, 208 0)) { 209 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n")); 210 prs_mem_free(&p->out_data.frag); 211 return False; 212 } 213 214 /* Generate the sign blob. */ 215 216 switch (p->auth.auth_level) { 217 case DCERPC_AUTH_LEVEL_PRIVACY: 218 /* Data portion is encrypted. */ 219 status = ntlmssp_seal_packet( 220 a->ntlmssp_state, 221 (uint8_t *)prs_data_p(&p->out_data.frag) 222 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN, 223 data_len + ss_padding_len, 224 (unsigned char *)prs_data_p(&p->out_data.frag), 225 (size_t)prs_offset(&p->out_data.frag), 226 &auth_blob); 227 if (!NT_STATUS_IS_OK(status)) { 228 data_blob_free(&auth_blob); 229 prs_mem_free(&p->out_data.frag); 230 return False; 231 } 232 break; 233 case DCERPC_AUTH_LEVEL_INTEGRITY: 234 /* Data is signed. */ 235 status = ntlmssp_sign_packet( 236 a->ntlmssp_state, 237 (unsigned char *)prs_data_p(&p->out_data.frag) 238 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN, 239 data_len + ss_padding_len, 240 (unsigned char *)prs_data_p(&p->out_data.frag), 241 (size_t)prs_offset(&p->out_data.frag), 242 &auth_blob); 243 if (!NT_STATUS_IS_OK(status)) { 244 data_blob_free(&auth_blob); 245 prs_mem_free(&p->out_data.frag); 246 return False; 247 } 248 break; 249 default: 250 prs_mem_free(&p->out_data.frag); 251 return False; 252 } 253 254 /* Append the auth blob. */ 255 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data, 256 NTLMSSP_SIG_SIZE)) { 257 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n", 258 (unsigned int)NTLMSSP_SIG_SIZE)); 259 data_blob_free(&auth_blob); 260 prs_mem_free(&p->out_data.frag); 261 return False; 262 } 263 264 data_blob_free(&auth_blob); 265 266 /* 267 * Setup the counts for this PDU. 268 */ 269 270 p->out_data.data_sent_length += data_len; 271 p->out_data.current_pdu_sent = 0; 272 273 return True; 274 } 275 276 /******************************************************************* 277 Generate the next PDU to be returned from the data in p->rdata. 278 Return an schannel authenticated fragment. 279 ********************************************************************/ 280 281 static bool create_next_pdu_schannel(pipes_struct *p) 282 { 283 RPC_HDR_RESP hdr_resp; 284 uint32 ss_padding_len = 0; 285 uint32 data_len; 286 uint32 data_space_available; 287 uint32 data_len_left; 288 uint32 data_pos; 289 NTSTATUS status; 290 291 /* 292 * If we're in the fault state, keep returning fault PDU's until 293 * the pipe gets closed. JRA. 294 */ 295 296 if(p->fault_state) { 297 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 298 return True; 299 } 300 301 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 302 303 /* Change the incoming request header to a response. */ 304 p->hdr.pkt_type = DCERPC_PKT_RESPONSE; 305 306 /* Set up rpc header flags. */ 307 if (p->out_data.data_sent_length == 0) { 308 p->hdr.flags = DCERPC_PFC_FLAG_FIRST; 309 } else { 310 p->hdr.flags = 0; 311 } 312 313 /* 314 * Work out how much we can fit in a single PDU. 315 */ 316 317 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length; 318 319 /* 320 * Ensure there really is data left to send. 321 */ 322 323 if(!data_len_left) { 324 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n")); 325 return False; 326 } 327 328 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN 329 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN 330 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; 331 332 /* 333 * The amount we send is the minimum of the available 334 * space and the amount left to send. 335 */ 336 337 data_len = MIN(data_len_left, data_space_available); 338 339 /* 340 * Set up the alloc hint. This should be the data left to 341 * send. 342 */ 343 344 hdr_resp.alloc_hint = data_len_left; 345 346 /* 347 * Work out if this PDU will be the last. 348 */ 349 350 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { 351 p->hdr.flags |= DCERPC_PFC_FLAG_LAST; 352 if (data_len_left % 8) { 353 ss_padding_len = 8 - (data_len_left % 8); 354 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n", 355 ss_padding_len )); 356 } 357 } 358 359 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len + 360 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; 361 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; 362 363 /* 364 * Init the parse struct to point at the outgoing 365 * data. 366 */ 367 368 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 369 370 /* Store the header in the data stream. */ 371 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) { 372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n")); 373 prs_mem_free(&p->out_data.frag); 374 return False; 375 } 376 377 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 378 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n")); 379 prs_mem_free(&p->out_data.frag); 380 return False; 381 } 382 383 /* Store the current offset. */ 384 data_pos = prs_offset(&p->out_data.frag); 385 386 /* Copy the data into the PDU. */ 387 388 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata, 389 p->out_data.data_sent_length, data_len)) { 390 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len)); 391 prs_mem_free(&p->out_data.frag); 392 return False; 393 } 394 395 /* Copy the sign/seal padding data. */ 396 if (ss_padding_len) { 397 char pad[8]; 398 memset(pad, '\0', 8); 399 if (!prs_copy_data_in(&p->out_data.frag, pad, 400 ss_padding_len)) { 401 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len)); 402 prs_mem_free(&p->out_data.frag); 403 return False; 404 } 405 } 406 407 { 408 /* 409 * Schannel processing. 410 */ 411 RPC_HDR_AUTH auth_info; 412 DATA_BLOB blob; 413 uint8_t *data; 414 415 /* Check it's the type of reply we were expecting to decode */ 416 417 init_rpc_hdr_auth(&auth_info, 418 DCERPC_AUTH_TYPE_SCHANNEL, 419 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ? 420 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY, 421 ss_padding_len, 1); 422 423 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, 424 &p->out_data.frag, 0)) { 425 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n")); 426 prs_mem_free(&p->out_data.frag); 427 return False; 428 } 429 430 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos; 431 432 switch (p->auth.auth_level) { 433 case DCERPC_AUTH_LEVEL_PRIVACY: 434 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth, 435 talloc_tos(), 436 true, 437 data, 438 data_len + ss_padding_len, 439 &blob); 440 break; 441 case DCERPC_AUTH_LEVEL_INTEGRITY: 442 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth, 443 talloc_tos(), 444 false, 445 data, 446 data_len + ss_padding_len, 447 &blob); 448 break; 449 default: 450 status = NT_STATUS_INTERNAL_ERROR; 451 break; 452 } 453 126 pfc_flags = 0; 127 } 128 129 /* Work out how much we can fit in a single PDU. */ 130 data_left = rdata->length - data_sent_length; 131 132 /* Ensure there really is data left to send. */ 133 if (!data_left) { 134 DEBUG(0, ("No data left to send !\n")); 135 return NT_STATUS_BUFFER_TOO_SMALL; 136 } 137 138 status = dcerpc_guess_sizes(auth, 139 DCERPC_RESPONSE_LENGTH, 140 data_left, 141 RPC_MAX_PDU_FRAG_LEN, 142 SERVER_NDR_PADDING_SIZE, 143 &data_to_send, &frag_len, 144 &auth_len, &pad_len); 145 if (!NT_STATUS_IS_OK(status)) { 146 return status; 147 } 148 149 /* Set up the alloc hint. This should be the data left to send. */ 150 u.response.alloc_hint = data_left; 151 152 /* Work out if this PDU will be the last. */ 153 if (data_sent_length + data_to_send >= rdata->length) { 154 pfc_flags |= DCERPC_PFC_FLAG_LAST; 155 } 156 157 /* Prepare data to be NDR encoded. */ 158 u.response.stub_and_verifier = 159 data_blob_const(rdata->data + data_sent_length, data_to_send); 160 161 /* Store the packet in the data stream. */ 162 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE, 163 pfc_flags, auth_len, call_id, 164 &u, frag); 165 if (!NT_STATUS_IS_OK(status)) { 166 DEBUG(0, ("Failed to marshall RPC Packet.\n")); 167 return status; 168 } 169 170 if (auth_len) { 171 /* Set the proper length on the pdu, including padding. 172 * Only needed if an auth trailer will be appended. */ 173 dcerpc_set_frag_length(frag, frag->length 174 + pad_len 175 + DCERPC_AUTH_TRAILER_LENGTH 176 + auth_len); 177 } 178 179 if (auth_len) { 180 status = dcerpc_add_auth_footer(auth, pad_len, frag); 454 181 if (!NT_STATUS_IS_OK(status)) { 455 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n", 456 nt_errstr(status))); 457 prs_mem_free(&p->out_data.frag); 458 return false; 459 } 460 461 /* Finally marshall the blob. */ 462 463 if (DEBUGLEVEL >= 10) { 464 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob); 465 } 466 467 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) { 468 prs_mem_free(&p->out_data.frag); 469 return false; 470 } 471 } 472 473 /* 474 * Setup the counts for this PDU. 475 */ 476 477 p->out_data.data_sent_length += data_len; 478 p->out_data.current_pdu_sent = 0; 479 480 return True; 481 } 482 483 /******************************************************************* 484 Generate the next PDU to be returned from the data in p->rdata. 485 No authentication done. 486 ********************************************************************/ 487 488 static bool create_next_pdu_noauth(pipes_struct *p) 489 { 490 RPC_HDR_RESP hdr_resp; 491 uint32 data_len; 492 uint32 data_space_available; 493 uint32 data_len_left; 494 495 /* 496 * If we're in the fault state, keep returning fault PDU's until 497 * the pipe gets closed. JRA. 498 */ 499 500 if(p->fault_state) { 501 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 502 return True; 503 } 504 505 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 506 507 /* Change the incoming request header to a response. */ 508 p->hdr.pkt_type = DCERPC_PKT_RESPONSE; 509 510 /* Set up rpc header flags. */ 511 if (p->out_data.data_sent_length == 0) { 512 p->hdr.flags = DCERPC_PFC_FLAG_FIRST; 513 } else { 514 p->hdr.flags = 0; 515 } 516 517 /* 518 * Work out how much we can fit in a single PDU. 519 */ 520 521 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length; 522 523 /* 524 * Ensure there really is data left to send. 525 */ 526 527 if(!data_len_left) { 528 DEBUG(0,("create_next_pdu_noath: no data left to send !\n")); 529 return False; 530 } 531 532 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN 533 - RPC_HDR_RESP_LEN; 534 535 /* 536 * The amount we send is the minimum of the available 537 * space and the amount left to send. 538 */ 539 540 data_len = MIN(data_len_left, data_space_available); 541 542 /* 543 * Set up the alloc hint. This should be the data left to 544 * send. 545 */ 546 547 hdr_resp.alloc_hint = data_len_left; 548 549 /* 550 * Work out if this PDU will be the last. 551 */ 552 553 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { 554 p->hdr.flags |= DCERPC_PFC_FLAG_LAST; 555 } 556 557 /* 558 * Set up the header lengths. 559 */ 560 561 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len; 562 p->hdr.auth_len = 0; 563 564 /* 565 * Init the parse struct to point at the outgoing 566 * data. 567 */ 568 569 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 570 571 /* Store the header in the data stream. */ 572 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) { 573 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n")); 574 prs_mem_free(&p->out_data.frag); 575 return False; 576 } 577 578 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 579 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n")); 580 prs_mem_free(&p->out_data.frag); 581 return False; 582 } 583 584 /* Copy the data into the PDU. */ 585 586 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata, 587 p->out_data.data_sent_length, data_len)) { 588 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len)); 589 prs_mem_free(&p->out_data.frag); 590 return False; 591 } 592 593 /* 594 * Setup the counts for this PDU. 595 */ 596 597 p->out_data.data_sent_length += data_len; 598 p->out_data.current_pdu_sent = 0; 599 600 return True; 182 data_blob_free(frag); 183 return status; 184 } 185 } 186 187 *pdu_size = data_to_send; 188 return NT_STATUS_OK; 601 189 } 602 190 … … 605 193 ********************************************************************/ 606 194 607 bool create_next_pdu(pipes_struct *p) 608 { 609 switch(p->auth.auth_level) { 610 case DCERPC_AUTH_LEVEL_NONE: 611 case DCERPC_AUTH_LEVEL_CONNECT: 612 /* This is incorrect for auth level connect. Fixme. JRA */ 613 return create_next_pdu_noauth(p); 614 615 default: 616 switch(p->auth.auth_type) { 617 case PIPE_AUTH_TYPE_NTLMSSP: 618 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: 619 return create_next_pdu_ntlmssp(p); 620 case PIPE_AUTH_TYPE_SCHANNEL: 621 return create_next_pdu_schannel(p); 622 default: 623 break; 624 } 625 } 626 627 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u", 628 (unsigned int)p->auth.auth_level, 629 (unsigned int)p->auth.auth_type)); 630 return False; 631 } 632 633 /******************************************************************* 634 Process an NTLMSSP authentication response. 635 If this function succeeds, the user has been authenticated 636 and their domain, name and calling workstation stored in 637 the pipe struct. 638 *******************************************************************/ 639 640 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) 641 { 642 DATA_BLOB session_key, reply; 195 bool create_next_pdu(struct pipes_struct *p) 196 { 197 size_t pdu_size = 0; 643 198 NTSTATUS status; 644 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 645 bool ret; 646 647 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", 648 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 649 650 ZERO_STRUCT(reply); 651 652 /* this has to be done as root in order to verify the password */ 653 become_root(); 654 status = auth_ntlmssp_update(a, *p_resp_blob, &reply); 655 unbecome_root(); 656 657 /* Don't generate a reply. */ 658 data_blob_free(&reply); 659 199 200 /* 201 * If we're in the fault state, keep returning fault PDU's until 202 * the pipe gets closed. JRA. 203 */ 204 if (p->fault_state) { 205 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 206 return true; 207 } 208 209 status = create_next_packet(p->mem_ctx, &p->auth, 210 p->call_id, &p->out_data.rdata, 211 p->out_data.data_sent_length, 212 &p->out_data.frag, &pdu_size); 660 213 if (!NT_STATUS_IS_OK(status)) { 661 return False; 662 } 663 664 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) 665 ensure the underlying NTLMSSP flags are also set. If not we should 666 refuse the bind. */ 667 668 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { 669 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { 670 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested " 671 "but client declined signing.\n", 672 get_pipe_name_from_syntax(talloc_tos(), 673 &p->syntax))); 674 return False; 675 } 676 } 677 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { 678 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { 679 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested " 680 "but client declined sealing.\n", 681 get_pipe_name_from_syntax(talloc_tos(), 682 &p->syntax))); 683 return False; 684 } 685 } 686 687 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s " 688 "workstation: %s\n", a->ntlmssp_state->user, 689 a->ntlmssp_state->domain, a->ntlmssp_state->workstation)); 690 691 if (a->server_info->ptok == NULL) { 692 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n")); 693 return False; 694 } 695 696 TALLOC_FREE(p->server_info); 697 698 p->server_info = copy_serverinfo(p, a->server_info); 699 if (p->server_info == NULL) { 700 DEBUG(0, ("copy_serverinfo failed\n")); 214 DEBUG(0, ("Failed to create packet with error %s, " 215 "(auth level %u / type %u)\n", 216 nt_errstr(status), 217 (unsigned int)p->auth.auth_level, 218 (unsigned int)p->auth.auth_type)); 701 219 return false; 702 220 } 703 221 704 /* 705 * We're an authenticated bind over smb, so the session key needs to 706 * be set to "SystemLibraryDTC". Weird, but this is what Windows 707 * does. See the RPC-SAMBA3SESSIONKEY. 708 */ 709 710 session_key = generic_session_key(); 711 if (session_key.data == NULL) { 712 return False; 713 } 714 715 ret = server_info_set_session_key(p->server_info, session_key); 716 717 data_blob_free(&session_key); 718 719 return True; 720 } 721 722 /******************************************************************* 723 The switch table for the pipe names and the functions to handle them. 724 *******************************************************************/ 725 726 struct rpc_table { 727 struct { 728 const char *clnt; 729 const char *srv; 730 } pipe; 731 struct ndr_syntax_id rpc_interface; 732 const struct api_struct *cmds; 733 int n_cmds; 734 }; 735 736 static struct rpc_table *rpc_lookup; 737 static int rpc_lookup_size; 738 739 /******************************************************************* 740 This is the "stage3" NTLMSSP response after a bind request and reply. 741 *******************************************************************/ 742 743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p) 744 { 745 RPC_HDR_AUTH auth_info; 746 uint32 pad = 0; 747 DATA_BLOB blob; 748 749 ZERO_STRUCT(blob); 750 751 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__)); 752 753 if (p->hdr.auth_len == 0) { 754 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n")); 755 goto err; 756 } 757 758 /* 4 bytes padding. */ 759 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) { 760 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n")); 761 goto err; 762 } 763 764 /* 765 * Decode the authentication verifier response. 766 */ 767 768 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) { 769 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n")); 770 goto err; 771 } 772 773 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { 774 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n", 775 (unsigned int)auth_info.auth_type )); 776 return False; 777 } 778 779 blob = data_blob(NULL,p->hdr.auth_len); 780 781 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) { 782 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n", 783 (unsigned int)p->hdr.auth_len )); 784 goto err; 785 } 786 787 /* 788 * The following call actually checks the challenge/response data. 789 * for correctness against the given DOMAIN\user name. 790 */ 791 792 if (!pipe_ntlmssp_verify_final(p, &blob)) { 793 goto err; 794 } 795 796 data_blob_free(&blob); 797 798 p->pipe_bound = True; 799 800 return True; 801 802 err: 803 804 data_blob_free(&blob); 805 free_pipe_ntlmssp_auth_data(&p->auth); 806 p->auth.a_u.auth_ntlmssp_state = NULL; 807 808 return False; 809 } 222 /* Setup the counts for this PDU. */ 223 p->out_data.data_sent_length += pdu_size; 224 p->out_data.current_pdu_sent = 0; 225 return true; 226 } 227 228 229 static bool pipe_init_outgoing_data(struct pipes_struct *p); 810 230 811 231 /******************************************************************* … … 813 233 *******************************************************************/ 814 234 815 static bool setup_bind_nak( pipes_struct *p)816 { 817 RPC_HDR nak_hdr;818 u int16 zero = 0;235 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt) 236 { 237 NTSTATUS status; 238 union dcerpc_payload u; 819 239 820 240 /* Free any memory in the current return data buffer. */ 821 prs_mem_free(&p->out_data.rdata); 241 pipe_init_outgoing_data(p); 242 243 /* 244 * Initialize a bind_nak header. 245 */ 246 247 ZERO_STRUCT(u); 248 249 u.bind_nak.reject_reason = 0; 822 250 823 251 /* … … 827 255 */ 828 256 829 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 830 831 /* 832 * Initialize a bind_nak header. 833 */ 834 835 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST, 836 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0); 837 838 /* 839 * Marshall the header into the outgoing PDU. 840 */ 841 842 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) { 843 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n")); 844 prs_mem_free(&p->out_data.frag); 845 return False; 846 } 847 848 /* 849 * Now add the reject reason. 850 */ 851 852 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) { 853 prs_mem_free(&p->out_data.frag); 257 status = dcerpc_push_ncacn_packet(p->mem_ctx, 258 DCERPC_PKT_BIND_NAK, 259 DCERPC_PFC_FLAG_FIRST | 260 DCERPC_PFC_FLAG_LAST, 261 0, 262 pkt->call_id, 263 &u, 264 &p->out_data.frag); 265 if (!NT_STATUS_IS_OK(status)) { 854 266 return False; 855 267 } … … 858 270 p->out_data.current_pdu_sent = 0; 859 271 860 if (p->auth.auth_data_free_func) { 861 (*p->auth.auth_data_free_func)(&p->auth); 862 } 272 TALLOC_FREE(p->auth.auth_ctx); 863 273 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; 864 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;274 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; 865 275 p->pipe_bound = False; 866 276 … … 872 282 *******************************************************************/ 873 283 874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status) 875 { 876 RPC_HDR fault_hdr; 877 RPC_HDR_RESP hdr_resp; 878 RPC_HDR_FAULT fault_resp; 284 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status) 285 { 286 NTSTATUS status; 287 union dcerpc_payload u; 879 288 880 289 /* Free any memory in the current return data buffer. */ 881 prs_mem_free(&p->out_data.rdata); 290 pipe_init_outgoing_data(p); 291 292 /* 293 * Initialize a fault header. 294 */ 295 296 ZERO_STRUCT(u); 297 298 u.fault.status = NT_STATUS_V(fault_status); 299 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4); 882 300 883 301 /* … … 887 305 */ 888 306 889 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 890 891 /* 892 * Initialize a fault header. 893 */ 894 895 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE, 896 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0); 897 898 /* 899 * Initialize the HDR_RESP and FAULT parts of the PDU. 900 */ 901 902 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 903 904 fault_resp.status = status; 905 fault_resp.reserved = 0; 906 907 /* 908 * Marshall the header into the outgoing PDU. 909 */ 910 911 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) { 912 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n")); 913 prs_mem_free(&p->out_data.frag); 914 return False; 915 } 916 917 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n")); 919 prs_mem_free(&p->out_data.frag); 920 return False; 921 } 922 923 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) { 924 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n")); 925 prs_mem_free(&p->out_data.frag); 307 status = dcerpc_push_ncacn_packet(p->mem_ctx, 308 DCERPC_PKT_FAULT, 309 DCERPC_PFC_FLAG_FIRST | 310 DCERPC_PFC_FLAG_LAST | 311 DCERPC_PFC_FLAG_DID_NOT_EXECUTE, 312 0, 313 p->call_id, 314 &u, 315 &p->out_data.frag); 316 if (!NT_STATUS_IS_OK(status)) { 926 317 return False; 927 318 } … … 932 323 return True; 933 324 } 934 935 #if 0936 /*******************************************************************937 Marshall a cancel_ack pdu.938 We should probably check the auth-verifier here.939 *******************************************************************/940 941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)942 {943 prs_struct outgoing_pdu;944 RPC_HDR ack_reply_hdr;945 946 /* Free any memory in the current return data buffer. */947 prs_mem_free(&p->out_data.rdata);948 949 /*950 * Marshall directly into the outgoing PDU space. We951 * must do this as we need to set to the bind response952 * header and are never sending more than one PDU here.953 */954 955 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);956 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);957 958 /*959 * Initialize a cancel_ack header.960 */961 962 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,963 p->hdr.call_id, RPC_HEADER_LEN, 0);964 965 /*966 * Marshall the header into the outgoing PDU.967 */968 969 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {970 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));971 prs_mem_free(&outgoing_pdu);972 return False;973 }974 975 p->out_data.data_sent_length = 0;976 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);977 p->out_data.current_pdu_sent = 0;978 979 prs_mem_free(&outgoing_pdu);980 return True;981 }982 #endif983 325 984 326 /******************************************************************* … … 992 334 uint32 context_id) 993 335 { 994 int i=0;995 336 struct pipe_rpc_fns *context_fns; 996 337 … … 999 340 1000 341 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */ 1001 1002 for (i=0; i<rpc_lookup_size; i++) { 1003 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt)); 1004 if (ndr_syntax_id_equal( 1005 abstract, &rpc_lookup[i].rpc_interface) 1006 && ndr_syntax_id_equal( 1007 transfer, &ndr_transfer_syntax)) { 1008 break; 1009 } 1010 } 1011 1012 if (i == rpc_lookup_size) { 342 if (rpc_srv_pipe_exists_by_id(abstract) && 343 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) { 344 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 345 rpc_srv_get_pipe_cli_name(abstract), 346 rpc_srv_get_pipe_srv_name(abstract))); 347 } else { 1013 348 return false; 1014 349 } … … 1020 355 } 1021 356 1022 context_fns->cmds = rpc_lookup[i].cmds; 1023 context_fns->n_cmds = rpc_lookup[i].n_cmds; 357 context_fns->next = context_fns->prev = NULL; 358 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract); 359 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract); 1024 360 context_fns->context_id = context_id; 1025 361 … … 1029 365 1030 366 return True; 1031 }1032 1033 /*******************************************************************1034 Register commands to an RPC pipe1035 *******************************************************************/1036 1037 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,1038 const struct ndr_interface_table *iface,1039 const struct api_struct *cmds, int size)1040 {1041 struct rpc_table *rpc_entry;1042 1043 if (!clnt || !srv || !cmds) {1044 return NT_STATUS_INVALID_PARAMETER;1045 }1046 1047 if (version != SMB_RPC_INTERFACE_VERSION) {1048 DEBUG(0,("Can't register rpc commands!\n"1049 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"1050 ", while this version of samba uses version %d!\n",1051 version,SMB_RPC_INTERFACE_VERSION));1052 return NT_STATUS_OBJECT_TYPE_MISMATCH;1053 }1054 1055 /* TODO:1056 *1057 * we still need to make sure that don't register the same commands twice!!!1058 *1059 * --metze1060 */1061 1062 /* We use a temporary variable because this call can fail and1063 rpc_lookup will still be valid afterwards. It could then succeed if1064 called again later */1065 rpc_lookup_size++;1066 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);1067 if (NULL == rpc_entry) {1068 rpc_lookup_size--;1069 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));1070 return NT_STATUS_NO_MEMORY;1071 } else {1072 rpc_lookup = rpc_entry;1073 }1074 1075 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);1076 ZERO_STRUCTP(rpc_entry);1077 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);1078 rpc_entry->pipe.srv = SMB_STRDUP(srv);1079 rpc_entry->rpc_interface = iface->syntax_id;1080 rpc_entry->cmds = cmds;1081 rpc_entry->n_cmds = size;1082 1083 return NT_STATUS_OK;1084 367 } 1085 368 … … 1092 375 { 1093 376 const char *pipename = cli_filename; 1094 int i;1095 377 NTSTATUS status; 1096 378 … … 1108 390 } 1109 391 1110 for (i=0; i<rpc_lookup_size; i++) { 1111 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) { 1112 *syntax = rpc_lookup[i].rpc_interface; 1113 return true; 1114 } 392 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) { 393 return true; 1115 394 } 1116 395 … … 1125 404 * Scan the list again for the interface id 1126 405 */ 1127 1128 for (i=0; i<rpc_lookup_size; i++) { 1129 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) { 1130 *syntax = rpc_lookup[i].rpc_interface; 1131 return true; 1132 } 406 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) { 407 return true; 1133 408 } 1134 409 … … 1137 412 1138 413 return false; 1139 }1140 1141 /*******************************************************************1142 Handle a SPNEGO krb5 bind auth.1143 *******************************************************************/1144 1145 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,1146 DATA_BLOB *psecblob, prs_struct *pout_auth)1147 {1148 return False;1149 414 } 1150 415 … … 1153 418 *******************************************************************/ 1154 419 1155 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p, 1156 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth) 1157 { 1158 DATA_BLOB blob; 1159 DATA_BLOB secblob; 1160 DATA_BLOB response; 1161 DATA_BLOB chal; 1162 char *OIDs[ASN1_MAX_OIDS]; 1163 int i; 420 static bool pipe_spnego_auth_bind(struct pipes_struct *p, 421 TALLOC_CTX *mem_ctx, 422 struct dcerpc_auth *auth_info, 423 DATA_BLOB *response) 424 { 425 struct spnego_context *spnego_ctx; 1164 426 NTSTATUS status; 1165 bool got_kerberos_mechanism = false; 1166 AUTH_NTLMSSP_STATE *a = NULL; 1167 RPC_HDR_AUTH auth_info; 1168 1169 ZERO_STRUCT(secblob); 1170 ZERO_STRUCT(chal); 1171 ZERO_STRUCT(response); 1172 1173 /* Grab the SPNEGO blob. */ 1174 blob = data_blob(NULL,p->hdr.auth_len); 1175 1176 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) { 1177 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n", 1178 (unsigned int)p->hdr.auth_len )); 1179 goto err; 1180 } 1181 1182 if (blob.data[0] != ASN1_APPLICATION(0)) { 1183 goto err; 1184 } 1185 1186 /* parse out the OIDs and the first sec blob */ 1187 if (!parse_negTokenTarg(blob, OIDs, &secblob) || 1188 OIDs[0] == NULL) { 1189 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n")); 1190 goto err; 1191 } 1192 1193 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) { 1194 got_kerberos_mechanism = true; 1195 } 1196 1197 for (i=0;OIDs[i];i++) { 1198 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i])); 1199 TALLOC_FREE(OIDs[i]); 1200 } 1201 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length)); 1202 1203 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) { 1204 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth); 1205 data_blob_free(&secblob); 1206 data_blob_free(&blob); 1207 return ret; 1208 } 1209 1210 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) { 1211 /* Free any previous auth type. */ 1212 free_pipe_ntlmssp_auth_data(&p->auth); 1213 } 1214 1215 if (!got_kerberos_mechanism) { 1216 /* Initialize the NTLM engine. */ 1217 status = auth_ntlmssp_start(&a); 1218 if (!NT_STATUS_IS_OK(status)) { 1219 goto err; 1220 } 1221 1222 /* 1223 * Pass the first security blob of data to it. 1224 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED 1225 * which means we need another packet to complete the bind. 1226 */ 1227 1228 status = auth_ntlmssp_update(a, secblob, &chal); 1229 1230 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { 1231 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n")); 1232 goto err; 1233 } 1234 1235 /* Generate the response blob we need for step 2 of the bind. */ 1236 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP); 1237 } else { 1238 /* 1239 * SPNEGO negotiate down to NTLMSSP. The subsequent 1240 * code to process follow-up packets is not complete 1241 * yet. JRA. 1242 */ 1243 response = spnego_gen_auth_response(NULL, 1244 NT_STATUS_MORE_PROCESSING_REQUIRED, 1245 OID_NTLMSSP); 1246 } 1247 1248 /* Copy the blob into the pout_auth parse struct */ 1249 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 1250 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) { 1251 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n")); 1252 goto err; 1253 } 1254 1255 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) { 1256 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n")); 1257 goto err; 1258 } 1259 1260 p->auth.a_u.auth_ntlmssp_state = a; 1261 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data; 1262 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP; 1263 1264 data_blob_free(&blob); 1265 data_blob_free(&secblob); 1266 data_blob_free(&chal); 1267 data_blob_free(&response); 1268 1269 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */ 1270 return True; 1271 1272 err: 1273 1274 data_blob_free(&blob); 1275 data_blob_free(&secblob); 1276 data_blob_free(&chal); 1277 data_blob_free(&response); 1278 1279 p->auth.a_u.auth_ntlmssp_state = NULL; 1280 1281 return False; 1282 } 1283 1284 /******************************************************************* 1285 Handle the second part of a SPNEGO bind auth. 1286 *******************************************************************/ 1287 1288 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p, 1289 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth) 1290 { 1291 RPC_HDR_AUTH auth_info; 1292 DATA_BLOB spnego_blob; 1293 DATA_BLOB auth_blob; 1294 DATA_BLOB auth_reply; 1295 DATA_BLOB response; 1296 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 1297 1298 ZERO_STRUCT(spnego_blob); 1299 ZERO_STRUCT(auth_blob); 1300 ZERO_STRUCT(auth_reply); 1301 ZERO_STRUCT(response); 1302 1303 /* 1304 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently 1305 * fail here as 'a' == NULL. 1306 */ 1307 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) { 1308 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n")); 1309 goto err; 1310 } 1311 1312 /* Grab the SPNEGO blob. */ 1313 spnego_blob = data_blob(NULL,p->hdr.auth_len); 1314 1315 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) { 1316 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n", 1317 (unsigned int)p->hdr.auth_len )); 1318 goto err; 1319 } 1320 1321 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) { 1322 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n")); 1323 goto err; 1324 } 1325 1326 if (!spnego_parse_auth(spnego_blob, &auth_blob)) { 1327 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n")); 1328 goto err; 1329 } 1330 1331 /* 1332 * The following call actually checks the challenge/response data. 1333 * for correctness against the given DOMAIN\user name. 1334 */ 1335 1336 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) { 1337 goto err; 1338 } 1339 1340 data_blob_free(&spnego_blob); 1341 data_blob_free(&auth_blob); 1342 1343 /* Generate the spnego "accept completed" blob - no incoming data. */ 1344 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP); 1345 1346 /* Copy the blob into the pout_auth parse struct */ 1347 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 1348 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) { 1349 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n")); 1350 goto err; 1351 } 1352 1353 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) { 1354 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n")); 1355 goto err; 1356 } 1357 1358 data_blob_free(&auth_reply); 1359 data_blob_free(&response); 1360 1361 p->pipe_bound = True; 1362 1363 return True; 1364 1365 err: 1366 1367 data_blob_free(&spnego_blob); 1368 data_blob_free(&auth_blob); 1369 data_blob_free(&auth_reply); 1370 data_blob_free(&response); 1371 1372 free_pipe_ntlmssp_auth_data(&p->auth); 1373 p->auth.a_u.auth_ntlmssp_state = NULL; 1374 1375 return False; 427 428 status = spnego_server_auth_start(p, 429 (auth_info->auth_level == 430 DCERPC_AUTH_LEVEL_INTEGRITY), 431 (auth_info->auth_level == 432 DCERPC_AUTH_LEVEL_PRIVACY), 433 true, 434 &auth_info->credentials, 435 response, 436 &spnego_ctx); 437 if (!NT_STATUS_IS_OK(status)) { 438 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n", 439 nt_errstr(status))); 440 return false; 441 } 442 443 /* Make sure data is bound to the memctx, to be freed the caller */ 444 talloc_steal(mem_ctx, response->data); 445 446 p->auth.auth_ctx = spnego_ctx; 447 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO; 448 449 DEBUG(10, ("SPNEGO auth started\n")); 450 451 return true; 1376 452 } 1377 453 … … 1380 456 *******************************************************************/ 1381 457 1382 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p, 1383 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth) 1384 { 1385 RPC_HDR_AUTH auth_info; 458 static bool pipe_schannel_auth_bind(struct pipes_struct *p, 459 TALLOC_CTX *mem_ctx, 460 struct dcerpc_auth *auth_info, 461 DATA_BLOB *response) 462 { 1386 463 struct NL_AUTH_MESSAGE neg; 1387 464 struct NL_AUTH_MESSAGE reply; … … 1389 466 NTSTATUS status; 1390 467 struct netlogon_creds_CredentialState *creds; 1391 DATA_BLOB session_key;1392 468 enum ndr_err_code ndr_err; 1393 DATA_BLOB blob; 1394 1395 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p), 1396 prs_data_size(rpc_in_p)); 1397 1398 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg, 1399 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE); 469 struct schannel_state *schannel_auth; 470 471 ndr_err = ndr_pull_struct_blob( 472 &auth_info->credentials, mem_ctx, &neg, 473 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE); 1400 474 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 1401 475 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n")); … … 1419 493 1420 494 become_root(); 1421 status = schannel_fetch_session_key(p, 1422 neg.oem_netbios_computer.a, 1423 &creds); 495 status = schannel_get_creds_state(p, lp_private_dir(), 496 neg.oem_netbios_computer.a, &creds); 1424 497 unbecome_root(); 1425 498 … … 1429 502 } 1430 503 1431 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);1432 if (! p->auth.a_u.schannel_auth) {504 schannel_auth = talloc(p, struct schannel_state); 505 if (!schannel_auth) { 1433 506 TALLOC_FREE(creds); 1434 507 return False; 1435 508 } 1436 509 1437 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;1438 p->auth.a_u.schannel_auth->seq_num = 0;1439 p->auth.a_u.schannel_auth->initiator = false;1440 p->auth.a_u.schannel_auth->creds = creds;510 schannel_auth->state = SCHANNEL_STATE_START; 511 schannel_auth->seq_num = 0; 512 schannel_auth->initiator = false; 513 schannel_auth->creds = creds; 1441 514 1442 515 /* … … 1451 524 */ 1452 525 1453 session_key = generic_session_key();1454 if (session_key.data == NULL) { 1455 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"1456 " key\n"));526 ret = session_info_set_session_key(p->session_info, generic_session_key()); 527 528 if (!ret) { 529 DEBUG(0, ("session_info_set_session_key failed\n")); 1457 530 return false; 1458 }1459 1460 ret = server_info_set_session_key(p->server_info, session_key);1461 1462 data_blob_free(&session_key);1463 1464 if (!ret) {1465 DEBUG(0, ("server_info_set_session_key failed\n"));1466 return false;1467 }1468 1469 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);1470 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {1471 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));1472 return False;1473 531 } 1474 532 … … 1481 539 * here - gd */ 1482 540 1483 ndr_err = ndr_push_struct_blob( &blob, talloc_tos(), NULL, &reply,541 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply, 1484 542 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); 1485 543 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { … … 1492 550 } 1493 551 1494 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {1495 return false;1496 }1497 1498 552 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n", 1499 553 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a)); 1500 554 1501 555 /* We're finished with this bind - no more packets. */ 1502 p->auth.auth_ data_free_func = NULL;1503 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;556 p->auth.auth_ctx = schannel_auth; 557 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL; 1504 558 1505 559 p->pipe_bound = True; … … 1512 566 *******************************************************************/ 1513 567 1514 static bool pipe_ntlmssp_auth_bind( pipes_struct *p, prs_struct *rpc_in_p,1515 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)1516 { 1517 RPC_HDR_AUTH auth_info;1518 DATA_BLOB blob; 1519 DATA_BLOB response;568 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p, 569 TALLOC_CTX *mem_ctx, 570 struct dcerpc_auth *auth_info, 571 DATA_BLOB *response) 572 { 573 struct auth_ntlmssp_state *ntlmssp_state = NULL; 1520 574 NTSTATUS status; 1521 AUTH_NTLMSSP_STATE *a = NULL; 1522 1523 ZERO_STRUCT(blob); 1524 ZERO_STRUCT(response); 1525 1526 /* Grab the NTLMSSP blob. */ 1527 blob = data_blob(NULL,p->hdr.auth_len); 1528 1529 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) { 1530 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n", 1531 (unsigned int)p->hdr.auth_len )); 575 576 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) { 577 DEBUG(0, ("Failed to read NTLMSSP in blob\n")); 578 return false; 579 } 580 581 /* We have an NTLMSSP blob. */ 582 status = ntlmssp_server_auth_start(p, 583 (auth_info->auth_level == 584 DCERPC_AUTH_LEVEL_INTEGRITY), 585 (auth_info->auth_level == 586 DCERPC_AUTH_LEVEL_PRIVACY), 587 true, 588 &auth_info->credentials, 589 response, 590 &ntlmssp_state); 591 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) { 592 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n", 593 nt_errstr(status))); 594 return false; 595 } 596 597 /* Make sure data is bound to the memctx, to be freed the caller */ 598 talloc_steal(mem_ctx, response->data); 599 600 p->auth.auth_ctx = ntlmssp_state; 601 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP; 602 603 DEBUG(10, (__location__ ": NTLMSSP auth started\n")); 604 605 return true; 606 } 607 608 /******************************************************************* 609 Process an NTLMSSP authentication response. 610 If this function succeeds, the user has been authenticated 611 and their domain, name and calling workstation stored in 612 the pipe struct. 613 *******************************************************************/ 614 615 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx, 616 struct auth_ntlmssp_state *ntlmssp_ctx, 617 enum dcerpc_AuthLevel auth_level, 618 struct client_address *client_id, 619 struct ndr_syntax_id *syntax, 620 struct auth_serversupplied_info **session_info) 621 { 622 NTSTATUS status; 623 bool ret; 624 625 DEBUG(5, (__location__ ": pipe %s checking user details\n", 626 get_pipe_name_from_syntax(talloc_tos(), syntax))); 627 628 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) 629 ensure the underlying NTLMSSP flags are also set. If not we should 630 refuse the bind. */ 631 632 status = ntlmssp_server_check_flags(ntlmssp_ctx, 633 (auth_level == 634 DCERPC_AUTH_LEVEL_INTEGRITY), 635 (auth_level == 636 DCERPC_AUTH_LEVEL_PRIVACY)); 637 if (!NT_STATUS_IS_OK(status)) { 638 DEBUG(0, (__location__ ": Client failed to negotatie proper " 639 "security for pipe %s\n", 640 get_pipe_name_from_syntax(talloc_tos(), syntax))); 641 return false; 642 } 643 644 TALLOC_FREE(*session_info); 645 646 status = ntlmssp_server_get_user_info(ntlmssp_ctx, 647 mem_ctx, session_info); 648 if (!NT_STATUS_IS_OK(status)) { 649 DEBUG(0, (__location__ ": failed to obtain the server info " 650 "for authenticated user: %s\n", nt_errstr(status))); 651 return false; 652 } 653 654 if ((*session_info)->security_token == NULL) { 655 DEBUG(1, ("Auth module failed to provide nt_user_token\n")); 656 return false; 657 } 658 659 /* 660 * We're an authenticated bind over smb, so the session key needs to 661 * be set to "SystemLibraryDTC". Weird, but this is what Windows 662 * does. See the RPC-SAMBA3SESSIONKEY. 663 */ 664 665 ret = session_info_set_session_key((*session_info), generic_session_key()); 666 if (!ret) { 667 DEBUG(0, ("Failed to set session key!\n")); 668 return false; 669 } 670 671 return true; 672 } 673 674 /******************************************************************* 675 Handle a GSSAPI bind auth. 676 *******************************************************************/ 677 678 static bool pipe_gssapi_auth_bind(struct pipes_struct *p, 679 TALLOC_CTX *mem_ctx, 680 struct dcerpc_auth *auth_info, 681 DATA_BLOB *response) 682 { 683 NTSTATUS status; 684 struct gse_context *gse_ctx = NULL; 685 686 status = gssapi_server_auth_start(p, 687 (auth_info->auth_level == 688 DCERPC_AUTH_LEVEL_INTEGRITY), 689 (auth_info->auth_level == 690 DCERPC_AUTH_LEVEL_PRIVACY), 691 true, 692 &auth_info->credentials, 693 response, 694 &gse_ctx); 695 if (!NT_STATUS_IS_OK(status)) { 696 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n", 697 nt_errstr(status))); 1532 698 goto err; 1533 699 } 1534 700 1535 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) { 1536 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n")); 1537 goto err; 1538 } 1539 1540 /* We have an NTLMSSP blob. */ 1541 status = auth_ntlmssp_start(&a); 701 /* Make sure data is bound to the memctx, to be freed the caller */ 702 talloc_steal(mem_ctx, response->data); 703 704 p->auth.auth_ctx = gse_ctx; 705 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5; 706 707 DEBUG(10, ("KRB5 auth started\n")); 708 709 return true; 710 711 err: 712 TALLOC_FREE(gse_ctx); 713 return false; 714 } 715 716 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx, 717 struct gse_context *gse_ctx, 718 struct client_address *client_id, 719 struct auth_serversupplied_info **session_info) 720 { 721 NTSTATUS status; 722 bool bret; 723 724 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) 725 ensure the underlying flags are also set. If not we should 726 refuse the bind. */ 727 728 status = gssapi_server_check_flags(gse_ctx); 1542 729 if (!NT_STATUS_IS_OK(status)) { 1543 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n", 1544 nt_errstr(status) )); 1545 goto err; 1546 } 1547 1548 status = auth_ntlmssp_update(a, blob, &response); 1549 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { 1550 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n", 1551 nt_errstr(status) )); 1552 goto err; 1553 } 1554 1555 data_blob_free(&blob); 1556 1557 /* Copy the blob into the pout_auth parse struct */ 1558 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 1559 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) { 1560 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n")); 1561 goto err; 1562 } 1563 1564 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) { 1565 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n")); 1566 goto err; 1567 } 1568 1569 p->auth.a_u.auth_ntlmssp_state = a; 1570 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data; 1571 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP; 1572 1573 data_blob_free(&blob); 1574 data_blob_free(&response); 1575 1576 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n")); 1577 1578 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */ 1579 return True; 1580 1581 err: 1582 1583 data_blob_free(&blob); 1584 data_blob_free(&response); 1585 1586 free_pipe_ntlmssp_auth_data(&p->auth); 1587 p->auth.a_u.auth_ntlmssp_state = NULL; 1588 return False; 730 DEBUG(0, ("Requested Security Layers not honored!\n")); 731 return status; 732 } 733 734 status = gssapi_server_get_user_info(gse_ctx, mem_ctx, 735 client_id, session_info); 736 if (!NT_STATUS_IS_OK(status)) { 737 DEBUG(0, (__location__ ": failed to obtain the server info " 738 "for authenticated user: %s\n", nt_errstr(status))); 739 return status; 740 } 741 742 if ((*session_info)->security_token == NULL) { 743 status = create_local_token(*session_info); 744 if (!NT_STATUS_IS_OK(status)) { 745 DEBUG(1, ("Failed to create local user token (%s)\n", 746 nt_errstr(status))); 747 status = NT_STATUS_ACCESS_DENIED; 748 return status; 749 } 750 } 751 752 /* TODO: this is what the ntlmssp code does with the session_key, check 753 * it is ok with gssapi too */ 754 /* 755 * We're an authenticated bind over smb, so the session key needs to 756 * be set to "SystemLibraryDTC". Weird, but this is what Windows 757 * does. See the RPC-SAMBA3SESSIONKEY. 758 */ 759 760 bret = session_info_set_session_key((*session_info), generic_session_key()); 761 if (!bret) { 762 return NT_STATUS_ACCESS_DENIED; 763 } 764 765 return NT_STATUS_OK; 766 } 767 768 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p) 769 { 770 enum spnego_mech auth_type; 771 struct auth_ntlmssp_state *ntlmssp_ctx; 772 struct spnego_context *spnego_ctx; 773 struct gse_context *gse_ctx; 774 void *mech_ctx; 775 NTSTATUS status; 776 777 switch (p->auth.auth_type) { 778 case DCERPC_AUTH_TYPE_NTLMSSP: 779 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, 780 struct auth_ntlmssp_state); 781 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx, 782 p->auth.auth_level, 783 p->client_id, &p->syntax, 784 &p->session_info)) { 785 return NT_STATUS_ACCESS_DENIED; 786 } 787 break; 788 case DCERPC_AUTH_TYPE_KRB5: 789 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx, 790 struct gse_context); 791 status = pipe_gssapi_verify_final(p, gse_ctx, 792 p->client_id, 793 &p->session_info); 794 if (!NT_STATUS_IS_OK(status)) { 795 DEBUG(1, ("gssapi bind failed with: %s", 796 nt_errstr(status))); 797 return status; 798 } 799 break; 800 case DCERPC_AUTH_TYPE_SPNEGO: 801 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, 802 struct spnego_context); 803 status = spnego_get_negotiated_mech(spnego_ctx, 804 &auth_type, &mech_ctx); 805 if (!NT_STATUS_IS_OK(status)) { 806 DEBUG(0, ("Bad SPNEGO state (%s)\n", 807 nt_errstr(status))); 808 return status; 809 } 810 switch(auth_type) { 811 case SPNEGO_KRB5: 812 gse_ctx = talloc_get_type_abort(mech_ctx, 813 struct gse_context); 814 status = pipe_gssapi_verify_final(p, gse_ctx, 815 p->client_id, 816 &p->session_info); 817 if (!NT_STATUS_IS_OK(status)) { 818 DEBUG(1, ("gssapi bind failed with: %s", 819 nt_errstr(status))); 820 return status; 821 } 822 break; 823 case SPNEGO_NTLMSSP: 824 ntlmssp_ctx = talloc_get_type_abort(mech_ctx, 825 struct auth_ntlmssp_state); 826 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx, 827 p->auth.auth_level, 828 p->client_id, 829 &p->syntax, 830 &p->session_info)) { 831 return NT_STATUS_ACCESS_DENIED; 832 } 833 break; 834 default: 835 DEBUG(0, (__location__ ": incorrect spnego type " 836 "(%d).\n", auth_type)); 837 return NT_STATUS_ACCESS_DENIED; 838 } 839 break; 840 default: 841 DEBUG(0, (__location__ ": incorrect auth type (%u).\n", 842 (unsigned int)p->auth.auth_type)); 843 return NT_STATUS_ACCESS_DENIED; 844 } 845 846 p->pipe_bound = true; 847 848 return NT_STATUS_OK; 1589 849 } 1590 850 … … 1593 853 *******************************************************************/ 1594 854 1595 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) 1596 { 1597 RPC_HDR_BA hdr_ba; 1598 RPC_HDR_RB hdr_rb; 1599 RPC_HDR_AUTH auth_info; 855 static bool api_pipe_bind_req(struct pipes_struct *p, 856 struct ncacn_packet *pkt) 857 { 858 struct dcerpc_auth auth_info; 1600 859 uint16 assoc_gid; 1601 fstring ack_pipe_name;1602 prs_struct out_hdr_ba;1603 prs_struct out_auth;1604 int i = 0;1605 int auth_len = 0;1606 860 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE; 861 NTSTATUS status; 862 struct ndr_syntax_id id; 863 union dcerpc_payload u; 864 struct dcerpc_ack_ctx bind_ack_ctx; 865 DATA_BLOB auth_resp = data_blob_null; 866 DATA_BLOB auth_blob = data_blob_null; 1607 867 1608 868 /* No rebinds on a bound pipe - use alter context. */ … … 1611 871 "pipe %s.\n", 1612 872 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 1613 return setup_bind_nak(p); 1614 } 1615 1616 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 1617 1618 /* 1619 * Marshall directly into the outgoing PDU space. We 1620 * must do this as we need to set to the bind response 1621 * header and are never sending more than one PDU here. 1622 */ 1623 1624 /* 1625 * Setup the memory to marshall the ba header, and the 1626 * auth footers. 1627 */ 1628 1629 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) { 1630 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n")); 1631 prs_mem_free(&p->out_data.frag); 1632 return False; 1633 } 1634 1635 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) { 1636 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n")); 1637 prs_mem_free(&p->out_data.frag); 1638 prs_mem_free(&out_hdr_ba); 1639 return False; 1640 } 1641 1642 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__)); 1643 1644 ZERO_STRUCT(hdr_rb); 1645 1646 /* decode the bind request */ 1647 1648 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) { 1649 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB " 1650 "struct.\n")); 1651 goto err_exit; 1652 } 1653 1654 if (hdr_rb.num_contexts == 0) { 873 return setup_bind_nak(p, pkt); 874 } 875 876 if (pkt->u.bind.num_contexts == 0) { 1655 877 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n")); 1656 878 goto err_exit; … … 1661 883 * that this is a pipe name we support. 1662 884 */ 1663 1664 for (i = 0; i < rpc_lookup_size; i++) { 1665 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface, 1666 &hdr_rb.rpc_context[0].abstract)) { 1667 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 1668 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv)); 1669 break; 1670 } 1671 } 1672 1673 if (i == rpc_lookup_size) { 1674 NTSTATUS status; 1675 885 id = pkt->u.bind.ctx_list[0].abstract_syntax; 886 if (rpc_srv_pipe_exists_by_id(&id)) { 887 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 888 rpc_srv_get_pipe_cli_name(&id), 889 rpc_srv_get_pipe_srv_name(&id))); 890 } else { 1676 891 status = smb_probe_module( 1677 892 "rpc", get_pipe_name_from_syntax( 1678 893 talloc_tos(), 1679 & hdr_rb.rpc_context[0].abstract));894 &pkt->u.bind.ctx_list[0].abstract_syntax)); 1680 895 1681 896 if (NT_STATUS_IS_ERR(status)) { … … 1683 898 get_pipe_name_from_syntax( 1684 899 talloc_tos(), 1685 &hdr_rb.rpc_context[0].abstract))); 1686 prs_mem_free(&p->out_data.frag); 1687 prs_mem_free(&out_hdr_ba); 1688 prs_mem_free(&out_auth); 1689 1690 return setup_bind_nak(p); 1691 } 1692 1693 for (i = 0; i < rpc_lookup_size; i++) { 1694 if (strequal(rpc_lookup[i].pipe.clnt, 1695 get_pipe_name_from_syntax(talloc_tos(), 1696 &p->syntax))) { 1697 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 1698 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv)); 1699 break; 1700 } 1701 } 1702 1703 if (i == rpc_lookup_size) { 900 &pkt->u.bind.ctx_list[0].abstract_syntax))); 901 902 return setup_bind_nak(p, pkt); 903 } 904 905 if (rpc_srv_get_pipe_interface_by_cli_name( 906 get_pipe_name_from_syntax(talloc_tos(), 907 &p->syntax), 908 &id)) { 909 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 910 rpc_srv_get_pipe_cli_name(&id), 911 rpc_srv_get_pipe_srv_name(&id))); 912 } else { 1704 913 DEBUG(0, ("module %s doesn't provide functions for " 1705 914 "pipe %s!\n", … … 1708 917 get_pipe_name_from_syntax(talloc_tos(), 1709 918 &p->syntax))); 1710 goto err_exit; 1711 } 1712 } 1713 1714 /* name has to be \PIPE\xxxxx */ 1715 fstrcpy(ack_pipe_name, "\\PIPE\\"); 1716 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv); 919 return setup_bind_nak(p, pkt); 920 } 921 } 1717 922 1718 923 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__)); 1719 924 1720 /* 1721 * Check if this is an authenticated bind request. 1722 */ 1723 1724 if (p->hdr.auth_len) { 1725 /* 1726 * Decode the authentication verifier. 1727 */ 1728 1729 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) { 1730 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n")); 1731 goto err_exit; 1732 } 1733 1734 auth_type = auth_info.auth_type; 1735 1736 /* Work out if we have to sign or seal etc. */ 1737 switch (auth_info.auth_level) { 1738 case DCERPC_AUTH_LEVEL_INTEGRITY: 1739 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; 1740 break; 1741 case DCERPC_AUTH_LEVEL_PRIVACY: 1742 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY; 1743 break; 1744 default: 1745 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n", 1746 (unsigned int)auth_info.auth_level )); 1747 goto err_exit; 1748 } 925 if (pkt->u.bind.assoc_group_id != 0) { 926 assoc_gid = pkt->u.bind.assoc_group_id; 1749 927 } else { 1750 ZERO_STRUCT(auth_info); 1751 } 1752 1753 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0; 1754 1755 switch(auth_type) { 1756 case DCERPC_AUTH_TYPE_NTLMSSP: 1757 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) { 1758 goto err_exit; 1759 } 1760 assoc_gid = 0x7a77; 1761 break; 1762 1763 case DCERPC_AUTH_TYPE_SCHANNEL: 1764 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) { 1765 goto err_exit; 1766 } 1767 break; 1768 1769 case DCERPC_AUTH_TYPE_SPNEGO: 1770 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) { 1771 goto err_exit; 1772 } 1773 break; 1774 1775 case DCERPC_AUTH_TYPE_NONE: 1776 /* Unauthenticated bind request. */ 1777 /* We're finished - no more packets. */ 1778 p->auth.auth_type = PIPE_AUTH_TYPE_NONE; 1779 /* We must set the pipe auth_level here also. */ 1780 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; 1781 p->pipe_bound = True; 1782 /* The session key was initialized from the SMB 1783 * session in make_internal_rpc_pipe_p */ 1784 break; 1785 1786 default: 1787 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type )); 1788 goto err_exit; 928 assoc_gid = 0x53f0; 1789 929 } 1790 930 … … 1799 939 Needed when adding entries to a DACL from NT5 - SK */ 1800 940 1801 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0], 1802 hdr_rb.rpc_context[0].context_id )) { 1803 init_rpc_hdr_ba(&hdr_ba, 1804 RPC_MAX_PDU_FRAG_LEN, 1805 RPC_MAX_PDU_FRAG_LEN, 1806 assoc_gid, 1807 ack_pipe_name, 1808 0x1, 0x0, 0x0, 1809 &hdr_rb.rpc_context[0].transfer[0]); 941 if (check_bind_req(p, 942 &pkt->u.bind.ctx_list[0].abstract_syntax, 943 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0], 944 pkt->u.bind.ctx_list[0].context_id)) { 945 946 bind_ack_ctx.result = 0; 947 bind_ack_ctx.reason = 0; 948 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; 1810 949 } else { 950 p->pipe_bound = False; 1811 951 /* Rejection reason: abstract syntax not supported */ 1812 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN, 1813 RPC_MAX_PDU_FRAG_LEN, assoc_gid, 1814 ack_pipe_name, 0x1, 0x2, 0x1, 1815 &null_ndr_syntax_id); 1816 p->pipe_bound = False; 1817 } 1818 1819 /* 1820 * and marshall it. 1821 */ 1822 1823 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) { 1824 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n")); 952 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; 953 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; 954 bind_ack_ctx.syntax = null_ndr_syntax_id; 955 } 956 957 /* 958 * Check if this is an authenticated bind request. 959 */ 960 if (pkt->auth_length) { 961 /* Quick length check. Won't catch a bad auth footer, 962 * prevents overrun. */ 963 964 if (pkt->frag_length < RPC_HEADER_LEN + 965 DCERPC_AUTH_TRAILER_LENGTH + 966 pkt->auth_length) { 967 DEBUG(0,("api_pipe_bind_req: auth_len (%u) " 968 "too long for fragment %u.\n", 969 (unsigned int)pkt->auth_length, 970 (unsigned int)pkt->frag_length)); 971 goto err_exit; 972 } 973 974 /* 975 * Decode the authentication verifier. 976 */ 977 status = dcerpc_pull_dcerpc_auth(pkt, 978 &pkt->u.bind.auth_info, 979 &auth_info, p->endian); 980 if (!NT_STATUS_IS_OK(status)) { 981 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); 982 goto err_exit; 983 } 984 985 auth_type = auth_info.auth_type; 986 987 /* Work out if we have to sign or seal etc. */ 988 switch (auth_info.auth_level) { 989 case DCERPC_AUTH_LEVEL_INTEGRITY: 990 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; 991 break; 992 case DCERPC_AUTH_LEVEL_PRIVACY: 993 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY; 994 break; 995 case DCERPC_AUTH_LEVEL_CONNECT: 996 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT; 997 break; 998 default: 999 DEBUG(0, ("Unexpected auth level (%u).\n", 1000 (unsigned int)auth_info.auth_level )); 1001 goto err_exit; 1002 } 1003 1004 switch (auth_type) { 1005 case DCERPC_AUTH_TYPE_NTLMSSP: 1006 if (!pipe_ntlmssp_auth_bind(p, pkt, 1007 &auth_info, &auth_resp)) { 1008 goto err_exit; 1009 } 1010 assoc_gid = 0x7a77; 1011 break; 1012 1013 case DCERPC_AUTH_TYPE_SCHANNEL: 1014 if (!pipe_schannel_auth_bind(p, pkt, 1015 &auth_info, &auth_resp)) { 1016 goto err_exit; 1017 } 1018 break; 1019 1020 case DCERPC_AUTH_TYPE_SPNEGO: 1021 if (!pipe_spnego_auth_bind(p, pkt, 1022 &auth_info, &auth_resp)) { 1023 goto err_exit; 1024 } 1025 break; 1026 1027 case DCERPC_AUTH_TYPE_KRB5: 1028 if (!pipe_gssapi_auth_bind(p, pkt, 1029 &auth_info, &auth_resp)) { 1030 goto err_exit; 1031 } 1032 break; 1033 1034 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: 1035 if (p->transport == NCALRPC && p->ncalrpc_as_system) { 1036 TALLOC_FREE(p->session_info); 1037 1038 status = make_session_info_system(p, 1039 &p->session_info); 1040 if (!NT_STATUS_IS_OK(status)) { 1041 goto err_exit; 1042 } 1043 1044 auth_resp = data_blob_talloc(pkt, 1045 "NCALRPC_AUTH_OK", 1046 15); 1047 1048 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM; 1049 p->pipe_bound = true; 1050 } else { 1051 goto err_exit; 1052 } 1053 break; 1054 1055 case DCERPC_AUTH_TYPE_NONE: 1056 break; 1057 1058 default: 1059 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type)); 1060 goto err_exit; 1061 } 1062 } 1063 1064 if (auth_type == DCERPC_AUTH_TYPE_NONE) { 1065 /* Unauthenticated bind request. */ 1066 /* We're finished - no more packets. */ 1067 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; 1068 /* We must set the pipe auth_level here also. */ 1069 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; 1070 p->pipe_bound = True; 1071 /* The session key was initialized from the SMB 1072 * session in make_internal_rpc_pipe_p */ 1073 } 1074 1075 ZERO_STRUCT(u.bind_ack); 1076 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; 1077 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN; 1078 u.bind_ack.assoc_group_id = assoc_gid; 1079 1080 /* name has to be \PIPE\xxxxx */ 1081 u.bind_ack.secondary_address = 1082 talloc_asprintf(pkt, "\\PIPE\\%s", 1083 rpc_srv_get_pipe_srv_name(&id)); 1084 if (!u.bind_ack.secondary_address) { 1085 DEBUG(0, ("Out of memory!\n")); 1825 1086 goto err_exit; 1826 1087 } 1827 1828 /* 1829 * Create the header, now we know the length. 1830 */ 1831 1832 if (prs_offset(&out_auth)) { 1833 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN; 1834 } 1835 1836 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST, 1837 p->hdr.call_id, 1838 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth), 1839 auth_len); 1840 1841 /* 1842 * Marshall the header into the outgoing PDU. 1843 */ 1844 1845 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) { 1846 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n")); 1847 goto err_exit; 1848 } 1849 1850 /* 1851 * Now add the RPC_HDR_BA and any auth needed. 1852 */ 1853 1854 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) { 1855 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n")); 1856 goto err_exit; 1857 } 1858 1859 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) { 1860 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n")); 1861 goto err_exit; 1088 u.bind_ack.secondary_address_size = 1089 strlen(u.bind_ack.secondary_address) + 1; 1090 1091 u.bind_ack.num_results = 1; 1092 u.bind_ack.ctx_list = &bind_ack_ctx; 1093 1094 /* NOTE: We leave the auth_info empty so we can calculate the padding 1095 * later and then append the auth_info --simo */ 1096 1097 /* 1098 * Marshall directly into the outgoing PDU space. We 1099 * must do this as we need to set to the bind response 1100 * header and are never sending more than one PDU here. 1101 */ 1102 1103 status = dcerpc_push_ncacn_packet(p->mem_ctx, 1104 DCERPC_PKT_BIND_ACK, 1105 DCERPC_PFC_FLAG_FIRST | 1106 DCERPC_PFC_FLAG_LAST, 1107 auth_resp.length, 1108 pkt->call_id, 1109 &u, 1110 &p->out_data.frag); 1111 if (!NT_STATUS_IS_OK(status)) { 1112 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", 1113 nt_errstr(status))); 1114 } 1115 1116 if (auth_resp.length) { 1117 1118 status = dcerpc_push_dcerpc_auth(pkt, 1119 auth_type, 1120 auth_info.auth_level, 1121 0, 1122 1, /* auth_context_id */ 1123 &auth_resp, 1124 &auth_blob); 1125 if (!NT_STATUS_IS_OK(status)) { 1126 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n")); 1127 goto err_exit; 1128 } 1129 } 1130 1131 /* Now that we have the auth len store it into the right place in 1132 * the dcerpc header */ 1133 dcerpc_set_frag_length(&p->out_data.frag, 1134 p->out_data.frag.length + auth_blob.length); 1135 1136 if (auth_blob.length) { 1137 1138 if (!data_blob_append(p->mem_ctx, &p->out_data.frag, 1139 auth_blob.data, auth_blob.length)) { 1140 DEBUG(0, ("Append of auth info failed.\n")); 1141 goto err_exit; 1142 } 1862 1143 } 1863 1144 … … 1869 1150 p->out_data.current_pdu_sent = 0; 1870 1151 1871 prs_mem_free(&out_hdr_ba); 1872 prs_mem_free(&out_auth); 1873 1152 TALLOC_FREE(auth_blob.data); 1874 1153 return True; 1875 1154 1876 1155 err_exit: 1877 1156 1878 prs_mem_free(&p->out_data.frag); 1879 prs_mem_free(&out_hdr_ba); 1880 prs_mem_free(&out_auth); 1881 return setup_bind_nak(p); 1157 data_blob_free(&p->out_data.frag); 1158 TALLOC_FREE(auth_blob.data); 1159 return setup_bind_nak(p, pkt); 1160 } 1161 1162 /******************************************************************* 1163 This is the "stage3" response after a bind request and reply. 1164 *******************************************************************/ 1165 1166 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) 1167 { 1168 struct dcerpc_auth auth_info; 1169 DATA_BLOB response = data_blob_null; 1170 struct auth_ntlmssp_state *ntlmssp_ctx; 1171 struct spnego_context *spnego_ctx; 1172 struct gse_context *gse_ctx; 1173 NTSTATUS status; 1174 1175 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__)); 1176 1177 if (pkt->auth_length == 0) { 1178 DEBUG(0, ("No auth field sent for bind request!\n")); 1179 goto err; 1180 } 1181 1182 /* Ensure there's enough data for an authenticated request. */ 1183 if (pkt->frag_length < RPC_HEADER_LEN 1184 + DCERPC_AUTH_TRAILER_LENGTH 1185 + pkt->auth_length) { 1186 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len " 1187 "%u is too large.\n", 1188 (unsigned int)pkt->auth_length)); 1189 goto err; 1190 } 1191 1192 /* 1193 * Decode the authentication verifier response. 1194 */ 1195 1196 status = dcerpc_pull_dcerpc_auth(pkt, 1197 &pkt->u.auth3.auth_info, 1198 &auth_info, p->endian); 1199 if (!NT_STATUS_IS_OK(status)) { 1200 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n")); 1201 goto err; 1202 } 1203 1204 /* We must NEVER look at auth_info->auth_pad_len here, 1205 * as old Samba client code gets it wrong and sends it 1206 * as zero. JRA. 1207 */ 1208 1209 if (auth_info.auth_type != p->auth.auth_type) { 1210 DEBUG(0, ("Auth type mismatch! Client sent %d, " 1211 "but auth was started as type %d!\n", 1212 auth_info.auth_type, p->auth.auth_type)); 1213 goto err; 1214 } 1215 1216 switch (auth_info.auth_type) { 1217 case DCERPC_AUTH_TYPE_NTLMSSP: 1218 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1219 struct auth_ntlmssp_state); 1220 status = ntlmssp_server_step(ntlmssp_ctx, 1221 pkt, &auth_info.credentials, 1222 &response); 1223 break; 1224 case DCERPC_AUTH_TYPE_KRB5: 1225 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1226 struct gse_context); 1227 status = gssapi_server_step(gse_ctx, 1228 pkt, &auth_info.credentials, 1229 &response); 1230 break; 1231 case DCERPC_AUTH_TYPE_SPNEGO: 1232 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1233 struct spnego_context); 1234 status = spnego_server_step(spnego_ctx, 1235 pkt, &auth_info.credentials, 1236 &response); 1237 break; 1238 default: 1239 DEBUG(0, (__location__ ": incorrect auth type (%u).\n", 1240 (unsigned int)auth_info.auth_type)); 1241 return false; 1242 } 1243 1244 if (NT_STATUS_EQUAL(status, 1245 NT_STATUS_MORE_PROCESSING_REQUIRED) || 1246 response.length) { 1247 DEBUG(0, (__location__ ": This was supposed to be the final " 1248 "leg, but crypto machinery claims a response is " 1249 "needed, aborting auth!\n")); 1250 data_blob_free(&response); 1251 goto err; 1252 } 1253 if (!NT_STATUS_IS_OK(status)) { 1254 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status))); 1255 goto err; 1256 } 1257 1258 /* Now verify auth was indeed successful and extract server info */ 1259 status = pipe_auth_verify_final(p); 1260 if (!NT_STATUS_IS_OK(status)) { 1261 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status))); 1262 goto err; 1263 } 1264 1265 return true; 1266 1267 err: 1268 1269 TALLOC_FREE(p->auth.auth_ctx); 1270 return false; 1882 1271 } 1883 1272 … … 1887 1276 ****************************************************************************/ 1888 1277 1889 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p) 1890 { 1891 RPC_HDR_BA hdr_ba; 1892 RPC_HDR_RB hdr_rb; 1893 RPC_HDR_AUTH auth_info; 1278 static bool api_pipe_alter_context(struct pipes_struct *p, 1279 struct ncacn_packet *pkt) 1280 { 1281 struct dcerpc_auth auth_info; 1894 1282 uint16 assoc_gid; 1895 fstring ack_pipe_name; 1896 prs_struct out_hdr_ba; 1897 prs_struct out_auth; 1898 int auth_len = 0; 1899 1900 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 1901 1902 /* 1903 * Marshall directly into the outgoing PDU space. We 1904 * must do this as we need to set to the bind response 1905 * header and are never sending more than one PDU here. 1906 */ 1907 1908 /* 1909 * Setup the memory to marshall the ba header, and the 1910 * auth footers. 1911 */ 1912 1913 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) { 1914 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n")); 1915 prs_mem_free(&p->out_data.frag); 1916 return False; 1917 } 1918 1919 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) { 1920 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n")); 1921 prs_mem_free(&p->out_data.frag); 1922 prs_mem_free(&out_hdr_ba); 1923 return False; 1924 } 1925 1926 ZERO_STRUCT(hdr_rb); 1927 1928 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__)); 1929 1930 /* decode the alter context request */ 1931 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) { 1932 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n")); 1933 goto err_exit; 1934 } 1935 1936 /* secondary address CAN be NULL 1937 * as the specs say it's ignored. 1938 * It MUST be NULL to have the spoolss working. 1939 */ 1940 fstrcpy(ack_pipe_name,""); 1283 NTSTATUS status; 1284 union dcerpc_payload u; 1285 struct dcerpc_ack_ctx bind_ack_ctx; 1286 DATA_BLOB auth_resp = data_blob_null; 1287 DATA_BLOB auth_blob = data_blob_null; 1288 int pad_len = 0; 1289 struct auth_ntlmssp_state *ntlmssp_ctx; 1290 struct spnego_context *spnego_ctx; 1291 struct gse_context *gse_ctx; 1941 1292 1942 1293 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__)); 1943 1294 1944 /* 1945 * Check if this is an authenticated alter context request. 1946 */ 1947 1948 if (p->hdr.auth_len != 0) { 1949 /* 1950 * Decode the authentication verifier. 1951 */ 1952 1953 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) { 1954 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n")); 1955 goto err_exit; 1956 } 1957 1958 /* 1959 * Currently only the SPNEGO auth type uses the alter ctx 1960 * response in place of the NTLMSSP auth3 type. 1961 */ 1962 1963 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) { 1964 /* We can only finish if the pipe is unbound. */ 1965 if (!p->pipe_bound) { 1966 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) { 1967 goto err_exit; 1968 } 1969 } else { 1970 goto err_exit; 1971 } 1972 } 1295 if (pkt->u.bind.assoc_group_id != 0) { 1296 assoc_gid = pkt->u.bind.assoc_group_id; 1973 1297 } else { 1974 ZERO_STRUCT(auth_info); 1975 } 1976 1977 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0; 1298 assoc_gid = 0x53f0; 1299 } 1978 1300 1979 1301 /* … … 1987 1309 Needed when adding entries to a DACL from NT5 - SK */ 1988 1310 1989 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0], 1990 hdr_rb.rpc_context[0].context_id )) { 1991 init_rpc_hdr_ba(&hdr_ba, 1992 RPC_MAX_PDU_FRAG_LEN, 1993 RPC_MAX_PDU_FRAG_LEN, 1994 assoc_gid, 1995 ack_pipe_name, 1996 0x1, 0x0, 0x0, 1997 &hdr_rb.rpc_context[0].transfer[0]); 1311 if (check_bind_req(p, 1312 &pkt->u.bind.ctx_list[0].abstract_syntax, 1313 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0], 1314 pkt->u.bind.ctx_list[0].context_id)) { 1315 1316 bind_ack_ctx.result = 0; 1317 bind_ack_ctx.reason = 0; 1318 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; 1998 1319 } else { 1320 p->pipe_bound = False; 1999 1321 /* Rejection reason: abstract syntax not supported */ 2000 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN, 2001 RPC_MAX_PDU_FRAG_LEN, assoc_gid, 2002 ack_pipe_name, 0x1, 0x2, 0x1, 2003 &null_ndr_syntax_id); 2004 p->pipe_bound = False; 2005 } 2006 2007 /* 2008 * and marshall it. 2009 */ 2010 2011 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) { 2012 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n")); 2013 goto err_exit; 2014 } 2015 2016 /* 2017 * Create the header, now we know the length. 2018 */ 2019 2020 if (prs_offset(&out_auth)) { 2021 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN; 2022 } 2023 2024 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST, 2025 p->hdr.call_id, 2026 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth), 2027 auth_len); 2028 2029 /* 2030 * Marshall the header into the outgoing PDU. 2031 */ 2032 2033 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) { 2034 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n")); 2035 goto err_exit; 2036 } 2037 2038 /* 2039 * Now add the RPC_HDR_BA and any auth needed. 2040 */ 2041 2042 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) { 2043 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n")); 2044 goto err_exit; 2045 } 2046 2047 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) { 2048 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n")); 2049 goto err_exit; 1322 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; 1323 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; 1324 bind_ack_ctx.syntax = null_ndr_syntax_id; 1325 } 1326 1327 /* 1328 * Check if this is an authenticated alter context request. 1329 */ 1330 if (pkt->auth_length) { 1331 /* Quick length check. Won't catch a bad auth footer, 1332 * prevents overrun. */ 1333 1334 if (pkt->frag_length < RPC_HEADER_LEN + 1335 DCERPC_AUTH_TRAILER_LENGTH + 1336 pkt->auth_length) { 1337 DEBUG(0,("api_pipe_alter_context: auth_len (%u) " 1338 "too long for fragment %u.\n", 1339 (unsigned int)pkt->auth_length, 1340 (unsigned int)pkt->frag_length )); 1341 goto err_exit; 1342 } 1343 1344 status = dcerpc_pull_dcerpc_auth(pkt, 1345 &pkt->u.bind.auth_info, 1346 &auth_info, p->endian); 1347 if (!NT_STATUS_IS_OK(status)) { 1348 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); 1349 goto err_exit; 1350 } 1351 1352 /* We can only finish if the pipe is unbound for now */ 1353 if (p->pipe_bound) { 1354 DEBUG(0, (__location__ ": Pipe already bound, " 1355 "Altering Context not yet supported!\n")); 1356 goto err_exit; 1357 } 1358 1359 if (auth_info.auth_type != p->auth.auth_type) { 1360 DEBUG(0, ("Auth type mismatch! Client sent %d, " 1361 "but auth was started as type %d!\n", 1362 auth_info.auth_type, p->auth.auth_type)); 1363 goto err_exit; 1364 } 1365 1366 1367 switch (auth_info.auth_type) { 1368 case DCERPC_AUTH_TYPE_SPNEGO: 1369 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1370 struct spnego_context); 1371 status = spnego_server_step(spnego_ctx, 1372 pkt, 1373 &auth_info.credentials, 1374 &auth_resp); 1375 break; 1376 1377 case DCERPC_AUTH_TYPE_KRB5: 1378 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1379 struct gse_context); 1380 status = gssapi_server_step(gse_ctx, 1381 pkt, 1382 &auth_info.credentials, 1383 &auth_resp); 1384 break; 1385 case DCERPC_AUTH_TYPE_NTLMSSP: 1386 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1387 struct auth_ntlmssp_state); 1388 status = ntlmssp_server_step(ntlmssp_ctx, 1389 pkt, 1390 &auth_info.credentials, 1391 &auth_resp); 1392 break; 1393 1394 default: 1395 DEBUG(3, (__location__ ": Usupported auth type (%d) " 1396 "in alter-context call\n", 1397 auth_info.auth_type)); 1398 goto err_exit; 1399 } 1400 1401 if (NT_STATUS_IS_OK(status)) { 1402 /* third leg of auth, verify auth info */ 1403 status = pipe_auth_verify_final(p); 1404 if (!NT_STATUS_IS_OK(status)) { 1405 DEBUG(0, ("Auth Verify failed (%s)\n", 1406 nt_errstr(status))); 1407 goto err_exit; 1408 } 1409 } else if (NT_STATUS_EQUAL(status, 1410 NT_STATUS_MORE_PROCESSING_REQUIRED)) { 1411 DEBUG(10, ("More auth legs required.\n")); 1412 } else { 1413 DEBUG(0, ("Auth step returned an error (%s)\n", 1414 nt_errstr(status))); 1415 goto err_exit; 1416 } 1417 } 1418 1419 ZERO_STRUCT(u.alter_resp); 1420 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; 1421 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN; 1422 u.alter_resp.assoc_group_id = assoc_gid; 1423 1424 /* secondary address CAN be NULL 1425 * as the specs say it's ignored. 1426 * It MUST be NULL to have the spoolss working. 1427 */ 1428 u.alter_resp.secondary_address = ""; 1429 u.alter_resp.secondary_address_size = 1; 1430 1431 u.alter_resp.num_results = 1; 1432 u.alter_resp.ctx_list = &bind_ack_ctx; 1433 1434 /* NOTE: We leave the auth_info empty so we can calculate the padding 1435 * later and then append the auth_info --simo */ 1436 1437 /* 1438 * Marshall directly into the outgoing PDU space. We 1439 * must do this as we need to set to the bind response 1440 * header and are never sending more than one PDU here. 1441 */ 1442 1443 status = dcerpc_push_ncacn_packet(p->mem_ctx, 1444 DCERPC_PKT_ALTER_RESP, 1445 DCERPC_PFC_FLAG_FIRST | 1446 DCERPC_PFC_FLAG_LAST, 1447 auth_resp.length, 1448 pkt->call_id, 1449 &u, 1450 &p->out_data.frag); 1451 if (!NT_STATUS_IS_OK(status)) { 1452 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", 1453 nt_errstr(status))); 1454 } 1455 1456 if (auth_resp.length) { 1457 1458 /* Work out any padding needed before the auth footer. */ 1459 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE; 1460 if (pad_len) { 1461 pad_len = SERVER_NDR_PADDING_SIZE - pad_len; 1462 DEBUG(10, ("auth pad_len = %u\n", 1463 (unsigned int)pad_len)); 1464 } 1465 1466 status = dcerpc_push_dcerpc_auth(pkt, 1467 auth_info.auth_type, 1468 auth_info.auth_level, 1469 pad_len, 1470 1, /* auth_context_id */ 1471 &auth_resp, 1472 &auth_blob); 1473 if (!NT_STATUS_IS_OK(status)) { 1474 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n")); 1475 goto err_exit; 1476 } 1477 } 1478 1479 /* Now that we have the auth len store it into the right place in 1480 * the dcerpc header */ 1481 dcerpc_set_frag_length(&p->out_data.frag, 1482 p->out_data.frag.length + 1483 pad_len + auth_blob.length); 1484 1485 if (auth_resp.length) { 1486 if (pad_len) { 1487 char pad[SERVER_NDR_PADDING_SIZE]; 1488 memset(pad, '\0', SERVER_NDR_PADDING_SIZE); 1489 if (!data_blob_append(p->mem_ctx, 1490 &p->out_data.frag, 1491 pad, pad_len)) { 1492 DEBUG(0, ("api_pipe_bind_req: failed to add " 1493 "%u bytes of pad data.\n", 1494 (unsigned int)pad_len)); 1495 goto err_exit; 1496 } 1497 } 1498 1499 if (!data_blob_append(p->mem_ctx, &p->out_data.frag, 1500 auth_blob.data, auth_blob.length)) { 1501 DEBUG(0, ("Append of auth info failed.\n")); 1502 goto err_exit; 1503 } 2050 1504 } 2051 1505 … … 2057 1511 p->out_data.current_pdu_sent = 0; 2058 1512 2059 prs_mem_free(&out_hdr_ba); 2060 prs_mem_free(&out_auth); 2061 1513 TALLOC_FREE(auth_blob.data); 2062 1514 return True; 2063 1515 2064 1516 err_exit: 2065 1517 2066 prs_mem_free(&p->out_data.frag); 2067 prs_mem_free(&out_hdr_ba); 2068 prs_mem_free(&out_auth); 2069 return setup_bind_nak(p); 2070 } 2071 2072 /**************************************************************************** 2073 Deal with NTLMSSP sign & seal processing on an RPC request. 2074 ****************************************************************************/ 2075 2076 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in, 2077 uint32 *p_ss_padding_len, NTSTATUS *pstatus) 2078 { 2079 RPC_HDR_AUTH auth_info; 2080 uint32 auth_len = p->hdr.auth_len; 2081 uint32 save_offset = prs_offset(rpc_in); 2082 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 2083 unsigned char *data = NULL; 2084 size_t data_len; 2085 unsigned char *full_packet_data = NULL; 2086 size_t full_packet_data_len; 2087 DATA_BLOB auth_blob; 2088 2089 *pstatus = NT_STATUS_OK; 2090 2091 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) { 2092 return True; 2093 } 2094 2095 if (!a) { 2096 *pstatus = NT_STATUS_INVALID_PARAMETER; 2097 return False; 2098 } 2099 2100 /* Ensure there's enough data for an authenticated request. */ 2101 if ((auth_len > RPC_MAX_SIGN_SIZE) || 2102 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) { 2103 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n", 2104 (unsigned int)auth_len )); 2105 *pstatus = NT_STATUS_INVALID_PARAMETER; 2106 return False; 2107 } 2108 2109 /* 2110 * We need the full packet data + length (minus auth stuff) as well as the packet data + length 2111 * after the RPC header. 2112 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal 2113 * functions as NTLMv2 checks the rpc headers also. 2114 */ 2115 2116 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN); 2117 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len); 2118 2119 full_packet_data = p->in_data.current_in_pdu; 2120 full_packet_data_len = p->hdr.frag_len - auth_len; 2121 2122 /* Pull the auth header and the following data into a blob. */ 2123 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) { 2124 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n", 2125 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len )); 2126 *pstatus = NT_STATUS_INVALID_PARAMETER; 2127 return False; 2128 } 2129 2130 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) { 2131 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n")); 2132 *pstatus = NT_STATUS_INVALID_PARAMETER; 2133 return False; 2134 } 2135 2136 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in); 2137 auth_blob.length = auth_len; 2138 2139 switch (p->auth.auth_level) { 2140 case DCERPC_AUTH_LEVEL_PRIVACY: 2141 /* Data is encrypted. */ 2142 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state, 2143 data, data_len, 2144 full_packet_data, 2145 full_packet_data_len, 2146 &auth_blob); 2147 if (!NT_STATUS_IS_OK(*pstatus)) { 2148 return False; 2149 } 2150 break; 2151 case DCERPC_AUTH_LEVEL_INTEGRITY: 2152 /* Data is signed. */ 2153 *pstatus = ntlmssp_check_packet(a->ntlmssp_state, 2154 data, data_len, 2155 full_packet_data, 2156 full_packet_data_len, 2157 &auth_blob); 2158 if (!NT_STATUS_IS_OK(*pstatus)) { 2159 return False; 2160 } 2161 break; 2162 default: 2163 *pstatus = NT_STATUS_INVALID_PARAMETER; 2164 return False; 2165 } 2166 2167 /* 2168 * Return the current pointer to the data offset. 2169 */ 2170 2171 if(!prs_set_offset(rpc_in, save_offset)) { 2172 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n", 2173 (unsigned int)save_offset )); 2174 *pstatus = NT_STATUS_INVALID_PARAMETER; 2175 return False; 2176 } 2177 2178 /* 2179 * Remember the padding length. We must remove it from the real data 2180 * stream once the sign/seal is done. 2181 */ 2182 2183 *p_ss_padding_len = auth_info.auth_pad_len; 2184 2185 return True; 2186 } 2187 2188 /**************************************************************************** 2189 Deal with schannel processing on an RPC request. 2190 ****************************************************************************/ 2191 2192 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len) 2193 { 2194 uint32 data_len; 2195 uint32 auth_len; 2196 uint32 save_offset = prs_offset(rpc_in); 2197 RPC_HDR_AUTH auth_info; 2198 DATA_BLOB blob; 2199 NTSTATUS status; 2200 uint8_t *data; 2201 2202 auth_len = p->hdr.auth_len; 2203 2204 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN || 2205 auth_len > RPC_HEADER_LEN + 2206 RPC_HDR_REQ_LEN + 2207 RPC_HDR_AUTH_LEN + 2208 auth_len) { 2209 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len )); 2210 return False; 2211 } 2212 2213 /* 2214 * The following is that length of the data we must verify or unseal. 2215 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN 2216 * preceeding the auth_data. 2217 */ 2218 2219 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) { 2220 DEBUG(0,("Incorrect frag %u, auth %u.\n", 2221 (unsigned int)p->hdr.frag_len, 2222 (unsigned int)auth_len )); 2223 return False; 2224 } 2225 2226 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 2227 RPC_HDR_AUTH_LEN - auth_len; 2228 2229 DEBUG(5,("data %d auth %d\n", data_len, auth_len)); 2230 2231 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) { 2232 DEBUG(0,("cannot move offset to %u.\n", 2233 (unsigned int)RPC_HDR_REQ_LEN + data_len )); 2234 return False; 2235 } 2236 2237 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) { 2238 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n")); 2239 return False; 2240 } 2241 2242 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { 2243 DEBUG(0,("Invalid auth info %d on schannel\n", 2244 auth_info.auth_type)); 2245 return False; 2246 } 2247 2248 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len); 2249 2250 if (DEBUGLEVEL >= 10) { 2251 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob); 2252 } 2253 2254 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN; 2255 2256 switch (auth_info.auth_level) { 2257 case DCERPC_AUTH_LEVEL_PRIVACY: 2258 status = netsec_incoming_packet(p->auth.a_u.schannel_auth, 2259 talloc_tos(), 2260 true, 2261 data, 2262 data_len, 2263 &blob); 2264 break; 2265 case DCERPC_AUTH_LEVEL_INTEGRITY: 2266 status = netsec_incoming_packet(p->auth.a_u.schannel_auth, 2267 talloc_tos(), 2268 false, 2269 data, 2270 data_len, 2271 &blob); 2272 break; 2273 default: 2274 status = NT_STATUS_INTERNAL_ERROR; 2275 break; 2276 } 2277 2278 if (!NT_STATUS_IS_OK(status)) { 2279 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status))); 2280 return false; 2281 } 2282 2283 /* 2284 * Return the current pointer to the data offset. 2285 */ 2286 2287 if(!prs_set_offset(rpc_in, save_offset)) { 2288 DEBUG(0,("failed to set offset back to %u\n", 2289 (unsigned int)save_offset )); 2290 return False; 2291 } 2292 2293 /* 2294 * Remember the padding length. We must remove it from the real data 2295 * stream once the sign/seal is done. 2296 */ 2297 2298 *p_ss_padding_len = auth_info.auth_pad_len; 2299 2300 return True; 1518 data_blob_free(&p->out_data.frag); 1519 TALLOC_FREE(auth_blob.data); 1520 return setup_bind_nak(p, pkt); 2301 1521 } 2302 1522 … … 2321 1541 } 2322 1542 2323 /**************************************************************************** 2324 Memory cleanup. 2325 ****************************************************************************/ 2326 2327 void free_pipe_rpc_context( PIPE_RPC_FNS *list ) 2328 { 2329 PIPE_RPC_FNS *tmp = list; 2330 PIPE_RPC_FNS *tmp2; 2331 2332 while (tmp) { 2333 tmp2 = tmp->next; 2334 SAFE_FREE(tmp); 2335 tmp = tmp2; 2336 } 2337 2338 return; 2339 } 2340 2341 static bool api_rpcTNP(pipes_struct *p, 1543 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt, 2342 1544 const struct api_struct *api_rpc_cmds, int n_cmds); 2343 1545 … … 2348 1550 ****************************************************************************/ 2349 1551 2350 bool api_pipe_request(pipes_struct *p) 1552 static bool api_pipe_request(struct pipes_struct *p, 1553 struct ncacn_packet *pkt) 2351 1554 { 2352 1555 bool ret = False; … … 2355 1558 2356 1559 if (p->pipe_bound && 2357 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) || 2358 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) { 2359 if(!become_authenticated_pipe_user(p)) { 2360 prs_mem_free(&p->out_data.rdata); 1560 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) || 1561 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) || 1562 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) { 1563 if(!become_authenticated_pipe_user(p->session_info)) { 1564 data_blob_free(&p->out_data.rdata); 2361 1565 return False; 2362 1566 } … … 2369 1573 /* get the set of RPC functions for this context */ 2370 1574 2371 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id); 1575 pipe_fns = find_pipe_fns_by_context(p->contexts, 1576 pkt->u.request.context_id); 2372 1577 2373 1578 if ( pipe_fns ) { 2374 1579 TALLOC_CTX *frame = talloc_stackframe(); 2375 ret = api_rpcTNP(p, p ipe_fns->cmds, pipe_fns->n_cmds);1580 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds); 2376 1581 TALLOC_FREE(frame); 2377 1582 } 2378 1583 else { 2379 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n", 2380 p->hdr_req.context_id, 2381 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 1584 DEBUG(0, ("No rpc function table associated with context " 1585 "[%d] on pipe [%s]\n", 1586 pkt->u.request.context_id, 1587 get_pipe_name_from_syntax(talloc_tos(), 1588 &p->syntax))); 2382 1589 } 2383 1590 … … 2393 1600 ********************************************************************/ 2394 1601 2395 static bool api_rpcTNP( pipes_struct *p,1602 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt, 2396 1603 const struct api_struct *api_rpc_cmds, int n_cmds) 2397 1604 { 2398 1605 int fn_num; 2399 uint32 offset1, offset2;1606 uint32_t offset1; 2400 1607 2401 1608 /* interpret the command */ 2402 1609 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", 2403 1610 get_pipe_name_from_syntax(talloc_tos(), &p->syntax), 2404 p ->hdr_req.opnum));1611 pkt->u.request.opnum)); 2405 1612 2406 1613 if (DEBUGLEVEL >= 50) { … … 2408 1615 slprintf(name, sizeof(name)-1, "in_%s", 2409 1616 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)); 2410 prs_dump(name, p->hdr_req.opnum, &p->in_data.data); 1617 dump_pdu_region(name, pkt->u.request.opnum, 1618 &p->in_data.data, 0, 1619 p->in_data.data.length); 2411 1620 } 2412 1621 2413 1622 for (fn_num = 0; fn_num < n_cmds; fn_num++) { 2414 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) { 2415 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name)); 1623 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum && 1624 api_rpc_cmds[fn_num].fn != NULL) { 1625 DEBUG(3, ("api_rpcTNP: rpc command: %s\n", 1626 api_rpc_cmds[fn_num].name)); 2416 1627 break; 2417 1628 } … … 2429 1640 } 2430 1641 2431 offset1 = p rs_offset(&p->out_data.rdata);1642 offset1 = p->out_data.rdata.length; 2432 1643 2433 1644 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", … … 2438 1649 get_pipe_name_from_syntax(talloc_tos(), &p->syntax), 2439 1650 api_rpc_cmds[fn_num].name)); 2440 prs_mem_free(&p->out_data.rdata);1651 data_blob_free(&p->out_data.rdata); 2441 1652 return False; 2442 1653 } … … 2456 1667 } 2457 1668 2458 offset2 = prs_offset(&p->out_data.rdata);2459 prs_set_offset(&p->out_data.rdata, offset1);2460 1669 if (DEBUGLEVEL >= 50) { 2461 1670 fstring name; 2462 1671 slprintf(name, sizeof(name)-1, "out_%s", 2463 1672 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)); 2464 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata); 2465 } 2466 prs_set_offset(&p->out_data.rdata, offset2); 1673 dump_pdu_region(name, pkt->u.request.opnum, 1674 &p->out_data.rdata, offset1, 1675 p->out_data.rdata.length); 1676 } 2467 1677 2468 1678 DEBUG(5,("api_rpcTNP: called %s successfully\n", … … 2470 1680 2471 1681 /* Check for buffer underflow in rpc parsing */ 2472 2473 if ((DEBUGLEVEL >= 10) && 2474 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) { 2475 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data); 2476 char *data = (char *)SMB_MALLOC(data_len); 2477 1682 if ((DEBUGLEVEL >= 10) && 1683 (pkt->frag_length < p->in_data.data.length)) { 2478 1684 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n")); 2479 if (data) { 2480 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len); 2481 SAFE_FREE(data); 2482 } 2483 1685 dump_data(10, p->in_data.data.data + pkt->frag_length, 1686 p->in_data.data.length - pkt->frag_length); 2484 1687 } 2485 1688 2486 1689 return True; 2487 1690 } 1691 1692 /**************************************************************************** 1693 Initialise an outgoing packet. 1694 ****************************************************************************/ 1695 1696 static bool pipe_init_outgoing_data(struct pipes_struct *p) 1697 { 1698 output_data *o_data = &p->out_data; 1699 1700 /* Reset the offset counters. */ 1701 o_data->data_sent_length = 0; 1702 o_data->current_pdu_sent = 0; 1703 1704 data_blob_free(&o_data->frag); 1705 1706 /* Free any memory in the current return data buffer. */ 1707 data_blob_free(&o_data->rdata); 1708 1709 return True; 1710 } 1711 1712 /**************************************************************************** 1713 Sets the fault state on incoming packets. 1714 ****************************************************************************/ 1715 1716 void set_incoming_fault(struct pipes_struct *p) 1717 { 1718 data_blob_free(&p->in_data.data); 1719 p->in_data.pdu_needed_len = 0; 1720 p->in_data.pdu.length = 0; 1721 p->fault_state = True; 1722 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n", 1723 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 1724 } 1725 1726 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth, 1727 struct ncacn_packet *pkt, 1728 DATA_BLOB *raw_pkt) 1729 { 1730 NTSTATUS status; 1731 size_t hdr_size = DCERPC_REQUEST_LENGTH; 1732 size_t pad_len; 1733 1734 DEBUG(10, ("Checking request auth.\n")); 1735 1736 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) { 1737 hdr_size += 16; 1738 } 1739 1740 /* in case of sealing this function will unseal the data in place */ 1741 status = dcerpc_check_auth(auth, pkt, 1742 &pkt->u.request.stub_and_verifier, 1743 hdr_size, raw_pkt, 1744 &pad_len); 1745 if (!NT_STATUS_IS_OK(status)) { 1746 return status; 1747 } 1748 1749 1750 /* remove padding and auth trailer, 1751 * this way the caller will get just the data */ 1752 if (pkt->auth_length) { 1753 size_t trail_len = pad_len 1754 + DCERPC_AUTH_TRAILER_LENGTH 1755 + pkt->auth_length; 1756 if (pkt->u.request.stub_and_verifier.length < trail_len) { 1757 return NT_STATUS_INFO_LENGTH_MISMATCH; 1758 } 1759 pkt->u.request.stub_and_verifier.length -= trail_len; 1760 } 1761 1762 return NT_STATUS_OK; 1763 } 1764 1765 /**************************************************************************** 1766 Processes a request pdu. This will do auth processing if needed, and 1767 appends the data into the complete stream if the LAST flag is not set. 1768 ****************************************************************************/ 1769 1770 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt) 1771 { 1772 NTSTATUS status; 1773 DATA_BLOB data; 1774 1775 if (!p->pipe_bound) { 1776 DEBUG(0,("process_request_pdu: rpc request with no bind.\n")); 1777 set_incoming_fault(p); 1778 return False; 1779 } 1780 1781 /* Store the opnum */ 1782 p->opnum = pkt->u.request.opnum; 1783 1784 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu); 1785 if (!NT_STATUS_IS_OK(status)) { 1786 DEBUG(0, ("Failed to check packet auth. (%s)\n", 1787 nt_errstr(status))); 1788 set_incoming_fault(p); 1789 return false; 1790 } 1791 1792 data = pkt->u.request.stub_and_verifier; 1793 1794 /* 1795 * Check the data length doesn't go over the 15Mb limit. 1796 * increased after observing a bug in the Windows NT 4.0 SP6a 1797 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC 1798 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002 1799 */ 1800 1801 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) { 1802 DEBUG(0, ("process_request_pdu: " 1803 "rpc data buffer too large (%u) + (%u)\n", 1804 (unsigned int)p->in_data.data.length, 1805 (unsigned int)data.length)); 1806 set_incoming_fault(p); 1807 return False; 1808 } 1809 1810 /* 1811 * Append the data portion into the buffer and return. 1812 */ 1813 1814 if (data.length) { 1815 if (!data_blob_append(p->mem_ctx, &p->in_data.data, 1816 data.data, data.length)) { 1817 DEBUG(0, ("Unable to append data size %u " 1818 "to parse buffer of size %u.\n", 1819 (unsigned int)data.length, 1820 (unsigned int)p->in_data.data.length)); 1821 set_incoming_fault(p); 1822 return False; 1823 } 1824 } 1825 1826 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) { 1827 bool ret = False; 1828 /* 1829 * Ok - we finally have a complete RPC stream. 1830 * Call the rpc command to process it. 1831 */ 1832 1833 /* 1834 * Process the complete data stream here. 1835 */ 1836 if (pipe_init_outgoing_data(p)) { 1837 ret = api_pipe_request(p, pkt); 1838 } 1839 1840 return ret; 1841 } 1842 1843 return True; 1844 } 1845 1846 /**************************************************************************** 1847 Processes a finished PDU stored in p->in_data.pdu. 1848 ****************************************************************************/ 1849 1850 void process_complete_pdu(struct pipes_struct *p) 1851 { 1852 struct ncacn_packet *pkt = NULL; 1853 NTSTATUS status; 1854 bool reply = False; 1855 1856 if(p->fault_state) { 1857 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n", 1858 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 1859 goto done; 1860 } 1861 1862 pkt = talloc(p->mem_ctx, struct ncacn_packet); 1863 if (!pkt) { 1864 DEBUG(0, ("Out of memory!\n")); 1865 goto done; 1866 } 1867 1868 /* 1869 * Ensure we're using the corrent endianness for both the 1870 * RPC header flags and the raw data we will be reading from. 1871 */ 1872 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) { 1873 p->endian = RPC_LITTLE_ENDIAN; 1874 } else { 1875 p->endian = RPC_BIG_ENDIAN; 1876 } 1877 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little")); 1878 1879 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu, 1880 pkt, p->endian); 1881 if (!NT_STATUS_IS_OK(status)) { 1882 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n", 1883 nt_errstr(status))); 1884 goto done; 1885 } 1886 1887 /* Store the call_id */ 1888 p->call_id = pkt->call_id; 1889 1890 DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype)); 1891 1892 switch (pkt->ptype) { 1893 case DCERPC_PKT_REQUEST: 1894 reply = process_request_pdu(p, pkt); 1895 break; 1896 1897 case DCERPC_PKT_PING: /* CL request - ignore... */ 1898 DEBUG(0, ("process_complete_pdu: Error. " 1899 "Connectionless packet type %d received on " 1900 "pipe %s.\n", (int)pkt->ptype, 1901 get_pipe_name_from_syntax(talloc_tos(), 1902 &p->syntax))); 1903 break; 1904 1905 case DCERPC_PKT_RESPONSE: /* No responses here. */ 1906 DEBUG(0, ("process_complete_pdu: Error. " 1907 "DCERPC_PKT_RESPONSE received from client " 1908 "on pipe %s.\n", 1909 get_pipe_name_from_syntax(talloc_tos(), 1910 &p->syntax))); 1911 break; 1912 1913 case DCERPC_PKT_FAULT: 1914 case DCERPC_PKT_WORKING: 1915 /* CL request - reply to a ping when a call in process. */ 1916 case DCERPC_PKT_NOCALL: 1917 /* CL - server reply to a ping call. */ 1918 case DCERPC_PKT_REJECT: 1919 case DCERPC_PKT_ACK: 1920 case DCERPC_PKT_CL_CANCEL: 1921 case DCERPC_PKT_FACK: 1922 case DCERPC_PKT_CANCEL_ACK: 1923 DEBUG(0, ("process_complete_pdu: Error. " 1924 "Connectionless packet type %u received on " 1925 "pipe %s.\n", (unsigned int)pkt->ptype, 1926 get_pipe_name_from_syntax(talloc_tos(), 1927 &p->syntax))); 1928 break; 1929 1930 case DCERPC_PKT_BIND: 1931 /* 1932 * We assume that a pipe bind is only in one pdu. 1933 */ 1934 if (pipe_init_outgoing_data(p)) { 1935 reply = api_pipe_bind_req(p, pkt); 1936 } 1937 break; 1938 1939 case DCERPC_PKT_BIND_ACK: 1940 case DCERPC_PKT_BIND_NAK: 1941 DEBUG(0, ("process_complete_pdu: Error. " 1942 "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK " 1943 "packet type %u received on pipe %s.\n", 1944 (unsigned int)pkt->ptype, 1945 get_pipe_name_from_syntax(talloc_tos(), 1946 &p->syntax))); 1947 break; 1948 1949 1950 case DCERPC_PKT_ALTER: 1951 /* 1952 * We assume that a pipe bind is only in one pdu. 1953 */ 1954 if (pipe_init_outgoing_data(p)) { 1955 reply = api_pipe_alter_context(p, pkt); 1956 } 1957 break; 1958 1959 case DCERPC_PKT_ALTER_RESP: 1960 DEBUG(0, ("process_complete_pdu: Error. " 1961 "DCERPC_PKT_ALTER_RESP on pipe %s: " 1962 "Should only be server -> client.\n", 1963 get_pipe_name_from_syntax(talloc_tos(), 1964 &p->syntax))); 1965 break; 1966 1967 case DCERPC_PKT_AUTH3: 1968 /* 1969 * The third packet in an auth exchange. 1970 */ 1971 if (pipe_init_outgoing_data(p)) { 1972 reply = api_pipe_bind_auth3(p, pkt); 1973 } 1974 break; 1975 1976 case DCERPC_PKT_SHUTDOWN: 1977 DEBUG(0, ("process_complete_pdu: Error. " 1978 "DCERPC_PKT_SHUTDOWN on pipe %s: " 1979 "Should only be server -> client.\n", 1980 get_pipe_name_from_syntax(talloc_tos(), 1981 &p->syntax))); 1982 break; 1983 1984 case DCERPC_PKT_CO_CANCEL: 1985 /* For now just free all client data and continue 1986 * processing. */ 1987 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL." 1988 " Abandoning rpc call.\n")); 1989 /* As we never do asynchronous RPC serving, we can 1990 * never cancel a call (as far as I know). 1991 * If we ever did we'd have to send a cancel_ack reply. 1992 * For now, just free all client data and continue 1993 * processing. */ 1994 reply = True; 1995 break; 1996 1997 #if 0 1998 /* Enable this if we're doing async rpc. */ 1999 /* We must check the outstanding callid matches. */ 2000 if (pipe_init_outgoing_data(p)) { 2001 /* Send a cancel_ack PDU reply. */ 2002 /* We should probably check the auth-verifier here. */ 2003 reply = setup_cancel_ack_reply(p, pkt); 2004 } 2005 break; 2006 #endif 2007 2008 case DCERPC_PKT_ORPHANED: 2009 /* We should probably check the auth-verifier here. 2010 * For now just free all client data and continue 2011 * processing. */ 2012 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED." 2013 " Abandoning rpc call.\n")); 2014 reply = True; 2015 break; 2016 2017 default: 2018 DEBUG(0, ("process_complete_pdu: " 2019 "Unknown rpc type = %u received.\n", 2020 (unsigned int)pkt->ptype)); 2021 break; 2022 } 2023 2024 done: 2025 if (!reply) { 2026 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on " 2027 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(), 2028 &p->syntax))); 2029 set_incoming_fault(p); 2030 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 2031 TALLOC_FREE(pkt); 2032 } else { 2033 /* 2034 * Reset the lengths. We're ready for a new pdu. 2035 */ 2036 TALLOC_FREE(p->in_data.pdu.data); 2037 p->in_data.pdu_needed_len = 0; 2038 p->in_data.pdu.length = 0; 2039 } 2040 2041 TALLOC_FREE(pkt); 2042 } 2043 -
vendor/current/source3/rpc_server/srv_pipe_hnd.c
r414 r740 1 /* 1 /* 2 2 * Unix SMB/CIFS implementation. 3 3 * RPC Pipe client / server routines … … 5 5 * Largely re-written : 2005 6 6 * Copyright (C) Jeremy Allison 1998 - 2005 7 * 7 * 8 8 * This program is free software; you can redistribute it and/or modify 9 9 * it under the terms of the GNU General Public License as published by 10 10 * the Free Software Foundation; either version 3 of the License, or 11 11 * (at your option) any later version. 12 * 12 * 13 13 * This program is distributed in the hope that it will be useful, 14 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 16 * GNU General Public License for more details. 17 * 17 * 18 18 * You should have received a copy of the GNU General Public License 19 19 * along with this program; if not, see <http://www.gnu.org/licenses/>. … … 21 21 22 22 #include "includes.h" 23 #include "librpc/gen_ndr/ndr_named_pipe_auth.h" 23 #include "rpc_server.h" 24 #include "fake_file.h" 25 #include "rpc_dce.h" 26 #include "ntdomain.h" 27 #include "rpc_server/rpc_ncacn_np.h" 28 #include "rpc_server/srv_pipe_hnd.h" 29 #include "rpc_server/srv_pipe.h" 30 #include "../lib/tsocket/tsocket.h" 31 #include "../lib/util/tevent_ntstatus.h" 24 32 25 33 #undef DBGC_CLASS 26 34 #define DBGC_CLASS DBGC_RPC_SRV 27 28 static int pipes_open;29 30 static pipes_struct *InternalPipes;31 32 /* TODO33 * the following prototypes are declared here to avoid34 * code being moved about too much for a patch to be35 * disrupted / less obvious.36 *37 * these functions, and associated functions that they38 * call, should be moved behind a .so module-loading39 * system _anyway_. so that's the next step...40 */41 42 static int close_internal_rpc_pipe_hnd(struct pipes_struct *p);43 44 /****************************************************************************45 Internal Pipe iterator functions.46 ****************************************************************************/47 48 pipes_struct *get_first_internal_pipe(void)49 {50 return InternalPipes;51 }52 53 pipes_struct *get_next_internal_pipe(pipes_struct *p)54 {55 return p->next;56 }57 58 /****************************************************************************59 Initialise an outgoing packet.60 ****************************************************************************/61 62 static bool pipe_init_outgoing_data(pipes_struct *p)63 {64 output_data *o_data = &p->out_data;65 66 /* Reset the offset counters. */67 o_data->data_sent_length = 0;68 o_data->current_pdu_sent = 0;69 70 prs_mem_free(&o_data->frag);71 72 /* Free any memory in the current return data buffer. */73 prs_mem_free(&o_data->rdata);74 75 /*76 * Initialize the outgoing RPC data buffer.77 * we will use this as the raw data area for replying to rpc requests.78 */79 if(!prs_init(&o_data->rdata, 128, p->mem_ctx, MARSHALL)) {80 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));81 return False;82 }83 84 return True;85 }86 87 /****************************************************************************88 Make an internal namedpipes structure89 ****************************************************************************/90 91 static struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,92 const struct ndr_syntax_id *syntax,93 const char *client_address,94 struct auth_serversupplied_info *server_info)95 {96 pipes_struct *p;97 98 DEBUG(4,("Create pipe requested %s\n",99 get_pipe_name_from_syntax(talloc_tos(), syntax)));100 101 p = TALLOC_ZERO_P(mem_ctx, struct pipes_struct);102 103 if (!p) {104 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));105 return NULL;106 }107 108 p->mem_ctx = talloc_init("pipe %s %p",109 get_pipe_name_from_syntax(talloc_tos(),110 syntax), p);111 if (p->mem_ctx == NULL) {112 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));113 TALLOC_FREE(p);114 return NULL;115 }116 117 if (!init_pipe_handle_list(p, syntax)) {118 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));119 talloc_destroy(p->mem_ctx);120 TALLOC_FREE(p);121 return NULL;122 }123 124 /*125 * Initialize the incoming RPC data buffer with one PDU worth of memory.126 * We cheat here and say we're marshalling, as we intend to add incoming127 * data directly into the prs_struct and we want it to auto grow. We will128 * change the type to UNMARSALLING before processing the stream.129 */130 131 if(!prs_init(&p->in_data.data, 128, p->mem_ctx, MARSHALL)) {132 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));133 talloc_destroy(p->mem_ctx);134 close_policy_by_pipe(p);135 TALLOC_FREE(p);136 return NULL;137 }138 139 p->server_info = copy_serverinfo(p, server_info);140 if (p->server_info == NULL) {141 DEBUG(0, ("open_rpc_pipe_p: copy_serverinfo failed\n"));142 talloc_destroy(p->mem_ctx);143 close_policy_by_pipe(p);144 TALLOC_FREE(p);145 return NULL;146 }147 148 DLIST_ADD(InternalPipes, p);149 150 memcpy(p->client_address, client_address, sizeof(p->client_address));151 152 p->endian = RPC_LITTLE_ENDIAN;153 154 /*155 * Initialize the outgoing RPC data buffer with no memory.156 */157 prs_init_empty(&p->out_data.rdata, p->mem_ctx, MARSHALL);158 159 p->syntax = *syntax;160 161 DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",162 get_pipe_name_from_syntax(talloc_tos(), syntax), pipes_open));163 164 talloc_set_destructor(p, close_internal_rpc_pipe_hnd);165 166 return p;167 }168 169 /****************************************************************************170 Sets the fault state on incoming packets.171 ****************************************************************************/172 173 static void set_incoming_fault(pipes_struct *p)174 {175 prs_mem_free(&p->in_data.data);176 p->in_data.pdu_needed_len = 0;177 p->in_data.pdu_received_len = 0;178 p->fault_state = True;179 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",180 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));181 }182 35 183 36 /**************************************************************************** … … 185 38 ****************************************************************************/ 186 39 187 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy) 188 { 189 size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len); 190 191 DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n", 192 (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr, 193 (unsigned int)p->in_data.pdu_received_len )); 194 195 if (p->in_data.current_in_pdu == NULL) { 196 p->in_data.current_in_pdu = talloc_array(p, uint8_t, 197 RPC_HEADER_LEN); 198 } 199 if (p->in_data.current_in_pdu == NULL) { 40 static ssize_t fill_rpc_header(struct pipes_struct *p, char *data, size_t data_to_copy) 41 { 42 size_t len_needed_to_complete_hdr = 43 MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu.length); 44 45 DEBUG(10, ("fill_rpc_header: data_to_copy = %u, " 46 "len_needed_to_complete_hdr = %u, " 47 "receive_len = %u\n", 48 (unsigned int)data_to_copy, 49 (unsigned int)len_needed_to_complete_hdr, 50 (unsigned int)p->in_data.pdu.length )); 51 52 if (p->in_data.pdu.data == NULL) { 53 p->in_data.pdu.data = talloc_array(p, uint8_t, RPC_HEADER_LEN); 54 } 55 if (p->in_data.pdu.data == NULL) { 200 56 DEBUG(0, ("talloc failed\n")); 201 57 return -1; 202 58 } 203 59 204 memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr); 205 p->in_data.pdu_received_len += len_needed_to_complete_hdr; 60 memcpy((char *)&p->in_data.pdu.data[p->in_data.pdu.length], 61 data, len_needed_to_complete_hdr); 62 p->in_data.pdu.length += len_needed_to_complete_hdr; 206 63 207 64 return (ssize_t)len_needed_to_complete_hdr; 208 65 } 209 66 67 static bool get_pdu_size(struct pipes_struct *p) 68 { 69 uint16_t frag_len; 70 /* the fill_rpc_header() call insures we copy only 71 * RPC_HEADER_LEN bytes. If this doesn't match then 72 * somethign is very wrong and we can only abort */ 73 if (p->in_data.pdu.length != RPC_HEADER_LEN) { 74 DEBUG(0, ("Unexpected RPC Header size! " 75 "got %d, expected %d)\n", 76 (int)p->in_data.pdu.length, 77 RPC_HEADER_LEN)); 78 set_incoming_fault(p); 79 return false; 80 } 81 82 frag_len = dcerpc_get_frag_length(&p->in_data.pdu); 83 84 /* verify it is a reasonable value */ 85 if ((frag_len < RPC_HEADER_LEN) || 86 (frag_len > RPC_MAX_PDU_FRAG_LEN)) { 87 DEBUG(0, ("Unexpected RPC Fragment size! (%d)\n", 88 frag_len)); 89 set_incoming_fault(p); 90 return false; 91 } 92 93 p->in_data.pdu_needed_len = frag_len - RPC_HEADER_LEN; 94 95 /* allocate the space needed to fill the pdu */ 96 p->in_data.pdu.data = talloc_realloc(p, p->in_data.pdu.data, 97 uint8_t, frag_len); 98 if (p->in_data.pdu.data == NULL) { 99 DEBUG(0, ("talloc_realloc failed\n")); 100 set_incoming_fault(p); 101 return false; 102 } 103 104 return true; 105 } 106 210 107 /**************************************************************************** 211 Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu. 108 Call this to free any talloc'ed memory. Do this after processing 109 a complete incoming and outgoing request (multiple incoming/outgoing 110 PDU's). 212 111 ****************************************************************************/ 213 112 214 static ssize_t unmarshall_rpc_header(pipes_struct *p) 215 { 216 /* 217 * Unmarshall the header to determine the needed length. 218 */ 219 220 prs_struct rpc_in; 221 222 if(p->in_data.pdu_received_len != RPC_HEADER_LEN) { 223 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n")); 224 set_incoming_fault(p); 225 return -1; 226 } 227 228 prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL); 229 prs_set_endian_data( &rpc_in, p->endian); 230 231 prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0], 232 p->in_data.pdu_received_len, False); 233 234 /* 235 * Unmarshall the header as this will tell us how much 236 * data we need to read to get the complete pdu. 237 * This also sets the endian flag in rpc_in. 238 */ 239 240 if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) { 241 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n")); 242 set_incoming_fault(p); 243 prs_mem_free(&rpc_in); 244 return -1; 245 } 246 247 /* 248 * Validate the RPC header. 249 */ 250 251 if(p->hdr.major != 5 && p->hdr.minor != 0) { 252 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n")); 253 set_incoming_fault(p); 254 prs_mem_free(&rpc_in); 255 return -1; 256 } 257 258 /* 259 * If there's not data in the incoming buffer this should be the start of a new RPC. 260 */ 261 262 if(prs_offset(&p->in_data.data) == 0) { 263 264 /* 265 * AS/U doesn't set FIRST flag in a BIND packet it seems. 266 */ 267 268 if ((p->hdr.pkt_type == DCERPC_PKT_REQUEST) && !(p->hdr.flags & DCERPC_PFC_FLAG_FIRST)) { 269 /* 270 * Ensure that the FIRST flag is set. If not then we have 271 * a stream missmatch. 272 */ 273 274 DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n")); 275 set_incoming_fault(p); 276 prs_mem_free(&rpc_in); 277 return -1; 278 } 279 280 /* 281 * If this is the first PDU then set the endianness 282 * flag in the pipe. We will need this when parsing all 283 * data in this RPC. 284 */ 285 286 p->endian = rpc_in.bigendian_data; 287 288 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n", 289 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" )); 290 291 } else { 292 293 /* 294 * If this is *NOT* the first PDU then check the endianness 295 * flag in the pipe is the same as that in the PDU. 296 */ 297 298 if (p->endian != rpc_in.bigendian_data) { 299 DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian)); 300 set_incoming_fault(p); 301 prs_mem_free(&rpc_in); 302 return -1; 303 } 304 } 305 306 /* 307 * Ensure that the pdu length is sane. 308 */ 309 310 if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)) { 311 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n")); 312 set_incoming_fault(p); 313 prs_mem_free(&rpc_in); 314 return -1; 315 } 316 317 DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type, 318 (unsigned int)p->hdr.flags )); 319 320 p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN; 321 322 prs_mem_free(&rpc_in); 323 324 p->in_data.current_in_pdu = TALLOC_REALLOC_ARRAY( 325 p, p->in_data.current_in_pdu, uint8_t, p->hdr.frag_len); 326 if (p->in_data.current_in_pdu == NULL) { 327 DEBUG(0, ("talloc failed\n")); 328 set_incoming_fault(p); 329 return -1; 330 } 331 332 return 0; /* No extra data processed. */ 333 } 334 335 /**************************************************************************** 336 Call this to free any talloc'ed memory. Do this before and after processing 337 a complete PDU. 338 ****************************************************************************/ 339 340 static void free_pipe_context(pipes_struct *p) 341 { 342 if (p->mem_ctx) { 343 DEBUG(3,("free_pipe_context: destroying talloc pool of size " 344 "%lu\n", (unsigned long)talloc_total_size(p->mem_ctx) )); 345 talloc_free_children(p->mem_ctx); 346 } else { 347 p->mem_ctx = talloc_init( 348 "pipe %s %p", get_pipe_name_from_syntax(talloc_tos(), 349 &p->syntax), 350 p); 351 if (p->mem_ctx == NULL) { 352 p->fault_state = True; 353 } 354 } 355 } 356 357 /**************************************************************************** 358 Processes a request pdu. This will do auth processing if needed, and 359 appends the data into the complete stream if the LAST flag is not set. 360 ****************************************************************************/ 361 362 static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p) 363 { 364 uint32 ss_padding_len = 0; 365 size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 366 (p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len; 367 368 if(!p->pipe_bound) { 369 DEBUG(0,("process_request_pdu: rpc request with no bind.\n")); 370 set_incoming_fault(p); 371 return False; 372 } 373 374 /* 375 * Check if we need to do authentication processing. 376 * This is only done on requests, not binds. 377 */ 378 379 /* 380 * Read the RPC request header. 381 */ 382 383 if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) { 384 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n")); 385 set_incoming_fault(p); 386 return False; 387 } 388 389 switch(p->auth.auth_type) { 390 case PIPE_AUTH_TYPE_NONE: 391 break; 392 393 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: 394 case PIPE_AUTH_TYPE_NTLMSSP: 395 { 396 NTSTATUS status; 397 if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) { 398 DEBUG(0,("process_request_pdu: failed to do auth processing.\n")); 399 DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) )); 400 set_incoming_fault(p); 401 return False; 402 } 403 break; 404 } 405 406 case PIPE_AUTH_TYPE_SCHANNEL: 407 if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) { 408 DEBUG(3,("process_request_pdu: failed to do schannel processing.\n")); 409 set_incoming_fault(p); 410 return False; 411 } 412 break; 413 414 default: 415 DEBUG(0,("process_request_pdu: unknown auth type %u set.\n", (unsigned int)p->auth.auth_type )); 416 set_incoming_fault(p); 417 return False; 418 } 419 420 /* Now we've done the sign/seal we can remove any padding data. */ 421 if (data_len > ss_padding_len) { 422 data_len -= ss_padding_len; 423 } 424 425 /* 426 * Check the data length doesn't go over the 15Mb limit. 427 * increased after observing a bug in the Windows NT 4.0 SP6a 428 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC 429 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002 430 */ 431 432 if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) { 433 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n", 434 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len )); 435 set_incoming_fault(p); 436 return False; 437 } 438 439 /* 440 * Append the data portion into the buffer and return. 441 */ 442 443 if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) { 444 DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n", 445 (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) )); 446 set_incoming_fault(p); 447 return False; 448 } 449 450 if(p->hdr.flags & DCERPC_PFC_FLAG_LAST) { 451 bool ret = False; 452 /* 453 * Ok - we finally have a complete RPC stream. 454 * Call the rpc command to process it. 455 */ 456 457 /* 458 * Ensure the internal prs buffer size is *exactly* the same 459 * size as the current offset. 460 */ 461 462 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) { 463 DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n")); 464 set_incoming_fault(p); 465 return False; 466 } 467 468 /* 469 * Set the parse offset to the start of the data and set the 470 * prs_struct to UNMARSHALL. 471 */ 472 473 prs_set_offset(&p->in_data.data, 0); 474 prs_switch_type(&p->in_data.data, UNMARSHALL); 475 476 /* 477 * Process the complete data stream here. 478 */ 479 480 free_pipe_context(p); 481 482 if(pipe_init_outgoing_data(p)) { 483 ret = api_pipe_request(p); 484 } 485 486 free_pipe_context(p); 487 488 /* 489 * We have consumed the whole data stream. Set back to 490 * marshalling and set the offset back to the start of 491 * the buffer to re-use it (we could also do a prs_mem_free() 492 * and then re_init on the next start of PDU. Not sure which 493 * is best here.... JRA. 494 */ 495 496 prs_switch_type(&p->in_data.data, MARSHALL); 497 prs_set_offset(&p->in_data.data, 0); 498 return ret; 499 } 500 501 return True; 502 } 503 504 /**************************************************************************** 505 Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has 506 already been parsed and stored in p->hdr. 507 ****************************************************************************/ 508 509 static void process_complete_pdu(pipes_struct *p) 510 { 511 prs_struct rpc_in; 512 size_t data_len = p->in_data.pdu_received_len - RPC_HEADER_LEN; 513 char *data_p = (char *)&p->in_data.current_in_pdu[RPC_HEADER_LEN]; 514 bool reply = False; 515 516 if(p->fault_state) { 517 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n", 518 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 519 set_incoming_fault(p); 520 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 521 return; 522 } 523 524 prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL); 525 526 /* 527 * Ensure we're using the corrent endianness for both the 528 * RPC header flags and the raw data we will be reading from. 529 */ 530 531 prs_set_endian_data( &rpc_in, p->endian); 532 prs_set_endian_data( &p->in_data.data, p->endian); 533 534 prs_give_memory( &rpc_in, data_p, (uint32)data_len, False); 535 536 DEBUG(10,("process_complete_pdu: processing packet type %u\n", 537 (unsigned int)p->hdr.pkt_type )); 538 539 switch (p->hdr.pkt_type) { 540 case DCERPC_PKT_REQUEST: 541 reply = process_request_pdu(p, &rpc_in); 542 break; 543 544 case DCERPC_PKT_PING: /* CL request - ignore... */ 545 DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n", 546 (unsigned int)p->hdr.pkt_type, 547 get_pipe_name_from_syntax(talloc_tos(), 548 &p->syntax))); 549 break; 550 551 case DCERPC_PKT_RESPONSE: /* No responses here. */ 552 DEBUG(0,("process_complete_pdu: Error. DCERPC_PKT_RESPONSE received from client on pipe %s.\n", 553 get_pipe_name_from_syntax(talloc_tos(), 554 &p->syntax))); 555 break; 556 557 case DCERPC_PKT_FAULT: 558 case DCERPC_PKT_WORKING: /* CL request - reply to a ping when a call in process. */ 559 case DCERPC_PKT_NOCALL: /* CL - server reply to a ping call. */ 560 case DCERPC_PKT_REJECT: 561 case DCERPC_PKT_ACK: 562 case DCERPC_PKT_CL_CANCEL: 563 case DCERPC_PKT_FACK: 564 case DCERPC_PKT_CANCEL_ACK: 565 DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n", 566 (unsigned int)p->hdr.pkt_type, 567 get_pipe_name_from_syntax(talloc_tos(), 568 &p->syntax))); 569 break; 570 571 case DCERPC_PKT_BIND: 572 /* 573 * We assume that a pipe bind is only in one pdu. 574 */ 575 if(pipe_init_outgoing_data(p)) { 576 reply = api_pipe_bind_req(p, &rpc_in); 577 } 578 break; 579 580 case DCERPC_PKT_BIND_ACK: 581 case DCERPC_PKT_BIND_NAK: 582 DEBUG(0,("process_complete_pdu: Error. DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK packet type %u received on pipe %s.\n", 583 (unsigned int)p->hdr.pkt_type, 584 get_pipe_name_from_syntax(talloc_tos(), 585 &p->syntax))); 586 break; 587 588 589 case DCERPC_PKT_ALTER: 590 /* 591 * We assume that a pipe bind is only in one pdu. 592 */ 593 if(pipe_init_outgoing_data(p)) { 594 reply = api_pipe_alter_context(p, &rpc_in); 595 } 596 break; 597 598 case DCERPC_PKT_ALTER_RESP: 599 DEBUG(0,("process_complete_pdu: Error. DCERPC_PKT_ALTER_RESP on pipe %s: Should only be server -> client.\n", 600 get_pipe_name_from_syntax(talloc_tos(), 601 &p->syntax))); 602 break; 603 604 case DCERPC_PKT_AUTH3: 605 /* 606 * The third packet in an NTLMSSP auth exchange. 607 */ 608 if(pipe_init_outgoing_data(p)) { 609 reply = api_pipe_bind_auth3(p, &rpc_in); 610 } 611 break; 612 613 case DCERPC_PKT_SHUTDOWN: 614 DEBUG(0,("process_complete_pdu: Error. DCERPC_PKT_SHUTDOWN on pipe %s: Should only be server -> client.\n", 615 get_pipe_name_from_syntax(talloc_tos(), 616 &p->syntax))); 617 break; 618 619 case DCERPC_PKT_CO_CANCEL: 620 /* For now just free all client data and continue processing. */ 621 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL. Abandoning rpc call.\n")); 622 /* As we never do asynchronous RPC serving, we can never cancel a 623 call (as far as I know). If we ever did we'd have to send a cancel_ack 624 reply. For now, just free all client data and continue processing. */ 625 reply = True; 626 break; 627 #if 0 628 /* Enable this if we're doing async rpc. */ 629 /* We must check the call-id matches the outstanding callid. */ 630 if(pipe_init_outgoing_data(p)) { 631 /* Send a cancel_ack PDU reply. */ 632 /* We should probably check the auth-verifier here. */ 633 reply = setup_cancel_ack_reply(p, &rpc_in); 634 } 635 break; 636 #endif 637 638 case DCERPC_PKT_ORPHANED: 639 /* We should probably check the auth-verifier here. 640 For now just free all client data and continue processing. */ 641 DEBUG(3,("process_complete_pdu: DCERPC_PKT_ORPHANED. Abandoning rpc call.\n")); 642 reply = True; 643 break; 644 645 default: 646 DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type )); 647 break; 648 } 649 650 /* Reset to little endian. Probably don't need this but it won't hurt. */ 651 prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN); 652 653 if (!reply) { 654 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on " 655 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(), 656 &p->syntax))); 657 set_incoming_fault(p); 658 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 659 prs_mem_free(&rpc_in); 660 } else { 661 /* 662 * Reset the lengths. We're ready for a new pdu. 663 */ 664 TALLOC_FREE(p->in_data.current_in_pdu); 665 p->in_data.pdu_needed_len = 0; 666 p->in_data.pdu_received_len = 0; 667 } 668 669 prs_mem_free(&rpc_in); 113 static void free_pipe_context(struct pipes_struct *p) 114 { 115 data_blob_free(&p->out_data.frag); 116 data_blob_free(&p->out_data.rdata); 117 data_blob_free(&p->in_data.data); 118 119 DEBUG(3, ("free_pipe_context: " 120 "destroying talloc pool of size %lu\n", 121 (unsigned long)talloc_total_size(p->mem_ctx))); 122 talloc_free_children(p->mem_ctx); 670 123 } 671 124 … … 674 127 ****************************************************************************/ 675 128 676 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n) 677 { 678 size_t data_to_copy = MIN(n, RPC_MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len); 679 680 DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n", 681 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len, 682 (unsigned int)n )); 129 ssize_t process_incoming_data(struct pipes_struct *p, char *data, size_t n) 130 { 131 size_t data_to_copy = MIN(n, RPC_MAX_PDU_FRAG_LEN 132 - p->in_data.pdu.length); 133 134 DEBUG(10, ("process_incoming_data: Start: pdu.length = %u, " 135 "pdu_needed_len = %u, incoming data = %u\n", 136 (unsigned int)p->in_data.pdu.length, 137 (unsigned int)p->in_data.pdu_needed_len, 138 (unsigned int)n )); 683 139 684 140 if(data_to_copy == 0) { 685 141 /* 686 142 * This is an error - data is being received and there is no 687 * space in the PDU. Free the received data and go into the fault state. 143 * space in the PDU. Free the received data and go into the 144 * fault state. 688 145 */ 689 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \ 690 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n )); 146 DEBUG(0, ("process_incoming_data: " 147 "No space in incoming pdu buffer. " 148 "Current size = %u incoming data size = %u\n", 149 (unsigned int)p->in_data.pdu.length, 150 (unsigned int)n)); 691 151 set_incoming_fault(p); 692 152 return -1; … … 694 154 695 155 /* 696 * If we have no data already, wait until we get at least a RPC_HEADER_LEN 697 * number of bytes before we can do anything. 698 */ 699 700 if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) { 156 * If we have no data already, wait until we get at least 157 * a RPC_HEADER_LEN * number of bytes before we can do anything. 158 */ 159 160 if ((p->in_data.pdu_needed_len == 0) && 161 (p->in_data.pdu.length < RPC_HEADER_LEN)) { 701 162 /* 702 163 * Always return here. If we have more data then the RPC_HEADER … … 707 168 708 169 /* 709 * At this point we know we have at least an RPC_HEADER_LEN amount of data 710 * stored in current_in_pdu. 711 */ 712 713 /* 714 * If pdu_needed_len is zero this is a new pdu. 715 * Unmarshall the header so we know how much more 716 * data we need, then loop again. 717 */ 718 719 if(p->in_data.pdu_needed_len == 0) { 720 ssize_t rret = unmarshall_rpc_header(p); 721 if (rret == -1 || p->in_data.pdu_needed_len > 0) { 722 return rret; 723 } 724 /* If rret == 0 and pdu_needed_len == 0 here we have a PDU that consists 725 of an RPC_HEADER only. This is a DCERPC_PKT_SHUTDOWN, DCERPC_PKT_CO_CANCEL or DCERPC_PKT_ORPHANED 726 pdu type. Deal with this in process_complete_pdu(). */ 727 } 728 729 /* 730 * Ok - at this point we have a valid RPC_HEADER in p->hdr. 170 * At this point we know we have at least an RPC_HEADER_LEN amount of 171 * data stored in p->in_data.pdu. 172 */ 173 174 /* 175 * If pdu_needed_len is zero this is a new pdu. 176 * Check how much more data we need, then loop again. 177 */ 178 if (p->in_data.pdu_needed_len == 0) { 179 180 bool ok = get_pdu_size(p); 181 if (!ok) { 182 return -1; 183 } 184 if (p->in_data.pdu_needed_len > 0) { 185 return 0; 186 } 187 188 /* If rret == 0 and pdu_needed_len == 0 here we have a PDU 189 * that consists of an RPC_HEADER only. This is a 190 * DCERPC_PKT_SHUTDOWN, DCERPC_PKT_CO_CANCEL or 191 * DCERPC_PKT_ORPHANED pdu type. 192 * Deal with this in process_complete_pdu(). */ 193 } 194 195 /* 196 * Ok - at this point we have a valid RPC_HEADER. 731 197 * Keep reading until we have a full pdu. 732 198 */ … … 735 201 736 202 /* 737 * Copy as much of the data as we need into the current_in_pdu buffer.203 * Copy as much of the data as we need into the p->in_data.pdu buffer. 738 204 * pdu_needed_len becomes zero when we have a complete pdu. 739 205 */ 740 206 741 memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy); 742 p->in_data.pdu_received_len += data_to_copy; 207 memcpy((char *)&p->in_data.pdu.data[p->in_data.pdu.length], 208 data, data_to_copy); 209 p->in_data.pdu.length += data_to_copy; 743 210 p->in_data.pdu_needed_len -= data_to_copy; 744 211 … … 753 220 } 754 221 755 DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n", 756 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len )); 222 DEBUG(10, ("process_incoming_data: not a complete PDU yet. " 223 "pdu.length = %u, pdu_needed_len = %u\n", 224 (unsigned int)p->in_data.pdu.length, 225 (unsigned int)p->in_data.pdu_needed_len)); 757 226 758 227 return (ssize_t)data_to_copy; … … 770 239 ssize_t data_used; 771 240 772 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left )); 241 DEBUG(10, ("write_to_pipe: data_left = %u\n", 242 (unsigned int)data_left)); 773 243 774 244 data_used = process_incoming_data(p, data, data_left); 775 245 776 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used )); 246 DEBUG(10, ("write_to_pipe: data_used = %d\n", 247 (int)data_used)); 777 248 778 249 if(data_used < 0) { … … 782 253 data_left -= data_used; 783 254 data += data_used; 784 } 255 } 785 256 786 257 return n; … … 798 269 ****************************************************************************/ 799 270 800 static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data, size_t n,801 bool *is_data_outstanding)271 static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data, 272 size_t n, bool *is_data_outstanding) 802 273 { 803 274 uint32 pdu_remaining = 0; … … 806 277 if (!p) { 807 278 DEBUG(0,("read_from_pipe: pipe not open\n")); 808 return -1; 279 return -1; 809 280 } 810 281 … … 819 290 820 291 /* 821 * This condition should result in the connection being closed. 292 * This condition should result in the connection being closed. 822 293 * Netapp filers seem to set it to 0xffff which results in domain 823 294 * authentications failing. Just ignore it so things work. … … 841 312 */ 842 313 843 pdu_remaining = p rs_offset(&p->out_data.frag)314 pdu_remaining = p->out_data.frag.length 844 315 - p->out_data.current_pdu_sent; 845 316 … … 850 321 "current_pdu_sent = %u returning %d bytes.\n", 851 322 get_pipe_name_from_syntax(talloc_tos(), &p->syntax), 852 (unsigned int)p rs_offset(&p->out_data.frag),323 (unsigned int)p->out_data.frag.length, 853 324 (unsigned int)p->out_data.current_pdu_sent, 854 325 (int)data_returned)); 855 326 856 327 memcpy(data, 857 p rs_data_p(&p->out_data.frag)328 p->out_data.frag.data 858 329 + p->out_data.current_pdu_sent, 859 330 data_returned); … … 869 340 870 341 DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length " 871 "= %u, p rs_offset(&p->out_data.rdata)= %u.\n",342 "= %u, p->out_data.rdata.length = %u.\n", 872 343 get_pipe_name_from_syntax(talloc_tos(), &p->syntax), 873 344 (int)p->fault_state, 874 345 (unsigned int)p->out_data.data_sent_length, 875 (unsigned int)p rs_offset(&p->out_data.rdata)));876 877 if (p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {346 (unsigned int)p->out_data.rdata.length)); 347 348 if (p->out_data.data_sent_length >= p->out_data.rdata.length) { 878 349 /* 879 350 * We have sent all possible data, return 0. … … 896 367 } 897 368 898 data_returned = MIN(n, p rs_offset(&p->out_data.frag));899 900 memcpy( data, prs_data_p(&p->out_data.frag), (size_t)data_returned);369 data_returned = MIN(n, p->out_data.frag.length); 370 371 memcpy(data, p->out_data.frag.data, (size_t)data_returned); 901 372 p->out_data.current_pdu_sent += (uint32)data_returned; 902 373 903 374 out: 904 (*is_data_outstanding) = p rs_offset(&p->out_data.frag)> n;905 906 if (p->out_data.current_pdu_sent == p rs_offset(&p->out_data.frag)) {375 (*is_data_outstanding) = p->out_data.frag.length > n; 376 377 if (p->out_data.current_pdu_sent == p->out_data.frag.length) { 907 378 /* We've returned everything in the out_data.frag 908 379 * so we're done with this pdu. Free it and reset 909 380 * current_pdu_sent. */ 910 381 p->out_data.current_pdu_sent = 0; 911 prs_mem_free(&p->out_data.frag); 912 } 382 data_blob_free(&p->out_data.frag); 383 384 if (p->out_data.data_sent_length >= p->out_data.rdata.length) { 385 /* 386 * We're completely finished with both outgoing and 387 * incoming data streams. It's safe to free all 388 * temporary data from this request. 389 */ 390 free_pipe_context(p); 391 } 392 } 393 913 394 return data_returned; 914 }915 916 /****************************************************************************917 Close an rpc pipe.918 ****************************************************************************/919 920 static int close_internal_rpc_pipe_hnd(struct pipes_struct *p)921 {922 if (!p) {923 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));924 return False;925 }926 927 prs_mem_free(&p->out_data.frag);928 prs_mem_free(&p->out_data.rdata);929 prs_mem_free(&p->in_data.data);930 931 if (p->auth.auth_data_free_func) {932 (*p->auth.auth_data_free_func)(&p->auth);933 }934 935 TALLOC_FREE(p->mem_ctx);936 937 free_pipe_rpc_context( p->contexts );938 939 /* Free the handles database. */940 close_policy_by_pipe(p);941 942 DLIST_REMOVE(InternalPipes, p);943 944 ZERO_STRUCTP(p);945 946 TALLOC_FREE(p);947 948 return True;949 395 } 950 396 … … 963 409 } 964 410 965 struct np_proxy_state {966 struct tevent_queue *read_queue;967 struct tevent_queue *write_queue;968 int fd;969 970 uint8_t *msg;971 size_t sent;972 };973 974 static int np_proxy_state_destructor(struct np_proxy_state *state)975 {976 if (state->fd != -1) {977 close(state->fd);978 }979 return 0;980 }981 982 static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,983 const char *pipe_name,984 struct auth_serversupplied_info *server_info)985 {986 struct np_proxy_state *result;987 struct sockaddr_un addr;988 char *socket_path;989 const char *socket_dir;990 991 DATA_BLOB req_blob;992 struct netr_SamInfo3 *info3;993 struct named_pipe_auth_req req;994 DATA_BLOB rep_blob;995 uint8 rep_buf[20];996 struct named_pipe_auth_rep rep;997 enum ndr_err_code ndr_err;998 NTSTATUS status;999 ssize_t written;1000 1001 result = talloc(mem_ctx, struct np_proxy_state);1002 if (result == NULL) {1003 DEBUG(0, ("talloc failed\n"));1004 return NULL;1005 }1006 1007 result->fd = socket(AF_UNIX, SOCK_STREAM, 0);1008 if (result->fd == -1) {1009 DEBUG(10, ("socket(2) failed: %s\n", strerror(errno)));1010 goto fail;1011 }1012 talloc_set_destructor(result, np_proxy_state_destructor);1013 1014 ZERO_STRUCT(addr);1015 addr.sun_family = AF_UNIX;1016 1017 socket_dir = lp_parm_const_string(1018 GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir",1019 get_dyn_NCALRPCDIR());1020 if (socket_dir == NULL) {1021 DEBUG(0, ("externan_rpc_pipe:socket_dir not set\n"));1022 goto fail;1023 }1024 1025 socket_path = talloc_asprintf(talloc_tos(), "%s/np/%s",1026 socket_dir, pipe_name);1027 if (socket_path == NULL) {1028 DEBUG(0, ("talloc_asprintf failed\n"));1029 goto fail;1030 }1031 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));1032 TALLOC_FREE(socket_path);1033 1034 become_root();1035 if (sys_connect(result->fd, (struct sockaddr *)&addr) == -1) {1036 unbecome_root();1037 DEBUG(0, ("connect(%s) failed: %s\n", addr.sun_path,1038 strerror(errno)));1039 goto fail;1040 }1041 unbecome_root();1042 1043 info3 = talloc(talloc_tos(), struct netr_SamInfo3);1044 if (info3 == NULL) {1045 DEBUG(0, ("talloc failed\n"));1046 goto fail;1047 }1048 1049 status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);1050 if (!NT_STATUS_IS_OK(status)) {1051 TALLOC_FREE(info3);1052 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",1053 nt_errstr(status)));1054 goto fail;1055 }1056 1057 req.level = 1;1058 req.info.info1 = *info3;1059 1060 ndr_err = ndr_push_struct_blob(1061 &req_blob, talloc_tos(), NULL, &req,1062 (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req);1063 1064 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {1065 DEBUG(10, ("ndr_push_named_pipe_auth_req failed: %s\n",1066 ndr_errstr(ndr_err)));1067 goto fail;1068 }1069 1070 DEBUG(10, ("named_pipe_auth_req(client)[%u]\n", (uint32_t)req_blob.length));1071 dump_data(10, req_blob.data, req_blob.length);1072 1073 written = write_data(result->fd, (char *)req_blob.data,1074 req_blob.length);1075 if (written == -1) {1076 DEBUG(3, ("Could not write auth req data to RPC server\n"));1077 goto fail;1078 }1079 1080 status = read_data(result->fd, (char *)rep_buf, sizeof(rep_buf));1081 if (!NT_STATUS_IS_OK(status)) {1082 DEBUG(3, ("Could not read auth result\n"));1083 goto fail;1084 }1085 1086 rep_blob = data_blob_const(rep_buf, sizeof(rep_buf));1087 1088 DEBUG(10,("name_pipe_auth_rep(client)[%u]\n", (uint32_t)rep_blob.length));1089 dump_data(10, rep_blob.data, rep_blob.length);1090 1091 ndr_err = ndr_pull_struct_blob(1092 &rep_blob, talloc_tos(), NULL, &rep,1093 (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_rep);1094 1095 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {1096 DEBUG(0, ("ndr_pull_named_pipe_auth_rep failed: %s\n",1097 ndr_errstr(ndr_err)));1098 goto fail;1099 }1100 1101 if (rep.length != 16) {1102 DEBUG(0, ("req invalid length: %u != 16\n",1103 rep.length));1104 goto fail;1105 }1106 1107 if (strcmp(NAMED_PIPE_AUTH_MAGIC, rep.magic) != 0) {1108 DEBUG(0, ("req invalid magic: %s != %s\n",1109 rep.magic, NAMED_PIPE_AUTH_MAGIC));1110 goto fail;1111 }1112 1113 if (!NT_STATUS_IS_OK(rep.status)) {1114 DEBUG(0, ("req failed: %s\n",1115 nt_errstr(rep.status)));1116 goto fail;1117 }1118 1119 if (rep.level != 1) {1120 DEBUG(0, ("req invalid level: %u != 1\n",1121 rep.level));1122 goto fail;1123 }1124 1125 result->msg = NULL;1126 1127 result->read_queue = tevent_queue_create(result, "np_read");1128 if (result->read_queue == NULL) {1129 goto fail;1130 }1131 result->write_queue = tevent_queue_create(result, "np_write");1132 if (result->write_queue == NULL) {1133 goto fail;1134 }1135 1136 return result;1137 1138 fail:1139 TALLOC_FREE(result);1140 return NULL;1141 }1142 1143 411 NTSTATUS np_open(TALLOC_CTX *mem_ctx, const char *name, 1144 const char *client_address, 1145 struct auth_serversupplied_info *server_info, 412 const struct tsocket_address *local_address, 413 const struct tsocket_address *remote_address, 414 struct client_address *client_id, 415 struct auth_serversupplied_info *session_info, 416 struct messaging_context *msg_ctx, 1146 417 struct fake_file_handle **phandle) 1147 418 { 419 const char *rpcsrv_type; 1148 420 const char **proxy_list; 1149 421 struct fake_file_handle *handle; 422 bool external = false; 1150 423 1151 424 proxy_list = lp_parm_string_list(-1, "np", "proxy", NULL); … … 1156 429 } 1157 430 431 /* Check what is the server type for this pipe. 432 Defaults to "embedded" */ 433 rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM, 434 "rpc_server", name, 435 "embedded"); 436 if (StrCaseCmp(rpcsrv_type, "embedded") != 0) { 437 external = true; 438 } 439 440 /* Still support the old method for defining external servers */ 1158 441 if ((proxy_list != NULL) && str_list_check_ci(proxy_list, name)) { 442 external = true; 443 } 444 445 if (external) { 1159 446 struct np_proxy_state *p; 1160 447 1161 p = make_external_rpc_pipe_p(handle, name, server_info); 448 p = make_external_rpc_pipe_p(handle, name, 449 local_address, 450 remote_address, 451 session_info); 1162 452 1163 453 handle->type = FAKE_FILE_TYPE_NAMED_PIPE_PROXY; … … 1172 462 } 1173 463 1174 p = make_internal_rpc_pipe_p(handle, &syntax, client_ address,1175 se rver_info);464 p = make_internal_rpc_pipe_p(handle, &syntax, client_id, 465 session_info, msg_ctx); 1176 466 1177 467 handle->type = FAKE_FILE_TYPE_NAMED_PIPE; … … 1187 477 1188 478 return NT_STATUS_OK; 479 } 480 481 bool np_read_in_progress(struct fake_file_handle *handle) 482 { 483 if (handle->type == FAKE_FILE_TYPE_NAMED_PIPE) { 484 return false; 485 } 486 487 if (handle->type == FAKE_FILE_TYPE_NAMED_PIPE_PROXY) { 488 struct np_proxy_state *p = talloc_get_type_abort( 489 handle->private_data, struct np_proxy_state); 490 size_t read_count; 491 492 read_count = tevent_queue_length(p->read_queue); 493 if (read_count > 0) { 494 return true; 495 } 496 497 return false; 498 } 499 500 return false; 1189 501 } 1190 502 … … 1241 553 state->iov.iov_len = len; 1242 554 1243 subreq = writev_send(state, ev, p->write_queue, p->fd, 1244 false, &state->iov, 1); 555 subreq = tstream_writev_queue_send(state, ev, 556 p->npipe, 557 p->write_queue, 558 &state->iov, 1); 1245 559 if (subreq == NULL) { 1246 560 goto fail; … … 1272 586 int err; 1273 587 1274 received = writev_recv(subreq, &err);588 received = tstream_writev_queue_recv(subreq, &err); 1275 589 if (received < 0) { 1276 590 tevent_req_nterror(req, map_nt_error_from_unix(err)); … … 1294 608 } 1295 609 1296 static ssize_t rpc_frag_more_fn(uint8_t *buf, size_t buflen, void *priv) 1297 { 1298 prs_struct hdr_prs; 1299 struct rpc_hdr_info hdr; 1300 bool ret; 1301 1302 if (buflen > RPC_HEADER_LEN) { 610 struct np_ipc_readv_next_vector_state { 611 uint8_t *buf; 612 size_t len; 613 off_t ofs; 614 size_t remaining; 615 }; 616 617 static void np_ipc_readv_next_vector_init(struct np_ipc_readv_next_vector_state *s, 618 uint8_t *buf, size_t len) 619 { 620 ZERO_STRUCTP(s); 621 622 s->buf = buf; 623 s->len = MIN(len, UINT16_MAX); 624 } 625 626 static int np_ipc_readv_next_vector(struct tstream_context *stream, 627 void *private_data, 628 TALLOC_CTX *mem_ctx, 629 struct iovec **_vector, 630 size_t *count) 631 { 632 struct np_ipc_readv_next_vector_state *state = 633 (struct np_ipc_readv_next_vector_state *)private_data; 634 struct iovec *vector; 635 ssize_t pending; 636 size_t wanted; 637 638 if (state->ofs == state->len) { 639 *_vector = NULL; 640 *count = 0; 1303 641 return 0; 1304 642 } 1305 prs_init_empty(&hdr_prs, talloc_tos(), UNMARSHALL); 1306 prs_give_memory(&hdr_prs, (char *)buf, RPC_HEADER_LEN, false); 1307 ret = smb_io_rpc_hdr("", &hdr, &hdr_prs, 0); 1308 prs_mem_free(&hdr_prs); 1309 1310 if (!ret) { 643 644 pending = tstream_pending_bytes(stream); 645 if (pending == -1) { 1311 646 return -1; 1312 647 } 1313 648 1314 return (hdr.frag_len - RPC_HEADER_LEN); 649 if (pending == 0 && state->ofs != 0) { 650 /* return a short read */ 651 *_vector = NULL; 652 *count = 0; 653 return 0; 654 } 655 656 if (pending == 0) { 657 /* we want at least one byte and recheck again */ 658 wanted = 1; 659 } else { 660 size_t missing = state->len - state->ofs; 661 if (pending > missing) { 662 /* there's more available */ 663 state->remaining = pending - missing; 664 wanted = missing; 665 } else { 666 /* read what we can get and recheck in the next cycle */ 667 wanted = pending; 668 } 669 } 670 671 vector = talloc_array(mem_ctx, struct iovec, 1); 672 if (!vector) { 673 return -1; 674 } 675 676 vector[0].iov_base = state->buf + state->ofs; 677 vector[0].iov_len = wanted; 678 679 state->ofs += wanted; 680 681 *_vector = vector; 682 *count = 1; 683 return 0; 1315 684 } 1316 685 1317 686 struct np_read_state { 1318 struct event_context *ev;1319 687 struct np_proxy_state *p; 1320 uint8_t *data; 1321 size_t len; 688 struct np_ipc_readv_next_vector_state next_vector; 1322 689 1323 690 size_t nread; … … 1325 692 }; 1326 693 1327 static void np_read_trigger(struct tevent_req *req, void *private_data);1328 694 static void np_read_done(struct tevent_req *subreq); 1329 695 … … 1356 722 struct np_proxy_state *p = talloc_get_type_abort( 1357 723 handle->private_data, struct np_proxy_state); 1358 1359 if (p->msg != NULL) { 1360 size_t thistime; 1361 1362 thistime = MIN(talloc_get_size(p->msg) - p->sent, 1363 len); 1364 1365 memcpy(data, p->msg+p->sent, thistime); 1366 state->nread = thistime; 1367 p->sent += thistime; 1368 1369 if (p->sent < talloc_get_size(p->msg)) { 1370 state->is_data_outstanding = true; 1371 } else { 1372 state->is_data_outstanding = false; 1373 TALLOC_FREE(p->msg); 1374 } 1375 status = NT_STATUS_OK; 724 struct tevent_req *subreq; 725 726 np_ipc_readv_next_vector_init(&state->next_vector, 727 data, len); 728 729 subreq = tstream_readv_pdu_queue_send(state, 730 ev, 731 p->npipe, 732 p->read_queue, 733 np_ipc_readv_next_vector, 734 &state->next_vector); 735 if (subreq == NULL) { 736 status = NT_STATUS_NO_MEMORY; 1376 737 goto post_status; 1377 738 } 1378 1379 state->ev = ev; 1380 state->p = p; 1381 state->data = data; 1382 state->len = len; 1383 1384 if (!tevent_queue_add(p->read_queue, ev, req, np_read_trigger, 1385 NULL)) { 1386 goto fail; 1387 } 739 tevent_req_set_callback(subreq, np_read_done, req); 1388 740 return req; 1389 741 } … … 1397 749 } 1398 750 return tevent_req_post(req, ev); 1399 fail:1400 TALLOC_FREE(req);1401 return NULL;1402 }1403 1404 static void np_read_trigger(struct tevent_req *req, void *private_data)1405 {1406 struct np_read_state *state = tevent_req_data(1407 req, struct np_read_state);1408 struct tevent_req *subreq;1409 1410 subreq = read_packet_send(state, state->ev, state->p->fd,1411 RPC_HEADER_LEN, rpc_frag_more_fn, NULL);1412 if (tevent_req_nomem(subreq, req)) {1413 return;1414 }1415 tevent_req_set_callback(subreq, np_read_done, req);1416 751 } 1417 752 … … 1422 757 struct np_read_state *state = tevent_req_data( 1423 758 req, struct np_read_state); 1424 ssize_t received; 1425 size_t thistime; 759 ssize_t ret; 1426 760 int err; 1427 761 1428 re ceived = read_packet_recv(subreq, state->p, &state->p->msg, &err);762 ret = tstream_readv_pdu_queue_recv(subreq, &err); 1429 763 TALLOC_FREE(subreq); 1430 if (re ceived== -1) {764 if (ret == -1) { 1431 765 tevent_req_nterror(req, map_nt_error_from_unix(err)); 1432 766 return; 1433 767 } 1434 768 1435 thistime = MIN(received, state->len); 1436 1437 memcpy(state->data, state->p->msg, thistime); 1438 state->p->sent = thistime; 1439 state->nread = thistime; 1440 1441 if (state->p->sent < received) { 1442 state->is_data_outstanding = true; 1443 } else { 1444 TALLOC_FREE(state->p->msg); 1445 state->is_data_outstanding = false; 1446 } 769 state->nread = ret; 770 state->is_data_outstanding = (state->next_vector.remaining > 0); 1447 771 1448 772 tevent_req_done(req); … … 1460 784 return status; 1461 785 } 786 787 DEBUG(10, ("Received %d bytes. There is %smore data outstanding\n", 788 (int)state->nread, state->is_data_outstanding?"":"no ")); 789 1462 790 *nread = state->nread; 1463 791 *is_data_outstanding = state->is_data_outstanding; 1464 792 return NT_STATUS_OK; 1465 793 } 1466 1467 /**1468 * Create a new RPC client context which uses a local dispatch function.1469 */1470 NTSTATUS rpc_pipe_open_internal(TALLOC_CTX *mem_ctx,1471 const struct ndr_syntax_id *abstract_syntax,1472 NTSTATUS (*dispatch) (struct rpc_pipe_client *cli,1473 TALLOC_CTX *mem_ctx,1474 const struct ndr_interface_table *table,1475 uint32_t opnum, void *r),1476 struct auth_serversupplied_info *serversupplied_info,1477 struct rpc_pipe_client **presult)1478 {1479 struct rpc_pipe_client *result;1480 1481 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);1482 if (result == NULL) {1483 return NT_STATUS_NO_MEMORY;1484 }1485 1486 result->abstract_syntax = *abstract_syntax;1487 result->transfer_syntax = ndr_transfer_syntax;1488 result->dispatch = dispatch;1489 1490 result->pipes_struct = make_internal_rpc_pipe_p(1491 result, abstract_syntax, "", serversupplied_info);1492 if (result->pipes_struct == NULL) {1493 TALLOC_FREE(result);1494 return NT_STATUS_NO_MEMORY;1495 }1496 1497 result->max_xmit_frag = -1;1498 result->max_recv_frag = -1;1499 1500 *presult = result;1501 return NT_STATUS_OK;1502 }1503 1504 /*******************************************************************1505 gets a domain user's groups from their already-calculated NT_USER_TOKEN1506 ********************************************************************/1507 1508 static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx,1509 const DOM_SID *domain_sid,1510 size_t num_sids,1511 const DOM_SID *sids,1512 int *numgroups,1513 struct samr_RidWithAttribute **pgids)1514 {1515 int i;1516 1517 *numgroups=0;1518 *pgids = NULL;1519 1520 for (i=0; i<num_sids; i++) {1521 struct samr_RidWithAttribute gid;1522 if (!sid_peek_check_rid(domain_sid, &sids[i], &gid.rid)) {1523 continue;1524 }1525 gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|1526 SE_GROUP_ENABLED);1527 ADD_TO_ARRAY(mem_ctx, struct samr_RidWithAttribute,1528 gid, pgids, numgroups);1529 if (*pgids == NULL) {1530 return NT_STATUS_NO_MEMORY;1531 }1532 }1533 return NT_STATUS_OK;1534 }1535 1536 /****************************************************************************1537 inits a netr_SamBaseInfo structure from an auth_serversupplied_info.1538 *****************************************************************************/1539 1540 static NTSTATUS serverinfo_to_SamInfo_base(TALLOC_CTX *mem_ctx,1541 struct auth_serversupplied_info *server_info,1542 uint8_t *pipe_session_key,1543 size_t pipe_session_key_len,1544 struct netr_SamBaseInfo *base)1545 {1546 struct samu *sampw;1547 struct samr_RidWithAttribute *gids = NULL;1548 const DOM_SID *user_sid = NULL;1549 const DOM_SID *group_sid = NULL;1550 DOM_SID domain_sid;1551 uint32 user_rid, group_rid;1552 NTSTATUS status;1553 1554 int num_gids = 0;1555 const char *my_name;1556 1557 struct netr_UserSessionKey user_session_key;1558 struct netr_LMSessionKey lm_session_key;1559 1560 NTTIME last_logon, last_logoff, acct_expiry, last_password_change;1561 NTTIME allow_password_change, force_password_change;1562 struct samr_RidWithAttributeArray groups;1563 int i;1564 struct dom_sid2 *sid = NULL;1565 1566 ZERO_STRUCT(user_session_key);1567 ZERO_STRUCT(lm_session_key);1568 1569 sampw = server_info->sam_account;1570 1571 user_sid = pdb_get_user_sid(sampw);1572 group_sid = pdb_get_group_sid(sampw);1573 1574 if (pipe_session_key && pipe_session_key_len != 16) {1575 DEBUG(0,("serverinfo_to_SamInfo3: invalid "1576 "pipe_session_key_len[%zu] != 16\n",1577 pipe_session_key_len));1578 return NT_STATUS_INTERNAL_ERROR;1579 }1580 1581 if ((user_sid == NULL) || (group_sid == NULL)) {1582 DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n"));1583 return NT_STATUS_UNSUCCESSFUL;1584 }1585 1586 sid_copy(&domain_sid, user_sid);1587 sid_split_rid(&domain_sid, &user_rid);1588 1589 sid = sid_dup_talloc(mem_ctx, &domain_sid);1590 if (!sid) {1591 return NT_STATUS_NO_MEMORY;1592 }1593 1594 if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) {1595 DEBUG(1, ("_netr_LogonSamLogon: user %s\\%s has user sid "1596 "%s\n but group sid %s.\n"1597 "The conflicting domain portions are not "1598 "supported for NETLOGON calls\n",1599 pdb_get_domain(sampw),1600 pdb_get_username(sampw),1601 sid_string_dbg(user_sid),1602 sid_string_dbg(group_sid)));1603 return NT_STATUS_UNSUCCESSFUL;1604 }1605 1606 if(server_info->login_server) {1607 my_name = server_info->login_server;1608 } else {1609 my_name = global_myname();1610 }1611 1612 status = nt_token_to_group_list(mem_ctx, &domain_sid,1613 server_info->num_sids,1614 server_info->sids,1615 &num_gids, &gids);1616 1617 if (!NT_STATUS_IS_OK(status)) {1618 return status;1619 }1620 1621 if (server_info->user_session_key.length) {1622 memcpy(user_session_key.key,1623 server_info->user_session_key.data,1624 MIN(sizeof(user_session_key.key),1625 server_info->user_session_key.length));1626 if (pipe_session_key) {1627 arcfour_crypt(user_session_key.key, pipe_session_key, 16);1628 }1629 }1630 if (server_info->lm_session_key.length) {1631 memcpy(lm_session_key.key,1632 server_info->lm_session_key.data,1633 MIN(sizeof(lm_session_key.key),1634 server_info->lm_session_key.length));1635 if (pipe_session_key) {1636 arcfour_crypt(lm_session_key.key, pipe_session_key, 8);1637 }1638 }1639 1640 groups.count = num_gids;1641 groups.rids = TALLOC_ARRAY(mem_ctx, struct samr_RidWithAttribute, groups.count);1642 if (!groups.rids) {1643 return NT_STATUS_NO_MEMORY;1644 }1645 1646 for (i=0; i < groups.count; i++) {1647 groups.rids[i].rid = gids[i].rid;1648 groups.rids[i].attributes = gids[i].attributes;1649 }1650 1651 unix_to_nt_time(&last_logon, pdb_get_logon_time(sampw));1652 unix_to_nt_time(&last_logoff, get_time_t_max());1653 unix_to_nt_time(&acct_expiry, get_time_t_max());1654 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(sampw));1655 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw));1656 unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw));1657 1658 base->last_logon = last_logon;1659 base->last_logoff = last_logoff;1660 base->acct_expiry = acct_expiry;1661 base->last_password_change = last_password_change;1662 base->allow_password_change = allow_password_change;1663 base->force_password_change = force_password_change;1664 base->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(sampw));1665 base->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(sampw));1666 base->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(sampw));1667 base->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(sampw));1668 base->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(sampw));1669 base->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(sampw));1670 base->logon_count = 0; /* ?? */1671 base->bad_password_count = 0; /* ?? */1672 base->rid = user_rid;1673 base->primary_gid = group_rid;1674 base->groups = groups;1675 base->user_flags = NETLOGON_EXTRA_SIDS;1676 base->key = user_session_key;1677 base->logon_server.string = talloc_strdup(mem_ctx, my_name);1678 base->domain.string = talloc_strdup(mem_ctx, pdb_get_domain(sampw));1679 base->domain_sid = sid;1680 base->LMSessKey = lm_session_key;1681 base->acct_flags = pdb_get_acct_ctrl(sampw);1682 1683 ZERO_STRUCT(user_session_key);1684 ZERO_STRUCT(lm_session_key);1685 1686 return NT_STATUS_OK;1687 }1688 1689 /****************************************************************************1690 inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must1691 already be initialized and is used as the talloc parent for its members.1692 *****************************************************************************/1693 1694 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,1695 uint8_t *pipe_session_key,1696 size_t pipe_session_key_len,1697 struct netr_SamInfo2 *sam2)1698 {1699 NTSTATUS status;1700 1701 status = serverinfo_to_SamInfo_base(sam2,1702 server_info,1703 pipe_session_key,1704 pipe_session_key_len,1705 &sam2->base);1706 if (!NT_STATUS_IS_OK(status)) {1707 return status;1708 }1709 1710 return NT_STATUS_OK;1711 }1712 1713 /****************************************************************************1714 inits a netr_SamInfo3 structure from an auth_serversupplied_info. sam3 must1715 already be initialized and is used as the talloc parent for its members.1716 *****************************************************************************/1717 1718 NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info,1719 uint8_t *pipe_session_key,1720 size_t pipe_session_key_len,1721 struct netr_SamInfo3 *sam3)1722 {1723 NTSTATUS status;1724 1725 status = serverinfo_to_SamInfo_base(sam3,1726 server_info,1727 pipe_session_key,1728 pipe_session_key_len,1729 &sam3->base);1730 if (!NT_STATUS_IS_OK(status)) {1731 return status;1732 }1733 1734 sam3->sidcount = 0;1735 sam3->sids = NULL;1736 1737 return NT_STATUS_OK;1738 }1739 1740 /****************************************************************************1741 inits a netr_SamInfo6 structure from an auth_serversupplied_info. sam6 must1742 already be initialized and is used as the talloc parent for its members.1743 *****************************************************************************/1744 1745 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,1746 uint8_t *pipe_session_key,1747 size_t pipe_session_key_len,1748 struct netr_SamInfo6 *sam6)1749 {1750 NTSTATUS status;1751 struct pdb_domain_info *dominfo;1752 1753 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {1754 DEBUG(10,("Not adding validation info level 6 "1755 "without ADS passdb backend\n"));1756 return NT_STATUS_INVALID_INFO_CLASS;1757 }1758 1759 dominfo = pdb_get_domain_info(sam6);1760 if (dominfo == NULL) {1761 return NT_STATUS_NO_MEMORY;1762 }1763 1764 status = serverinfo_to_SamInfo_base(sam6,1765 server_info,1766 pipe_session_key,1767 pipe_session_key_len,1768 &sam6->base);1769 if (!NT_STATUS_IS_OK(status)) {1770 return status;1771 }1772 1773 sam6->sidcount = 0;1774 sam6->sids = NULL;1775 1776 sam6->forest.string = talloc_strdup(sam6, dominfo->dns_forest);1777 if (sam6->forest.string == NULL) {1778 return NT_STATUS_NO_MEMORY;1779 }1780 1781 sam6->principle.string = talloc_asprintf(sam6, "%s@%s",1782 pdb_get_username(server_info->sam_account),1783 dominfo->dns_domain);1784 if (sam6->principle.string == NULL) {1785 return NT_STATUS_NO_MEMORY;1786 }1787 1788 return NT_STATUS_OK;1789 }
Note:
See TracChangeset
for help on using the changeset viewer.
