Changeset 745 for trunk/server/source3/rpc_server/srv_pipe.c
- Timestamp:
- Nov 27, 2012, 4:43:17 PM (13 years ago)
- Location:
- trunk/server
- Files:
-
- 2 edited
-
. (modified) (1 prop)
-
source3/rpc_server/srv_pipe.c (modified) (46 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/server
- Property svn:mergeinfo changed
/vendor/current merged: 581,587,591,594,597,600,615,618,740
- Property svn:mergeinfo changed
-
trunk/server/source3/rpc_server/srv_pipe.c
r590 r745 2 2 * Unix SMB/CIFS implementation. 3 3 * RPC Pipe client / server routines 4 * Almost completely rewritten by (C) Jeremy Allison 2005 .4 * Almost completely rewritten by (C) Jeremy Allison 2005 5 5 * 6 6 * This program is free software; you can redistribute it and/or modify … … 29 29 30 30 #include "includes.h" 31 32 31 33 #include "../librpc/gen_ndr/ndr_schannel.h" 32 34 #include "../libcli/auth/schannel.h" 33 35 #include "../libcli/auth/spnego.h" 34 35 extern struct current_user current_user; 36 #include "dcesrv_ntlmssp.h" 37 #include "dcesrv_gssapi.h" 38 #include "dcesrv_spnego.h" 39 #include "rpc_server.h" 40 #include "rpc_dce.h" 41 #include "smbd/smbd.h" 42 #include "auth.h" 43 #include "ntdomain.h" 44 #include "rpc_server/srv_pipe.h" 36 45 37 46 #undef DBGC_CLASS 38 47 #define DBGC_CLASS DBGC_RPC_SRV 39 48 40 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth) 41 { 42 AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state; 43 44 if (a) { 45 auth_ntlmssp_end(&a); 46 } 47 auth->a_u.auth_ntlmssp_state = NULL; 49 /** 50 * Dump everything from the start of the end up of the provided data 51 * into a file, but only at debug level >= 50 52 **/ 53 static void dump_pdu_region(const char *name, int v, 54 DATA_BLOB *data, size_t start, size_t end) 55 { 56 int fd, i; 57 char *fname = NULL; 58 ssize_t sz; 59 60 if (DEBUGLEVEL < 50) return; 61 62 if (start > data->length || end > data->length || start > end) return; 63 64 for (i = 1; i < 100; i++) { 65 if (v != -1) { 66 fname = talloc_asprintf(talloc_tos(), 67 "/tmp/%s_%d.%d.prs", 68 name, v, i); 69 } else { 70 fname = talloc_asprintf(talloc_tos(), 71 "/tmp/%s_%d.prs", 72 name, i); 73 } 74 if (!fname) { 75 return; 76 } 77 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644); 78 if (fd != -1 || errno != EEXIST) break; 79 } 80 if (fd != -1) { 81 sz = write(fd, data->data + start, end - start); 82 i = close(fd); 83 if ((sz != end - start) || (i != 0) ) { 84 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n", 85 fname, (unsigned long)sz, 86 (unsigned long)end - start, i)); 87 } else { 88 DEBUG(0,("created %s\n", fname)); 89 } 90 } 91 TALLOC_FREE(fname); 48 92 } 49 93 50 94 static DATA_BLOB generic_session_key(void) 51 95 { 52 return data_blob ("SystemLibraryDTC", 16);96 return data_blob("SystemLibraryDTC", 16); 53 97 } 54 98 55 99 /******************************************************************* 56 Generate the next PDU to be returned from the data in p->rdata. 57 Handle NTLMSSP. 58 ********************************************************************/ 59 60 static bool create_next_pdu_ntlmssp(pipes_struct *p) 61 { 62 RPC_HDR_RESP hdr_resp; 63 uint32 ss_padding_len = 0; 64 uint32 data_space_available; 65 uint32 data_len_left; 66 uint32 data_len; 100 Generate the next PDU to be returned from the data. 101 ********************************************************************/ 102 103 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx, 104 struct pipe_auth_data *auth, 105 uint32_t call_id, 106 DATA_BLOB *rdata, 107 size_t data_sent_length, 108 DATA_BLOB *frag, 109 size_t *pdu_size) 110 { 111 union dcerpc_payload u; 112 uint8_t pfc_flags; 113 size_t data_left; 114 size_t data_to_send; 115 size_t frag_len; 116 size_t pad_len = 0; 117 size_t auth_len = 0; 67 118 NTSTATUS status; 68 DATA_BLOB auth_blob; 69 RPC_HDR_AUTH auth_info; 70 uint8 auth_type, auth_level; 71 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 72 73 /* 74 * If we're in the fault state, keep returning fault PDU's until 75 * the pipe gets closed. JRA. 76 */ 77 78 if(p->fault_state) { 79 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 80 return True; 81 } 82 83 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 84 85 /* Change the incoming request header to a response. */ 86 p->hdr.pkt_type = DCERPC_PKT_RESPONSE; 87 88 /* Set up rpc header flags. */ 89 if (p->out_data.data_sent_length == 0) { 90 p->hdr.flags = DCERPC_PFC_FLAG_FIRST; 119 120 ZERO_STRUCT(u.response); 121 122 /* Set up rpc packet pfc flags. */ 123 if (data_sent_length == 0) { 124 pfc_flags = DCERPC_PFC_FLAG_FIRST; 91 125 } else { 92 p->hdr.flags = 0; 93 } 94 95 /* 96 * Work out how much we can fit in a single PDU. 97 */ 98 99 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length; 100 101 /* 102 * Ensure there really is data left to send. 103 */ 104 105 if(!data_len_left) { 106 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n")); 107 return False; 108 } 109 110 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN 111 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE; 112 113 /* 114 * The amount we send is the minimum of the available 115 * space and the amount left to send. 116 */ 117 118 data_len = MIN(data_len_left, data_space_available); 119 120 /* 121 * Set up the alloc hint. This should be the data left to 122 * send. 123 */ 124 125 hdr_resp.alloc_hint = data_len_left; 126 127 /* 128 * Work out if this PDU will be the last. 129 */ 130 131 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { 132 p->hdr.flags |= DCERPC_PFC_FLAG_LAST; 133 if (data_len_left % 8) { 134 ss_padding_len = 8 - (data_len_left % 8); 135 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n", 136 ss_padding_len )); 137 } 138 } 139 140 /* 141 * Set up the header lengths. 142 */ 143 144 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + 145 data_len + ss_padding_len + 146 RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE; 147 p->hdr.auth_len = NTLMSSP_SIG_SIZE; 148 149 150 /* 151 * Init the parse struct to point at the outgoing 152 * data. 153 */ 154 155 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 156 157 /* Store the header in the data stream. */ 158 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) { 159 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n")); 160 prs_mem_free(&p->out_data.frag); 161 return False; 162 } 163 164 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 165 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n")); 166 prs_mem_free(&p->out_data.frag); 167 return False; 168 } 169 170 /* Copy the data into the PDU. */ 171 172 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata, 173 p->out_data.data_sent_length, data_len)) { 174 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len)); 175 prs_mem_free(&p->out_data.frag); 176 return False; 177 } 178 179 /* Copy the sign/seal padding data. */ 180 if (ss_padding_len) { 181 char pad[8]; 182 183 memset(pad, '\0', 8); 184 if (!prs_copy_data_in(&p->out_data.frag, pad, 185 ss_padding_len)) { 186 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n", 187 (unsigned int)ss_padding_len)); 188 prs_mem_free(&p->out_data.frag); 189 return False; 190 } 191 } 192 193 194 /* Now write out the auth header and null blob. */ 195 if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) { 196 auth_type = DCERPC_AUTH_TYPE_NTLMSSP; 197 } else { 198 auth_type = DCERPC_AUTH_TYPE_SPNEGO; 199 } 200 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { 201 auth_level = DCERPC_AUTH_LEVEL_PRIVACY; 202 } else { 203 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; 204 } 205 206 init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */); 207 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag, 208 0)) { 209 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n")); 210 prs_mem_free(&p->out_data.frag); 211 return False; 212 } 213 214 /* Generate the sign blob. */ 215 216 switch (p->auth.auth_level) { 217 case DCERPC_AUTH_LEVEL_PRIVACY: 218 /* Data portion is encrypted. */ 219 status = ntlmssp_seal_packet( 220 a->ntlmssp_state, 221 (uint8_t *)prs_data_p(&p->out_data.frag) 222 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN, 223 data_len + ss_padding_len, 224 (unsigned char *)prs_data_p(&p->out_data.frag), 225 (size_t)prs_offset(&p->out_data.frag), 226 &auth_blob); 227 if (!NT_STATUS_IS_OK(status)) { 228 data_blob_free(&auth_blob); 229 prs_mem_free(&p->out_data.frag); 230 return False; 231 } 232 break; 233 case DCERPC_AUTH_LEVEL_INTEGRITY: 234 /* Data is signed. */ 235 status = ntlmssp_sign_packet( 236 a->ntlmssp_state, 237 (unsigned char *)prs_data_p(&p->out_data.frag) 238 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN, 239 data_len + ss_padding_len, 240 (unsigned char *)prs_data_p(&p->out_data.frag), 241 (size_t)prs_offset(&p->out_data.frag), 242 &auth_blob); 243 if (!NT_STATUS_IS_OK(status)) { 244 data_blob_free(&auth_blob); 245 prs_mem_free(&p->out_data.frag); 246 return False; 247 } 248 break; 249 default: 250 prs_mem_free(&p->out_data.frag); 251 return False; 252 } 253 254 /* Append the auth blob. */ 255 if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data, 256 NTLMSSP_SIG_SIZE)) { 257 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n", 258 (unsigned int)NTLMSSP_SIG_SIZE)); 259 data_blob_free(&auth_blob); 260 prs_mem_free(&p->out_data.frag); 261 return False; 262 } 263 264 data_blob_free(&auth_blob); 265 266 /* 267 * Setup the counts for this PDU. 268 */ 269 270 p->out_data.data_sent_length += data_len; 271 p->out_data.current_pdu_sent = 0; 272 273 return True; 274 } 275 276 /******************************************************************* 277 Generate the next PDU to be returned from the data in p->rdata. 278 Return an schannel authenticated fragment. 279 ********************************************************************/ 280 281 static bool create_next_pdu_schannel(pipes_struct *p) 282 { 283 RPC_HDR_RESP hdr_resp; 284 uint32 ss_padding_len = 0; 285 uint32 data_len; 286 uint32 data_space_available; 287 uint32 data_len_left; 288 uint32 data_pos; 289 NTSTATUS status; 290 291 /* 292 * If we're in the fault state, keep returning fault PDU's until 293 * the pipe gets closed. JRA. 294 */ 295 296 if(p->fault_state) { 297 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 298 return True; 299 } 300 301 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 302 303 /* Change the incoming request header to a response. */ 304 p->hdr.pkt_type = DCERPC_PKT_RESPONSE; 305 306 /* Set up rpc header flags. */ 307 if (p->out_data.data_sent_length == 0) { 308 p->hdr.flags = DCERPC_PFC_FLAG_FIRST; 309 } else { 310 p->hdr.flags = 0; 311 } 312 313 /* 314 * Work out how much we can fit in a single PDU. 315 */ 316 317 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length; 318 319 /* 320 * Ensure there really is data left to send. 321 */ 322 323 if(!data_len_left) { 324 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n")); 325 return False; 326 } 327 328 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN 329 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN 330 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; 331 332 /* 333 * The amount we send is the minimum of the available 334 * space and the amount left to send. 335 */ 336 337 data_len = MIN(data_len_left, data_space_available); 338 339 /* 340 * Set up the alloc hint. This should be the data left to 341 * send. 342 */ 343 344 hdr_resp.alloc_hint = data_len_left; 345 346 /* 347 * Work out if this PDU will be the last. 348 */ 349 350 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { 351 p->hdr.flags |= DCERPC_PFC_FLAG_LAST; 352 if (data_len_left % 8) { 353 ss_padding_len = 8 - (data_len_left % 8); 354 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n", 355 ss_padding_len )); 356 } 357 } 358 359 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len + 360 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; 361 p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; 362 363 /* 364 * Init the parse struct to point at the outgoing 365 * data. 366 */ 367 368 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 369 370 /* Store the header in the data stream. */ 371 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) { 372 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n")); 373 prs_mem_free(&p->out_data.frag); 374 return False; 375 } 376 377 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 378 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n")); 379 prs_mem_free(&p->out_data.frag); 380 return False; 381 } 382 383 /* Store the current offset. */ 384 data_pos = prs_offset(&p->out_data.frag); 385 386 /* Copy the data into the PDU. */ 387 388 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata, 389 p->out_data.data_sent_length, data_len)) { 390 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len)); 391 prs_mem_free(&p->out_data.frag); 392 return False; 393 } 394 395 /* Copy the sign/seal padding data. */ 396 if (ss_padding_len) { 397 char pad[8]; 398 memset(pad, '\0', 8); 399 if (!prs_copy_data_in(&p->out_data.frag, pad, 400 ss_padding_len)) { 401 DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len)); 402 prs_mem_free(&p->out_data.frag); 403 return False; 404 } 405 } 406 407 { 408 /* 409 * Schannel processing. 410 */ 411 RPC_HDR_AUTH auth_info; 412 DATA_BLOB blob; 413 uint8_t *data; 414 415 /* Check it's the type of reply we were expecting to decode */ 416 417 init_rpc_hdr_auth(&auth_info, 418 DCERPC_AUTH_TYPE_SCHANNEL, 419 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ? 420 DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY, 421 ss_padding_len, 1); 422 423 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, 424 &p->out_data.frag, 0)) { 425 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n")); 426 prs_mem_free(&p->out_data.frag); 427 return False; 428 } 429 430 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos; 431 432 switch (p->auth.auth_level) { 433 case DCERPC_AUTH_LEVEL_PRIVACY: 434 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth, 435 talloc_tos(), 436 true, 437 data, 438 data_len + ss_padding_len, 439 &blob); 440 break; 441 case DCERPC_AUTH_LEVEL_INTEGRITY: 442 status = netsec_outgoing_packet(p->auth.a_u.schannel_auth, 443 talloc_tos(), 444 false, 445 data, 446 data_len + ss_padding_len, 447 &blob); 448 break; 449 default: 450 status = NT_STATUS_INTERNAL_ERROR; 451 break; 452 } 453 126 pfc_flags = 0; 127 } 128 129 /* Work out how much we can fit in a single PDU. */ 130 data_left = rdata->length - data_sent_length; 131 132 /* Ensure there really is data left to send. */ 133 if (!data_left) { 134 DEBUG(0, ("No data left to send !\n")); 135 return NT_STATUS_BUFFER_TOO_SMALL; 136 } 137 138 status = dcerpc_guess_sizes(auth, 139 DCERPC_RESPONSE_LENGTH, 140 data_left, 141 RPC_MAX_PDU_FRAG_LEN, 142 SERVER_NDR_PADDING_SIZE, 143 &data_to_send, &frag_len, 144 &auth_len, &pad_len); 145 if (!NT_STATUS_IS_OK(status)) { 146 return status; 147 } 148 149 /* Set up the alloc hint. This should be the data left to send. */ 150 u.response.alloc_hint = data_left; 151 152 /* Work out if this PDU will be the last. */ 153 if (data_sent_length + data_to_send >= rdata->length) { 154 pfc_flags |= DCERPC_PFC_FLAG_LAST; 155 } 156 157 /* Prepare data to be NDR encoded. */ 158 u.response.stub_and_verifier = 159 data_blob_const(rdata->data + data_sent_length, data_to_send); 160 161 /* Store the packet in the data stream. */ 162 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE, 163 pfc_flags, auth_len, call_id, 164 &u, frag); 165 if (!NT_STATUS_IS_OK(status)) { 166 DEBUG(0, ("Failed to marshall RPC Packet.\n")); 167 return status; 168 } 169 170 if (auth_len) { 171 /* Set the proper length on the pdu, including padding. 172 * Only needed if an auth trailer will be appended. */ 173 dcerpc_set_frag_length(frag, frag->length 174 + pad_len 175 + DCERPC_AUTH_TRAILER_LENGTH 176 + auth_len); 177 } 178 179 if (auth_len) { 180 status = dcerpc_add_auth_footer(auth, pad_len, frag); 454 181 if (!NT_STATUS_IS_OK(status)) { 455 DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n", 456 nt_errstr(status))); 457 prs_mem_free(&p->out_data.frag); 458 return false; 459 } 460 461 /* Finally marshall the blob. */ 462 463 if (DEBUGLEVEL >= 10) { 464 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob); 465 } 466 467 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) { 468 prs_mem_free(&p->out_data.frag); 469 return false; 470 } 471 } 472 473 /* 474 * Setup the counts for this PDU. 475 */ 476 477 p->out_data.data_sent_length += data_len; 478 p->out_data.current_pdu_sent = 0; 479 480 return True; 481 } 482 483 /******************************************************************* 484 Generate the next PDU to be returned from the data in p->rdata. 485 No authentication done. 486 ********************************************************************/ 487 488 static bool create_next_pdu_noauth(pipes_struct *p) 489 { 490 RPC_HDR_RESP hdr_resp; 491 uint32 data_len; 492 uint32 data_space_available; 493 uint32 data_len_left; 494 495 /* 496 * If we're in the fault state, keep returning fault PDU's until 497 * the pipe gets closed. JRA. 498 */ 499 500 if(p->fault_state) { 501 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 502 return True; 503 } 504 505 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 506 507 /* Change the incoming request header to a response. */ 508 p->hdr.pkt_type = DCERPC_PKT_RESPONSE; 509 510 /* Set up rpc header flags. */ 511 if (p->out_data.data_sent_length == 0) { 512 p->hdr.flags = DCERPC_PFC_FLAG_FIRST; 513 } else { 514 p->hdr.flags = 0; 515 } 516 517 /* 518 * Work out how much we can fit in a single PDU. 519 */ 520 521 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length; 522 523 /* 524 * Ensure there really is data left to send. 525 */ 526 527 if(!data_len_left) { 528 DEBUG(0,("create_next_pdu_noath: no data left to send !\n")); 529 return False; 530 } 531 532 data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN 533 - RPC_HDR_RESP_LEN; 534 535 /* 536 * The amount we send is the minimum of the available 537 * space and the amount left to send. 538 */ 539 540 data_len = MIN(data_len_left, data_space_available); 541 542 /* 543 * Set up the alloc hint. This should be the data left to 544 * send. 545 */ 546 547 hdr_resp.alloc_hint = data_len_left; 548 549 /* 550 * Work out if this PDU will be the last. 551 */ 552 553 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { 554 p->hdr.flags |= DCERPC_PFC_FLAG_LAST; 555 } 556 557 /* 558 * Set up the header lengths. 559 */ 560 561 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len; 562 p->hdr.auth_len = 0; 563 564 /* 565 * Init the parse struct to point at the outgoing 566 * data. 567 */ 568 569 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 570 571 /* Store the header in the data stream. */ 572 if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) { 573 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n")); 574 prs_mem_free(&p->out_data.frag); 575 return False; 576 } 577 578 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 579 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n")); 580 prs_mem_free(&p->out_data.frag); 581 return False; 582 } 583 584 /* Copy the data into the PDU. */ 585 586 if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata, 587 p->out_data.data_sent_length, data_len)) { 588 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len)); 589 prs_mem_free(&p->out_data.frag); 590 return False; 591 } 592 593 /* 594 * Setup the counts for this PDU. 595 */ 596 597 p->out_data.data_sent_length += data_len; 598 p->out_data.current_pdu_sent = 0; 599 600 return True; 182 data_blob_free(frag); 183 return status; 184 } 185 } 186 187 *pdu_size = data_to_send; 188 return NT_STATUS_OK; 601 189 } 602 190 … … 605 193 ********************************************************************/ 606 194 607 bool create_next_pdu(pipes_struct *p) 608 { 609 switch(p->auth.auth_level) { 610 case DCERPC_AUTH_LEVEL_NONE: 611 case DCERPC_AUTH_LEVEL_CONNECT: 612 /* This is incorrect for auth level connect. Fixme. JRA */ 613 return create_next_pdu_noauth(p); 614 615 default: 616 switch(p->auth.auth_type) { 617 case PIPE_AUTH_TYPE_NTLMSSP: 618 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: 619 return create_next_pdu_ntlmssp(p); 620 case PIPE_AUTH_TYPE_SCHANNEL: 621 return create_next_pdu_schannel(p); 622 default: 623 break; 624 } 625 } 626 627 DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u", 628 (unsigned int)p->auth.auth_level, 629 (unsigned int)p->auth.auth_type)); 630 return False; 631 } 632 633 /******************************************************************* 634 Process an NTLMSSP authentication response. 635 If this function succeeds, the user has been authenticated 636 and their domain, name and calling workstation stored in 637 the pipe struct. 638 *******************************************************************/ 639 640 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) 641 { 642 DATA_BLOB session_key, reply; 195 bool create_next_pdu(struct pipes_struct *p) 196 { 197 size_t pdu_size = 0; 643 198 NTSTATUS status; 644 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 645 bool ret; 646 647 DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", 648 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 649 650 ZERO_STRUCT(reply); 651 652 /* this has to be done as root in order to verify the password */ 653 become_root(); 654 status = auth_ntlmssp_update(a, *p_resp_blob, &reply); 655 unbecome_root(); 656 657 /* Don't generate a reply. */ 658 data_blob_free(&reply); 659 199 200 /* 201 * If we're in the fault state, keep returning fault PDU's until 202 * the pipe gets closed. JRA. 203 */ 204 if (p->fault_state) { 205 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); 206 return true; 207 } 208 209 status = create_next_packet(p->mem_ctx, &p->auth, 210 p->call_id, &p->out_data.rdata, 211 p->out_data.data_sent_length, 212 &p->out_data.frag, &pdu_size); 660 213 if (!NT_STATUS_IS_OK(status)) { 661 return False; 662 } 663 664 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) 665 ensure the underlying NTLMSSP flags are also set. If not we should 666 refuse the bind. */ 667 668 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { 669 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { 670 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested " 671 "but client declined signing.\n", 672 get_pipe_name_from_syntax(talloc_tos(), 673 &p->syntax))); 674 return False; 675 } 676 } 677 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { 678 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { 679 DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested " 680 "but client declined sealing.\n", 681 get_pipe_name_from_syntax(talloc_tos(), 682 &p->syntax))); 683 return False; 684 } 685 } 686 687 DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s " 688 "workstation: %s\n", a->ntlmssp_state->user, 689 a->ntlmssp_state->domain, a->ntlmssp_state->workstation)); 690 691 if (a->server_info->ptok == NULL) { 692 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n")); 693 return False; 694 } 695 696 TALLOC_FREE(p->server_info); 697 698 p->server_info = copy_serverinfo(p, a->server_info); 699 if (p->server_info == NULL) { 700 DEBUG(0, ("copy_serverinfo failed\n")); 214 DEBUG(0, ("Failed to create packet with error %s, " 215 "(auth level %u / type %u)\n", 216 nt_errstr(status), 217 (unsigned int)p->auth.auth_level, 218 (unsigned int)p->auth.auth_type)); 701 219 return false; 702 220 } 703 221 704 /* 705 * We're an authenticated bind over smb, so the session key needs to 706 * be set to "SystemLibraryDTC". Weird, but this is what Windows 707 * does. See the RPC-SAMBA3SESSIONKEY. 708 */ 709 710 session_key = generic_session_key(); 711 if (session_key.data == NULL) { 712 return False; 713 } 714 715 ret = server_info_set_session_key(p->server_info, session_key); 716 717 data_blob_free(&session_key); 718 719 return True; 720 } 721 722 /******************************************************************* 723 The switch table for the pipe names and the functions to handle them. 724 *******************************************************************/ 725 726 struct rpc_table { 727 struct { 728 const char *clnt; 729 const char *srv; 730 } pipe; 731 struct ndr_syntax_id rpc_interface; 732 const struct api_struct *cmds; 733 int n_cmds; 734 }; 735 736 static struct rpc_table *rpc_lookup; 737 static int rpc_lookup_size; 738 739 /******************************************************************* 740 This is the "stage3" NTLMSSP response after a bind request and reply. 741 *******************************************************************/ 742 743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p) 744 { 745 RPC_HDR_AUTH auth_info; 746 uint32 pad = 0; 747 DATA_BLOB blob; 748 749 ZERO_STRUCT(blob); 750 751 DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__)); 752 753 if (p->hdr.auth_len == 0) { 754 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n")); 755 goto err; 756 } 757 758 /* 4 bytes padding. */ 759 if (!prs_uint32("pad", rpc_in_p, 0, &pad)) { 760 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n")); 761 goto err; 762 } 763 764 /* 765 * Decode the authentication verifier response. 766 */ 767 768 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) { 769 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n")); 770 goto err; 771 } 772 773 if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { 774 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n", 775 (unsigned int)auth_info.auth_type )); 776 return False; 777 } 778 779 blob = data_blob(NULL,p->hdr.auth_len); 780 781 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) { 782 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n", 783 (unsigned int)p->hdr.auth_len )); 784 goto err; 785 } 786 787 /* 788 * The following call actually checks the challenge/response data. 789 * for correctness against the given DOMAIN\user name. 790 */ 791 792 if (!pipe_ntlmssp_verify_final(p, &blob)) { 793 goto err; 794 } 795 796 data_blob_free(&blob); 797 798 p->pipe_bound = True; 799 800 return True; 801 802 err: 803 804 data_blob_free(&blob); 805 free_pipe_ntlmssp_auth_data(&p->auth); 806 p->auth.a_u.auth_ntlmssp_state = NULL; 807 808 return False; 809 } 222 /* Setup the counts for this PDU. */ 223 p->out_data.data_sent_length += pdu_size; 224 p->out_data.current_pdu_sent = 0; 225 return true; 226 } 227 228 229 static bool pipe_init_outgoing_data(struct pipes_struct *p); 810 230 811 231 /******************************************************************* … … 813 233 *******************************************************************/ 814 234 815 static bool setup_bind_nak( pipes_struct *p)816 { 817 RPC_HDR nak_hdr;818 u int16 zero = 0;235 static bool setup_bind_nak() 236 { 237 ; 238 u; 819 239 820 240 /* Free any memory in the current return data buffer. */ 821 prs_mem_free(&p->out_data.rdata); 241 pipe_init_outgoing_data(p); 242 243 /* 244 * Initialize a bind_nak header. 245 */ 246 247 ZERO_STRUCT(u); 248 249 u.bind_nak.reject_reason = 0; 822 250 823 251 /* … … 827 255 */ 828 256 829 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 830 831 /* 832 * Initialize a bind_nak header. 833 */ 834 835 init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST, 836 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0); 837 838 /* 839 * Marshall the header into the outgoing PDU. 840 */ 841 842 if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) { 843 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n")); 844 prs_mem_free(&p->out_data.frag); 845 return False; 846 } 847 848 /* 849 * Now add the reject reason. 850 */ 851 852 if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) { 853 prs_mem_free(&p->out_data.frag); 257 status = dcerpc_push_ncacn_packet(p->mem_ctx, 258 DCERPC_PKT_BIND_NAK, 259 DCERPC_PFC_FLAG_FIRST | 260 DCERPC_PFC_FLAG_LAST, 261 0, 262 pkt->call_id, 263 &u, 264 &p->out_data.frag); 265 if (!NT_STATUS_IS_OK(status)) { 854 266 return False; 855 267 } … … 858 270 p->out_data.current_pdu_sent = 0; 859 271 860 if (p->auth.auth_data_free_func) { 861 (*p->auth.auth_data_free_func)(&p->auth); 862 } 272 TALLOC_FREE(p->auth.auth_ctx); 863 273 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; 864 p->auth.auth_type = PIPE_AUTH_TYPE_NONE;274 p->auth.auth_type = _AUTH_TYPE_NONE; 865 275 p->pipe_bound = False; 866 276 … … 872 282 *******************************************************************/ 873 283 874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status) 875 { 876 RPC_HDR fault_hdr; 877 RPC_HDR_RESP hdr_resp; 878 RPC_HDR_FAULT fault_resp; 284 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status) 285 { 286 NTSTATUS status; 287 union dcerpc_payload u; 879 288 880 289 /* Free any memory in the current return data buffer. */ 881 prs_mem_free(&p->out_data.rdata); 290 pipe_init_outgoing_data(p); 291 292 /* 293 * Initialize a fault header. 294 */ 295 296 ZERO_STRUCT(u); 297 298 u.fault.status = NT_STATUS_V(fault_status); 299 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4); 882 300 883 301 /* … … 887 305 */ 888 306 889 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 890 891 /* 892 * Initialize a fault header. 893 */ 894 895 init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE, 896 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0); 897 898 /* 899 * Initialize the HDR_RESP and FAULT parts of the PDU. 900 */ 901 902 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp)); 903 904 fault_resp.status = status; 905 fault_resp.reserved = 0; 906 907 /* 908 * Marshall the header into the outgoing PDU. 909 */ 910 911 if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) { 912 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n")); 913 prs_mem_free(&p->out_data.frag); 914 return False; 915 } 916 917 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) { 918 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n")); 919 prs_mem_free(&p->out_data.frag); 920 return False; 921 } 922 923 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) { 924 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n")); 925 prs_mem_free(&p->out_data.frag); 307 status = dcerpc_push_ncacn_packet(p->mem_ctx, 308 DCERPC_PKT_FAULT, 309 DCERPC_PFC_FLAG_FIRST | 310 DCERPC_PFC_FLAG_LAST | 311 DCERPC_PFC_FLAG_DID_NOT_EXECUTE, 312 0, 313 p->call_id, 314 &u, 315 &p->out_data.frag); 316 if (!NT_STATUS_IS_OK(status)) { 926 317 return False; 927 318 } … … 932 323 return True; 933 324 } 934 935 #if 0936 /*******************************************************************937 Marshall a cancel_ack pdu.938 We should probably check the auth-verifier here.939 *******************************************************************/940 941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)942 {943 prs_struct outgoing_pdu;944 RPC_HDR ack_reply_hdr;945 946 /* Free any memory in the current return data buffer. */947 prs_mem_free(&p->out_data.rdata);948 949 /*950 * Marshall directly into the outgoing PDU space. We951 * must do this as we need to set to the bind response952 * header and are never sending more than one PDU here.953 */954 955 prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);956 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);957 958 /*959 * Initialize a cancel_ack header.960 */961 962 init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,963 p->hdr.call_id, RPC_HEADER_LEN, 0);964 965 /*966 * Marshall the header into the outgoing PDU.967 */968 969 if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {970 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));971 prs_mem_free(&outgoing_pdu);972 return False;973 }974 975 p->out_data.data_sent_length = 0;976 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);977 p->out_data.current_pdu_sent = 0;978 979 prs_mem_free(&outgoing_pdu);980 return True;981 }982 #endif983 325 984 326 /******************************************************************* … … 992 334 uint32 context_id) 993 335 { 994 int i=0;995 336 struct pipe_rpc_fns *context_fns; 996 337 … … 999 340 1000 341 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */ 1001 1002 for (i=0; i<rpc_lookup_size; i++) { 1003 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt)); 1004 if (ndr_syntax_id_equal( 1005 abstract, &rpc_lookup[i].rpc_interface) 1006 && ndr_syntax_id_equal( 1007 transfer, &ndr_transfer_syntax)) { 1008 break; 1009 } 1010 } 1011 1012 if (i == rpc_lookup_size) { 342 if (rpc_srv_pipe_exists_by_id(abstract) && 343 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) { 344 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 345 rpc_srv_get_pipe_cli_name(abstract), 346 rpc_srv_get_pipe_srv_name(abstract))); 347 } else { 1013 348 return false; 1014 349 } … … 1020 355 } 1021 356 1022 context_fns->cmds = rpc_lookup[i].cmds; 1023 context_fns->n_cmds = rpc_lookup[i].n_cmds; 357 context_fns->next = context_fns->prev = NULL; 358 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract); 359 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract); 1024 360 context_fns->context_id = context_id; 1025 361 … … 1029 365 1030 366 return True; 1031 }1032 1033 /*******************************************************************1034 Register commands to an RPC pipe1035 *******************************************************************/1036 1037 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,1038 const struct ndr_interface_table *iface,1039 const struct api_struct *cmds, int size)1040 {1041 struct rpc_table *rpc_entry;1042 1043 if (!clnt || !srv || !cmds) {1044 return NT_STATUS_INVALID_PARAMETER;1045 }1046 1047 if (version != SMB_RPC_INTERFACE_VERSION) {1048 DEBUG(0,("Can't register rpc commands!\n"1049 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"1050 ", while this version of samba uses version %d!\n",1051 version,SMB_RPC_INTERFACE_VERSION));1052 return NT_STATUS_OBJECT_TYPE_MISMATCH;1053 }1054 1055 /* TODO:1056 *1057 * we still need to make sure that don't register the same commands twice!!!1058 *1059 * --metze1060 */1061 1062 /* We use a temporary variable because this call can fail and1063 rpc_lookup will still be valid afterwards. It could then succeed if1064 called again later */1065 rpc_lookup_size++;1066 rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);1067 if (NULL == rpc_entry) {1068 rpc_lookup_size--;1069 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));1070 return NT_STATUS_NO_MEMORY;1071 } else {1072 rpc_lookup = rpc_entry;1073 }1074 1075 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);1076 ZERO_STRUCTP(rpc_entry);1077 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);1078 rpc_entry->pipe.srv = SMB_STRDUP(srv);1079 rpc_entry->rpc_interface = iface->syntax_id;1080 rpc_entry->cmds = cmds;1081 rpc_entry->n_cmds = size;1082 1083 return NT_STATUS_OK;1084 367 } 1085 368 … … 1092 375 { 1093 376 const char *pipename = cli_filename; 1094 int i;1095 377 NTSTATUS status; 1096 378 … … 1108 390 } 1109 391 1110 for (i=0; i<rpc_lookup_size; i++) { 1111 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) { 1112 *syntax = rpc_lookup[i].rpc_interface; 1113 return true; 1114 } 392 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) { 393 return true; 1115 394 } 1116 395 … … 1125 404 * Scan the list again for the interface id 1126 405 */ 1127 1128 for (i=0; i<rpc_lookup_size; i++) { 1129 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) { 1130 *syntax = rpc_lookup[i].rpc_interface; 1131 return true; 1132 } 406 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) { 407 return true; 1133 408 } 1134 409 … … 1137 412 1138 413 return false; 1139 }1140 1141 /*******************************************************************1142 Handle a SPNEGO krb5 bind auth.1143 *******************************************************************/1144 1145 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,1146 DATA_BLOB *psecblob, prs_struct *pout_auth)1147 {1148 return False;1149 414 } 1150 415 … … 1153 418 *******************************************************************/ 1154 419 1155 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p, 1156 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth) 1157 { 1158 DATA_BLOB blob; 1159 DATA_BLOB secblob; 1160 DATA_BLOB response; 1161 DATA_BLOB chal; 1162 char *OIDs[ASN1_MAX_OIDS]; 1163 int i; 420 static bool pipe_spnego_auth_bind(struct pipes_struct *p, 421 TALLOC_CTX *mem_ctx, 422 struct dcerpc_auth *auth_info, 423 DATA_BLOB *response) 424 { 425 struct spnego_context *spnego_ctx; 1164 426 NTSTATUS status; 1165 bool got_kerberos_mechanism = false; 1166 AUTH_NTLMSSP_STATE *a = NULL; 1167 RPC_HDR_AUTH auth_info; 1168 1169 ZERO_STRUCT(secblob); 1170 ZERO_STRUCT(chal); 1171 ZERO_STRUCT(response); 1172 1173 /* Grab the SPNEGO blob. */ 1174 blob = data_blob(NULL,p->hdr.auth_len); 1175 1176 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) { 1177 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n", 1178 (unsigned int)p->hdr.auth_len )); 1179 goto err; 1180 } 1181 1182 if (blob.data[0] != ASN1_APPLICATION(0)) { 1183 goto err; 1184 } 1185 1186 /* parse out the OIDs and the first sec blob */ 1187 if (!parse_negTokenTarg(blob, OIDs, &secblob) || 1188 OIDs[0] == NULL) { 1189 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n")); 1190 goto err; 1191 } 1192 1193 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) { 1194 got_kerberos_mechanism = true; 1195 } 1196 1197 for (i=0;OIDs[i];i++) { 1198 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i])); 1199 TALLOC_FREE(OIDs[i]); 1200 } 1201 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length)); 1202 1203 if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) { 1204 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth); 1205 data_blob_free(&secblob); 1206 data_blob_free(&blob); 1207 return ret; 1208 } 1209 1210 if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) { 1211 /* Free any previous auth type. */ 1212 free_pipe_ntlmssp_auth_data(&p->auth); 1213 } 1214 1215 if (!got_kerberos_mechanism) { 1216 /* Initialize the NTLM engine. */ 1217 status = auth_ntlmssp_start(&a); 1218 if (!NT_STATUS_IS_OK(status)) { 1219 goto err; 1220 } 1221 1222 /* 1223 * Pass the first security blob of data to it. 1224 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED 1225 * which means we need another packet to complete the bind. 1226 */ 1227 1228 status = auth_ntlmssp_update(a, secblob, &chal); 1229 1230 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { 1231 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n")); 1232 goto err; 1233 } 1234 1235 /* Generate the response blob we need for step 2 of the bind. */ 1236 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP); 1237 } else { 1238 /* 1239 * SPNEGO negotiate down to NTLMSSP. The subsequent 1240 * code to process follow-up packets is not complete 1241 * yet. JRA. 1242 */ 1243 response = spnego_gen_auth_response(NULL, 1244 NT_STATUS_MORE_PROCESSING_REQUIRED, 1245 OID_NTLMSSP); 1246 } 1247 1248 /* Copy the blob into the pout_auth parse struct */ 1249 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 1250 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) { 1251 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n")); 1252 goto err; 1253 } 1254 1255 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) { 1256 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n")); 1257 goto err; 1258 } 1259 1260 p->auth.a_u.auth_ntlmssp_state = a; 1261 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data; 1262 p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP; 1263 1264 data_blob_free(&blob); 1265 data_blob_free(&secblob); 1266 data_blob_free(&chal); 1267 data_blob_free(&response); 1268 1269 /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */ 1270 return True; 1271 1272 err: 1273 1274 data_blob_free(&blob); 1275 data_blob_free(&secblob); 1276 data_blob_free(&chal); 1277 data_blob_free(&response); 1278 1279 p->auth.a_u.auth_ntlmssp_state = NULL; 1280 1281 return False; 1282 } 1283 1284 /******************************************************************* 1285 Handle the second part of a SPNEGO bind auth. 1286 *******************************************************************/ 1287 1288 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p, 1289 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth) 1290 { 1291 RPC_HDR_AUTH auth_info; 1292 DATA_BLOB spnego_blob; 1293 DATA_BLOB auth_blob; 1294 DATA_BLOB auth_reply; 1295 DATA_BLOB response; 1296 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 1297 1298 ZERO_STRUCT(spnego_blob); 1299 ZERO_STRUCT(auth_blob); 1300 ZERO_STRUCT(auth_reply); 1301 ZERO_STRUCT(response); 1302 1303 /* 1304 * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently 1305 * fail here as 'a' == NULL. 1306 */ 1307 if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) { 1308 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n")); 1309 goto err; 1310 } 1311 1312 /* Grab the SPNEGO blob. */ 1313 spnego_blob = data_blob(NULL,p->hdr.auth_len); 1314 1315 if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) { 1316 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n", 1317 (unsigned int)p->hdr.auth_len )); 1318 goto err; 1319 } 1320 1321 if (spnego_blob.data[0] != ASN1_CONTEXT(1)) { 1322 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n")); 1323 goto err; 1324 } 1325 1326 if (!spnego_parse_auth(spnego_blob, &auth_blob)) { 1327 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n")); 1328 goto err; 1329 } 1330 1331 /* 1332 * The following call actually checks the challenge/response data. 1333 * for correctness against the given DOMAIN\user name. 1334 */ 1335 1336 if (!pipe_ntlmssp_verify_final(p, &auth_blob)) { 1337 goto err; 1338 } 1339 1340 data_blob_free(&spnego_blob); 1341 data_blob_free(&auth_blob); 1342 1343 /* Generate the spnego "accept completed" blob - no incoming data. */ 1344 response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP); 1345 1346 /* Copy the blob into the pout_auth parse struct */ 1347 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 1348 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) { 1349 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n")); 1350 goto err; 1351 } 1352 1353 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) { 1354 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n")); 1355 goto err; 1356 } 1357 1358 data_blob_free(&auth_reply); 1359 data_blob_free(&response); 1360 1361 p->pipe_bound = True; 1362 1363 return True; 1364 1365 err: 1366 1367 data_blob_free(&spnego_blob); 1368 data_blob_free(&auth_blob); 1369 data_blob_free(&auth_reply); 1370 data_blob_free(&response); 1371 1372 free_pipe_ntlmssp_auth_data(&p->auth); 1373 p->auth.a_u.auth_ntlmssp_state = NULL; 1374 1375 return False; 427 428 status = spnego_server_auth_start(p, 429 (auth_info->auth_level == 430 DCERPC_AUTH_LEVEL_INTEGRITY), 431 (auth_info->auth_level == 432 DCERPC_AUTH_LEVEL_PRIVACY), 433 true, 434 &auth_info->credentials, 435 response, 436 &spnego_ctx); 437 if (!NT_STATUS_IS_OK(status)) { 438 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n", 439 nt_errstr(status))); 440 return false; 441 } 442 443 /* Make sure data is bound to the memctx, to be freed the caller */ 444 talloc_steal(mem_ctx, response->data); 445 446 p->auth.auth_ctx = spnego_ctx; 447 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO; 448 449 DEBUG(10, ("SPNEGO auth started\n")); 450 451 return true; 1376 452 } 1377 453 … … 1380 456 *******************************************************************/ 1381 457 1382 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p, 1383 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth) 1384 { 1385 RPC_HDR_AUTH auth_info; 458 static bool pipe_schannel_auth_bind(struct pipes_struct *p, 459 TALLOC_CTX *mem_ctx, 460 struct dcerpc_auth *auth_info, 461 DATA_BLOB *response) 462 { 1386 463 struct NL_AUTH_MESSAGE neg; 1387 464 struct NL_AUTH_MESSAGE reply; … … 1389 466 NTSTATUS status; 1390 467 struct netlogon_creds_CredentialState *creds; 1391 DATA_BLOB session_key;1392 468 enum ndr_err_code ndr_err; 1393 DATA_BLOB blob; 1394 1395 blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p), 1396 prs_data_size(rpc_in_p)); 1397 1398 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg, 1399 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE); 469 struct schannel_state *schannel_auth; 470 471 ndr_err = ndr_pull_struct_blob( 472 &auth_info->credentials, mem_ctx, &neg, 473 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE); 1400 474 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 1401 475 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n")); … … 1419 493 1420 494 become_root(); 1421 status = schannel_fetch_session_key(p, 1422 neg.oem_netbios_computer.a, 1423 &creds); 495 status = schannel_get_creds_state(p, lp_private_dir(), 496 neg.oem_netbios_computer.a, &creds); 1424 497 unbecome_root(); 1425 498 … … 1429 502 } 1430 503 1431 p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);1432 if (! p->auth.a_u.schannel_auth) {504 schannel_auth = talloc(p, struct schannel_state); 505 if (!schannel_auth) { 1433 506 TALLOC_FREE(creds); 1434 507 return False; 1435 508 } 1436 509 1437 p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;1438 p->auth.a_u.schannel_auth->seq_num = 0;1439 p->auth.a_u.schannel_auth->initiator = false;1440 p->auth.a_u.schannel_auth->creds = creds;510 schannel_auth->state = SCHANNEL_STATE_START; 511 schannel_auth->seq_num = 0; 512 schannel_auth->initiator = false; 513 schannel_auth->creds = creds; 1441 514 1442 515 /* … … 1451 524 */ 1452 525 1453 session_key = generic_session_key();1454 if (session_key.data == NULL) { 1455 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"1456 " key\n"));526 ); 527 528 529 \n")); 1457 530 return false; 1458 }1459 1460 ret = server_info_set_session_key(p->server_info, session_key);1461 1462 data_blob_free(&session_key);1463 1464 if (!ret) {1465 DEBUG(0, ("server_info_set_session_key failed\n"));1466 return false;1467 }1468 1469 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);1470 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {1471 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));1472 return False;1473 531 } 1474 532 … … 1481 539 * here - gd */ 1482 540 1483 ndr_err = ndr_push_struct_blob( &blob, talloc_tos(), NULL, &reply,541 ndr_err = ndr_push_struct_blob(, &reply, 1484 542 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); 1485 543 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { … … 1492 550 } 1493 551 1494 if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {1495 return false;1496 }1497 1498 552 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n", 1499 553 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a)); 1500 554 1501 555 /* We're finished with this bind - no more packets. */ 1502 p->auth.auth_ data_free_func = NULL;1503 p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;556 p->auth.auth_; 557 p->auth.auth_type = _AUTH_TYPE_SCHANNEL; 1504 558 1505 559 p->pipe_bound = True; … … 1512 566 *******************************************************************/ 1513 567 1514 static bool pipe_ntlmssp_auth_bind( pipes_struct *p, prs_struct *rpc_in_p,1515 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)1516 { 1517 RPC_HDR_AUTH auth_info;1518 DATA_BLOB blob; 1519 DATA_BLOB response;568 static bool pipe_ntlmssp_auth_bind(p, 569 570 struct dcerpc_auth *auth_info, 571 572 { 573 ; 1520 574 NTSTATUS status; 1521 AUTH_NTLMSSP_STATE *a = NULL; 1522 1523 ZERO_STRUCT(blob); 1524 ZERO_STRUCT(response); 1525 1526 /* Grab the NTLMSSP blob. */ 1527 blob = data_blob(NULL,p->hdr.auth_len); 1528 1529 if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) { 1530 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n", 1531 (unsigned int)p->hdr.auth_len )); 575 576 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) { 577 DEBUG(0, ("Failed to read NTLMSSP in blob\n")); 578 return false; 579 } 580 581 /* We have an NTLMSSP blob. */ 582 status = ntlmssp_server_auth_start(p, 583 (auth_info->auth_level == 584 DCERPC_AUTH_LEVEL_INTEGRITY), 585 (auth_info->auth_level == 586 DCERPC_AUTH_LEVEL_PRIVACY), 587 true, 588 &auth_info->credentials, 589 response, 590 &ntlmssp_state); 591 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) { 592 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n", 593 nt_errstr(status))); 594 return false; 595 } 596 597 /* Make sure data is bound to the memctx, to be freed the caller */ 598 talloc_steal(mem_ctx, response->data); 599 600 p->auth.auth_ctx = ntlmssp_state; 601 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP; 602 603 DEBUG(10, (__location__ ": NTLMSSP auth started\n")); 604 605 return true; 606 } 607 608 /******************************************************************* 609 Process an NTLMSSP authentication response. 610 If this function succeeds, the user has been authenticated 611 and their domain, name and calling workstation stored in 612 the pipe struct. 613 *******************************************************************/ 614 615 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx, 616 struct auth_ntlmssp_state *ntlmssp_ctx, 617 enum dcerpc_AuthLevel auth_level, 618 struct client_address *client_id, 619 struct ndr_syntax_id *syntax, 620 struct auth_serversupplied_info **session_info) 621 { 622 NTSTATUS status; 623 bool ret; 624 625 DEBUG(5, (__location__ ": pipe %s checking user details\n", 626 get_pipe_name_from_syntax(talloc_tos(), syntax))); 627 628 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) 629 ensure the underlying NTLMSSP flags are also set. If not we should 630 refuse the bind. */ 631 632 status = ntlmssp_server_check_flags(ntlmssp_ctx, 633 (auth_level == 634 DCERPC_AUTH_LEVEL_INTEGRITY), 635 (auth_level == 636 DCERPC_AUTH_LEVEL_PRIVACY)); 637 if (!NT_STATUS_IS_OK(status)) { 638 DEBUG(0, (__location__ ": Client failed to negotatie proper " 639 "security for pipe %s\n", 640 get_pipe_name_from_syntax(talloc_tos(), syntax))); 641 return false; 642 } 643 644 TALLOC_FREE(*session_info); 645 646 status = ntlmssp_server_get_user_info(ntlmssp_ctx, 647 mem_ctx, session_info); 648 if (!NT_STATUS_IS_OK(status)) { 649 DEBUG(0, (__location__ ": failed to obtain the server info " 650 "for authenticated user: %s\n", nt_errstr(status))); 651 return false; 652 } 653 654 if ((*session_info)->security_token == NULL) { 655 DEBUG(1, ("Auth module failed to provide nt_user_token\n")); 656 return false; 657 } 658 659 /* 660 * We're an authenticated bind over smb, so the session key needs to 661 * be set to "SystemLibraryDTC". Weird, but this is what Windows 662 * does. See the RPC-SAMBA3SESSIONKEY. 663 */ 664 665 ret = session_info_set_session_key((*session_info), generic_session_key()); 666 if (!ret) { 667 DEBUG(0, ("Failed to set session key!\n")); 668 return false; 669 } 670 671 return true; 672 } 673 674 /******************************************************************* 675 Handle a GSSAPI bind auth. 676 *******************************************************************/ 677 678 static bool pipe_gssapi_auth_bind(struct pipes_struct *p, 679 TALLOC_CTX *mem_ctx, 680 struct dcerpc_auth *auth_info, 681 DATA_BLOB *response) 682 { 683 NTSTATUS status; 684 struct gse_context *gse_ctx = NULL; 685 686 status = gssapi_server_auth_start(p, 687 (auth_info->auth_level == 688 DCERPC_AUTH_LEVEL_INTEGRITY), 689 (auth_info->auth_level == 690 DCERPC_AUTH_LEVEL_PRIVACY), 691 true, 692 &auth_info->credentials, 693 response, 694 &gse_ctx); 695 if (!NT_STATUS_IS_OK(status)) { 696 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n", 697 nt_errstr(status))); 1532 698 goto err; 1533 699 } 1534 700 1535 if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) { 1536 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n")); 1537 goto err; 1538 } 1539 1540 /* We have an NTLMSSP blob. */ 1541 status = auth_ntlmssp_start(&a); 701 /* Make sure data is bound to the memctx, to be freed the caller */ 702 talloc_steal(mem_ctx, response->data); 703 704 p->auth.auth_ctx = gse_ctx; 705 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5; 706 707 DEBUG(10, ("KRB5 auth started\n")); 708 709 return true; 710 711 err: 712 TALLOC_FREE(gse_ctx); 713 return false; 714 } 715 716 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx, 717 struct gse_context *gse_ctx, 718 struct client_address *client_id, 719 struct auth_serversupplied_info **session_info) 720 { 721 NTSTATUS status; 722 bool bret; 723 724 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) 725 ensure the underlying flags are also set. If not we should 726 refuse the bind. */ 727 728 status = gssapi_server_check_flags(gse_ctx); 1542 729 if (!NT_STATUS_IS_OK(status)) { 1543 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n", 1544 nt_errstr(status) )); 1545 goto err; 1546 } 1547 1548 status = auth_ntlmssp_update(a, blob, &response); 1549 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { 1550 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n", 1551 nt_errstr(status) )); 1552 goto err; 1553 } 1554 1555 data_blob_free(&blob); 1556 1557 /* Copy the blob into the pout_auth parse struct */ 1558 init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 1559 if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) { 1560 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n")); 1561 goto err; 1562 } 1563 1564 if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) { 1565 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n")); 1566 goto err; 1567 } 1568 1569 p->auth.a_u.auth_ntlmssp_state = a; 1570 p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data; 1571 p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP; 1572 1573 data_blob_free(&blob); 1574 data_blob_free(&response); 1575 1576 DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n")); 1577 1578 /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */ 1579 return True; 1580 1581 err: 1582 1583 data_blob_free(&blob); 1584 data_blob_free(&response); 1585 1586 free_pipe_ntlmssp_auth_data(&p->auth); 1587 p->auth.a_u.auth_ntlmssp_state = NULL; 1588 return False; 730 DEBUG(0, ("Requested Security Layers not honored!\n")); 731 return status; 732 } 733 734 status = gssapi_server_get_user_info(gse_ctx, mem_ctx, 735 client_id, session_info); 736 if (!NT_STATUS_IS_OK(status)) { 737 DEBUG(0, (__location__ ": failed to obtain the server info " 738 "for authenticated user: %s\n", nt_errstr(status))); 739 return status; 740 } 741 742 if ((*session_info)->security_token == NULL) { 743 status = create_local_token(*session_info); 744 if (!NT_STATUS_IS_OK(status)) { 745 DEBUG(1, ("Failed to create local user token (%s)\n", 746 nt_errstr(status))); 747 status = NT_STATUS_ACCESS_DENIED; 748 return status; 749 } 750 } 751 752 /* TODO: this is what the ntlmssp code does with the session_key, check 753 * it is ok with gssapi too */ 754 /* 755 * We're an authenticated bind over smb, so the session key needs to 756 * be set to "SystemLibraryDTC". Weird, but this is what Windows 757 * does. See the RPC-SAMBA3SESSIONKEY. 758 */ 759 760 bret = session_info_set_session_key((*session_info), generic_session_key()); 761 if (!bret) { 762 return NT_STATUS_ACCESS_DENIED; 763 } 764 765 return NT_STATUS_OK; 766 } 767 768 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p) 769 { 770 enum spnego_mech auth_type; 771 struct auth_ntlmssp_state *ntlmssp_ctx; 772 struct spnego_context *spnego_ctx; 773 struct gse_context *gse_ctx; 774 void *mech_ctx; 775 NTSTATUS status; 776 777 switch (p->auth.auth_type) { 778 case DCERPC_AUTH_TYPE_NTLMSSP: 779 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, 780 struct auth_ntlmssp_state); 781 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx, 782 p->auth.auth_level, 783 p->client_id, &p->syntax, 784 &p->session_info)) { 785 return NT_STATUS_ACCESS_DENIED; 786 } 787 break; 788 case DCERPC_AUTH_TYPE_KRB5: 789 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx, 790 struct gse_context); 791 status = pipe_gssapi_verify_final(p, gse_ctx, 792 p->client_id, 793 &p->session_info); 794 if (!NT_STATUS_IS_OK(status)) { 795 DEBUG(1, ("gssapi bind failed with: %s", 796 nt_errstr(status))); 797 return status; 798 } 799 break; 800 case DCERPC_AUTH_TYPE_SPNEGO: 801 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, 802 struct spnego_context); 803 status = spnego_get_negotiated_mech(spnego_ctx, 804 &auth_type, &mech_ctx); 805 if (!NT_STATUS_IS_OK(status)) { 806 DEBUG(0, ("Bad SPNEGO state (%s)\n", 807 nt_errstr(status))); 808 return status; 809 } 810 switch(auth_type) { 811 case SPNEGO_KRB5: 812 gse_ctx = talloc_get_type_abort(mech_ctx, 813 struct gse_context); 814 status = pipe_gssapi_verify_final(p, gse_ctx, 815 p->client_id, 816 &p->session_info); 817 if (!NT_STATUS_IS_OK(status)) { 818 DEBUG(1, ("gssapi bind failed with: %s", 819 nt_errstr(status))); 820 return status; 821 } 822 break; 823 case SPNEGO_NTLMSSP: 824 ntlmssp_ctx = talloc_get_type_abort(mech_ctx, 825 struct auth_ntlmssp_state); 826 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx, 827 p->auth.auth_level, 828 p->client_id, 829 &p->syntax, 830 &p->session_info)) { 831 return NT_STATUS_ACCESS_DENIED; 832 } 833 break; 834 default: 835 DEBUG(0, (__location__ ": incorrect spnego type " 836 "(%d).\n", auth_type)); 837 return NT_STATUS_ACCESS_DENIED; 838 } 839 break; 840 default: 841 DEBUG(0, (__location__ ": incorrect auth type (%u).\n", 842 (unsigned int)p->auth.auth_type)); 843 return NT_STATUS_ACCESS_DENIED; 844 } 845 846 p->pipe_bound = true; 847 848 return NT_STATUS_OK; 1589 849 } 1590 850 … … 1593 853 *******************************************************************/ 1594 854 1595 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) 1596 { 1597 RPC_HDR_BA hdr_ba; 1598 RPC_HDR_RB hdr_rb; 1599 RPC_HDR_AUTH auth_info; 855 static bool api_pipe_bind_req(struct pipes_struct *p, 856 struct ncacn_packet *pkt) 857 { 858 struct dcerpc_auth auth_info; 1600 859 uint16 assoc_gid; 1601 fstring ack_pipe_name;1602 prs_struct out_hdr_ba;1603 prs_struct out_auth;1604 int i = 0;1605 int auth_len = 0;1606 860 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE; 861 862 863 864 865 866 1607 867 1608 868 /* No rebinds on a bound pipe - use alter context. */ … … 1611 871 "pipe %s.\n", 1612 872 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 1613 return setup_bind_nak(p); 1614 } 1615 1616 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 1617 1618 /* 1619 * Marshall directly into the outgoing PDU space. We 1620 * must do this as we need to set to the bind response 1621 * header and are never sending more than one PDU here. 1622 */ 1623 1624 /* 1625 * Setup the memory to marshall the ba header, and the 1626 * auth footers. 1627 */ 1628 1629 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) { 1630 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n")); 1631 prs_mem_free(&p->out_data.frag); 1632 return False; 1633 } 1634 1635 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) { 1636 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n")); 1637 prs_mem_free(&p->out_data.frag); 1638 prs_mem_free(&out_hdr_ba); 1639 return False; 1640 } 1641 1642 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__)); 1643 1644 ZERO_STRUCT(hdr_rb); 1645 1646 /* decode the bind request */ 1647 1648 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) { 1649 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB " 1650 "struct.\n")); 1651 goto err_exit; 1652 } 1653 1654 if (hdr_rb.num_contexts == 0) { 873 return setup_bind_nak(p, pkt); 874 } 875 876 if (pkt->u.bind.num_contexts == 0) { 1655 877 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n")); 1656 878 goto err_exit; … … 1661 883 * that this is a pipe name we support. 1662 884 */ 1663 1664 for (i = 0; i < rpc_lookup_size; i++) { 1665 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface, 1666 &hdr_rb.rpc_context[0].abstract)) { 1667 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 1668 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv)); 1669 break; 1670 } 1671 } 1672 1673 if (i == rpc_lookup_size) { 1674 NTSTATUS status; 1675 885 id = pkt->u.bind.ctx_list[0].abstract_syntax; 886 if (rpc_srv_pipe_exists_by_id(&id)) { 887 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 888 rpc_srv_get_pipe_cli_name(&id), 889 rpc_srv_get_pipe_srv_name(&id))); 890 } else { 1676 891 status = smb_probe_module( 1677 892 "rpc", get_pipe_name_from_syntax( 1678 893 talloc_tos(), 1679 & hdr_rb.rpc_context[0].abstract));894 &)); 1680 895 1681 896 if (NT_STATUS_IS_ERR(status)) { … … 1683 898 get_pipe_name_from_syntax( 1684 899 talloc_tos(), 1685 &hdr_rb.rpc_context[0].abstract))); 1686 prs_mem_free(&p->out_data.frag); 1687 prs_mem_free(&out_hdr_ba); 1688 prs_mem_free(&out_auth); 1689 1690 return setup_bind_nak(p); 1691 } 1692 1693 for (i = 0; i < rpc_lookup_size; i++) { 1694 if (strequal(rpc_lookup[i].pipe.clnt, 1695 get_pipe_name_from_syntax(talloc_tos(), 1696 &p->syntax))) { 1697 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 1698 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv)); 1699 break; 1700 } 1701 } 1702 1703 if (i == rpc_lookup_size) { 900 &pkt->u.bind.ctx_list[0].abstract_syntax))); 901 902 return setup_bind_nak(p, pkt); 903 } 904 905 if (rpc_srv_get_pipe_interface_by_cli_name( 906 get_pipe_name_from_syntax(talloc_tos(), 907 &p->syntax), 908 &id)) { 909 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", 910 rpc_srv_get_pipe_cli_name(&id), 911 rpc_srv_get_pipe_srv_name(&id))); 912 } else { 1704 913 DEBUG(0, ("module %s doesn't provide functions for " 1705 914 "pipe %s!\n", … … 1708 917 get_pipe_name_from_syntax(talloc_tos(), 1709 918 &p->syntax))); 1710 goto err_exit; 1711 } 1712 } 1713 1714 /* name has to be \PIPE\xxxxx */ 1715 fstrcpy(ack_pipe_name, "\\PIPE\\"); 1716 fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv); 919 return setup_bind_nak(p, pkt); 920 } 921 } 1717 922 1718 923 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__)); 1719 924 1720 /* 1721 * Check if this is an authenticated bind request. 1722 */ 1723 1724 if (p->hdr.auth_len) { 1725 /* 1726 * Decode the authentication verifier. 1727 */ 1728 1729 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) { 1730 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n")); 1731 goto err_exit; 1732 } 1733 1734 auth_type = auth_info.auth_type; 1735 1736 /* Work out if we have to sign or seal etc. */ 1737 switch (auth_info.auth_level) { 1738 case DCERPC_AUTH_LEVEL_INTEGRITY: 1739 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; 1740 break; 1741 case DCERPC_AUTH_LEVEL_PRIVACY: 1742 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY; 1743 break; 1744 default: 1745 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n", 1746 (unsigned int)auth_info.auth_level )); 1747 goto err_exit; 1748 } 925 if (pkt->u.bind.assoc_group_id != 0) { 926 assoc_gid = pkt->u.bind.assoc_group_id; 1749 927 } else { 1750 ZERO_STRUCT(auth_info); 1751 } 1752 1753 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0; 1754 1755 switch(auth_type) { 1756 case DCERPC_AUTH_TYPE_NTLMSSP: 1757 if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) { 1758 goto err_exit; 1759 } 1760 assoc_gid = 0x7a77; 1761 break; 1762 1763 case DCERPC_AUTH_TYPE_SCHANNEL: 1764 if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) { 1765 goto err_exit; 1766 } 1767 break; 1768 1769 case DCERPC_AUTH_TYPE_SPNEGO: 1770 if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) { 1771 goto err_exit; 1772 } 1773 break; 1774 1775 case DCERPC_AUTH_TYPE_NONE: 1776 /* Unauthenticated bind request. */ 1777 /* We're finished - no more packets. */ 1778 p->auth.auth_type = PIPE_AUTH_TYPE_NONE; 1779 /* We must set the pipe auth_level here also. */ 1780 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; 1781 p->pipe_bound = True; 1782 /* The session key was initialized from the SMB 1783 * session in make_internal_rpc_pipe_p */ 1784 break; 1785 1786 default: 1787 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type )); 1788 goto err_exit; 928 assoc_gid = 0x53f0; 1789 929 } 1790 930 … … 1799 939 Needed when adding entries to a DACL from NT5 - SK */ 1800 940 1801 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0], 1802 hdr_rb.rpc_context[0].context_id )) { 1803 init_rpc_hdr_ba(&hdr_ba, 1804 RPC_MAX_PDU_FRAG_LEN, 1805 RPC_MAX_PDU_FRAG_LEN, 1806 assoc_gid, 1807 ack_pipe_name, 1808 0x1, 0x0, 0x0, 1809 &hdr_rb.rpc_context[0].transfer[0]); 941 if (check_bind_req(p, 942 &pkt->u.bind.ctx_list[0].abstract_syntax, 943 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0], 944 pkt->u.bind.ctx_list[0].context_id)) { 945 946 bind_ack_ctx.result = 0; 947 bind_ack_ctx.reason = 0; 948 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; 1810 949 } else { 950 1811 951 /* Rejection reason: abstract syntax not supported */ 1812 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN, 1813 RPC_MAX_PDU_FRAG_LEN, assoc_gid, 1814 ack_pipe_name, 0x1, 0x2, 0x1, 1815 &null_ndr_syntax_id); 1816 p->pipe_bound = False; 1817 } 1818 1819 /* 1820 * and marshall it. 1821 */ 1822 1823 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) { 1824 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n")); 952 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; 953 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; 954 bind_ack_ctx.syntax = null_ndr_syntax_id; 955 } 956 957 /* 958 * Check if this is an authenticated bind request. 959 */ 960 if (pkt->auth_length) { 961 /* Quick length check. Won't catch a bad auth footer, 962 * prevents overrun. */ 963 964 if (pkt->frag_length < RPC_HEADER_LEN + 965 DCERPC_AUTH_TRAILER_LENGTH + 966 pkt->auth_length) { 967 DEBUG(0,("api_pipe_bind_req: auth_len (%u) " 968 "too long for fragment %u.\n", 969 (unsigned int)pkt->auth_length, 970 (unsigned int)pkt->frag_length)); 971 goto err_exit; 972 } 973 974 /* 975 * Decode the authentication verifier. 976 */ 977 status = dcerpc_pull_dcerpc_auth(pkt, 978 &pkt->u.bind.auth_info, 979 &auth_info, p->endian); 980 if (!NT_STATUS_IS_OK(status)) { 981 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); 982 goto err_exit; 983 } 984 985 auth_type = auth_info.auth_type; 986 987 /* Work out if we have to sign or seal etc. */ 988 switch (auth_info.auth_level) { 989 case DCERPC_AUTH_LEVEL_INTEGRITY: 990 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; 991 break; 992 case DCERPC_AUTH_LEVEL_PRIVACY: 993 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY; 994 break; 995 case DCERPC_AUTH_LEVEL_CONNECT: 996 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT; 997 break; 998 default: 999 DEBUG(0, ("Unexpected auth level (%u).\n", 1000 (unsigned int)auth_info.auth_level )); 1001 goto err_exit; 1002 } 1003 1004 switch (auth_type) { 1005 case DCERPC_AUTH_TYPE_NTLMSSP: 1006 if (!pipe_ntlmssp_auth_bind(p, pkt, 1007 &auth_info, &auth_resp)) { 1008 goto err_exit; 1009 } 1010 assoc_gid = 0x7a77; 1011 break; 1012 1013 case DCERPC_AUTH_TYPE_SCHANNEL: 1014 if (!pipe_schannel_auth_bind(p, pkt, 1015 &auth_info, &auth_resp)) { 1016 goto err_exit; 1017 } 1018 break; 1019 1020 case DCERPC_AUTH_TYPE_SPNEGO: 1021 if (!pipe_spnego_auth_bind(p, pkt, 1022 &auth_info, &auth_resp)) { 1023 goto err_exit; 1024 } 1025 break; 1026 1027 case DCERPC_AUTH_TYPE_KRB5: 1028 if (!pipe_gssapi_auth_bind(p, pkt, 1029 &auth_info, &auth_resp)) { 1030 goto err_exit; 1031 } 1032 break; 1033 1034 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: 1035 if (p->transport == NCALRPC && p->ncalrpc_as_system) { 1036 TALLOC_FREE(p->session_info); 1037 1038 status = make_session_info_system(p, 1039 &p->session_info); 1040 if (!NT_STATUS_IS_OK(status)) { 1041 goto err_exit; 1042 } 1043 1044 auth_resp = data_blob_talloc(pkt, 1045 "NCALRPC_AUTH_OK", 1046 15); 1047 1048 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM; 1049 p->pipe_bound = true; 1050 } else { 1051 goto err_exit; 1052 } 1053 break; 1054 1055 case DCERPC_AUTH_TYPE_NONE: 1056 break; 1057 1058 default: 1059 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type)); 1060 goto err_exit; 1061 } 1062 } 1063 1064 if (auth_type == DCERPC_AUTH_TYPE_NONE) { 1065 /* Unauthenticated bind request. */ 1066 /* We're finished - no more packets. */ 1067 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; 1068 /* We must set the pipe auth_level here also. */ 1069 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; 1070 p->pipe_bound = True; 1071 /* The session key was initialized from the SMB 1072 * session in make_internal_rpc_pipe_p */ 1073 } 1074 1075 ZERO_STRUCT(u.bind_ack); 1076 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; 1077 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN; 1078 u.bind_ack.assoc_group_id = assoc_gid; 1079 1080 /* name has to be \PIPE\xxxxx */ 1081 u.bind_ack.secondary_address = 1082 talloc_asprintf(pkt, "\\PIPE\\%s", 1083 rpc_srv_get_pipe_srv_name(&id)); 1084 if (!u.bind_ack.secondary_address) { 1085 DEBUG(0, ("Out of memory!\n")); 1825 1086 goto err_exit; 1826 1087 } 1827 1828 /* 1829 * Create the header, now we know the length. 1830 */ 1831 1832 if (prs_offset(&out_auth)) { 1833 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN; 1834 } 1835 1836 init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST, 1837 p->hdr.call_id, 1838 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth), 1839 auth_len); 1840 1841 /* 1842 * Marshall the header into the outgoing PDU. 1843 */ 1844 1845 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) { 1846 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n")); 1847 goto err_exit; 1848 } 1849 1850 /* 1851 * Now add the RPC_HDR_BA and any auth needed. 1852 */ 1853 1854 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) { 1855 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n")); 1856 goto err_exit; 1857 } 1858 1859 if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) { 1860 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n")); 1861 goto err_exit; 1088 u.bind_ack.secondary_address_size = 1089 strlen(u.bind_ack.secondary_address) + 1; 1090 1091 u.bind_ack.num_results = 1; 1092 u.bind_ack.ctx_list = &bind_ack_ctx; 1093 1094 /* NOTE: We leave the auth_info empty so we can calculate the padding 1095 * later and then append the auth_info --simo */ 1096 1097 /* 1098 * Marshall directly into the outgoing PDU space. We 1099 * must do this as we need to set to the bind response 1100 * header and are never sending more than one PDU here. 1101 */ 1102 1103 status = dcerpc_push_ncacn_packet(p->mem_ctx, 1104 DCERPC_PKT_BIND_ACK, 1105 DCERPC_PFC_FLAG_FIRST | 1106 DCERPC_PFC_FLAG_LAST, 1107 auth_resp.length, 1108 pkt->call_id, 1109 &u, 1110 &p->out_data.frag); 1111 if (!NT_STATUS_IS_OK(status)) { 1112 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", 1113 nt_errstr(status))); 1114 } 1115 1116 if (auth_resp.length) { 1117 1118 status = dcerpc_push_dcerpc_auth(pkt, 1119 auth_type, 1120 auth_info.auth_level, 1121 0, 1122 1, /* auth_context_id */ 1123 &auth_resp, 1124 &auth_blob); 1125 if (!NT_STATUS_IS_OK(status)) { 1126 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n")); 1127 goto err_exit; 1128 } 1129 } 1130 1131 /* Now that we have the auth len store it into the right place in 1132 * the dcerpc header */ 1133 dcerpc_set_frag_length(&p->out_data.frag, 1134 p->out_data.frag.length + auth_blob.length); 1135 1136 if (auth_blob.length) { 1137 1138 if (!data_blob_append(p->mem_ctx, &p->out_data.frag, 1139 auth_blob.data, auth_blob.length)) { 1140 DEBUG(0, ("Append of auth info failed.\n")); 1141 goto err_exit; 1142 } 1862 1143 } 1863 1144 … … 1869 1150 p->out_data.current_pdu_sent = 0; 1870 1151 1871 prs_mem_free(&out_hdr_ba); 1872 prs_mem_free(&out_auth); 1873 1152 TALLOC_FREE(auth_blob.data); 1874 1153 return True; 1875 1154 1876 1155 err_exit: 1877 1156 1878 prs_mem_free(&p->out_data.frag); 1879 prs_mem_free(&out_hdr_ba); 1880 prs_mem_free(&out_auth); 1881 return setup_bind_nak(p); 1157 data_blob_free(&p->out_data.frag); 1158 TALLOC_FREE(auth_blob.data); 1159 return setup_bind_nak(p, pkt); 1160 } 1161 1162 /******************************************************************* 1163 This is the "stage3" response after a bind request and reply. 1164 *******************************************************************/ 1165 1166 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) 1167 { 1168 struct dcerpc_auth auth_info; 1169 DATA_BLOB response = data_blob_null; 1170 struct auth_ntlmssp_state *ntlmssp_ctx; 1171 struct spnego_context *spnego_ctx; 1172 struct gse_context *gse_ctx; 1173 NTSTATUS status; 1174 1175 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__)); 1176 1177 if (pkt->auth_length == 0) { 1178 DEBUG(0, ("No auth field sent for bind request!\n")); 1179 goto err; 1180 } 1181 1182 /* Ensure there's enough data for an authenticated request. */ 1183 if (pkt->frag_length < RPC_HEADER_LEN 1184 + DCERPC_AUTH_TRAILER_LENGTH 1185 + pkt->auth_length) { 1186 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len " 1187 "%u is too large.\n", 1188 (unsigned int)pkt->auth_length)); 1189 goto err; 1190 } 1191 1192 /* 1193 * Decode the authentication verifier response. 1194 */ 1195 1196 status = dcerpc_pull_dcerpc_auth(pkt, 1197 &pkt->u.auth3.auth_info, 1198 &auth_info, p->endian); 1199 if (!NT_STATUS_IS_OK(status)) { 1200 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n")); 1201 goto err; 1202 } 1203 1204 /* We must NEVER look at auth_info->auth_pad_len here, 1205 * as old Samba client code gets it wrong and sends it 1206 * as zero. JRA. 1207 */ 1208 1209 if (auth_info.auth_type != p->auth.auth_type) { 1210 DEBUG(0, ("Auth type mismatch! Client sent %d, " 1211 "but auth was started as type %d!\n", 1212 auth_info.auth_type, p->auth.auth_type)); 1213 goto err; 1214 } 1215 1216 switch (auth_info.auth_type) { 1217 case DCERPC_AUTH_TYPE_NTLMSSP: 1218 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1219 struct auth_ntlmssp_state); 1220 status = ntlmssp_server_step(ntlmssp_ctx, 1221 pkt, &auth_info.credentials, 1222 &response); 1223 break; 1224 case DCERPC_AUTH_TYPE_KRB5: 1225 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1226 struct gse_context); 1227 status = gssapi_server_step(gse_ctx, 1228 pkt, &auth_info.credentials, 1229 &response); 1230 break; 1231 case DCERPC_AUTH_TYPE_SPNEGO: 1232 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1233 struct spnego_context); 1234 status = spnego_server_step(spnego_ctx, 1235 pkt, &auth_info.credentials, 1236 &response); 1237 break; 1238 default: 1239 DEBUG(0, (__location__ ": incorrect auth type (%u).\n", 1240 (unsigned int)auth_info.auth_type)); 1241 return false; 1242 } 1243 1244 if (NT_STATUS_EQUAL(status, 1245 NT_STATUS_MORE_PROCESSING_REQUIRED) || 1246 response.length) { 1247 DEBUG(0, (__location__ ": This was supposed to be the final " 1248 "leg, but crypto machinery claims a response is " 1249 "needed, aborting auth!\n")); 1250 data_blob_free(&response); 1251 goto err; 1252 } 1253 if (!NT_STATUS_IS_OK(status)) { 1254 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status))); 1255 goto err; 1256 } 1257 1258 /* Now verify auth was indeed successful and extract server info */ 1259 status = pipe_auth_verify_final(p); 1260 if (!NT_STATUS_IS_OK(status)) { 1261 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status))); 1262 goto err; 1263 } 1264 1265 return true; 1266 1267 err: 1268 1269 TALLOC_FREE(p->auth.auth_ctx); 1270 return false; 1882 1271 } 1883 1272 … … 1887 1276 ****************************************************************************/ 1888 1277 1889 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p) 1890 { 1891 RPC_HDR_BA hdr_ba; 1892 RPC_HDR_RB hdr_rb; 1893 RPC_HDR_AUTH auth_info; 1278 static bool api_pipe_alter_context(struct pipes_struct *p, 1279 struct ncacn_packet *pkt) 1280 { 1281 struct dcerpc_auth auth_info; 1894 1282 uint16 assoc_gid; 1895 fstring ack_pipe_name; 1896 prs_struct out_hdr_ba; 1897 prs_struct out_auth; 1898 int auth_len = 0; 1899 1900 prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL); 1901 1902 /* 1903 * Marshall directly into the outgoing PDU space. We 1904 * must do this as we need to set to the bind response 1905 * header and are never sending more than one PDU here. 1906 */ 1907 1908 /* 1909 * Setup the memory to marshall the ba header, and the 1910 * auth footers. 1911 */ 1912 1913 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) { 1914 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n")); 1915 prs_mem_free(&p->out_data.frag); 1916 return False; 1917 } 1918 1919 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) { 1920 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n")); 1921 prs_mem_free(&p->out_data.frag); 1922 prs_mem_free(&out_hdr_ba); 1923 return False; 1924 } 1925 1926 ZERO_STRUCT(hdr_rb); 1927 1928 DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__)); 1929 1930 /* decode the alter context request */ 1931 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) { 1932 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n")); 1933 goto err_exit; 1934 } 1935 1936 /* secondary address CAN be NULL 1937 * as the specs say it's ignored. 1938 * It MUST be NULL to have the spoolss working. 1939 */ 1940 fstrcpy(ack_pipe_name,""); 1283 NTSTATUS status; 1284 union dcerpc_payload u; 1285 struct dcerpc_ack_ctx bind_ack_ctx; 1286 DATA_BLOB auth_resp = data_blob_null; 1287 DATA_BLOB auth_blob = data_blob_null; 1288 int pad_len = 0; 1289 struct auth_ntlmssp_state *ntlmssp_ctx; 1290 struct spnego_context *spnego_ctx; 1291 struct gse_context *gse_ctx; 1941 1292 1942 1293 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__)); 1943 1294 1944 /* 1945 * Check if this is an authenticated alter context request. 1946 */ 1947 1948 if (p->hdr.auth_len != 0) { 1949 /* 1950 * Decode the authentication verifier. 1951 */ 1952 1953 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) { 1954 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n")); 1955 goto err_exit; 1956 } 1957 1958 /* 1959 * Currently only the SPNEGO auth type uses the alter ctx 1960 * response in place of the NTLMSSP auth3 type. 1961 */ 1962 1963 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) { 1964 /* We can only finish if the pipe is unbound. */ 1965 if (!p->pipe_bound) { 1966 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) { 1967 goto err_exit; 1968 } 1969 } else { 1970 goto err_exit; 1971 } 1972 } 1295 if (pkt->u.bind.assoc_group_id != 0) { 1296 assoc_gid = pkt->u.bind.assoc_group_id; 1973 1297 } else { 1974 ZERO_STRUCT(auth_info); 1975 } 1976 1977 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0; 1298 assoc_gid = 0x53f0; 1299 } 1978 1300 1979 1301 /* … … 1987 1309 Needed when adding entries to a DACL from NT5 - SK */ 1988 1310 1989 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0], 1990 hdr_rb.rpc_context[0].context_id )) { 1991 init_rpc_hdr_ba(&hdr_ba, 1992 RPC_MAX_PDU_FRAG_LEN, 1993 RPC_MAX_PDU_FRAG_LEN, 1994 assoc_gid, 1995 ack_pipe_name, 1996 0x1, 0x0, 0x0, 1997 &hdr_rb.rpc_context[0].transfer[0]); 1311 if (check_bind_req(p, 1312 &pkt->u.bind.ctx_list[0].abstract_syntax, 1313 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0], 1314 pkt->u.bind.ctx_list[0].context_id)) { 1315 1316 bind_ack_ctx.result = 0; 1317 bind_ack_ctx.reason = 0; 1318 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; 1998 1319 } else { 1320 1999 1321 /* Rejection reason: abstract syntax not supported */ 2000 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN, 2001 RPC_MAX_PDU_FRAG_LEN, assoc_gid, 2002 ack_pipe_name, 0x1, 0x2, 0x1, 2003 &null_ndr_syntax_id); 2004 p->pipe_bound = False; 2005 } 2006 2007 /* 2008 * and marshall it. 2009 */ 2010 2011 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) { 2012 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n")); 2013 goto err_exit; 2014 } 2015 2016 /* 2017 * Create the header, now we know the length. 2018 */ 2019 2020 if (prs_offset(&out_auth)) { 2021 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN; 2022 } 2023 2024 init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST, 2025 p->hdr.call_id, 2026 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth), 2027 auth_len); 2028 2029 /* 2030 * Marshall the header into the outgoing PDU. 2031 */ 2032 2033 if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) { 2034 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n")); 2035 goto err_exit; 2036 } 2037 2038 /* 2039 * Now add the RPC_HDR_BA and any auth needed. 2040 */ 2041 2042 if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) { 2043 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n")); 2044 goto err_exit; 2045 } 2046 2047 if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) { 2048 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n")); 2049 goto err_exit; 1322 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; 1323 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; 1324 bind_ack_ctx.syntax = null_ndr_syntax_id; 1325 } 1326 1327 /* 1328 * Check if this is an authenticated alter context request. 1329 */ 1330 if (pkt->auth_length) { 1331 /* Quick length check. Won't catch a bad auth footer, 1332 * prevents overrun. */ 1333 1334 if (pkt->frag_length < RPC_HEADER_LEN + 1335 DCERPC_AUTH_TRAILER_LENGTH + 1336 pkt->auth_length) { 1337 DEBUG(0,("api_pipe_alter_context: auth_len (%u) " 1338 "too long for fragment %u.\n", 1339 (unsigned int)pkt->auth_length, 1340 (unsigned int)pkt->frag_length )); 1341 goto err_exit; 1342 } 1343 1344 status = dcerpc_pull_dcerpc_auth(pkt, 1345 &pkt->u.bind.auth_info, 1346 &auth_info, p->endian); 1347 if (!NT_STATUS_IS_OK(status)) { 1348 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); 1349 goto err_exit; 1350 } 1351 1352 /* We can only finish if the pipe is unbound for now */ 1353 if (p->pipe_bound) { 1354 DEBUG(0, (__location__ ": Pipe already bound, " 1355 "Altering Context not yet supported!\n")); 1356 goto err_exit; 1357 } 1358 1359 if (auth_info.auth_type != p->auth.auth_type) { 1360 DEBUG(0, ("Auth type mismatch! Client sent %d, " 1361 "but auth was started as type %d!\n", 1362 auth_info.auth_type, p->auth.auth_type)); 1363 goto err_exit; 1364 } 1365 1366 1367 switch (auth_info.auth_type) { 1368 case DCERPC_AUTH_TYPE_SPNEGO: 1369 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1370 struct spnego_context); 1371 status = spnego_server_step(spnego_ctx, 1372 pkt, 1373 &auth_info.credentials, 1374 &auth_resp); 1375 break; 1376 1377 case DCERPC_AUTH_TYPE_KRB5: 1378 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1379 struct gse_context); 1380 status = gssapi_server_step(gse_ctx, 1381 pkt, 1382 &auth_info.credentials, 1383 &auth_resp); 1384 break; 1385 case DCERPC_AUTH_TYPE_NTLMSSP: 1386 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, 1387 struct auth_ntlmssp_state); 1388 status = ntlmssp_server_step(ntlmssp_ctx, 1389 pkt, 1390 &auth_info.credentials, 1391 &auth_resp); 1392 break; 1393 1394 default: 1395 DEBUG(3, (__location__ ": Usupported auth type (%d) " 1396 "in alter-context call\n", 1397 auth_info.auth_type)); 1398 goto err_exit; 1399 } 1400 1401 if (NT_STATUS_IS_OK(status)) { 1402 /* third leg of auth, verify auth info */ 1403 status = pipe_auth_verify_final(p); 1404 if (!NT_STATUS_IS_OK(status)) { 1405 DEBUG(0, ("Auth Verify failed (%s)\n", 1406 nt_errstr(status))); 1407 goto err_exit; 1408 } 1409 } else if (NT_STATUS_EQUAL(status, 1410 NT_STATUS_MORE_PROCESSING_REQUIRED)) { 1411 DEBUG(10, ("More auth legs required.\n")); 1412 } else { 1413 DEBUG(0, ("Auth step returned an error (%s)\n", 1414 nt_errstr(status))); 1415 goto err_exit; 1416 } 1417 } 1418 1419 ZERO_STRUCT(u.alter_resp); 1420 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; 1421 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN; 1422 u.alter_resp.assoc_group_id = assoc_gid; 1423 1424 /* secondary address CAN be NULL 1425 * as the specs say it's ignored. 1426 * It MUST be NULL to have the spoolss working. 1427 */ 1428 u.alter_resp.secondary_address = ""; 1429 u.alter_resp.secondary_address_size = 1; 1430 1431 u.alter_resp.num_results = 1; 1432 u.alter_resp.ctx_list = &bind_ack_ctx; 1433 1434 /* NOTE: We leave the auth_info empty so we can calculate the padding 1435 * later and then append the auth_info --simo */ 1436 1437 /* 1438 * Marshall directly into the outgoing PDU space. We 1439 * must do this as we need to set to the bind response 1440 * header and are never sending more than one PDU here. 1441 */ 1442 1443 status = dcerpc_push_ncacn_packet(p->mem_ctx, 1444 DCERPC_PKT_ALTER_RESP, 1445 DCERPC_PFC_FLAG_FIRST | 1446 DCERPC_PFC_FLAG_LAST, 1447 auth_resp.length, 1448 pkt->call_id, 1449 &u, 1450 &p->out_data.frag); 1451 if (!NT_STATUS_IS_OK(status)) { 1452 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", 1453 nt_errstr(status))); 1454 } 1455 1456 if (auth_resp.length) { 1457 1458 /* Work out any padding needed before the auth footer. */ 1459 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE; 1460 if (pad_len) { 1461 pad_len = SERVER_NDR_PADDING_SIZE - pad_len; 1462 DEBUG(10, ("auth pad_len = %u\n", 1463 (unsigned int)pad_len)); 1464 } 1465 1466 status = dcerpc_push_dcerpc_auth(pkt, 1467 auth_info.auth_type, 1468 auth_info.auth_level, 1469 pad_len, 1470 1, /* auth_context_id */ 1471 &auth_resp, 1472 &auth_blob); 1473 if (!NT_STATUS_IS_OK(status)) { 1474 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n")); 1475 goto err_exit; 1476 } 1477 } 1478 1479 /* Now that we have the auth len store it into the right place in 1480 * the dcerpc header */ 1481 dcerpc_set_frag_length(&p->out_data.frag, 1482 p->out_data.frag.length + 1483 pad_len + auth_blob.length); 1484 1485 if (auth_resp.length) { 1486 if (pad_len) { 1487 char pad[SERVER_NDR_PADDING_SIZE]; 1488 memset(pad, '\0', SERVER_NDR_PADDING_SIZE); 1489 if (!data_blob_append(p->mem_ctx, 1490 &p->out_data.frag, 1491 pad, pad_len)) { 1492 DEBUG(0, ("api_pipe_bind_req: failed to add " 1493 "%u bytes of pad data.\n", 1494 (unsigned int)pad_len)); 1495 goto err_exit; 1496 } 1497 } 1498 1499 if (!data_blob_append(p->mem_ctx, &p->out_data.frag, 1500 auth_blob.data, auth_blob.length)) { 1501 DEBUG(0, ("Append of auth info failed.\n")); 1502 goto err_exit; 1503 } 2050 1504 } 2051 1505 … … 2057 1511 p->out_data.current_pdu_sent = 0; 2058 1512 2059 prs_mem_free(&out_hdr_ba); 2060 prs_mem_free(&out_auth); 2061 1513 TALLOC_FREE(auth_blob.data); 2062 1514 return True; 2063 1515 2064 1516 err_exit: 2065 1517 2066 prs_mem_free(&p->out_data.frag); 2067 prs_mem_free(&out_hdr_ba); 2068 prs_mem_free(&out_auth); 2069 return setup_bind_nak(p); 2070 } 2071 2072 /**************************************************************************** 2073 Deal with NTLMSSP sign & seal processing on an RPC request. 2074 ****************************************************************************/ 2075 2076 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in, 2077 uint32 *p_ss_padding_len, NTSTATUS *pstatus) 2078 { 2079 RPC_HDR_AUTH auth_info; 2080 uint32 auth_len = p->hdr.auth_len; 2081 uint32 save_offset = prs_offset(rpc_in); 2082 AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; 2083 unsigned char *data = NULL; 2084 size_t data_len; 2085 unsigned char *full_packet_data = NULL; 2086 size_t full_packet_data_len; 2087 DATA_BLOB auth_blob; 2088 2089 *pstatus = NT_STATUS_OK; 2090 2091 if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) { 2092 return True; 2093 } 2094 2095 if (!a) { 2096 *pstatus = NT_STATUS_INVALID_PARAMETER; 2097 return False; 2098 } 2099 2100 /* Ensure there's enough data for an authenticated request. */ 2101 if ((auth_len > RPC_MAX_SIGN_SIZE) || 2102 (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) { 2103 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n", 2104 (unsigned int)auth_len )); 2105 *pstatus = NT_STATUS_INVALID_PARAMETER; 2106 return False; 2107 } 2108 2109 /* 2110 * We need the full packet data + length (minus auth stuff) as well as the packet data + length 2111 * after the RPC header. 2112 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal 2113 * functions as NTLMv2 checks the rpc headers also. 2114 */ 2115 2116 data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN); 2117 data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len); 2118 2119 full_packet_data = p->in_data.current_in_pdu; 2120 full_packet_data_len = p->hdr.frag_len - auth_len; 2121 2122 /* Pull the auth header and the following data into a blob. */ 2123 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) { 2124 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n", 2125 (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len )); 2126 *pstatus = NT_STATUS_INVALID_PARAMETER; 2127 return False; 2128 } 2129 2130 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) { 2131 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n")); 2132 *pstatus = NT_STATUS_INVALID_PARAMETER; 2133 return False; 2134 } 2135 2136 auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in); 2137 auth_blob.length = auth_len; 2138 2139 switch (p->auth.auth_level) { 2140 case DCERPC_AUTH_LEVEL_PRIVACY: 2141 /* Data is encrypted. */ 2142 *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state, 2143 data, data_len, 2144 full_packet_data, 2145 full_packet_data_len, 2146 &auth_blob); 2147 if (!NT_STATUS_IS_OK(*pstatus)) { 2148 return False; 2149 } 2150 break; 2151 case DCERPC_AUTH_LEVEL_INTEGRITY: 2152 /* Data is signed. */ 2153 *pstatus = ntlmssp_check_packet(a->ntlmssp_state, 2154 data, data_len, 2155 full_packet_data, 2156 full_packet_data_len, 2157 &auth_blob); 2158 if (!NT_STATUS_IS_OK(*pstatus)) { 2159 return False; 2160 } 2161 break; 2162 default: 2163 *pstatus = NT_STATUS_INVALID_PARAMETER; 2164 return False; 2165 } 2166 2167 /* 2168 * Return the current pointer to the data offset. 2169 */ 2170 2171 if(!prs_set_offset(rpc_in, save_offset)) { 2172 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n", 2173 (unsigned int)save_offset )); 2174 *pstatus = NT_STATUS_INVALID_PARAMETER; 2175 return False; 2176 } 2177 2178 /* 2179 * Remember the padding length. We must remove it from the real data 2180 * stream once the sign/seal is done. 2181 */ 2182 2183 *p_ss_padding_len = auth_info.auth_pad_len; 2184 2185 return True; 2186 } 2187 2188 /**************************************************************************** 2189 Deal with schannel processing on an RPC request. 2190 ****************************************************************************/ 2191 2192 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len) 2193 { 2194 uint32 data_len; 2195 uint32 auth_len; 2196 uint32 save_offset = prs_offset(rpc_in); 2197 RPC_HDR_AUTH auth_info; 2198 DATA_BLOB blob; 2199 NTSTATUS status; 2200 uint8_t *data; 2201 2202 auth_len = p->hdr.auth_len; 2203 2204 if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN || 2205 auth_len > RPC_HEADER_LEN + 2206 RPC_HDR_REQ_LEN + 2207 RPC_HDR_AUTH_LEN + 2208 auth_len) { 2209 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len )); 2210 return False; 2211 } 2212 2213 /* 2214 * The following is that length of the data we must verify or unseal. 2215 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN 2216 * preceeding the auth_data. 2217 */ 2218 2219 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) { 2220 DEBUG(0,("Incorrect frag %u, auth %u.\n", 2221 (unsigned int)p->hdr.frag_len, 2222 (unsigned int)auth_len )); 2223 return False; 2224 } 2225 2226 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 2227 RPC_HDR_AUTH_LEN - auth_len; 2228 2229 DEBUG(5,("data %d auth %d\n", data_len, auth_len)); 2230 2231 if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) { 2232 DEBUG(0,("cannot move offset to %u.\n", 2233 (unsigned int)RPC_HDR_REQ_LEN + data_len )); 2234 return False; 2235 } 2236 2237 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) { 2238 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n")); 2239 return False; 2240 } 2241 2242 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { 2243 DEBUG(0,("Invalid auth info %d on schannel\n", 2244 auth_info.auth_type)); 2245 return False; 2246 } 2247 2248 blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len); 2249 2250 if (DEBUGLEVEL >= 10) { 2251 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob); 2252 } 2253 2254 data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN; 2255 2256 switch (auth_info.auth_level) { 2257 case DCERPC_AUTH_LEVEL_PRIVACY: 2258 status = netsec_incoming_packet(p->auth.a_u.schannel_auth, 2259 talloc_tos(), 2260 true, 2261 data, 2262 data_len, 2263 &blob); 2264 break; 2265 case DCERPC_AUTH_LEVEL_INTEGRITY: 2266 status = netsec_incoming_packet(p->auth.a_u.schannel_auth, 2267 talloc_tos(), 2268 false, 2269 data, 2270 data_len, 2271 &blob); 2272 break; 2273 default: 2274 status = NT_STATUS_INTERNAL_ERROR; 2275 break; 2276 } 2277 2278 if (!NT_STATUS_IS_OK(status)) { 2279 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status))); 2280 return false; 2281 } 2282 2283 /* 2284 * Return the current pointer to the data offset. 2285 */ 2286 2287 if(!prs_set_offset(rpc_in, save_offset)) { 2288 DEBUG(0,("failed to set offset back to %u\n", 2289 (unsigned int)save_offset )); 2290 return False; 2291 } 2292 2293 /* 2294 * Remember the padding length. We must remove it from the real data 2295 * stream once the sign/seal is done. 2296 */ 2297 2298 *p_ss_padding_len = auth_info.auth_pad_len; 2299 2300 return True; 1518 data_blob_free(&p->out_data.frag); 1519 TALLOC_FREE(auth_blob.data); 1520 return setup_bind_nak(p, pkt); 2301 1521 } 2302 1522 … … 2321 1541 } 2322 1542 2323 /**************************************************************************** 2324 Memory cleanup. 2325 ****************************************************************************/ 2326 2327 void free_pipe_rpc_context( PIPE_RPC_FNS *list ) 2328 { 2329 PIPE_RPC_FNS *tmp = list; 2330 PIPE_RPC_FNS *tmp2; 2331 2332 while (tmp) { 2333 tmp2 = tmp->next; 2334 SAFE_FREE(tmp); 2335 tmp = tmp2; 2336 } 2337 2338 return; 2339 } 2340 2341 static bool api_rpcTNP(pipes_struct *p, 1543 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt, 2342 1544 const struct api_struct *api_rpc_cmds, int n_cmds); 2343 1545 … … 2348 1550 ****************************************************************************/ 2349 1551 2350 bool api_pipe_request(pipes_struct *p) 1552 static bool api_pipe_request(struct pipes_struct *p, 1553 struct ncacn_packet *pkt) 2351 1554 { 2352 1555 bool ret = False; … … 2355 1558 2356 1559 if (p->pipe_bound && 2357 ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) || 2358 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) { 2359 if(!become_authenticated_pipe_user(p)) { 2360 prs_mem_free(&p->out_data.rdata); 1560 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) || 1561 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) || 1562 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) { 1563 if(!become_authenticated_pipe_user(p->session_info)) { 1564 data_blob_free(&p->out_data.rdata); 2361 1565 return False; 2362 1566 } … … 2369 1573 /* get the set of RPC functions for this context */ 2370 1574 2371 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id); 1575 pipe_fns = find_pipe_fns_by_context(p->contexts, 1576 pkt->u.request.context_id); 2372 1577 2373 1578 if ( pipe_fns ) { 2374 1579 TALLOC_CTX *frame = talloc_stackframe(); 2375 ret = api_rpcTNP(p, p ipe_fns->cmds, pipe_fns->n_cmds);1580 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds); 2376 1581 TALLOC_FREE(frame); 2377 1582 } 2378 1583 else { 2379 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n", 2380 p->hdr_req.context_id, 2381 get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); 1584 DEBUG(0, ("No rpc function table associated with context " 1585 "[%d] on pipe [%s]\n", 1586 pkt->u.request.context_id, 1587 get_pipe_name_from_syntax(talloc_tos(), 1588 &p->syntax))); 2382 1589 } 2383 1590 … … 2393 1600 ********************************************************************/ 2394 1601 2395 static bool api_rpcTNP( pipes_struct *p,1602 static bool api_rpcTNP(, 2396 1603 const struct api_struct *api_rpc_cmds, int n_cmds) 2397 1604 { 2398 1605 int fn_num; 2399 uint32 offset1, offset2;1606 uint32; 2400 1607 2401 1608 /* interpret the command */ 2402 1609 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", 2403 1610 get_pipe_name_from_syntax(talloc_tos(), &p->syntax), 2404 p ->hdr_req.opnum));1611 p.opnum)); 2405 1612 2406 1613 if (DEBUGLEVEL >= 50) { … … 2408 1615 slprintf(name, sizeof(name)-1, "in_%s", 2409 1616 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)); 2410 prs_dump(name, p->hdr_req.opnum, &p->in_data.data); 1617 dump_pdu_region(name, pkt->u.request.opnum, 1618 &p->in_data.data, 0, 1619 p->in_data.data.length); 2411 1620 } 2412 1621 2413 1622 for (fn_num = 0; fn_num < n_cmds; fn_num++) { 2414 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) { 2415 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name)); 1623 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum && 1624 api_rpc_cmds[fn_num].fn != NULL) { 1625 DEBUG(3, ("api_rpcTNP: rpc command: %s\n", 1626 api_rpc_cmds[fn_num].name)); 2416 1627 break; 2417 1628 } … … 2429 1640 } 2430 1641 2431 offset1 = p rs_offset(&p->out_data.rdata);1642 offset1 = p; 2432 1643 2433 1644 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", … … 2438 1649 get_pipe_name_from_syntax(talloc_tos(), &p->syntax), 2439 1650 api_rpc_cmds[fn_num].name)); 2440 prs_mem_free(&p->out_data.rdata);1651 _free(&p->out_data.rdata); 2441 1652 return False; 2442 1653 } … … 2456 1667 } 2457 1668 2458 offset2 = prs_offset(&p->out_data.rdata);2459 prs_set_offset(&p->out_data.rdata, offset1);2460 1669 if (DEBUGLEVEL >= 50) { 2461 1670 fstring name; 2462 1671 slprintf(name, sizeof(name)-1, "out_%s", 2463 1672 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)); 2464 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata); 2465 } 2466 prs_set_offset(&p->out_data.rdata, offset2); 1673 dump_pdu_region(name, pkt->u.request.opnum, 1674 &p->out_data.rdata, offset1, 1675 p->out_data.rdata.length); 1676 } 2467 1677 2468 1678 DEBUG(5,("api_rpcTNP: called %s successfully\n", … … 2470 1680 2471 1681 /* Check for buffer underflow in rpc parsing */ 2472 2473 if ((DEBUGLEVEL >= 10) && 2474 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) { 2475 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data); 2476 char *data = (char *)SMB_MALLOC(data_len); 2477 1682 if ((DEBUGLEVEL >= 10) && 1683 (pkt->frag_length < p->in_data.data.length)) { 2478 1684 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n")); 2479 if (data) { 2480 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len); 2481 SAFE_FREE(data); 2482 } 2483 1685 dump_data(10, p->in_data.data.data + pkt->frag_length, 1686 p->in_data.data.length - pkt->frag_length); 2484 1687 } 2485 1688 2486 1689 return True; 2487 1690 } 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043
Note:
See TracChangeset
for help on using the changeset viewer.
