s3-rpc_server rename NTLMSSP functions to auth_generic..()

[mat/samba.git] / source3 / rpc_server / srv_pipe.c

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 878f5d07922dcba54c8415f270818383ef8155fc..5b2c78ab145b5e6a4fc1ec4353c6290078836449 100644 (file)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -43,6 +43,7 @@
 #include "ntdomain.h"
 #include "rpc_server/srv_pipe.h"
 #include "rpc_server/rpc_contexts.h"
+#include "lib/param/param.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -356,10 +357,10 @@ static bool check_bind_req(struct pipes_struct *p,
                return false;
        }
 
-       context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
+       context_fns = talloc(p, struct pipe_rpc_fns);
        if (context_fns == NULL) {
-               DEBUG(0,("check_bind_req: malloc() failed!\n"));
-               return False;
+               DEBUG(0,("check_bind_req: talloc() failed!\n"));
+               return false;
        }
 
        context_fns->next = context_fns->prev = NULL;
@@ -442,6 +443,7 @@ static bool pipe_spnego_auth_bind(struct pipes_struct *p,
                                          true,
                                          &auth_info->credentials,
                                          response,
+                                         p->remote_address,
                                          &spnego_ctx);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
@@ -476,6 +478,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
        struct netlogon_creds_CredentialState *creds;
        enum ndr_err_code ndr_err;
        struct schannel_state *schannel_auth;
+       struct loadparm_context *lp_ctx;
 
        ndr_err = ndr_pull_struct_blob(
                        &auth_info->credentials, mem_ctx, &neg,
@@ -494,6 +497,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
                return false;
        }
 
+       lp_ctx = loadparm_init_s3(p, loadparm_s3_context());
+       if (!lp_ctx) {
+               DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
+               return false;
+       }
+
        /*
         * The neg.oem_netbios_computer.a key here must match the remote computer name
         * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
@@ -501,10 +510,11 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
         */
 
        become_root();
-       status = schannel_get_creds_state(p, lp_private_dir(),
+       status = schannel_get_creds_state(p, lp_ctx,
                                            neg.oem_netbios_computer.a, &creds);
        unbecome_root();
-
+       
+       talloc_unlink(p, lp_ctx);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
                return False;
@@ -579,7 +589,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
                                   struct dcerpc_auth *auth_info,
                                   DATA_BLOB *response)
 {
-       struct auth_ntlmssp_state *ntlmssp_state = NULL;
+       struct gensec_security *gensec_security = NULL;
         NTSTATUS status;
 
        if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
@@ -588,7 +598,8 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
         }
 
        /* We have an NTLMSSP blob. */
-       status = ntlmssp_server_auth_start(p,
+       status = auth_generic_server_start(p,
+                                          OID_NTLMSSP,
                                           (auth_info->auth_level ==
                                                DCERPC_AUTH_LEVEL_INTEGRITY),
                                           (auth_info->auth_level ==
@@ -596,7 +607,8 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
                                           true,
                                           &auth_info->credentials,
                                           response,
-                                          &ntlmssp_state);
+                                          p->remote_address,
+                                          &gensec_security);
        if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
                DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
                          nt_errstr(status)));
@@ -606,7 +618,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
        /* Make sure data is bound to the memctx, to be freed the caller */
        talloc_steal(mem_ctx, response->data);
 
-       p->auth.auth_ctx = ntlmssp_state;
+       p->auth.auth_ctx = gensec_security;
        p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
 
        DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
@@ -622,37 +634,33 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
 *******************************************************************/
 
 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
-                               struct auth_ntlmssp_state *ntlmssp_ctx,
+                               struct gensec_security *gensec_security,
                                enum dcerpc_AuthLevel auth_level,
-                               struct client_address *client_id,
-                               struct ndr_syntax_id *syntax,
-                               struct auth_serversupplied_info **session_info)
+                               struct auth_session_info **session_info)
 {
        NTSTATUS status;
        bool ret;
 
-       DEBUG(5, (__location__ ": pipe %s checking user details\n",
-                get_pipe_name_from_syntax(talloc_tos(), syntax)));
+       DEBUG(5, (__location__ ": checking user details\n"));
 
        /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
           ensure the underlying NTLMSSP flags are also set. If not we should
           refuse the bind. */
 
-       status = ntlmssp_server_check_flags(ntlmssp_ctx,
+       status = auth_generic_server_check_flags(gensec_security,
                                            (auth_level ==
                                                DCERPC_AUTH_LEVEL_INTEGRITY),
                                            (auth_level ==
                                                DCERPC_AUTH_LEVEL_PRIVACY));
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, (__location__ ": Client failed to negotatie proper "
-                         "security for pipe %s\n",
-                         get_pipe_name_from_syntax(talloc_tos(), syntax)));
+                         "security for rpc connection\n"));
                return false;
        }
 
        TALLOC_FREE(*session_info);
 
-       status = ntlmssp_server_get_user_info(ntlmssp_ctx,
+       status = auth_generic_server_get_user_info(gensec_security,
                                                mem_ctx, session_info);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, (__location__ ": failed to obtain the server info "
@@ -724,8 +732,8 @@ err:
 
 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
                                         struct gse_context *gse_ctx,
-                                        struct client_address *client_id,
-                                        struct auth_serversupplied_info **session_info)
+                                        const struct tsocket_address *remote_address,
+                                        struct auth_session_info **session_info)
 {
        NTSTATUS status;
        bool bret;
@@ -741,7 +749,7 @@ static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
        }
 
        status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
-                                            client_id, session_info);
+                                            remote_address, session_info);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, (__location__ ": failed to obtain the server info "
                          "for authenticated user: %s\n", nt_errstr(status)));
@@ -765,7 +773,7 @@ static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
 {
        enum spnego_mech auth_type;
-       struct auth_ntlmssp_state *ntlmssp_ctx;
+       struct gensec_security *gensec_security;
        struct spnego_context *spnego_ctx;
        struct gse_context *gse_ctx;
        void *mech_ctx;
@@ -773,11 +781,10 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
 
        switch (p->auth.auth_type) {
        case DCERPC_AUTH_TYPE_NTLMSSP:
-               ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
-                                                   struct auth_ntlmssp_state);
-               if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
+               gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
+                                                       struct gensec_security);
+               if (!pipe_ntlmssp_verify_final(p, gensec_security,
                                                p->auth.auth_level,
-                                               p->client_id, &p->syntax,
                                                &p->session_info)) {
                        return NT_STATUS_ACCESS_DENIED;
                }
@@ -786,7 +793,7 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
                gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
                                                struct gse_context);
                status = pipe_gssapi_verify_final(p, gse_ctx,
-                                                 p->client_id,
+                                                 p->remote_address,
                                                  &p->session_info);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("gssapi bind failed with: %s",
@@ -809,7 +816,7 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
                        gse_ctx = talloc_get_type_abort(mech_ctx,
                                                        struct gse_context);
                        status = pipe_gssapi_verify_final(p, gse_ctx,
-                                                         p->client_id,
+                                                         p->remote_address,
                                                          &p->session_info);
                        if (!NT_STATUS_IS_OK(status)) {
                                DEBUG(1, ("gssapi bind failed with: %s",
@@ -818,12 +825,10 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
                        }
                        break;
                case SPNEGO_NTLMSSP:
-                       ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
-                                               struct auth_ntlmssp_state);
-                       if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
+                       gensec_security = talloc_get_type_abort(mech_ctx,
+                                               struct gensec_security);
+                       if (!pipe_ntlmssp_verify_final(p, gensec_security,
                                                        p->auth.auth_level,
-                                                       p->client_id,
-                                                       &p->syntax,
                                                        &p->session_info)) {
                                return NT_STATUS_ACCESS_DENIED;
                        }
@@ -1159,7 +1164,7 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
 {
        struct dcerpc_auth auth_info;
        DATA_BLOB response = data_blob_null;
-       struct auth_ntlmssp_state *ntlmssp_ctx;
+       struct gensec_security *gensec_security;
        struct spnego_context *spnego_ctx;
        struct gse_context *gse_ctx;
        NTSTATUS status;
@@ -1207,9 +1212,9 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
 
        switch (auth_info.auth_type) {
        case DCERPC_AUTH_TYPE_NTLMSSP:
-               ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
-                                                   struct auth_ntlmssp_state);
-               status = ntlmssp_server_step(ntlmssp_ctx,
+               gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
+                                                   struct gensec_security);
+               status = auth_generic_server_step(gensec_security,
                                             pkt, &auth_info.credentials,
                                             &response);
                break;
@@ -1278,7 +1283,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
        DATA_BLOB auth_resp = data_blob_null;
        DATA_BLOB auth_blob = data_blob_null;
        int pad_len = 0;
-       struct auth_ntlmssp_state *ntlmssp_ctx;
+       struct gensec_security *gensec_security;
        struct spnego_context *spnego_ctx;
        struct gse_context *gse_ctx;
 
@@ -1375,9 +1380,9 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
                                                    &auth_resp);
                        break;
                case DCERPC_AUTH_TYPE_NTLMSSP:
-                       ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
-                                                   struct auth_ntlmssp_state);
-                       status = ntlmssp_server_step(ntlmssp_ctx,
+                       gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
+                                                   struct gensec_security);
+                       status = auth_generic_server_step(gensec_security,
                                                     pkt,
                                                     &auth_info.credentials,
                                                     &auth_resp);
@@ -1526,18 +1531,18 @@ static bool api_pipe_request(struct pipes_struct *p,
                                struct ncacn_packet *pkt)
 {
        bool ret = False;
-       bool changed_user = False;
-       PIPE_RPC_FNS *pipe_fns;
-
-       if (p->pipe_bound &&
-           ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
-            (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
-            (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
-               if(!become_authenticated_pipe_user(p->session_info)) {
-                       data_blob_free(&p->out_data.rdata);
-                       return False;
-               }
-               changed_user = True;
+       struct pipe_rpc_fns *pipe_fns;
+
+       if (!p->pipe_bound) {
+               DEBUG(1, ("Pipe not bound!\n"));
+               data_blob_free(&p->out_data.rdata);
+               return false;
+       }
+
+       if (!become_authenticated_pipe_user(p->session_info)) {
+               DEBUG(1, ("Failed to become pipe user!\n"));
+               data_blob_free(&p->out_data.rdata);
+               return false;
        }
 
        /* get the set of RPC functions for this context */
@@ -1562,9 +1567,7 @@ static bool api_pipe_request(struct pipes_struct *p,
                          pkt->u.request.context_id));
        }
 
-       if (changed_user) {
-               unbecome_authenticated_pipe_user();
-       }
+       unbecome_authenticated_pipe_user();
 
        return ret;
 }
@@ -1694,8 +1697,8 @@ void set_incoming_fault(struct pipes_struct *p)
        p->in_data.pdu_needed_len = 0;
        p->in_data.pdu.length = 0;
        p->fault_state = True;
-       DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
-                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
+
+       DEBUG(10, ("Setting fault state\n"));
 }
 
 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
@@ -1829,8 +1832,7 @@ void process_complete_pdu(struct pipes_struct *p)
        bool reply = False;
 
        if(p->fault_state) {
-               DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
-                         get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
+               DEBUG(10,("RPC connection in fault state.\n"));
                goto done;
        }
 
@@ -1862,7 +1864,7 @@ void process_complete_pdu(struct pipes_struct *p)
        /* Store the call_id */
        p->call_id = pkt->call_id;
 
-       DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
+       DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
 
        switch (pkt->ptype) {
        case DCERPC_PKT_REQUEST:
@@ -1870,19 +1872,12 @@ void process_complete_pdu(struct pipes_struct *p)
                break;
 
        case DCERPC_PKT_PING: /* CL request - ignore... */
-               DEBUG(0, ("process_complete_pdu: Error. "
-                         "Connectionless packet type %d received on "
-                         "pipe %s.\n", (int)pkt->ptype,
-                        get_pipe_name_from_syntax(talloc_tos(),
-                                                  &p->syntax)));
+               DEBUG(0, ("Error - Connectionless packet type %u received\n",
+                         (unsigned int)pkt->ptype));
                break;
 
        case DCERPC_PKT_RESPONSE: /* No responses here. */
-               DEBUG(0, ("process_complete_pdu: Error. "
-                         "DCERPC_PKT_RESPONSE received from client "
-                         "on pipe %s.\n",
-                        get_pipe_name_from_syntax(talloc_tos(),
-                                                  &p->syntax)));
+               DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
                break;
 
        case DCERPC_PKT_FAULT:
@@ -1895,11 +1890,8 @@ void process_complete_pdu(struct pipes_struct *p)
        case DCERPC_PKT_CL_CANCEL:
        case DCERPC_PKT_FACK:
        case DCERPC_PKT_CANCEL_ACK:
-               DEBUG(0, ("process_complete_pdu: Error. "
-                         "Connectionless packet type %u received on "
-                         "pipe %s.\n", (unsigned int)pkt->ptype,
-                        get_pipe_name_from_syntax(talloc_tos(),
-                                                  &p->syntax)));
+               DEBUG(0, ("Error - Connectionless packet type %u received\n",
+                         (unsigned int)pkt->ptype));
                break;
 
        case DCERPC_PKT_BIND:
@@ -1913,12 +1905,9 @@ void process_complete_pdu(struct pipes_struct *p)
 
        case DCERPC_PKT_BIND_ACK:
        case DCERPC_PKT_BIND_NAK:
-               DEBUG(0, ("process_complete_pdu: Error. "
-                         "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
-                         "packet type %u received on pipe %s.\n",
-                         (unsigned int)pkt->ptype,
-                        get_pipe_name_from_syntax(talloc_tos(),
-                                                  &p->syntax)));
+               DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
+                         "packet type %u received.\n",
+                         (unsigned int)pkt->ptype));
                break;
 
 
@@ -1932,11 +1921,8 @@ void process_complete_pdu(struct pipes_struct *p)
                break;
 
        case DCERPC_PKT_ALTER_RESP:
-               DEBUG(0, ("process_complete_pdu: Error. "
-                         "DCERPC_PKT_ALTER_RESP on pipe %s: "
-                         "Should only be server -> client.\n",
-                        get_pipe_name_from_syntax(talloc_tos(),
-                                                  &p->syntax)));
+               DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
+                         "Should only be server -> client.\n"));
                break;
 
        case DCERPC_PKT_AUTH3:
@@ -1949,11 +1935,8 @@ void process_complete_pdu(struct pipes_struct *p)
                break;
 
        case DCERPC_PKT_SHUTDOWN:
-               DEBUG(0, ("process_complete_pdu: Error. "
-                         "DCERPC_PKT_SHUTDOWN on pipe %s: "
-                         "Should only be server -> client.\n",
-                        get_pipe_name_from_syntax(talloc_tos(),
-                                                  &p->syntax)));
+               DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
+                         "Should only be server -> client.\n"));
                break;
 
        case DCERPC_PKT_CO_CANCEL:
@@ -1998,9 +1981,7 @@ void process_complete_pdu(struct pipes_struct *p)
 
 done:
        if (!reply) {
-               DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
-                        "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
-                                                               &p->syntax)));
+               DEBUG(3,("DCE/RPC fault sent!"));
                set_incoming_fault(p);
                setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
                TALLOC_FREE(pkt);