source: vendor/current/source3/rpc_server/srv_pipe.c@ 587

Last change on this file since 587 was 587, checked in by Herwig Bauernfeind, 14 years ago

Samba 3.5: Update vendor to version 3.5.6
File size: 69.1 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20/* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30#include "includes.h"
31#include "../librpc/gen_ndr/ndr_schannel.h"
32#include "../libcli/auth/schannel.h"
33#include "../libcli/auth/spnego.h"
34
35extern struct current_user current_user;
36
37#undef DBGC_CLASS
38#define DBGC_CLASS DBGC_RPC_SRV
39
40static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
41{
42 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
43
44 if (a) {
45 auth_ntlmssp_end(&a);
46 }
47 auth->a_u.auth_ntlmssp_state = NULL;
48}
49
50static DATA_BLOB generic_session_key(void)
51{
52 return data_blob("SystemLibraryDTC", 16);
53}
54
55/*******************************************************************
56 Generate the next PDU to be returned from the data in p->rdata.
57 Handle NTLMSSP.
58 ********************************************************************/
59
60static bool create_next_pdu_ntlmssp(pipes_struct *p)
61{
62 RPC_HDR_RESP hdr_resp;
63 uint32 ss_padding_len = 0;
64 uint32 data_space_available;
65 uint32 data_len_left;
66 uint32 data_len;
67 NTSTATUS status;
68 DATA_BLOB auth_blob;
69 RPC_HDR_AUTH auth_info;
70 uint8 auth_type, auth_level;
71 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
72
73 /*
74 * If we're in the fault state, keep returning fault PDU's until
75 * the pipe gets closed. JRA.
76 */
77
78 if(p->fault_state) {
79 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
80 return True;
81 }
82
83 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
84
85 /* Change the incoming request header to a response. */
86 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
87
88 /* Set up rpc header flags. */
89 if (p->out_data.data_sent_length == 0) {
90 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
91 } else {
92 p->hdr.flags = 0;
93 }
94
95 /*
96 * Work out how much we can fit in a single PDU.
97 */
98
99 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
100
101 /*
102 * Ensure there really is data left to send.
103 */
104
105 if(!data_len_left) {
106 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
107 return False;
108 }
109
110 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
111 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
112
113 /*
114 * The amount we send is the minimum of the available
115 * space and the amount left to send.
116 */
117
118 data_len = MIN(data_len_left, data_space_available);
119
120 /*
121 * Set up the alloc hint. This should be the data left to
122 * send.
123 */
124
125 hdr_resp.alloc_hint = data_len_left;
126
127 /*
128 * Work out if this PDU will be the last.
129 */
130
131 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
132 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
133 if (data_len_left % 8) {
134 ss_padding_len = 8 - (data_len_left % 8);
135 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
136 ss_padding_len ));
137 }
138 }
139
140 /*
141 * Set up the header lengths.
142 */
143
144 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
145 data_len + ss_padding_len +
146 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
147 p->hdr.auth_len = NTLMSSP_SIG_SIZE;
148
149
150 /*
151 * Init the parse struct to point at the outgoing
152 * data.
153 */
154
155 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
156
157 /* Store the header in the data stream. */
158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160 prs_mem_free(&p->out_data.frag);
161 return False;
162 }
163
164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166 prs_mem_free(&p->out_data.frag);
167 return False;
168 }
169
170 /* Copy the data into the PDU. */
171
172 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
173 p->out_data.data_sent_length, data_len)) {
174 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
175 prs_mem_free(&p->out_data.frag);
176 return False;
177 }
178
179 /* Copy the sign/seal padding data. */
180 if (ss_padding_len) {
181 char pad[8];
182
183 memset(pad, '\0', 8);
184 if (!prs_copy_data_in(&p->out_data.frag, pad,
185 ss_padding_len)) {
186 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
187 (unsigned int)ss_padding_len));
188 prs_mem_free(&p->out_data.frag);
189 return False;
190 }
191 }
192
193
194 /* Now write out the auth header and null blob. */
195 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
196 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
197 } else {
198 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
199 }
200 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
201 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
202 } else {
203 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
204 }
205
206 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
207 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
208 0)) {
209 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
210 prs_mem_free(&p->out_data.frag);
211 return False;
212 }
213
214 /* Generate the sign blob. */
215
216 switch (p->auth.auth_level) {
217 case DCERPC_AUTH_LEVEL_PRIVACY:
218 /* Data portion is encrypted. */
219 status = ntlmssp_seal_packet(
220 a->ntlmssp_state,
221 (uint8_t *)prs_data_p(&p->out_data.frag)
222 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
223 data_len + ss_padding_len,
224 (unsigned char *)prs_data_p(&p->out_data.frag),
225 (size_t)prs_offset(&p->out_data.frag),
226 &auth_blob);
227 if (!NT_STATUS_IS_OK(status)) {
228 data_blob_free(&auth_blob);
229 prs_mem_free(&p->out_data.frag);
230 return False;
231 }
232 break;
233 case DCERPC_AUTH_LEVEL_INTEGRITY:
234 /* Data is signed. */
235 status = ntlmssp_sign_packet(
236 a->ntlmssp_state,
237 (unsigned char *)prs_data_p(&p->out_data.frag)
238 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
239 data_len + ss_padding_len,
240 (unsigned char *)prs_data_p(&p->out_data.frag),
241 (size_t)prs_offset(&p->out_data.frag),
242 &auth_blob);
243 if (!NT_STATUS_IS_OK(status)) {
244 data_blob_free(&auth_blob);
245 prs_mem_free(&p->out_data.frag);
246 return False;
247 }
248 break;
249 default:
250 prs_mem_free(&p->out_data.frag);
251 return False;
252 }
253
254 /* Append the auth blob. */
255 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
256 NTLMSSP_SIG_SIZE)) {
257 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
258 (unsigned int)NTLMSSP_SIG_SIZE));
259 data_blob_free(&auth_blob);
260 prs_mem_free(&p->out_data.frag);
261 return False;
262 }
263
264 data_blob_free(&auth_blob);
265
266 /*
267 * Setup the counts for this PDU.
268 */
269
270 p->out_data.data_sent_length += data_len;
271 p->out_data.current_pdu_sent = 0;
272
273 return True;
274}
275
276/*******************************************************************
277 Generate the next PDU to be returned from the data in p->rdata.
278 Return an schannel authenticated fragment.
279 ********************************************************************/
280
281static bool create_next_pdu_schannel(pipes_struct *p)
282{
283 RPC_HDR_RESP hdr_resp;
284 uint32 ss_padding_len = 0;
285 uint32 data_len;
286 uint32 data_space_available;
287 uint32 data_len_left;
288 uint32 data_pos;
289 NTSTATUS status;
290
291 /*
292 * If we're in the fault state, keep returning fault PDU's until
293 * the pipe gets closed. JRA.
294 */
295
296 if(p->fault_state) {
297 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
298 return True;
299 }
300
301 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
302
303 /* Change the incoming request header to a response. */
304 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
305
306 /* Set up rpc header flags. */
307 if (p->out_data.data_sent_length == 0) {
308 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
309 } else {
310 p->hdr.flags = 0;
311 }
312
313 /*
314 * Work out how much we can fit in a single PDU.
315 */
316
317 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
318
319 /*
320 * Ensure there really is data left to send.
321 */
322
323 if(!data_len_left) {
324 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
325 return False;
326 }
327
328 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
329 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
330 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
331
332 /*
333 * The amount we send is the minimum of the available
334 * space and the amount left to send.
335 */
336
337 data_len = MIN(data_len_left, data_space_available);
338
339 /*
340 * Set up the alloc hint. This should be the data left to
341 * send.
342 */
343
344 hdr_resp.alloc_hint = data_len_left;
345
346 /*
347 * Work out if this PDU will be the last.
348 */
349
350 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
351 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
352 if (data_len_left % 8) {
353 ss_padding_len = 8 - (data_len_left % 8);
354 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
355 ss_padding_len ));
356 }
357 }
358
359 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
360 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
361 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
362
363 /*
364 * Init the parse struct to point at the outgoing
365 * data.
366 */
367
368 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
369
370 /* Store the header in the data stream. */
371 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
373 prs_mem_free(&p->out_data.frag);
374 return False;
375 }
376
377 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
378 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
379 prs_mem_free(&p->out_data.frag);
380 return False;
381 }
382
383 /* Store the current offset. */
384 data_pos = prs_offset(&p->out_data.frag);
385
386 /* Copy the data into the PDU. */
387
388 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
389 p->out_data.data_sent_length, data_len)) {
390 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
391 prs_mem_free(&p->out_data.frag);
392 return False;
393 }
394
395 /* Copy the sign/seal padding data. */
396 if (ss_padding_len) {
397 char pad[8];
398 memset(pad, '\0', 8);
399 if (!prs_copy_data_in(&p->out_data.frag, pad,
400 ss_padding_len)) {
401 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
402 prs_mem_free(&p->out_data.frag);
403 return False;
404 }
405 }
406
407 {
408 /*
409 * Schannel processing.
410 */
411 RPC_HDR_AUTH auth_info;
412 DATA_BLOB blob;
413 uint8_t *data;
414
415 /* Check it's the type of reply we were expecting to decode */
416
417 init_rpc_hdr_auth(&auth_info,
418 DCERPC_AUTH_TYPE_SCHANNEL,
419 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
420 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
421 ss_padding_len, 1);
422
423 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
424 &p->out_data.frag, 0)) {
425 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
426 prs_mem_free(&p->out_data.frag);
427 return False;
428 }
429
430 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
431
432 switch (p->auth.auth_level) {
433 case DCERPC_AUTH_LEVEL_PRIVACY:
434 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
435 talloc_tos(),
436 true,
437 data,
438 data_len + ss_padding_len,
439 &blob);
440 break;
441 case DCERPC_AUTH_LEVEL_INTEGRITY:
442 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
443 talloc_tos(),
444 false,
445 data,
446 data_len + ss_padding_len,
447 &blob);
448 break;
449 default:
450 status = NT_STATUS_INTERNAL_ERROR;
451 break;
452 }
453
454 if (!NT_STATUS_IS_OK(status)) {
455 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
456 nt_errstr(status)));
457 prs_mem_free(&p->out_data.frag);
458 return false;
459 }
460
461 /* Finally marshall the blob. */
462
463 if (DEBUGLEVEL >= 10) {
464 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
465 }
466
467 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
468 prs_mem_free(&p->out_data.frag);
469 return false;
470 }
471 }
472
473 /*
474 * Setup the counts for this PDU.
475 */
476
477 p->out_data.data_sent_length += data_len;
478 p->out_data.current_pdu_sent = 0;
479
480 return True;
481}
482
483/*******************************************************************
484 Generate the next PDU to be returned from the data in p->rdata.
485 No authentication done.
486********************************************************************/
487
488static bool create_next_pdu_noauth(pipes_struct *p)
489{
490 RPC_HDR_RESP hdr_resp;
491 uint32 data_len;
492 uint32 data_space_available;
493 uint32 data_len_left;
494
495 /*
496 * If we're in the fault state, keep returning fault PDU's until
497 * the pipe gets closed. JRA.
498 */
499
500 if(p->fault_state) {
501 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
502 return True;
503 }
504
505 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
506
507 /* Change the incoming request header to a response. */
508 p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
509
510 /* Set up rpc header flags. */
511 if (p->out_data.data_sent_length == 0) {
512 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
513 } else {
514 p->hdr.flags = 0;
515 }
516
517 /*
518 * Work out how much we can fit in a single PDU.
519 */
520
521 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
522
523 /*
524 * Ensure there really is data left to send.
525 */
526
527 if(!data_len_left) {
528 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
529 return False;
530 }
531
532 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
533 - RPC_HDR_RESP_LEN;
534
535 /*
536 * The amount we send is the minimum of the available
537 * space and the amount left to send.
538 */
539
540 data_len = MIN(data_len_left, data_space_available);
541
542 /*
543 * Set up the alloc hint. This should be the data left to
544 * send.
545 */
546
547 hdr_resp.alloc_hint = data_len_left;
548
549 /*
550 * Work out if this PDU will be the last.
551 */
552
553 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
554 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
555 }
556
557 /*
558 * Set up the header lengths.
559 */
560
561 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
562 p->hdr.auth_len = 0;
563
564 /*
565 * Init the parse struct to point at the outgoing
566 * data.
567 */
568
569 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
570
571 /* Store the header in the data stream. */
572 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
573 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
574 prs_mem_free(&p->out_data.frag);
575 return False;
576 }
577
578 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
579 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
580 prs_mem_free(&p->out_data.frag);
581 return False;
582 }
583
584 /* Copy the data into the PDU. */
585
586 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
587 p->out_data.data_sent_length, data_len)) {
588 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
589 prs_mem_free(&p->out_data.frag);
590 return False;
591 }
592
593 /*
594 * Setup the counts for this PDU.
595 */
596
597 p->out_data.data_sent_length += data_len;
598 p->out_data.current_pdu_sent = 0;
599
600 return True;
601}
602
603/*******************************************************************
604 Generate the next PDU to be returned from the data in p->rdata.
605********************************************************************/
606
607bool create_next_pdu(pipes_struct *p)
608{
609 switch(p->auth.auth_level) {
610 case DCERPC_AUTH_LEVEL_NONE:
611 case DCERPC_AUTH_LEVEL_CONNECT:
612 /* This is incorrect for auth level connect. Fixme. JRA */
613 return create_next_pdu_noauth(p);
614
615 default:
616 switch(p->auth.auth_type) {
617 case PIPE_AUTH_TYPE_NTLMSSP:
618 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
619 return create_next_pdu_ntlmssp(p);
620 case PIPE_AUTH_TYPE_SCHANNEL:
621 return create_next_pdu_schannel(p);
622 default:
623 break;
624 }
625 }
626
627 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
628 (unsigned int)p->auth.auth_level,
629 (unsigned int)p->auth.auth_type));
630 return False;
631}
632
633/*******************************************************************
634 Process an NTLMSSP authentication response.
635 If this function succeeds, the user has been authenticated
636 and their domain, name and calling workstation stored in
637 the pipe struct.
638*******************************************************************/
639
640static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
641{
642 DATA_BLOB session_key, reply;
643 NTSTATUS status;
644 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
645 bool ret;
646
647 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
648 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
649
650 ZERO_STRUCT(reply);
651
652 /* this has to be done as root in order to verify the password */
653 become_root();
654 status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
655 unbecome_root();
656
657 /* Don't generate a reply. */
658 data_blob_free(&reply);
659
660 if (!NT_STATUS_IS_OK(status)) {
661 return False;
662 }
663
664 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
665 ensure the underlying NTLMSSP flags are also set. If not we should
666 refuse the bind. */
667
668 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
669 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
670 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
671 "but client declined signing.\n",
672 get_pipe_name_from_syntax(talloc_tos(),
673 &p->syntax)));
674 return False;
675 }
676 }
677 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
678 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
679 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
680 "but client declined sealing.\n",
681 get_pipe_name_from_syntax(talloc_tos(),
682 &p->syntax)));
683 return False;
684 }
685 }
686
687 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688 "workstation: %s\n", a->ntlmssp_state->user,
689 a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691 if (a->server_info->ptok == NULL) {
692 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693 return False;
694 }
695
696 TALLOC_FREE(p->server_info);
697
698 p->server_info = copy_serverinfo(p, a->server_info);
699 if (p->server_info == NULL) {
700 DEBUG(0, ("copy_serverinfo failed\n"));
701 return false;
702 }
703
704 /*
705 * We're an authenticated bind over smb, so the session key needs to
706 * be set to "SystemLibraryDTC". Weird, but this is what Windows
707 * does. See the RPC-SAMBA3SESSIONKEY.
708 */
709
710 session_key = generic_session_key();
711 if (session_key.data == NULL) {
712 return False;
713 }
714
715 ret = server_info_set_session_key(p->server_info, session_key);
716
717 data_blob_free(&session_key);
718
719 return True;
720}
721
722/*******************************************************************
723 The switch table for the pipe names and the functions to handle them.
724*******************************************************************/
725
726struct rpc_table {
727 struct {
728 const char *clnt;
729 const char *srv;
730 } pipe;
731 struct ndr_syntax_id rpc_interface;
732 const struct api_struct *cmds;
733 int n_cmds;
734};
735
736static struct rpc_table *rpc_lookup;
737static int rpc_lookup_size;
738
739/*******************************************************************
740 This is the "stage3" NTLMSSP response after a bind request and reply.
741*******************************************************************/
742
743bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744{
745 RPC_HDR_AUTH auth_info;
746 uint32 pad = 0;
747 DATA_BLOB blob;
748
749 ZERO_STRUCT(blob);
750
751 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753 if (p->hdr.auth_len == 0) {
754 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755 goto err;
756 }
757
758 /* 4 bytes padding. */
759 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761 goto err;
762 }
763
764 /*
765 * Decode the authentication verifier response.
766 */
767
768 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770 goto err;
771 }
772
773 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775 (unsigned int)auth_info.auth_type ));
776 return False;
777 }
778
779 blob = data_blob(NULL,p->hdr.auth_len);
780
781 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783 (unsigned int)p->hdr.auth_len ));
784 goto err;
785 }
786
787 /*
788 * The following call actually checks the challenge/response data.
789 * for correctness against the given DOMAIN\user name.
790 */
791
792 if (!pipe_ntlmssp_verify_final(p, &blob)) {
793 goto err;
794 }
795
796 data_blob_free(&blob);
797
798 p->pipe_bound = True;
799
800 return True;
801
802 err:
803
804 data_blob_free(&blob);
805 free_pipe_ntlmssp_auth_data(&p->auth);
806 p->auth.a_u.auth_ntlmssp_state = NULL;
807
808 return False;
809}
810
811/*******************************************************************
812 Marshall a bind_nak pdu.
813*******************************************************************/
814
815static bool setup_bind_nak(pipes_struct *p)
816{
817 RPC_HDR nak_hdr;
818 uint16 zero = 0;
819
820 /* Free any memory in the current return data buffer. */
821 prs_mem_free(&p->out_data.rdata);
822
823 /*
824 * Marshall directly into the outgoing PDU space. We
825 * must do this as we need to set to the bind response
826 * header and are never sending more than one PDU here.
827 */
828
829 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831 /*
832 * Initialize a bind_nak header.
833 */
834
835 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838 /*
839 * Marshall the header into the outgoing PDU.
840 */
841
842 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844 prs_mem_free(&p->out_data.frag);
845 return False;
846 }
847
848 /*
849 * Now add the reject reason.
850 */
851
852 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853 prs_mem_free(&p->out_data.frag);
854 return False;
855 }
856
857 p->out_data.data_sent_length = 0;
858 p->out_data.current_pdu_sent = 0;
859
860 if (p->auth.auth_data_free_func) {
861 (*p->auth.auth_data_free_func)(&p->auth);
862 }
863 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865 p->pipe_bound = False;
866
867 return True;
868}
869
870/*******************************************************************
871 Marshall a fault pdu.
872*******************************************************************/
873
874bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875{
876 RPC_HDR fault_hdr;
877 RPC_HDR_RESP hdr_resp;
878 RPC_HDR_FAULT fault_resp;
879
880 /* Free any memory in the current return data buffer. */
881 prs_mem_free(&p->out_data.rdata);
882
883 /*
884 * Marshall directly into the outgoing PDU space. We
885 * must do this as we need to set to the bind response
886 * header and are never sending more than one PDU here.
887 */
888
889 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891 /*
892 * Initialize a fault header.
893 */
894
895 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898 /*
899 * Initialize the HDR_RESP and FAULT parts of the PDU.
900 */
901
902 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904 fault_resp.status = status;
905 fault_resp.reserved = 0;
906
907 /*
908 * Marshall the header into the outgoing PDU.
909 */
910
911 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913 prs_mem_free(&p->out_data.frag);
914 return False;
915 }
916
917 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919 prs_mem_free(&p->out_data.frag);
920 return False;
921 }
922
923 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925 prs_mem_free(&p->out_data.frag);
926 return False;
927 }
928
929 p->out_data.data_sent_length = 0;
930 p->out_data.current_pdu_sent = 0;
931
932 return True;
933}
934
935#if 0
936/*******************************************************************
937 Marshall a cancel_ack pdu.
938 We should probably check the auth-verifier here.
939*******************************************************************/
940
941bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942{
943 prs_struct outgoing_pdu;
944 RPC_HDR ack_reply_hdr;
945
946 /* Free any memory in the current return data buffer. */
947 prs_mem_free(&p->out_data.rdata);
948
949 /*
950 * Marshall directly into the outgoing PDU space. We
951 * must do this as we need to set to the bind response
952 * header and are never sending more than one PDU here.
953 */
954
955 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958 /*
959 * Initialize a cancel_ack header.
960 */
961
962 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963 p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965 /*
966 * Marshall the header into the outgoing PDU.
967 */
968
969 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971 prs_mem_free(&outgoing_pdu);
972 return False;
973 }
974
975 p->out_data.data_sent_length = 0;
976 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977 p->out_data.current_pdu_sent = 0;
978
979 prs_mem_free(&outgoing_pdu);
980 return True;
981}
982#endif
983
984/*******************************************************************
985 Ensure a bind request has the correct abstract & transfer interface.
986 Used to reject unknown binds from Win2k.
987*******************************************************************/
988
989static bool check_bind_req(struct pipes_struct *p,
990 struct ndr_syntax_id* abstract,
991 struct ndr_syntax_id* transfer,
992 uint32 context_id)
993{
994 int i=0;
995 struct pipe_rpc_fns *context_fns;
996
997 DEBUG(3,("check_bind_req for %s\n",
998 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
999
1000 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1001
1002 for (i=0; i<rpc_lookup_size; i++) {
1003 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1004 if (ndr_syntax_id_equal(
1005 abstract, &rpc_lookup[i].rpc_interface)
1006 && ndr_syntax_id_equal(
1007 transfer, &ndr_transfer_syntax)) {
1008 break;
1009 }
1010 }
1011
1012 if (i == rpc_lookup_size) {
1013 return false;
1014 }
1015
1016 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1017 if (context_fns == NULL) {
1018 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1019 return False;
1020 }
1021
1022 context_fns->cmds = rpc_lookup[i].cmds;
1023 context_fns->n_cmds = rpc_lookup[i].n_cmds;
1024 context_fns->context_id = context_id;
1025
1026 /* add to the list of open contexts */
1027
1028 DLIST_ADD( p->contexts, context_fns );
1029
1030 return True;
1031}
1032
1033/*******************************************************************
1034 Register commands to an RPC pipe
1035*******************************************************************/
1036
1037NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1038 const struct ndr_interface_table *iface,
1039 const struct api_struct *cmds, int size)
1040{
1041 struct rpc_table *rpc_entry;
1042
1043 if (!clnt || !srv || !cmds) {
1044 return NT_STATUS_INVALID_PARAMETER;
1045 }
1046
1047 if (version != SMB_RPC_INTERFACE_VERSION) {
1048 DEBUG(0,("Can't register rpc commands!\n"
1049 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1050 ", while this version of samba uses version %d!\n",
1051 version,SMB_RPC_INTERFACE_VERSION));
1052 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1053 }
1054
1055 /* TODO:
1056 *
1057 * we still need to make sure that don't register the same commands twice!!!
1058 *
1059 * --metze
1060 */
1061
1062 /* We use a temporary variable because this call can fail and
1063 rpc_lookup will still be valid afterwards. It could then succeed if
1064 called again later */
1065 rpc_lookup_size++;
1066 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1067 if (NULL == rpc_entry) {
1068 rpc_lookup_size--;
1069 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1070 return NT_STATUS_NO_MEMORY;
1071 } else {
1072 rpc_lookup = rpc_entry;
1073 }
1074
1075 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1076 ZERO_STRUCTP(rpc_entry);
1077 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1078 rpc_entry->pipe.srv = SMB_STRDUP(srv);
1079 rpc_entry->rpc_interface = iface->syntax_id;
1080 rpc_entry->cmds = cmds;
1081 rpc_entry->n_cmds = size;
1082
1083 return NT_STATUS_OK;
1084}
1085
1086/**
1087 * Is a named pipe known?
1088 * @param[in] cli_filename The pipe name requested by the client
1089 * @result Do we want to serve this?
1090 */
1091bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1092{
1093 const char *pipename = cli_filename;
1094 int i;
1095 NTSTATUS status;
1096
1097 if (strnequal(pipename, "\\PIPE\\", 6)) {
1098 pipename += 5;
1099 }
1100
1101 if (*pipename == '\\') {
1102 pipename += 1;
1103 }
1104
1105 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1106 DEBUG(10, ("refusing spoolss access\n"));
1107 return false;
1108 }
1109
1110 for (i=0; i<rpc_lookup_size; i++) {
1111 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1112 *syntax = rpc_lookup[i].rpc_interface;
1113 return true;
1114 }
1115 }
1116
1117 status = smb_probe_module("rpc", pipename);
1118 if (!NT_STATUS_IS_OK(status)) {
1119 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1120 return false;
1121 }
1122 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1123
1124 /*
1125 * Scan the list again for the interface id
1126 */
1127
1128 for (i=0; i<rpc_lookup_size; i++) {
1129 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1130 *syntax = rpc_lookup[i].rpc_interface;
1131 return true;
1132 }
1133 }
1134
1135 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1136 pipename));
1137
1138 return false;
1139}
1140
1141/*******************************************************************
1142 Handle a SPNEGO krb5 bind auth.
1143*******************************************************************/
1144
1145static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1146 DATA_BLOB *psecblob, prs_struct *pout_auth)
1147{
1148 return False;
1149}
1150
1151/*******************************************************************
1152 Handle the first part of a SPNEGO bind auth.
1153*******************************************************************/
1154
1155static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1156 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1157{
1158 DATA_BLOB blob;
1159 DATA_BLOB secblob;
1160 DATA_BLOB response;
1161 DATA_BLOB chal;
1162 char *OIDs[ASN1_MAX_OIDS];
1163 int i;
1164 NTSTATUS status;
1165 bool got_kerberos_mechanism = false;
1166 AUTH_NTLMSSP_STATE *a = NULL;
1167 RPC_HDR_AUTH auth_info;
1168
1169 ZERO_STRUCT(secblob);
1170 ZERO_STRUCT(chal);
1171 ZERO_STRUCT(response);
1172
1173 /* Grab the SPNEGO blob. */
1174 blob = data_blob(NULL,p->hdr.auth_len);
1175
1176 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1177 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1178 (unsigned int)p->hdr.auth_len ));
1179 goto err;
1180 }
1181
1182 if (blob.data[0] != ASN1_APPLICATION(0)) {
1183 goto err;
1184 }
1185
1186 /* parse out the OIDs and the first sec blob */
1187 if (!parse_negTokenTarg(blob, OIDs, &secblob) ||
1188 OIDs[0] == NULL) {
1189 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1190 goto err;
1191 }
1192
1193 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1194 got_kerberos_mechanism = true;
1195 }
1196
1197 for (i=0;OIDs[i];i++) {
1198 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1199 TALLOC_FREE(OIDs[i]);
1200 }
1201 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1202
1203 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1204 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1205 data_blob_free(&secblob);
1206 data_blob_free(&blob);
1207 return ret;
1208 }
1209
1210 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1211 /* Free any previous auth type. */
1212 free_pipe_ntlmssp_auth_data(&p->auth);
1213 }
1214
1215 if (!got_kerberos_mechanism) {
1216 /* Initialize the NTLM engine. */
1217 status = auth_ntlmssp_start(&a);
1218 if (!NT_STATUS_IS_OK(status)) {
1219 goto err;
1220 }
1221
1222 /*
1223 * Pass the first security blob of data to it.
1224 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1225 * which means we need another packet to complete the bind.
1226 */
1227
1228 status = auth_ntlmssp_update(a, secblob, &chal);
1229
1230 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1231 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1232 goto err;
1233 }
1234
1235 /* Generate the response blob we need for step 2 of the bind. */
1236 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1237 } else {
1238 /*
1239 * SPNEGO negotiate down to NTLMSSP. The subsequent
1240 * code to process follow-up packets is not complete
1241 * yet. JRA.
1242 */
1243 response = spnego_gen_auth_response(NULL,
1244 NT_STATUS_MORE_PROCESSING_REQUIRED,
1245 OID_NTLMSSP);
1246 }
1247
1248 /* Copy the blob into the pout_auth parse struct */
1249 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1250 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1251 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1252 goto err;
1253 }
1254
1255 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1256 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1257 goto err;
1258 }
1259
1260 p->auth.a_u.auth_ntlmssp_state = a;
1261 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1262 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1263
1264 data_blob_free(&blob);
1265 data_blob_free(&secblob);
1266 data_blob_free(&chal);
1267 data_blob_free(&response);
1268
1269 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1270 return True;
1271
1272 err:
1273
1274 data_blob_free(&blob);
1275 data_blob_free(&secblob);
1276 data_blob_free(&chal);
1277 data_blob_free(&response);
1278
1279 p->auth.a_u.auth_ntlmssp_state = NULL;
1280
1281 return False;
1282}
1283
1284/*******************************************************************
1285 Handle the second part of a SPNEGO bind auth.
1286*******************************************************************/
1287
1288static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1289 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1290{
1291 RPC_HDR_AUTH auth_info;
1292 DATA_BLOB spnego_blob;
1293 DATA_BLOB auth_blob;
1294 DATA_BLOB auth_reply;
1295 DATA_BLOB response;
1296 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1297
1298 ZERO_STRUCT(spnego_blob);
1299 ZERO_STRUCT(auth_blob);
1300 ZERO_STRUCT(auth_reply);
1301 ZERO_STRUCT(response);
1302
1303 /*
1304 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1305 * fail here as 'a' == NULL.
1306 */
1307 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1308 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1309 goto err;
1310 }
1311
1312 /* Grab the SPNEGO blob. */
1313 spnego_blob = data_blob(NULL,p->hdr.auth_len);
1314
1315 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1316 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1317 (unsigned int)p->hdr.auth_len ));
1318 goto err;
1319 }
1320
1321 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1322 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1323 goto err;
1324 }
1325
1326 if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1327 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1328 goto err;
1329 }
1330
1331 /*
1332 * The following call actually checks the challenge/response data.
1333 * for correctness against the given DOMAIN\user name.
1334 */
1335
1336 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1337 goto err;
1338 }
1339
1340 data_blob_free(&spnego_blob);
1341 data_blob_free(&auth_blob);
1342
1343 /* Generate the spnego "accept completed" blob - no incoming data. */
1344 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1345
1346 /* Copy the blob into the pout_auth parse struct */
1347 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1348 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1349 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1350 goto err;
1351 }
1352
1353 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1354 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1355 goto err;
1356 }
1357
1358 data_blob_free(&auth_reply);
1359 data_blob_free(&response);
1360
1361 p->pipe_bound = True;
1362
1363 return True;
1364
1365 err:
1366
1367 data_blob_free(&spnego_blob);
1368 data_blob_free(&auth_blob);
1369 data_blob_free(&auth_reply);
1370 data_blob_free(&response);
1371
1372 free_pipe_ntlmssp_auth_data(&p->auth);
1373 p->auth.a_u.auth_ntlmssp_state = NULL;
1374
1375 return False;
1376}
1377
1378/*******************************************************************
1379 Handle an schannel bind auth.
1380*******************************************************************/
1381
1382static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1383 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1384{
1385 RPC_HDR_AUTH auth_info;
1386 struct NL_AUTH_MESSAGE neg;
1387 struct NL_AUTH_MESSAGE reply;
1388 bool ret;
1389 NTSTATUS status;
1390 struct netlogon_creds_CredentialState *creds;
1391 DATA_BLOB session_key;
1392 enum ndr_err_code ndr_err;
1393 DATA_BLOB blob;
1394
1395 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1396 prs_data_size(rpc_in_p));
1397
1398 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1399 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1400 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1401 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1402 return false;
1403 }
1404
1405 if (DEBUGLEVEL >= 10) {
1406 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1407 }
1408
1409 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1410 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1411 return false;
1412 }
1413
1414 /*
1415 * The neg.oem_netbios_computer.a key here must match the remote computer name
1416 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1417 * operations that use credentials.
1418 */
1419
1420 become_root();
1421 status = schannel_fetch_session_key(p,
1422 neg.oem_netbios_computer.a,
1423 &creds);
1424 unbecome_root();
1425
1426 if (!NT_STATUS_IS_OK(status)) {
1427 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1428 return False;
1429 }
1430
1431 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1432 if (!p->auth.a_u.schannel_auth) {
1433 TALLOC_FREE(creds);
1434 return False;
1435 }
1436
1437 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1438 p->auth.a_u.schannel_auth->seq_num = 0;
1439 p->auth.a_u.schannel_auth->initiator = false;
1440 p->auth.a_u.schannel_auth->creds = creds;
1441
1442 /*
1443 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1444 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1445 * struct of the person who opened the pipe. I need to test this further. JRA.
1446 *
1447 * VL. As we are mapping this to guest set the generic key
1448 * "SystemLibraryDTC" key here. It's a bit difficult to test against
1449 * W2k3, as it does not allow schannel binds against SAMR and LSA
1450 * anymore.
1451 */
1452
1453 session_key = generic_session_key();
1454 if (session_key.data == NULL) {
1455 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1456 " key\n"));
1457 return false;
1458 }
1459
1460 ret = server_info_set_session_key(p->server_info, session_key);
1461
1462 data_blob_free(&session_key);
1463
1464 if (!ret) {
1465 DEBUG(0, ("server_info_set_session_key failed\n"));
1466 return false;
1467 }
1468
1469 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1470 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1471 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1472 return False;
1473 }
1474
1475 /*** SCHANNEL verifier ***/
1476
1477 reply.MessageType = NL_NEGOTIATE_RESPONSE;
1478 reply.Flags = 0;
1479 reply.Buffer.dummy = 5; /* ??? actually I don't think
1480 * this has any meaning
1481 * here - gd */
1482
1483 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1484 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1485 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1486 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1487 return false;
1488 }
1489
1490 if (DEBUGLEVEL >= 10) {
1491 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1492 }
1493
1494 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1495 return false;
1496 }
1497
1498 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1499 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1500
1501 /* We're finished with this bind - no more packets. */
1502 p->auth.auth_data_free_func = NULL;
1503 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1504
1505 p->pipe_bound = True;
1506
1507 return True;
1508}
1509
1510/*******************************************************************
1511 Handle an NTLMSSP bind auth.
1512*******************************************************************/
1513
1514static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1515 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1516{
1517 RPC_HDR_AUTH auth_info;
1518 DATA_BLOB blob;
1519 DATA_BLOB response;
1520 NTSTATUS status;
1521 AUTH_NTLMSSP_STATE *a = NULL;
1522
1523 ZERO_STRUCT(blob);
1524 ZERO_STRUCT(response);
1525
1526 /* Grab the NTLMSSP blob. */
1527 blob = data_blob(NULL,p->hdr.auth_len);
1528
1529 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1530 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1531 (unsigned int)p->hdr.auth_len ));
1532 goto err;
1533 }
1534
1535 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1536 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1537 goto err;
1538 }
1539
1540 /* We have an NTLMSSP blob. */
1541 status = auth_ntlmssp_start(&a);
1542 if (!NT_STATUS_IS_OK(status)) {
1543 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1544 nt_errstr(status) ));
1545 goto err;
1546 }
1547
1548 status = auth_ntlmssp_update(a, blob, &response);
1549 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1550 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1551 nt_errstr(status) ));
1552 goto err;
1553 }
1554
1555 data_blob_free(&blob);
1556
1557 /* Copy the blob into the pout_auth parse struct */
1558 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1559 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1560 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1561 goto err;
1562 }
1563
1564 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1565 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1566 goto err;
1567 }
1568
1569 p->auth.a_u.auth_ntlmssp_state = a;
1570 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1571 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1572
1573 data_blob_free(&blob);
1574 data_blob_free(&response);
1575
1576 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1577
1578 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1579 return True;
1580
1581 err:
1582
1583 data_blob_free(&blob);
1584 data_blob_free(&response);
1585
1586 free_pipe_ntlmssp_auth_data(&p->auth);
1587 p->auth.a_u.auth_ntlmssp_state = NULL;
1588 return False;
1589}
1590
1591/*******************************************************************
1592 Respond to a pipe bind request.
1593*******************************************************************/
1594
1595bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1596{
1597 RPC_HDR_BA hdr_ba;
1598 RPC_HDR_RB hdr_rb;
1599 RPC_HDR_AUTH auth_info;
1600 uint16 assoc_gid;
1601 fstring ack_pipe_name;
1602 prs_struct out_hdr_ba;
1603 prs_struct out_auth;
1604 int i = 0;
1605 int auth_len = 0;
1606 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1607
1608 /* No rebinds on a bound pipe - use alter context. */
1609 if (p->pipe_bound) {
1610 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1611 "pipe %s.\n",
1612 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1613 return setup_bind_nak(p);
1614 }
1615
1616 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1617
1618 /*
1619 * Marshall directly into the outgoing PDU space. We
1620 * must do this as we need to set to the bind response
1621 * header and are never sending more than one PDU here.
1622 */
1623
1624 /*
1625 * Setup the memory to marshall the ba header, and the
1626 * auth footers.
1627 */
1628
1629 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1630 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1631 prs_mem_free(&p->out_data.frag);
1632 return False;
1633 }
1634
1635 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1636 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1637 prs_mem_free(&p->out_data.frag);
1638 prs_mem_free(&out_hdr_ba);
1639 return False;
1640 }
1641
1642 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1643
1644 ZERO_STRUCT(hdr_rb);
1645
1646 /* decode the bind request */
1647
1648 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1649 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1650 "struct.\n"));
1651 goto err_exit;
1652 }
1653
1654 if (hdr_rb.num_contexts == 0) {
1655 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1656 goto err_exit;
1657 }
1658
1659 /*
1660 * Try and find the correct pipe name to ensure
1661 * that this is a pipe name we support.
1662 */
1663
1664 for (i = 0; i < rpc_lookup_size; i++) {
1665 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1666 &hdr_rb.rpc_context[0].abstract)) {
1667 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1668 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1669 break;
1670 }
1671 }
1672
1673 if (i == rpc_lookup_size) {
1674 NTSTATUS status;
1675
1676 status = smb_probe_module(
1677 "rpc", get_pipe_name_from_syntax(
1678 talloc_tos(),
1679 &hdr_rb.rpc_context[0].abstract));
1680
1681 if (NT_STATUS_IS_ERR(status)) {
1682 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1683 get_pipe_name_from_syntax(
1684 talloc_tos(),
1685 &hdr_rb.rpc_context[0].abstract)));
1686 prs_mem_free(&p->out_data.frag);
1687 prs_mem_free(&out_hdr_ba);
1688 prs_mem_free(&out_auth);
1689
1690 return setup_bind_nak(p);
1691 }
1692
1693 for (i = 0; i < rpc_lookup_size; i++) {
1694 if (strequal(rpc_lookup[i].pipe.clnt,
1695 get_pipe_name_from_syntax(talloc_tos(),
1696 &p->syntax))) {
1697 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1698 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1699 break;
1700 }
1701 }
1702
1703 if (i == rpc_lookup_size) {
1704 DEBUG(0, ("module %s doesn't provide functions for "
1705 "pipe %s!\n",
1706 get_pipe_name_from_syntax(talloc_tos(),
1707 &p->syntax),
1708 get_pipe_name_from_syntax(talloc_tos(),
1709 &p->syntax)));
1710 goto err_exit;
1711 }
1712 }
1713
1714 /* name has to be \PIPE\xxxxx */
1715 fstrcpy(ack_pipe_name, "\\PIPE\\");
1716 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1717
1718 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1719
1720 /*
1721 * Check if this is an authenticated bind request.
1722 */
1723
1724 if (p->hdr.auth_len) {
1725 /*
1726 * Decode the authentication verifier.
1727 */
1728
1729 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1730 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1731 goto err_exit;
1732 }
1733
1734 auth_type = auth_info.auth_type;
1735
1736 /* Work out if we have to sign or seal etc. */
1737 switch (auth_info.auth_level) {
1738 case DCERPC_AUTH_LEVEL_INTEGRITY:
1739 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1740 break;
1741 case DCERPC_AUTH_LEVEL_PRIVACY:
1742 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1743 break;
1744 default:
1745 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1746 (unsigned int)auth_info.auth_level ));
1747 goto err_exit;
1748 }
1749 } else {
1750 ZERO_STRUCT(auth_info);
1751 }
1752
1753 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1754
1755 switch(auth_type) {
1756 case DCERPC_AUTH_TYPE_NTLMSSP:
1757 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1758 goto err_exit;
1759 }
1760 assoc_gid = 0x7a77;
1761 break;
1762
1763 case DCERPC_AUTH_TYPE_SCHANNEL:
1764 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1765 goto err_exit;
1766 }
1767 break;
1768
1769 case DCERPC_AUTH_TYPE_SPNEGO:
1770 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1771 goto err_exit;
1772 }
1773 break;
1774
1775 case DCERPC_AUTH_TYPE_NONE:
1776 /* Unauthenticated bind request. */
1777 /* We're finished - no more packets. */
1778 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1779 /* We must set the pipe auth_level here also. */
1780 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1781 p->pipe_bound = True;
1782 /* The session key was initialized from the SMB
1783 * session in make_internal_rpc_pipe_p */
1784 break;
1785
1786 default:
1787 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1788 goto err_exit;
1789 }
1790
1791 /*
1792 * Create the bind response struct.
1793 */
1794
1795 /* If the requested abstract synt uuid doesn't match our client pipe,
1796 reject the bind_ack & set the transfer interface synt to all 0's,
1797 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1798 unknown to NT4)
1799 Needed when adding entries to a DACL from NT5 - SK */
1800
1801 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1802 hdr_rb.rpc_context[0].context_id )) {
1803 init_rpc_hdr_ba(&hdr_ba,
1804 RPC_MAX_PDU_FRAG_LEN,
1805 RPC_MAX_PDU_FRAG_LEN,
1806 assoc_gid,
1807 ack_pipe_name,
1808 0x1, 0x0, 0x0,
1809 &hdr_rb.rpc_context[0].transfer[0]);
1810 } else {
1811 /* Rejection reason: abstract syntax not supported */
1812 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1813 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1814 ack_pipe_name, 0x1, 0x2, 0x1,
1815 &null_ndr_syntax_id);
1816 p->pipe_bound = False;
1817 }
1818
1819 /*
1820 * and marshall it.
1821 */
1822
1823 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1824 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1825 goto err_exit;
1826 }
1827
1828 /*
1829 * Create the header, now we know the length.
1830 */
1831
1832 if (prs_offset(&out_auth)) {
1833 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1834 }
1835
1836 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1837 p->hdr.call_id,
1838 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1839 auth_len);
1840
1841 /*
1842 * Marshall the header into the outgoing PDU.
1843 */
1844
1845 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1846 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1847 goto err_exit;
1848 }
1849
1850 /*
1851 * Now add the RPC_HDR_BA and any auth needed.
1852 */
1853
1854 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1855 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1856 goto err_exit;
1857 }
1858
1859 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1860 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1861 goto err_exit;
1862 }
1863
1864 /*
1865 * Setup the lengths for the initial reply.
1866 */
1867
1868 p->out_data.data_sent_length = 0;
1869 p->out_data.current_pdu_sent = 0;
1870
1871 prs_mem_free(&out_hdr_ba);
1872 prs_mem_free(&out_auth);
1873
1874 return True;
1875
1876 err_exit:
1877
1878 prs_mem_free(&p->out_data.frag);
1879 prs_mem_free(&out_hdr_ba);
1880 prs_mem_free(&out_auth);
1881 return setup_bind_nak(p);
1882}
1883
1884/****************************************************************************
1885 Deal with an alter context call. Can be third part of 3 leg auth request for
1886 SPNEGO calls.
1887****************************************************************************/
1888
1889bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1890{
1891 RPC_HDR_BA hdr_ba;
1892 RPC_HDR_RB hdr_rb;
1893 RPC_HDR_AUTH auth_info;
1894 uint16 assoc_gid;
1895 fstring ack_pipe_name;
1896 prs_struct out_hdr_ba;
1897 prs_struct out_auth;
1898 int auth_len = 0;
1899
1900 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1901
1902 /*
1903 * Marshall directly into the outgoing PDU space. We
1904 * must do this as we need to set to the bind response
1905 * header and are never sending more than one PDU here.
1906 */
1907
1908 /*
1909 * Setup the memory to marshall the ba header, and the
1910 * auth footers.
1911 */
1912
1913 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1914 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1915 prs_mem_free(&p->out_data.frag);
1916 return False;
1917 }
1918
1919 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1920 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1921 prs_mem_free(&p->out_data.frag);
1922 prs_mem_free(&out_hdr_ba);
1923 return False;
1924 }
1925
1926 ZERO_STRUCT(hdr_rb);
1927
1928 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1929
1930 /* decode the alter context request */
1931 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
1932 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1933 goto err_exit;
1934 }
1935
1936 /* secondary address CAN be NULL
1937 * as the specs say it's ignored.
1938 * It MUST be NULL to have the spoolss working.
1939 */
1940 fstrcpy(ack_pipe_name,"");
1941
1942 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1943
1944 /*
1945 * Check if this is an authenticated alter context request.
1946 */
1947
1948 if (p->hdr.auth_len != 0) {
1949 /*
1950 * Decode the authentication verifier.
1951 */
1952
1953 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1954 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1955 goto err_exit;
1956 }
1957
1958 /*
1959 * Currently only the SPNEGO auth type uses the alter ctx
1960 * response in place of the NTLMSSP auth3 type.
1961 */
1962
1963 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1964 /* We can only finish if the pipe is unbound. */
1965 if (!p->pipe_bound) {
1966 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1967 goto err_exit;
1968 }
1969 } else {
1970 goto err_exit;
1971 }
1972 }
1973 } else {
1974 ZERO_STRUCT(auth_info);
1975 }
1976
1977 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1978
1979 /*
1980 * Create the bind response struct.
1981 */
1982
1983 /* If the requested abstract synt uuid doesn't match our client pipe,
1984 reject the bind_ack & set the transfer interface synt to all 0's,
1985 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1986 unknown to NT4)
1987 Needed when adding entries to a DACL from NT5 - SK */
1988
1989 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1990 hdr_rb.rpc_context[0].context_id )) {
1991 init_rpc_hdr_ba(&hdr_ba,
1992 RPC_MAX_PDU_FRAG_LEN,
1993 RPC_MAX_PDU_FRAG_LEN,
1994 assoc_gid,
1995 ack_pipe_name,
1996 0x1, 0x0, 0x0,
1997 &hdr_rb.rpc_context[0].transfer[0]);
1998 } else {
1999 /* Rejection reason: abstract syntax not supported */
2000 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2001 RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2002 ack_pipe_name, 0x1, 0x2, 0x1,
2003 &null_ndr_syntax_id);
2004 p->pipe_bound = False;
2005 }
2006
2007 /*
2008 * and marshall it.
2009 */
2010
2011 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2012 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2013 goto err_exit;
2014 }
2015
2016 /*
2017 * Create the header, now we know the length.
2018 */
2019
2020 if (prs_offset(&out_auth)) {
2021 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2022 }
2023
2024 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2025 p->hdr.call_id,
2026 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2027 auth_len);
2028
2029 /*
2030 * Marshall the header into the outgoing PDU.
2031 */
2032
2033 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2034 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2035 goto err_exit;
2036 }
2037
2038 /*
2039 * Now add the RPC_HDR_BA and any auth needed.
2040 */
2041
2042 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2043 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2044 goto err_exit;
2045 }
2046
2047 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2048 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2049 goto err_exit;
2050 }
2051
2052 /*
2053 * Setup the lengths for the initial reply.
2054 */
2055
2056 p->out_data.data_sent_length = 0;
2057 p->out_data.current_pdu_sent = 0;
2058
2059 prs_mem_free(&out_hdr_ba);
2060 prs_mem_free(&out_auth);
2061
2062 return True;
2063
2064 err_exit:
2065
2066 prs_mem_free(&p->out_data.frag);
2067 prs_mem_free(&out_hdr_ba);
2068 prs_mem_free(&out_auth);
2069 return setup_bind_nak(p);
2070}
2071
2072/****************************************************************************
2073 Deal with NTLMSSP sign & seal processing on an RPC request.
2074****************************************************************************/
2075
2076bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2077 uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2078{
2079 RPC_HDR_AUTH auth_info;
2080 uint32 auth_len = p->hdr.auth_len;
2081 uint32 save_offset = prs_offset(rpc_in);
2082 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2083 unsigned char *data = NULL;
2084 size_t data_len;
2085 unsigned char *full_packet_data = NULL;
2086 size_t full_packet_data_len;
2087 DATA_BLOB auth_blob;
2088
2089 *pstatus = NT_STATUS_OK;
2090
2091 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2092 return True;
2093 }
2094
2095 if (!a) {
2096 *pstatus = NT_STATUS_INVALID_PARAMETER;
2097 return False;
2098 }
2099
2100 /* Ensure there's enough data for an authenticated request. */
2101 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2102 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2103 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2104 (unsigned int)auth_len ));
2105 *pstatus = NT_STATUS_INVALID_PARAMETER;
2106 return False;
2107 }
2108
2109 /*
2110 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2111 * after the RPC header.
2112 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2113 * functions as NTLMv2 checks the rpc headers also.
2114 */
2115
2116 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2117 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2118
2119 full_packet_data = p->in_data.current_in_pdu;
2120 full_packet_data_len = p->hdr.frag_len - auth_len;
2121
2122 /* Pull the auth header and the following data into a blob. */
2123 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2124 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2125 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2126 *pstatus = NT_STATUS_INVALID_PARAMETER;
2127 return False;
2128 }
2129
2130 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2131 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2132 *pstatus = NT_STATUS_INVALID_PARAMETER;
2133 return False;
2134 }
2135
2136 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2137 auth_blob.length = auth_len;
2138
2139 switch (p->auth.auth_level) {
2140 case DCERPC_AUTH_LEVEL_PRIVACY:
2141 /* Data is encrypted. */
2142 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2143 data, data_len,
2144 full_packet_data,
2145 full_packet_data_len,
2146 &auth_blob);
2147 if (!NT_STATUS_IS_OK(*pstatus)) {
2148 return False;
2149 }
2150 break;
2151 case DCERPC_AUTH_LEVEL_INTEGRITY:
2152 /* Data is signed. */
2153 *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2154 data, data_len,
2155 full_packet_data,
2156 full_packet_data_len,
2157 &auth_blob);
2158 if (!NT_STATUS_IS_OK(*pstatus)) {
2159 return False;
2160 }
2161 break;
2162 default:
2163 *pstatus = NT_STATUS_INVALID_PARAMETER;
2164 return False;
2165 }
2166
2167 /*
2168 * Return the current pointer to the data offset.
2169 */
2170
2171 if(!prs_set_offset(rpc_in, save_offset)) {
2172 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2173 (unsigned int)save_offset ));
2174 *pstatus = NT_STATUS_INVALID_PARAMETER;
2175 return False;
2176 }
2177
2178 /*
2179 * Remember the padding length. We must remove it from the real data
2180 * stream once the sign/seal is done.
2181 */
2182
2183 *p_ss_padding_len = auth_info.auth_pad_len;
2184
2185 return True;
2186}
2187
2188/****************************************************************************
2189 Deal with schannel processing on an RPC request.
2190****************************************************************************/
2191
2192bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2193{
2194 uint32 data_len;
2195 uint32 auth_len;
2196 uint32 save_offset = prs_offset(rpc_in);
2197 RPC_HDR_AUTH auth_info;
2198 DATA_BLOB blob;
2199 NTSTATUS status;
2200 uint8_t *data;
2201
2202 auth_len = p->hdr.auth_len;
2203
2204 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2205 auth_len > RPC_HEADER_LEN +
2206 RPC_HDR_REQ_LEN +
2207 RPC_HDR_AUTH_LEN +
2208 auth_len) {
2209 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2210 return False;
2211 }
2212
2213 /*
2214 * The following is that length of the data we must verify or unseal.
2215 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2216 * preceeding the auth_data.
2217 */
2218
2219 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2220 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2221 (unsigned int)p->hdr.frag_len,
2222 (unsigned int)auth_len ));
2223 return False;
2224 }
2225
2226 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
2227 RPC_HDR_AUTH_LEN - auth_len;
2228
2229 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2230
2231 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2232 DEBUG(0,("cannot move offset to %u.\n",
2233 (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2234 return False;
2235 }
2236
2237 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2238 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2239 return False;
2240 }
2241
2242 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2243 DEBUG(0,("Invalid auth info %d on schannel\n",
2244 auth_info.auth_type));
2245 return False;
2246 }
2247
2248 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2249
2250 if (DEBUGLEVEL >= 10) {
2251 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2252 }
2253
2254 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2255
2256 switch (auth_info.auth_level) {
2257 case DCERPC_AUTH_LEVEL_PRIVACY:
2258 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2259 talloc_tos(),
2260 true,
2261 data,
2262 data_len,
2263 &blob);
2264 break;
2265 case DCERPC_AUTH_LEVEL_INTEGRITY:
2266 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2267 talloc_tos(),
2268 false,
2269 data,
2270 data_len,
2271 &blob);
2272 break;
2273 default:
2274 status = NT_STATUS_INTERNAL_ERROR;
2275 break;
2276 }
2277
2278 if (!NT_STATUS_IS_OK(status)) {
2279 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2280 return false;
2281 }
2282
2283 /*
2284 * Return the current pointer to the data offset.
2285 */
2286
2287 if(!prs_set_offset(rpc_in, save_offset)) {
2288 DEBUG(0,("failed to set offset back to %u\n",
2289 (unsigned int)save_offset ));
2290 return False;
2291 }
2292
2293 /*
2294 * Remember the padding length. We must remove it from the real data
2295 * stream once the sign/seal is done.
2296 */
2297
2298 *p_ss_padding_len = auth_info.auth_pad_len;
2299
2300 return True;
2301}
2302
2303/****************************************************************************
2304 Find the set of RPC functions associated with this context_id
2305****************************************************************************/
2306
2307static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2308{
2309 PIPE_RPC_FNS *fns = NULL;
2310
2311 if ( !list ) {
2312 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
2313 return NULL;
2314 }
2315
2316 for (fns=list; fns; fns=fns->next ) {
2317 if ( fns->context_id == context_id )
2318 return fns;
2319 }
2320 return NULL;
2321}
2322
2323/****************************************************************************
2324 Memory cleanup.
2325****************************************************************************/
2326
2327void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2328{
2329 PIPE_RPC_FNS *tmp = list;
2330 PIPE_RPC_FNS *tmp2;
2331
2332 while (tmp) {
2333 tmp2 = tmp->next;
2334 SAFE_FREE(tmp);
2335 tmp = tmp2;
2336 }
2337
2338 return;
2339}
2340
2341static bool api_rpcTNP(pipes_struct *p,
2342 const struct api_struct *api_rpc_cmds, int n_cmds);
2343
2344/****************************************************************************
2345 Find the correct RPC function to call for this request.
2346 If the pipe is authenticated then become the correct UNIX user
2347 before doing the call.
2348****************************************************************************/
2349
2350bool api_pipe_request(pipes_struct *p)
2351{
2352 bool ret = False;
2353 bool changed_user = False;
2354 PIPE_RPC_FNS *pipe_fns;
2355
2356 if (p->pipe_bound &&
2357 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2358 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2359 if(!become_authenticated_pipe_user(p)) {
2360 prs_mem_free(&p->out_data.rdata);
2361 return False;
2362 }
2363 changed_user = True;
2364 }
2365
2366 DEBUG(5, ("Requested \\PIPE\\%s\n",
2367 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2368
2369 /* get the set of RPC functions for this context */
2370
2371 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2372
2373 if ( pipe_fns ) {
2374 TALLOC_CTX *frame = talloc_stackframe();
2375 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2376 TALLOC_FREE(frame);
2377 }
2378 else {
2379 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2380 p->hdr_req.context_id,
2381 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2382 }
2383
2384 if (changed_user) {
2385 unbecome_authenticated_pipe_user();
2386 }
2387
2388 return ret;
2389}
2390
2391/*******************************************************************
2392 Calls the underlying RPC function for a named pipe.
2393 ********************************************************************/
2394
2395static bool api_rpcTNP(pipes_struct *p,
2396 const struct api_struct *api_rpc_cmds, int n_cmds)
2397{
2398 int fn_num;
2399 uint32 offset1, offset2;
2400
2401 /* interpret the command */
2402 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2403 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2404 p->hdr_req.opnum));
2405
2406 if (DEBUGLEVEL >= 50) {
2407 fstring name;
2408 slprintf(name, sizeof(name)-1, "in_%s",
2409 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2410 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2411 }
2412
2413 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2414 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2415 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2416 break;
2417 }
2418 }
2419
2420 if (fn_num == n_cmds) {
2421 /*
2422 * For an unknown RPC just return a fault PDU but
2423 * return True to allow RPC's on the pipe to continue
2424 * and not put the pipe into fault state. JRA.
2425 */
2426 DEBUG(4, ("unknown\n"));
2427 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2428 return True;
2429 }
2430
2431 offset1 = prs_offset(&p->out_data.rdata);
2432
2433 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
2434 fn_num, api_rpc_cmds[fn_num].fn));
2435 /* do the actual command */
2436 if(!api_rpc_cmds[fn_num].fn(p)) {
2437 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2438 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2439 api_rpc_cmds[fn_num].name));
2440 prs_mem_free(&p->out_data.rdata);
2441 return False;
2442 }
2443
2444 if (p->bad_handle_fault_state) {
2445 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2446 p->bad_handle_fault_state = False;
2447 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2448 return True;
2449 }
2450
2451 if (p->rng_fault_state) {
2452 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2453 p->rng_fault_state = False;
2454 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2455 return True;
2456 }
2457
2458 offset2 = prs_offset(&p->out_data.rdata);
2459 prs_set_offset(&p->out_data.rdata, offset1);
2460 if (DEBUGLEVEL >= 50) {
2461 fstring name;
2462 slprintf(name, sizeof(name)-1, "out_%s",
2463 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2464 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2465 }
2466 prs_set_offset(&p->out_data.rdata, offset2);
2467
2468 DEBUG(5,("api_rpcTNP: called %s successfully\n",
2469 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2470
2471 /* Check for buffer underflow in rpc parsing */
2472
2473 if ((DEBUGLEVEL >= 10) &&
2474 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2475 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2476 char *data = (char *)SMB_MALLOC(data_len);
2477
2478 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2479 if (data) {
2480 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2481 SAFE_FREE(data);
2482 }
2483
2484 }
2485
2486 return True;
2487}
Note: See TracBrowser for help on using the repository browser.