static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, enum dcerpc_AuthLevel auth_level, struct auth_session_info **session_info) { NTSTATUS status; bool ret; DEBUG(5, (__location__ ": checking user details\n")); /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) ensure the underlying NTLMSSP flags are also set. If not we should refuse the bind. */ status = auth_generic_server_check_flags(gensec_security, (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY), (auth_level == DCERPC_AUTH_LEVEL_PRIVACY)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": Client failed to negotatie proper " "security for rpc connection\n")); return false; } TALLOC_FREE(*session_info); status = auth_generic_server_get_user_info(gensec_security, mem_ctx, session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": failed to obtain the server info " "for authenticated user: %s\n", nt_errstr(status))); return false; } if ((*session_info)->security_token == NULL) { DEBUG(1, ("Auth module failed to provide nt_user_token\n")); return false; } if ((*session_info)->unix_token == NULL) { DEBUG(1, ("Auth module failed to provide unix_token\n")); return false; } /* * We're an authenticated bind over smb, so the session key needs to * be set to "SystemLibraryDTC". Weird, but this is what Windows * does. See the RPC-SAMBA3SESSIONKEY. */ ret = session_info_set_session_key((*session_info), generic_session_key()); if (!ret) { DEBUG(0, ("Failed to set session key!\n")); return false; } return true; }
static bool api_pipe_bind_req(struct pipes_struct *p, struct ncacn_packet *pkt) { struct dcerpc_auth auth_info; uint16 assoc_gid; unsigned int auth_type = DCERPC_AUTH_TYPE_NONE; NTSTATUS status; struct ndr_syntax_id id; uint8_t pfc_flags = 0; union dcerpc_payload u; struct dcerpc_ack_ctx bind_ack_ctx; DATA_BLOB auth_resp = data_blob_null; DATA_BLOB auth_blob = data_blob_null; const struct ndr_interface_table *table; /* No rebinds on a bound pipe - use alter context. */ if (p->pipe_bound) { DEBUG(2,("Rejecting bind request on bound rpc connection\n")); return setup_bind_nak(p, pkt); } if (pkt->u.bind.num_contexts == 0) { DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n")); goto err_exit; } /* * Try and find the correct pipe name to ensure * that this is a pipe name we support. */ id = pkt->u.bind.ctx_list[0].abstract_syntax; table = ndr_table_by_uuid(&id.uuid); if (table == NULL) { DEBUG(0,("unknown interface\n")); return false; } if (rpc_srv_pipe_exists_by_id(&id)) { DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n", rpc_srv_get_pipe_cli_name(&id), rpc_srv_get_pipe_srv_name(&id))); } else { status = smb_probe_module( "rpc", dcerpc_default_transport_endpoint(pkt, NCACN_NP, table)); if (NT_STATUS_IS_ERR(status)) { DEBUG(3,("api_pipe_bind_req: Unknown rpc service name " "%s in bind request.\n", ndr_interface_name(&id.uuid, id.if_version))); return setup_bind_nak(p, pkt); } if (rpc_srv_get_pipe_interface_by_cli_name( dcerpc_default_transport_endpoint(pkt, NCACN_NP, table), &id)) { DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n", rpc_srv_get_pipe_cli_name(&id), rpc_srv_get_pipe_srv_name(&id))); } else { DEBUG(0, ("module %s doesn't provide functions for " "pipe %s!\n", ndr_interface_name(&id.uuid, id.if_version), ndr_interface_name(&id.uuid, id.if_version))); return setup_bind_nak(p, pkt); } } DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__)); if (pkt->u.bind.assoc_group_id != 0) { assoc_gid = pkt->u.bind.assoc_group_id; } else { assoc_gid = 0x53f0; } /* * Create the bind response struct. */ /* If the requested abstract synt uuid doesn't match our client pipe, reject the bind_ack & set the transfer interface synt to all 0's, ver 0 (observed when NT5 attempts to bind to abstract interfaces unknown to NT4) Needed when adding entries to a DACL from NT5 - SK */ if (check_bind_req(p, &pkt->u.bind.ctx_list[0].abstract_syntax, &pkt->u.bind.ctx_list[0].transfer_syntaxes[0], pkt->u.bind.ctx_list[0].context_id)) { bind_ack_ctx.result = 0; bind_ack_ctx.reason.value = 0; bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; } else { p->pipe_bound = False; /* Rejection reason: abstract syntax not supported */ bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; bind_ack_ctx.reason.value = DCERPC_BIND_REASON_ASYNTAX; bind_ack_ctx.syntax = ndr_syntax_id_null; } /* * Check if this is an authenticated bind request. */ if (pkt->auth_length) { /* Quick length check. Won't catch a bad auth footer, * prevents overrun. */ if (pkt->frag_length < RPC_HEADER_LEN + DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length) { DEBUG(0,("api_pipe_bind_req: auth_len (%u) " "too long for fragment %u.\n", (unsigned int)pkt->auth_length, (unsigned int)pkt->frag_length)); goto err_exit; } /* * Decode the authentication verifier. */ status = dcerpc_pull_dcerpc_auth(pkt, &pkt->u.bind.auth_info, &auth_info, p->endian); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); goto err_exit; } auth_type = auth_info.auth_type; /* Work out if we have to sign or seal etc. */ switch (auth_info.auth_level) { case DCERPC_AUTH_LEVEL_INTEGRITY: p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; break; case DCERPC_AUTH_LEVEL_PRIVACY: p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY; break; case DCERPC_AUTH_LEVEL_CONNECT: p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT; break; default: DEBUG(0, ("Unexpected auth level (%u).\n", (unsigned int)auth_info.auth_level )); goto err_exit; } switch (auth_type) { case DCERPC_AUTH_TYPE_NTLMSSP: if (!pipe_auth_generic_bind(p, pkt, &auth_info, &auth_resp)) { goto err_exit; } assoc_gid = 0x7a77; break; case DCERPC_AUTH_TYPE_SCHANNEL: if (!pipe_auth_generic_bind(p, pkt, &auth_info, &auth_resp)) { goto err_exit; } if (!session_info_set_session_key(p->session_info, generic_session_key())) { DEBUG(0, ("session_info_set_session_key failed\n")); goto err_exit; } p->pipe_bound = true; break; case DCERPC_AUTH_TYPE_SPNEGO: case DCERPC_AUTH_TYPE_KRB5: if (!pipe_auth_generic_bind(p, pkt, &auth_info, &auth_resp)) { goto err_exit; } break; case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: if (p->transport == NCALRPC && p->ncalrpc_as_system) { TALLOC_FREE(p->session_info); status = make_session_info_system(p, &p->session_info); if (!NT_STATUS_IS_OK(status)) { goto err_exit; } auth_resp = data_blob_talloc(pkt, "NCALRPC_AUTH_OK", 15); p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM; p->pipe_bound = true; } else { goto err_exit; } break; case DCERPC_AUTH_TYPE_NONE: break; default: DEBUG(0, ("Unknown auth type %x requested.\n", auth_type)); goto err_exit; } } if (auth_type == DCERPC_AUTH_TYPE_NONE) { /* Unauthenticated bind request. */ /* We're finished - no more packets. */ p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; /* We must set the pipe auth_level here also. */ p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; p->pipe_bound = True; /* The session key was initialized from the SMB * session in make_internal_rpc_pipe_p */ } ZERO_STRUCT(u.bind_ack); u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN; u.bind_ack.assoc_group_id = assoc_gid; /* name has to be \PIPE\xxxxx */ u.bind_ack.secondary_address = talloc_asprintf(pkt, "\\PIPE\\%s", rpc_srv_get_pipe_srv_name(&id)); if (!u.bind_ack.secondary_address) { DEBUG(0, ("Out of memory!\n")); goto err_exit; } u.bind_ack.secondary_address_size = strlen(u.bind_ack.secondary_address) + 1; u.bind_ack.num_results = 1; u.bind_ack.ctx_list = &bind_ack_ctx; /* NOTE: We leave the auth_info empty so we can calculate the padding * later and then append the auth_info --simo */ /* * Marshall directly into the outgoing PDU space. We * must do this as we need to set to the bind response * header and are never sending more than one PDU here. */ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST; if (p->auth.hdr_signing) { pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN; } status = dcerpc_push_ncacn_packet(p->mem_ctx, DCERPC_PKT_BIND_ACK, pfc_flags, auth_resp.length, pkt->call_id, &u, &p->out_data.frag); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", nt_errstr(status))); } if (auth_resp.length) { status = dcerpc_push_dcerpc_auth(pkt, auth_type, auth_info.auth_level, 0, 1, /* auth_context_id */ &auth_resp, &auth_blob); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Marshalling of dcerpc_auth failed.\n")); goto err_exit; } } /* Now that we have the auth len store it into the right place in * the dcerpc header */ dcerpc_set_frag_length(&p->out_data.frag, p->out_data.frag.length + auth_blob.length); if (auth_blob.length) { if (!data_blob_append(p->mem_ctx, &p->out_data.frag, auth_blob.data, auth_blob.length)) { DEBUG(0, ("Append of auth info failed.\n")); goto err_exit; } } /* * Setup the lengths for the initial reply. */ p->out_data.data_sent_length = 0; p->out_data.current_pdu_sent = 0; TALLOC_FREE(auth_blob.data); return True; err_exit: data_blob_free(&p->out_data.frag); TALLOC_FREE(auth_blob.data); return setup_bind_nak(p, pkt); }