search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r1383: sync from 3.0 tree
[Samba.git] / source / rpc_server / srv_pipe.c
blob36929150e545c2c7ee1736104cd51e0c940c02ce
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_RPC_SRV
45
46 /*************************************************************
47 HACK Alert!
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
52
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
54 {
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
58 int ind;
59
60 for( ind = 0; ind < len; ind++) {
61 unsigned char tc;
62 unsigned char t;
63
64 index_i++;
65 index_j += hash[index_i];
66
67 tc = hash[index_i];
68 hash[index_i] = hash[index_j];
69 hash[index_j] = tc;
70
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
73 }
74
75 hash[256] = index_i;
76 hash[257] = index_j;
77 }
78
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
84
85 BOOL create_next_pdu(pipes_struct *p)
86 {
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
90 uint32 ss_padding_len = 0;
91 uint32 data_len;
92 uint32 data_space_available;
93 uint32 data_len_left;
94 prs_struct outgoing_pdu;
95 uint32 data_pos;
96
97 /*
98 * If we're in the fault state, keep returning fault PDU's until
99 * the pipe gets closed. JRA.
100 */
101
102 if(p->fault_state) {
103 setup_fault_pdu(p, NT_STATUS(0x1c010002));
104 return True;
105 }
106
107 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
108
109 /* Change the incoming request header to a response. */
110 p->hdr.pkt_type = RPC_RESPONSE;
111
112 /* Set up rpc header flags. */
113 if (p->out_data.data_sent_length == 0) {
114 p->hdr.flags = RPC_FLG_FIRST;
115 } else {
116 p->hdr.flags = 0;
117 }
118
119 /*
120 * Work out how much we can fit in a single PDU.
121 */
122
123 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
124 if(p->ntlmssp_auth_validated) {
125 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
126 } else if(p->netsec_auth_validated) {
127 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
128 }
129
130 /*
131 * The amount we send is the minimum of the available
132 * space and the amount left to send.
133 */
134
135 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
136
137 /*
138 * Ensure there really is data left to send.
139 */
140
141 if(!data_len_left) {
142 DEBUG(0,("create_next_pdu: no data left to send !\n"));
143 return False;
144 }
145
146 data_len = MIN(data_len_left, data_space_available);
147
148 /*
149 * Set up the alloc hint. This should be the data left to
150 * send.
151 */
152
153 hdr_resp.alloc_hint = data_len_left;
154
155 /*
156 * Work out if this PDU will be the last.
157 */
158
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
160 p->hdr.flags |= RPC_FLG_LAST;
161 if ((auth_seal || auth_verify) && (data_len_left % 8)) {
162 ss_padding_len = 8 - (data_len_left % 8);
163 DEBUG(10,("create_next_pdu: adding sign/seal padding of %u\n",
164 ss_padding_len ));
165 }
166 }
167
168 /*
169 * Set up the header lengths.
170 */
171
172 if (p->ntlmssp_auth_validated) {
173 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
174 data_len + ss_padding_len +
175 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
176 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
177 } else if (p->netsec_auth_validated) {
178 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
179 data_len + ss_padding_len +
180 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
181 p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
182 } else {
183 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
184 p->hdr.auth_len = 0;
185 }
186
187 /*
188 * Init the parse struct to point at the outgoing
189 * data.
190 */
191
192 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
193 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
194
195 /* Store the header in the data stream. */
196 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
197 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
198 prs_mem_free(&outgoing_pdu);
199 return False;
200 }
201
202 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
203 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
204 prs_mem_free(&outgoing_pdu);
205 return False;
206 }
207
208 /* Store the current offset. */
209 data_pos = prs_offset(&outgoing_pdu);
210
211 /* Copy the data into the PDU. */
212
213 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
214 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
215 prs_mem_free(&outgoing_pdu);
216 return False;
217 }
218
219 /* Copy the sign/seal padding data. */
220 if (ss_padding_len) {
221 char pad[8];
222 memset(pad, '\0', 8);
223 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
224 DEBUG(0,("create_next_pdu: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
225 prs_mem_free(&outgoing_pdu);
226 return False;
227 }
228 }
229
230 if (p->ntlmssp_auth_validated) {
231 /*
232 * NTLMSSP processing. Mutually exclusive with Schannel.
233 */
234 uint32 crc32 = 0;
235 char *data;
236
237 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
238 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len + ss_padding_len, p->hdr.auth_len));
239
240 /*
241 * Set data to point to where we copied the data into.
242 */
243
244 data = prs_data_p(&outgoing_pdu) + data_pos;
245
246 if (auth_seal) {
247 crc32 = crc32_calc_buffer(data, data_len + ss_padding_len);
248 NTLMSSPcalc_p(p, (uchar*)data, data_len + ss_padding_len);
249 }
250
251 if (auth_seal || auth_verify) {
252 RPC_HDR_AUTH auth_info;
253
254 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE,
255 auth_seal ? RPC_PIPE_AUTH_SEAL_LEVEL : RPC_PIPE_AUTH_SIGN_LEVEL,
256 (auth_verify ? ss_padding_len : 0), (auth_verify ? 1 : 0));
257 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
258 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
259 prs_mem_free(&outgoing_pdu);
260 return False;
261 }
262 }
263
264 if (auth_verify) {
265 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
266 char *auth_data = prs_data_p(&outgoing_pdu);
267
268 p->ntlmssp_seq_num++;
269 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
270 crc32, p->ntlmssp_seq_num++);
271 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
272 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
273 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
274 prs_mem_free(&outgoing_pdu);
275 return False;
276 }
277 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
278 }
279 } else if (p->netsec_auth_validated) {
280 /*
281 * Schannel processing. Mutually exclusive with NTLMSSP.
282 */
283 int auth_type, auth_level;
284 char *data;
285 RPC_HDR_AUTH auth_info;
286
287 RPC_AUTH_NETSEC_CHK verf;
288 prs_struct rverf;
289 prs_struct rauth;
290
291 data = prs_data_p(&outgoing_pdu) + data_pos;
292 /* Check it's the type of reply we were expecting to decode */
293
294 get_auth_type_level(p->netsec_auth.auth_flags, &auth_type, &auth_level);
295 init_rpc_hdr_auth(&auth_info, auth_type, auth_level,
296 ss_padding_len, 1);
297
298 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
299 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
300 prs_mem_free(&outgoing_pdu);
301 return False;
302 }
303
304 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
305 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
306
307 netsec_encode(&p->netsec_auth,
308 p->netsec_auth.auth_flags,
309 SENDER_IS_ACCEPTOR,
310 &verf, data, data_len + ss_padding_len);
311
312 smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
313 &verf, &outgoing_pdu, 0);
314
315 p->netsec_auth.seq_num++;
316 }
317
318 /*
319 * Setup the counts for this PDU.
320 */
321
322 p->out_data.data_sent_length += data_len;
323 p->out_data.current_pdu_len = p->hdr.frag_len;
324 p->out_data.current_pdu_sent = 0;
325
326 prs_mem_free(&outgoing_pdu);
327 return True;
328 }
329
330 /*******************************************************************
331 Process an NTLMSSP authentication response.
332 If this function succeeds, the user has been authenticated
333 and their domain, name and calling workstation stored in
334 the pipe struct.
335 The initial challenge is stored in p->challenge.
336 *******************************************************************/
337
338 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
339 {
340 uchar lm_owf[24];
341 uchar nt_owf[128];
342 int nt_pw_len;
343 int lm_pw_len;
344 fstring user_name;
345 fstring domain;
346 fstring wks;
347
348 NTSTATUS nt_status;
349
350 struct auth_context *auth_context = NULL;
351 auth_usersupplied_info *user_info = NULL;
352 auth_serversupplied_info *server_info = NULL;
353
354 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
355
356 memset(p->user_name, '\0', sizeof(p->user_name));
357 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
358 memset(p->domain, '\0', sizeof(p->domain));
359 memset(p->wks, '\0', sizeof(p->wks));
360
361 /* Set up for non-authenticated user. */
362 delete_nt_token(&p->pipe_user.nt_user_token);
363 p->pipe_user.ngroups = 0;
364 SAFE_FREE( p->pipe_user.groups);
365
366 /*
367 * Setup an empty password for a guest user.
368 */
369
370 /*
371 * We always negotiate UNICODE.
372 */
373
374 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
375 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
376 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
377 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
378 } else {
379 pull_ascii_fstring(user_name, ntlmssp_resp->user);
380 pull_ascii_fstring(domain, ntlmssp_resp->domain);
381 pull_ascii_fstring(wks, ntlmssp_resp->wks);
382 }
383
384 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
385
386 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
387 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
388
389 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
390 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
391
392 #ifdef DEBUG_PASSWORD
393 DEBUG(100,("lm, nt owfs, chal\n"));
394 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
395 dump_data(100, (char *)nt_owf, nt_pw_len);
396 dump_data(100, (char *)p->challenge, 8);
397 #endif
398
399 /*
400 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
401 */
402
403 if (*user_name) {
404
405 /*
406 * Do the length checking only if user is not NULL.
407 */
408
409 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
410 return False;
411 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
412 return False;
413 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
414 return False;
415 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
416 return False;
417 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
418 return False;
419
420 }
421
422 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
423
424 if (!make_user_info_netlogon_network(&user_info,
425 user_name, domain, wks,
426 lm_owf, lm_pw_len,
427 nt_owf, nt_pw_len)) {
428 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
429 return False;
430 }
431
432 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
433
434 (auth_context->free)(&auth_context);
435 free_user_info(&user_info);
436
437 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
438
439 if (!p->ntlmssp_auth_validated) {
440 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
441 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
442 free_server_info(&server_info);
443 return False;
444 }
445
446 /*
447 * Set up the sign/seal data.
448 */
449
450 if (server_info->lm_session_key.length != 16) {
451 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
452 succeeded authentication on named pipe %s, but session key was of incorrect length [%u].\n",
453 domain, user_name, wks, p->name, server_info->lm_session_key.length));
454 free_server_info(&server_info);
455 return False;
456 } else {
457 uchar p24[24];
458 NTLMSSPOWFencrypt(server_info->lm_session_key.data, lm_owf, p24);
459 {
460 unsigned char j = 0;
461 int ind;
462
463 unsigned char k2[8];
464
465 memcpy(k2, p24, 5);
466 k2[5] = 0xe5;
467 k2[6] = 0x38;
468 k2[7] = 0xb0;
469
470 for (ind = 0; ind < 256; ind++)
471 p->ntlmssp_hash[ind] = (unsigned char)ind;
472
473 for( ind = 0; ind < 256; ind++) {
474 unsigned char tc;
475
476 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
477
478 tc = p->ntlmssp_hash[ind];
479 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
480 p->ntlmssp_hash[j] = tc;
481 }
482
483 p->ntlmssp_hash[256] = 0;
484 p->ntlmssp_hash[257] = 0;
485 }
486
487 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
488 sizeof(p->ntlmssp_hash));
489
490 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
491 p->ntlmssp_seq_num = 0;
492
493 }
494
495 fstrcpy(p->user_name, user_name);
496 fstrcpy(p->pipe_user_name, server_info->unix_name);
497 fstrcpy(p->domain, domain);
498 fstrcpy(p->wks, wks);
499
500 /*
501 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
502 */
503
504 p->session_key = data_blob(server_info->lm_session_key.data, server_info->lm_session_key.length);
505
506 p->pipe_user.uid = server_info->uid;
507 p->pipe_user.gid = server_info->gid;
508
509 p->pipe_user.ngroups = server_info->n_groups;
510 if (p->pipe_user.ngroups) {
511 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
512 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
513 free_server_info(&server_info);
514 return False;
515 }
516 }
517
518 if (server_info->ptok)
519 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
520 else {
521 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
522 p->pipe_user.nt_user_token = NULL;
523 free_server_info(&server_info);
524 return False;
525 }
526
527 p->ntlmssp_auth_validated = True;
528
529 free_server_info(&server_info);
530 return True;
531 }
532
533 /*******************************************************************
534 The switch table for the pipe names and the functions to handle them.
535 *******************************************************************/
536
537 struct rpc_table
538 {
539 struct
540 {
541 const char *clnt;
542 const char *srv;
543 } pipe;
544 struct api_struct *cmds;
545 int n_cmds;
546 };
547
548 static struct rpc_table *rpc_lookup;
549 static int rpc_lookup_size;
550
551 /*******************************************************************
552 This is the client reply to our challenge for an authenticated
553 bind request. The challenge we sent is in p->challenge.
554 *******************************************************************/
555
556 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
557 {
558 RPC_HDR_AUTHA autha_info;
559 RPC_AUTH_VERIFIER auth_verifier;
560 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
561
562 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
563
564 if (p->hdr.auth_len == 0) {
565 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
566 return False;
567 }
568
569 /*
570 * Decode the authentication verifier response.
571 */
572
573 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
574 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
575 return False;
576 }
577
578 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) {
579 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
580 (int)autha_info.auth_type, (int)autha_info.auth_level ));
581 return False;
582 }
583
584 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
585 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
586 return False;
587 }
588
589 /*
590 * Ensure this is a NTLMSSP_AUTH packet type.
591 */
592
593 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
594 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
595 return False;
596 }
597
598 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
599 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
600 return False;
601 }
602
603 /*
604 * The following call actually checks the challenge/response data.
605 * for correctness against the given DOMAIN\user name.
606 */
607
608 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
609 return False;
610
611 p->pipe_bound = True
612 ;
613 return True;
614 }
615
616 /*******************************************************************
617 Marshall a bind_nak pdu.
618 *******************************************************************/
619
620 static BOOL setup_bind_nak(pipes_struct *p)
621 {
622 prs_struct outgoing_rpc;
623 RPC_HDR nak_hdr;
624 uint16 zero = 0;
625
626 /* Free any memory in the current return data buffer. */
627 prs_mem_free(&p->out_data.rdata);
628
629 /*
630 * Marshall directly into the outgoing PDU space. We
631 * must do this as we need to set to the bind response
632 * header and are never sending more than one PDU here.
633 */
634
635 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
636 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
637
638
639 /*
640 * Initialize a bind_nak header.
641 */
642
643 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
644 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
645
646 /*
647 * Marshall the header into the outgoing PDU.
648 */
649
650 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
651 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
652 prs_mem_free(&outgoing_rpc);
653 return False;
654 }
655
656 /*
657 * Now add the reject reason.
658 */
659
660 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
661 prs_mem_free(&outgoing_rpc);
662 return False;
663 }
664
665 p->out_data.data_sent_length = 0;
666 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
667 p->out_data.current_pdu_sent = 0;
668
669 p->pipe_bound = False;
670
671 return True;
672 }
673
674 /*******************************************************************
675 Marshall a fault pdu.
676 *******************************************************************/
677
678 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
679 {
680 prs_struct outgoing_pdu;
681 RPC_HDR fault_hdr;
682 RPC_HDR_RESP hdr_resp;
683 RPC_HDR_FAULT fault_resp;
684
685 /* Free any memory in the current return data buffer. */
686 prs_mem_free(&p->out_data.rdata);
687
688 /*
689 * Marshall directly into the outgoing PDU space. We
690 * must do this as we need to set to the bind response
691 * header and are never sending more than one PDU here.
692 */
693
694 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
695 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
696
697 /*
698 * Initialize a fault header.
699 */
700
701 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
702 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
703
704 /*
705 * Initialize the HDR_RESP and FAULT parts of the PDU.
706 */
707
708 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
709
710 fault_resp.status = status;
711 fault_resp.reserved = 0;
712
713 /*
714 * Marshall the header into the outgoing PDU.
715 */
716
717 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
718 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
719 prs_mem_free(&outgoing_pdu);
720 return False;
721 }
722
723 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
724 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
725 prs_mem_free(&outgoing_pdu);
726 return False;
727 }
728
729 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
730 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
731 prs_mem_free(&outgoing_pdu);
732 return False;
733 }
734
735 p->out_data.data_sent_length = 0;
736 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
737 p->out_data.current_pdu_sent = 0;
738
739 prs_mem_free(&outgoing_pdu);
740 return True;
741 }
742
743 /*******************************************************************
744 Ensure a bind request has the correct abstract & transfer interface.
745 Used to reject unknown binds from Win2k.
746 *******************************************************************/
747
748 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
749 RPC_IFACE* transfer, uint32 context_id)
750 {
751 extern struct pipe_id_info pipe_names[];
752 char *pipe_name = p->name;
753 int i=0;
754 fstring pname;
755
756 fstrcpy(pname,"\\PIPE\\");
757 fstrcat(pname,pipe_name);
758
759 DEBUG(3,("check_bind_req for %s\n", pname));
760
761 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
762
763 for ( i=0; pipe_names[i].client_pipe; i++ )
764 {
765 if ( strequal(pipe_names[i].client_pipe, pname)
766 && (abstract->version == pipe_names[i].abstr_syntax.version)
767 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
768 && (transfer->version == pipe_names[i].trans_syntax.version)
769 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) )
770 {
771 struct api_struct *fns = NULL;
772 int n_fns = 0;
773 PIPE_RPC_FNS *context_fns;
774
775 if ( !(context_fns = malloc(sizeof(PIPE_RPC_FNS))) ) {
776 DEBUG(0,("check_bind_req: malloc() failed!\n"));
777 return False;
778 }
779
780 /* save the RPC function table associated with this bind */
781
782 get_pipe_fns(i, &fns, &n_fns);
783
784 context_fns->cmds = fns;
785 context_fns->n_cmds = n_fns;
786 context_fns->context_id = context_id;
787
788 /* add to the list of open contexts */
789
790 DLIST_ADD( p->contexts, context_fns );
791
792 break;
793 }
794 }
795
796 if(pipe_names[i].client_pipe == NULL)
797 return False;
798
799 return True;
800 }
801
802 /*******************************************************************
803 Register commands to an RPC pipe
804 *******************************************************************/
805 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
806 {
807 struct rpc_table *rpc_entry;
808
809 if (!clnt || !srv || !cmds) {
810 return NT_STATUS_INVALID_PARAMETER;
811 }
812
813 if (version != SMB_RPC_INTERFACE_VERSION) {
814 DEBUG(0,("Can't register rpc commands!\n"
815 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
816 ", while this version of samba uses version %d!\n",
817 version,SMB_RPC_INTERFACE_VERSION));
818 return NT_STATUS_OBJECT_TYPE_MISMATCH;
819 }
820
821 /* TODO:
822 *
823 * we still need to make sure that don't register the same commands twice!!!
824 *
825 * --metze
826 */
827
828 /* We use a temporary variable because this call can fail and
829 rpc_lookup will still be valid afterwards. It could then succeed if
830 called again later */
831 rpc_entry = realloc(rpc_lookup,
832 ++rpc_lookup_size*sizeof(struct rpc_table));
833 if (NULL == rpc_entry) {
834 rpc_lookup_size--;
835 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
836 return NT_STATUS_NO_MEMORY;
837 } else {
838 rpc_lookup = rpc_entry;
839 }
840
841 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
842 ZERO_STRUCTP(rpc_entry);
843 rpc_entry->pipe.clnt = strdup(clnt);
844 rpc_entry->pipe.srv = strdup(srv);
845 rpc_entry->cmds = realloc(rpc_entry->cmds,
846 (rpc_entry->n_cmds + size) *
847 sizeof(struct api_struct));
848 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
849 size * sizeof(struct api_struct));
850 rpc_entry->n_cmds += size;
851
852 return NT_STATUS_OK;
853 }
854
855 /*******************************************************************
856 Respond to a pipe bind request.
857 *******************************************************************/
858
859 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
860 {
861 RPC_HDR_BA hdr_ba;
862 RPC_HDR_RB hdr_rb;
863 RPC_HDR_AUTH auth_info;
864 uint16 assoc_gid;
865 fstring ack_pipe_name;
866 prs_struct out_hdr_ba;
867 prs_struct out_auth;
868 prs_struct outgoing_rpc;
869 int i = 0;
870 int auth_len = 0;
871 enum RPC_PKT_TYPE reply_pkt_type;
872
873 p->ntlmssp_auth_requested = False;
874 p->netsec_auth_validated = False;
875
876 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
877
878 /*
879 * Try and find the correct pipe name to ensure
880 * that this is a pipe name we support.
881 */
882
883
884 for (i = 0; i < rpc_lookup_size; i++) {
885 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
886 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
887 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
888 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
889 break;
890 }
891 }
892
893 if (i == rpc_lookup_size) {
894 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
895 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
896 p->name ));
897 if(!setup_bind_nak(p))
898 return False;
899 return True;
900 }
901
902 for (i = 0; i < rpc_lookup_size; i++) {
903 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
904 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
905 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
906 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
907 break;
908 }
909 }
910
911 if (i == rpc_lookup_size) {
912 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
913 return False;
914 }
915 }
916
917 /* decode the bind request */
918 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
919 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
920 return False;
921 }
922
923 /*
924 * Check if this is an authenticated request.
925 */
926
927 if (p->hdr.auth_len != 0) {
928 RPC_AUTH_VERIFIER auth_verifier;
929 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
930
931 /*
932 * Decode the authentication verifier.
933 */
934
935 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
936 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
937 return False;
938 }
939
940 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
941
942 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
943 DEBUG(0,("api_pipe_bind_req: unable to "
944 "unmarshall RPC_HDR_AUTH struct.\n"));
945 return False;
946 }
947
948 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
949 DEBUG(0,("api_pipe_bind_req: "
950 "auth_verifier.signature != NTLMSSP\n"));
951 return False;
952 }
953
954 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
955 DEBUG(0,("api_pipe_bind_req: "
956 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
957 auth_verifier.msg_type));
958 return False;
959 }
960
961 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
962 DEBUG(0,("api_pipe_bind_req: "
963 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
964 return False;
965 }
966
967 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
968 p->ntlmssp_auth_requested = True;
969
970 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
971
972 RPC_AUTH_NETSEC_NEG neg;
973 struct netsec_auth_struct *a = &(p->netsec_auth);
974
975 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
976 DEBUG(0,("api_pipe_bind_req: "
977 "Could not unmarshal SCHANNEL auth neg\n"));
978 return False;
979 }
980
981 p->netsec_auth_validated = True;
982
983 memset(a->sess_key, 0, sizeof(a->sess_key));
984 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
985
986 a->seq_num = 0;
987
988 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
989 neg.domain, neg.myname));
990
991 } else {
992 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
993 auth_info.auth_type ));
994 return False;
995 }
996 }
997
998 switch(p->hdr.pkt_type) {
999 case RPC_BIND:
1000 /* name has to be \PIPE\xxxxx */
1001 fstrcpy(ack_pipe_name, "\\PIPE\\");
1002 fstrcat(ack_pipe_name, p->pipe_srv_name);
1003 reply_pkt_type = RPC_BINDACK;
1004 break;
1005 case RPC_ALTCONT:
1006 /* secondary address CAN be NULL
1007 * as the specs say it's ignored.
1008 * It MUST NULL to have the spoolss working.
1009 */
1010 fstrcpy(ack_pipe_name,"");
1011 reply_pkt_type = RPC_ALTCONTRESP;
1012 break;
1013 default:
1014 return False;
1015 }
1016
1017 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1018
1019 /*
1020 * Marshall directly into the outgoing PDU space. We
1021 * must do this as we need to set to the bind response
1022 * header and are never sending more than one PDU here.
1023 */
1024
1025 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1026 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1027
1028 /*
1029 * Setup the memory to marshall the ba header, and the
1030 * auth footers.
1031 */
1032
1033 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1034 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1035 prs_mem_free(&outgoing_rpc);
1036 return False;
1037 }
1038
1039 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1040 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1041 prs_mem_free(&outgoing_rpc);
1042 prs_mem_free(&out_hdr_ba);
1043 return False;
1044 }
1045
1046 if (p->ntlmssp_auth_requested)
1047 assoc_gid = 0x7a77;
1048 else
1049 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1050
1051 /*
1052 * Create the bind response struct.
1053 */
1054
1055 /* If the requested abstract synt uuid doesn't match our client pipe,
1056 reject the bind_ack & set the transfer interface synt to all 0's,
1057 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1058 unknown to NT4)
1059 Needed when adding entries to a DACL from NT5 - SK */
1060
1061 if(check_bind_req(p, &hdr_rb.abstract, &hdr_rb.transfer, hdr_rb.context_id ))
1062 {
1063 init_rpc_hdr_ba(&hdr_ba,
1064 MAX_PDU_FRAG_LEN,
1065 MAX_PDU_FRAG_LEN,
1066 assoc_gid,
1067 ack_pipe_name,
1068 0x1, 0x0, 0x0,
1069 &hdr_rb.transfer);
1070 } else {
1071 RPC_IFACE null_interface;
1072 ZERO_STRUCT(null_interface);
1073 /* Rejection reason: abstract syntax not supported */
1074 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1075 MAX_PDU_FRAG_LEN, assoc_gid,
1076 ack_pipe_name, 0x1, 0x2, 0x1,
1077 &null_interface);
1078 }
1079
1080 /*
1081 * and marshall it.
1082 */
1083
1084 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1085 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1086 goto err_exit;
1087 }
1088
1089 /*
1090 * Now the authentication.
1091 */
1092
1093 if (p->ntlmssp_auth_requested) {
1094 RPC_AUTH_VERIFIER auth_verifier;
1095 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1096
1097 generate_random_buffer(p->challenge, 8, False);
1098
1099 /*** Authentication info ***/
1100
1101 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1102 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1103 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1104 goto err_exit;
1105 }
1106
1107 /*** NTLMSSP verifier ***/
1108
1109 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1110 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1111 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1112 goto err_exit;
1113 }
1114
1115 /* NTLMSSP challenge ***/
1116
1117 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1118 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1119 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1120 goto err_exit;
1121 }
1122
1123 /* Auth len in the rpc header doesn't include auth_header. */
1124 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1125 }
1126
1127 if (p->netsec_auth_validated) {
1128 RPC_AUTH_VERIFIER auth_verifier;
1129 uint32 flags;
1130
1131 /* The client opens a second RPC NETLOGON pipe without
1132 doing a auth2. The credentials for the schannel are
1133 re-used from the auth2 the client did before. */
1134 p->dc = last_dcinfo;
1135
1136 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, auth_info.auth_level, RPC_HDR_AUTH_LEN, 1);
1137 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1138 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1139 goto err_exit;
1140 }
1141
1142 /*** NETSEC verifier ***/
1143
1144 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1145 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1146 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1147 goto err_exit;
1148 }
1149
1150 prs_align(&out_auth);
1151
1152 flags = 5;
1153 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1154 goto err_exit;
1155
1156 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1157 }
1158
1159 /*
1160 * Create the header, now we know the length.
1161 */
1162
1163 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1164 p->hdr.call_id,
1165 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1166 auth_len);
1167
1168 /*
1169 * Marshall the header into the outgoing PDU.
1170 */
1171
1172 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1173 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1174 goto err_exit;
1175 }
1176
1177 /*
1178 * Now add the RPC_HDR_BA and any auth needed.
1179 */
1180
1181 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1182 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1183 goto err_exit;
1184 }
1185
1186 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1187 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1188 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1189 goto err_exit;
1190 }
1191
1192 if(!p->ntlmssp_auth_requested)
1193 p->pipe_bound = True;
1194
1195 /*
1196 * Setup the lengths for the initial reply.
1197 */
1198
1199 p->out_data.data_sent_length = 0;
1200 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1201 p->out_data.current_pdu_sent = 0;
1202
1203 prs_mem_free(&out_hdr_ba);
1204 prs_mem_free(&out_auth);
1205
1206 return True;
1207
1208 err_exit:
1209
1210 prs_mem_free(&outgoing_rpc);
1211 prs_mem_free(&out_hdr_ba);
1212 prs_mem_free(&out_auth);
1213 return False;
1214 }
1215
1216 /****************************************************************************
1217 Deal with sign & seal processing on an RPC request.
1218 ****************************************************************************/
1219
1220 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1221 {
1222 /*
1223 * We always negotiate the following two bits....
1224 */
1225 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1226 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1227 int data_len;
1228 int auth_len;
1229 uint32 old_offset;
1230 uint32 crc32 = 0;
1231
1232 auth_len = p->hdr.auth_len;
1233
1234 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1235 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1236 return False;
1237 }
1238
1239 /*
1240 * The following is that length of the data we must verify or unseal.
1241 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1242 * preceeding the auth_data.
1243 */
1244
1245 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1246 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1247
1248 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1249 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1250
1251 if (auth_seal) {
1252 /*
1253 * The data in rpc_in doesn't contain the RPC_HEADER as this
1254 * has already been consumed.
1255 */
1256 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1257 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
1258 sizeof(p->ntlmssp_hash));
1259
1260 dump_data_pw("Incoming RPC PDU (NTLMSSP sealed)\n",
1261 (const unsigned char *)data, data_len);
1262 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1263 dump_data_pw("Incoming RPC PDU (NTLMSSP unsealed)\n",
1264 (const unsigned char *)data, data_len);
1265 crc32 = crc32_calc_buffer(data, data_len);
1266 }
1267
1268 old_offset = prs_offset(rpc_in);
1269
1270 if (auth_seal || auth_verify) {
1271 RPC_HDR_AUTH auth_info;
1272
1273 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1274 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1275 (unsigned int)old_offset + data_len ));
1276 return False;
1277 }
1278
1279 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1280 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1281 return False;
1282 }
1283 }
1284
1285 if (auth_verify) {
1286 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1287 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1288
1289 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1290
1291 /*
1292 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1293 * incoming buffer.
1294 */
1295 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1296 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1297 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1298 return False;
1299 }
1300
1301 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1302 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1303 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1304 return False;
1305 }
1306
1307 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1308 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1309 return False;
1310 }
1311 }
1312
1313 /*
1314 * Return the current pointer to the data offset.
1315 */
1316
1317 if(!prs_set_offset(rpc_in, old_offset)) {
1318 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1319 (unsigned int)old_offset ));
1320 return False;
1321 }
1322
1323 return True;
1324 }
1325
1326 /****************************************************************************
1327 Deal with schannel processing on an RPC request.
1328 ****************************************************************************/
1329 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1330 {
1331 /*
1332 * We always negotiate the following two bits....
1333 */
1334 int data_len;
1335 int auth_len;
1336 uint32 old_offset;
1337 RPC_HDR_AUTH auth_info;
1338 RPC_AUTH_NETSEC_CHK netsec_chk;
1339
1340
1341 auth_len = p->hdr.auth_len;
1342
1343 if (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) {
1344 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1345 return False;
1346 }
1347
1348 /*
1349 * The following is that length of the data we must verify or unseal.
1350 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1351 * preceeding the auth_data.
1352 */
1353
1354 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1355 RPC_HDR_AUTH_LEN - auth_len;
1356
1357 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1358
1359 old_offset = prs_offset(rpc_in);
1360
1361 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1362 DEBUG(0,("cannot move offset to %u.\n",
1363 (unsigned int)old_offset + data_len ));
1364 return False;
1365 }
1366
1367 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1368 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1369 return False;
1370 }
1371
1372 if (auth_info.auth_type != NETSEC_AUTH_TYPE) {
1373 DEBUG(0,("Invalid auth info %d on schannel\n",
1374 auth_info.auth_type));
1375 return False;
1376 }
1377
1378 if (auth_info.auth_level == RPC_PIPE_AUTH_SEAL_LEVEL) {
1379 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL;
1380 } else if (auth_info.auth_level == RPC_PIPE_AUTH_SIGN_LEVEL) {
1381 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN;
1382 } else {
1383 DEBUG(0,("Invalid auth level %d on schannel\n",
1384 auth_info.auth_level));
1385 return False;
1386 }
1387
1388 if(!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
1389 &netsec_chk, rpc_in, 0))
1390 {
1391 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1392 return False;
1393 }
1394
1395 if (!netsec_decode(&p->netsec_auth,
1396 p->netsec_auth.auth_flags,
1397 SENDER_IS_INITIATOR,
1398 &netsec_chk,
1399 prs_data_p(rpc_in)+old_offset, data_len)) {
1400 DEBUG(3,("failed to decode PDU\n"));
1401 return False;
1402 }
1403
1404 /*
1405 * Return the current pointer to the data offset.
1406 */
1407
1408 if(!prs_set_offset(rpc_in, old_offset)) {
1409 DEBUG(0,("failed to set offset back to %u\n",
1410 (unsigned int)old_offset ));
1411 return False;
1412 }
1413
1414 /* The sequence number gets incremented on both send and receive. */
1415 p->netsec_auth.seq_num++;
1416
1417 return True;
1418 }
1419
1420 /****************************************************************************
1421 Return a user struct for a pipe user.
1422 ****************************************************************************/
1423
1424 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1425 {
1426 if (p->ntlmssp_auth_validated) {
1427 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1428 } else {
1429 extern struct current_user current_user;
1430 memcpy(user, &current_user, sizeof(struct current_user));
1431 }
1432
1433 return user;
1434 }
1435
1436 /****************************************************************************
1437 Find the set of RPC functions associated with this context_id
1438 ****************************************************************************/
1439
1440 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1441 {
1442 PIPE_RPC_FNS *fns = NULL;
1443 PIPE_RPC_FNS *tmp = NULL;
1444
1445 if ( !list ) {
1446 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1447 return NULL;
1448 }
1449
1450 for (tmp=list; tmp; tmp=tmp->next ) {
1451 if ( tmp->context_id == context_id )
1452 break;
1453 }
1454
1455 fns = tmp;
1456
1457 return fns;
1458 }
1459
1460 /****************************************************************************
1461 memory cleanup
1462 ****************************************************************************/
1463
1464 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
1465 {
1466 PIPE_RPC_FNS *tmp = list;
1467 PIPE_RPC_FNS *tmp2;
1468
1469 while (tmp) {
1470 tmp2 = tmp->next;
1471 SAFE_FREE(tmp);
1472 tmp = tmp2;
1473 }
1474
1475 return;
1476 }
1477
1478 /****************************************************************************
1479 Find the correct RPC function to call for this request.
1480 If the pipe is authenticated then become the correct UNIX user
1481 before doing the call.
1482 ****************************************************************************/
1483
1484 BOOL api_pipe_request(pipes_struct *p)
1485 {
1486 BOOL ret = False;
1487 PIPE_RPC_FNS *pipe_fns;
1488
1489 if (p->ntlmssp_auth_validated) {
1490
1491 if(!become_authenticated_pipe_user(p)) {
1492 prs_mem_free(&p->out_data.rdata);
1493 return False;
1494 }
1495 }
1496
1497 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1498
1499 /* get the set of RPC functions for this context */
1500
1501 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
1502
1503 if ( pipe_fns ) {
1504 set_current_rpc_talloc(p->mem_ctx);
1505 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
1506 set_current_rpc_talloc(NULL);
1507 }
1508 else {
1509 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
1510 p->hdr_req.context_id, p->name));
1511 }
1512
1513 if(p->ntlmssp_auth_validated)
1514 unbecome_authenticated_pipe_user();
1515
1516 return ret;
1517 }
1518
1519 /*******************************************************************
1520 Calls the underlying RPC function for a named pipe.
1521 ********************************************************************/
1522
1523 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1524 const struct api_struct *api_rpc_cmds, int n_cmds)
1525 {
1526 int fn_num;
1527 fstring name;
1528 uint32 offset1, offset2;
1529
1530 /* interpret the command */
1531 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1532
1533 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1534 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1535
1536 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1537 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1538 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1539 break;
1540 }
1541 }
1542
1543 if (fn_num == n_cmds) {
1544 /*
1545 * For an unknown RPC just return a fault PDU but
1546 * return True to allow RPC's on the pipe to continue
1547 * and not put the pipe into fault state. JRA.
1548 */
1549 DEBUG(4, ("unknown\n"));
1550 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1551 return True;
1552 }
1553
1554 offset1 = prs_offset(&p->out_data.rdata);
1555
1556 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1557 fn_num, api_rpc_cmds[fn_num].fn));
1558 /* do the actual command */
1559 if(!api_rpc_cmds[fn_num].fn(p)) {
1560 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1561 prs_mem_free(&p->out_data.rdata);
1562 return False;
1563 }
1564
1565 if (p->bad_handle_fault_state) {
1566 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1567 p->bad_handle_fault_state = False;
1568 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1569 return True;
1570 }
1571
1572 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1573 offset2 = prs_offset(&p->out_data.rdata);
1574 prs_set_offset(&p->out_data.rdata, offset1);
1575 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1576 prs_set_offset(&p->out_data.rdata, offset2);
1577
1578 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1579
1580 /* Check for buffer underflow in rpc parsing */
1581
1582 if ((DEBUGLEVEL >= 10) &&
1583 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1584 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1585 char *data;
1586
1587 data = malloc(data_len);
1588
1589 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1590 if (data) {
1591 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1592 SAFE_FREE(data);
1593 }
1594
1595 }
1596
1597 return True;
1598 }
1599
1600 /*******************************************************************
1601 *******************************************************************/
1602
1603 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
1604 {
1605 struct api_struct *cmds = NULL;
1606 int n_cmds = 0;
1607
1608 switch ( idx ) {
1609 case PI_LSARPC:
1610 lsa_get_pipe_fns( &cmds, &n_cmds );
1611 break;
1612 case PI_LSARPC_DS:
1613 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
1614 break;
1615 case PI_SAMR:
1616 samr_get_pipe_fns( &cmds, &n_cmds );
1617 break;
1618 case PI_NETLOGON:
1619 netlog_get_pipe_fns( &cmds, &n_cmds );
1620 break;
1621 case PI_SRVSVC:
1622 srvsvc_get_pipe_fns( &cmds, &n_cmds );
1623 break;
1624 case PI_WKSSVC:
1625 wkssvc_get_pipe_fns( &cmds, &n_cmds );
1626 break;
1627 case PI_WINREG:
1628 reg_get_pipe_fns( &cmds, &n_cmds );
1629 break;
1630 case PI_SPOOLSS:
1631 spoolss_get_pipe_fns( &cmds, &n_cmds );
1632 break;
1633 case PI_NETDFS:
1634 netdfs_get_pipe_fns( &cmds, &n_cmds );
1635 break;
1636 #ifdef DEVELOPER
1637 case PI_ECHO:
1638 echo_get_pipe_fns( &cmds, &n_cmds );
1639 break;
1640 #endif
1641 default:
1642 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
1643 }
1644
1645 *fns = cmds;
1646 *n_fns = n_cmds;
1647
1648 return;
1649 }
1650
1651
Samba GIT mirror