search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Large commit which restructures the local password storage API.
[Samba.git] / source / rpc_server / srv_pipe.c
blobd15f0452523f26628162d2e1cc8ea02cfe32ac9c
1 #define OLD_NTDOMAIN 1
2 /*
3 * Unix SMB/Netbios implementation.
4 * Version 1.9.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
9 * Copyright (C) Jeremy Allison 1999.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 /* this module apparently provides an implementation of DCE/RPC over a
27 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
28 * documentation are available (in on-line form) from the X-Open group.
29 *
30 * this module should provide a level of abstraction between SMB
31 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
32 * data copies, and network traffic.
33 *
34 * in this version, which takes a "let's learn what's going on and
35 * get something running" approach, there is additional network
36 * traffic generated, but the code should be easier to understand...
37 *
38 * ... if you read the docs. or stare at packets for weeks on end.
39 *
40 */
41
42 #include "includes.h"
43
44 extern int DEBUGLEVEL;
45
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 {
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
51 int ind;
52
53 for( ind = 0; ind < len; ind++) {
54 unsigned char tc;
55 unsigned char t;
56
57 index_i++;
58 index_j += hash[index_i];
59
60 tc = hash[index_i];
61 hash[index_i] = hash[index_j];
62 hash[index_j] = tc;
63
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
66 }
67
68 hash[256] = index_i;
69 hash[257] = index_j;
70 }
71
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
77
78 BOOL create_next_pdu(pipes_struct *p)
79 {
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
83 uint32 data_len;
84 uint32 data_space_available;
85 uint32 data_len_left;
86 prs_struct outgoing_pdu;
87 char *data;
88 char *data_from;
89 uint32 data_pos;
90
91 /*
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
94 */
95
96 if(p->fault_state) {
97 setup_fault_pdu(p);
98 return True;
99 }
100
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
105
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
109 else
110 p->hdr.flags = 0;
111
112 /*
113 * Work out how much we can fit in a single PDU.
114 */
115
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119
120 /*
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
123 */
124
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126
127 /*
128 * Ensure there really is data left to send.
129 */
130
131 if(!data_len_left) {
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 return False;
134 }
135
136 data_len = MIN(data_len_left, data_space_available);
137
138 /*
139 * Set up the alloc hint. This should be the data left to
140 * send.
141 */
142
143 hdr_resp.alloc_hint = data_len_left;
144
145 /*
146 * Set up the header lengths.
147 */
148
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 } else {
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
155 p->hdr.auth_len = 0;
156 }
157
158 /*
159 * Work out if this PDU will be the last.
160 */
161
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
164
165 /*
166 * Init the parse struct to point at the outgoing
167 * data.
168 */
169
170 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 prs_mem_free(&outgoing_pdu);
177 return False;
178 }
179
180 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
181 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
182 prs_mem_free(&outgoing_pdu);
183 return False;
184 }
185
186 /* Store the current offset. */
187 data_pos = prs_offset(&outgoing_pdu);
188
189 /* Copy the data into the PDU. */
190 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
191
192 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
193 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
194 prs_mem_free(&outgoing_pdu);
195 return False;
196 }
197
198 /*
199 * Set data to point to where we copied the data into.
200 */
201
202 data = prs_data_p(&outgoing_pdu) + data_pos;
203
204 if (p->hdr.auth_len > 0) {
205 uint32 crc32 = 0;
206
207 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
208 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
209
210 if (auth_seal) {
211 crc32 = crc32_calc_buffer(data, data_len);
212 NTLMSSPcalc_p(p, (uchar*)data, data_len);
213 }
214
215 if (auth_seal || auth_verify) {
216 RPC_HDR_AUTH auth_info;
217
218 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
219 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
220 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
221 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
222 prs_mem_free(&outgoing_pdu);
223 return False;
224 }
225 }
226
227 if (auth_verify) {
228 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
229 char *auth_data = prs_data_p(&outgoing_pdu);
230
231 p->ntlmssp_seq_num++;
232 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
233 crc32, p->ntlmssp_seq_num++);
234 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
235 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
236 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
241 }
242 }
243
244 /*
245 * Setup the counts for this PDU.
246 */
247
248 p->out_data.data_sent_length += data_len;
249 p->out_data.current_pdu_len = p->hdr.frag_len;
250 p->out_data.current_pdu_sent = 0;
251
252 prs_mem_free(&outgoing_pdu);
253 return True;
254 }
255
256 /*******************************************************************
257 Process an NTLMSSP authentication response.
258 If this function succeeds, the user has been authenticated
259 and their domain, name and calling workstation stored in
260 the pipe struct.
261 The initial challenge is stored in p->challenge.
262 *******************************************************************/
263
264 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
265 {
266 uchar lm_owf[24];
267 uchar nt_owf[24];
268 fstring user_name;
269 fstring pipe_user_name;
270 fstring domain;
271 fstring wks;
272 BOOL guest_user = False;
273 SAM_ACCOUNT *sam_pass = NULL;
274 BYTE null_smb_passwd[16];
275 BYTE *smb_passwd_ptr = NULL;
276
277 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
278
279 memset(p->user_name, '\0', sizeof(p->user_name));
280 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
281 memset(p->domain, '\0', sizeof(p->domain));
282 memset(p->wks, '\0', sizeof(p->wks));
283
284 /* Set up for non-authenticated user. */
285 delete_nt_token(&p->pipe_user.nt_user_token);
286 p->pipe_user.ngroups = 0;
287 safe_free( p->pipe_user.groups);
288
289 /*
290 * Setup an empty password for a guest user.
291 */
292
293 memset(null_smb_passwd,0,16);
294
295 /*
296 * We always negotiate UNICODE.
297 */
298
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
301 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
302 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
303 } else {
304 fstrcpy(user_name, ntlmssp_resp->user);
305 fstrcpy(domain, ntlmssp_resp->domain);
306 fstrcpy(wks, ntlmssp_resp->wks);
307 }
308
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310
311 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
312 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
313
314 #ifdef DEBUG_PASSWORD
315 DEBUG(100,("lm, nt owfs, chal\n"));
316 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
317 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
318 dump_data(100, (char *)p->challenge, 8);
319 #endif
320
321 /*
322 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
323 */
324
325 if((strlen(user_name) == 0) &&
326 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
327 {
328 guest_user = True;
329
330 fstrcpy(pipe_user_name, lp_guestaccount(-1));
331 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
332
333 smb_passwd_ptr = null_smb_passwd;
334
335 } else {
336
337 /*
338 * Pass the user through the NT -> unix user mapping
339 * function.
340 */
341
342 fstrcpy(pipe_user_name, user_name);
343 (void)map_username(pipe_user_name);
344
345 /*
346 * Do the length checking only if user is not NULL.
347 */
348
349 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
350 return False;
351 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
352 return False;
353 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
354 return False;
355 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
356 return False;
357 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
358 return False;
359
360 }
361 /* unnecessary as the passdb validates the user before returning --jerry */
362 #if 0
363 /*
364 * Find the user in the unix password db.
365 */
366
367 if(!(pass = Get_Pwnam(pipe_user_name,True))) {
368 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",pipe_user_name));
369 return(False);
370 }
371
372 #endif /* 0 */
373
374 if(!guest_user) {
375
376 become_root();
377
378 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
379 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
380 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
381 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
382 unbecome_root();
383 return False;
384 }
385
386 if(!(sam_pass = pdb_getsampwnam(pipe_user_name))) {
387 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in passdb.\n",
388 pipe_user_name));
389 unbecome_root();
390 return False;
391 }
392
393 unbecome_root();
394
395 if (sam_pass == NULL) {
396 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in passdb.\n",
397 pipe_user_name));
398 return(False);
399 }
400
401 /* Quit if the account was disabled. */
402 if((pdb_get_acct_ctrl(sam_pass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sam_pass)) {
403 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
404 return(False);
405 }
406
407 if(!pdb_get_nt_passwd(sam_pass)) {
408 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
409 return(False);
410 }
411
412 smb_passwd_ptr = pdb_get_lanman_passwd(sam_pass);
413 }
414
415 /*
416 * Set up the sign/seal data.
417 */
418
419 {
420 uchar p24[24];
421 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
422 {
423 unsigned char j = 0;
424 int ind;
425
426 unsigned char k2[8];
427
428 memcpy(k2, p24, 5);
429 k2[5] = 0xe5;
430 k2[6] = 0x38;
431 k2[7] = 0xb0;
432
433 for (ind = 0; ind < 256; ind++)
434 p->ntlmssp_hash[ind] = (unsigned char)ind;
435
436 for( ind = 0; ind < 256; ind++) {
437 unsigned char tc;
438
439 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
440
441 tc = p->ntlmssp_hash[ind];
442 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
443 p->ntlmssp_hash[j] = tc;
444 }
445
446 p->ntlmssp_hash[256] = 0;
447 p->ntlmssp_hash[257] = 0;
448 }
449 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
450 p->ntlmssp_seq_num = 0;
451
452 }
453
454 fstrcpy(p->user_name, user_name);
455 fstrcpy(p->pipe_user_name, pipe_user_name);
456 fstrcpy(p->domain, domain);
457 fstrcpy(p->wks, wks);
458
459 /*
460 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
461 */
462 p->pipe_user.uid = pdb_get_uid(sam_pass);
463 p->pipe_user.gid = pdb_get_gid(sam_pass);
464
465 /* Set up pipe user group membership. */
466 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
467 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
468
469 /* Create an NT_USER_TOKEN struct for this user. */
470 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
471 p->pipe_user.ngroups, p->pipe_user.groups);
472
473 p->ntlmssp_auth_validated = True;
474 return True;
475 }
476
477 /*******************************************************************
478 The switch table for the pipe names and the functions to handle them.
479 *******************************************************************/
480
481 struct api_cmd
482 {
483 char * pipe_clnt_name;
484 char * pipe_srv_name;
485 BOOL (*fn) (pipes_struct *);
486 };
487
488 static struct api_cmd api_fd_commands[] =
489 {
490 { "lsarpc", "lsass", api_ntlsa_rpc },
491 { "samr", "lsass", api_samr_rpc },
492 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
493 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
494 { "NETLOGON", "lsass", api_netlog_rpc },
495 { "winreg", "winreg", api_reg_rpc },
496 { "spoolss", "spoolss", api_spoolss_rpc },
497 #ifdef WITH_MSDFS
498 { "netdfs", "netdfs" , api_netdfs_rpc },
499 #endif
500 { NULL, NULL, NULL }
501 };
502
503 /*******************************************************************
504 This is the client reply to our challenge for an authenticated
505 bind request. The challenge we sent is in p->challenge.
506 *******************************************************************/
507
508 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
509 {
510 RPC_HDR_AUTHA autha_info;
511 RPC_AUTH_VERIFIER auth_verifier;
512 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
513
514 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
515
516 if (p->hdr.auth_len == 0) {
517 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
518 return False;
519 }
520
521 /*
522 * Decode the authentication verifier response.
523 */
524
525 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
526 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
527 return False;
528 }
529
530 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
531 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
532 (int)autha_info.auth_type, (int)autha_info.auth_level ));
533 return False;
534 }
535
536 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
537 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
538 return False;
539 }
540
541 /*
542 * Ensure this is a NTLMSSP_AUTH packet type.
543 */
544
545 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
546 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
547 return False;
548 }
549
550 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
551 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
552 return False;
553 }
554
555 /*
556 * The following call actually checks the challenge/response data.
557 * for correctness against the given DOMAIN\user name.
558 */
559
560 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
561 return False;
562
563 p->pipe_bound = True
564 ;
565 return True;
566 }
567
568 /*******************************************************************
569 Marshall a bind_nak pdu.
570 *******************************************************************/
571
572 static BOOL setup_bind_nak(pipes_struct *p)
573 {
574 prs_struct outgoing_rpc;
575 RPC_HDR nak_hdr;
576 uint16 zero = 0;
577
578 /* Free any memory in the current return data buffer. */
579 prs_mem_free(&p->out_data.rdata);
580
581 /*
582 * Marshall directly into the outgoing PDU space. We
583 * must do this as we need to set to the bind response
584 * header and are never sending more than one PDU here.
585 */
586
587 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
588 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
589
590
591 /*
592 * Initialize a bind_nak header.
593 */
594
595 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
596 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
597
598 /*
599 * Marshall the header into the outgoing PDU.
600 */
601
602 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
603 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
604 prs_mem_free(&outgoing_rpc);
605 return False;
606 }
607
608 /*
609 * Now add the reject reason.
610 */
611
612 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
613 prs_mem_free(&outgoing_rpc);
614 return False;
615 }
616
617 p->out_data.data_sent_length = 0;
618 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
619 p->out_data.current_pdu_sent = 0;
620
621 p->pipe_bound = False;
622
623 return True;
624 }
625
626 /*******************************************************************
627 Marshall a fault pdu.
628 *******************************************************************/
629
630 BOOL setup_fault_pdu(pipes_struct *p)
631 {
632 prs_struct outgoing_pdu;
633 RPC_HDR fault_hdr;
634 RPC_HDR_RESP hdr_resp;
635 RPC_HDR_FAULT fault_resp;
636
637 /* Free any memory in the current return data buffer. */
638 prs_mem_free(&p->out_data.rdata);
639
640 /*
641 * Marshall directly into the outgoing PDU space. We
642 * must do this as we need to set to the bind response
643 * header and are never sending more than one PDU here.
644 */
645
646 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
647 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
648
649 /*
650 * Initialize a fault header.
651 */
652
653 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
654 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
655
656 /*
657 * Initialize the HDR_RESP and FAULT parts of the PDU.
658 */
659
660 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
661
662 fault_resp.status = 0x1c010002;
663 fault_resp.reserved = 0;
664
665 /*
666 * Marshall the header into the outgoing PDU.
667 */
668
669 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
670 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
671 prs_mem_free(&outgoing_pdu);
672 return False;
673 }
674
675 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
676 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
677 prs_mem_free(&outgoing_pdu);
678 return False;
679 }
680
681 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
682 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
683 prs_mem_free(&outgoing_pdu);
684 return False;
685 }
686
687 p->out_data.data_sent_length = 0;
688 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
689 p->out_data.current_pdu_sent = 0;
690
691 prs_mem_free(&outgoing_pdu);
692 return True;
693 }
694
695 /*******************************************************************
696 Ensure a bind request has the correct abstract & transfer interface.
697 Used to reject unknown binds from Win2k.
698 *******************************************************************/
699
700 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
701 RPC_IFACE* transfer)
702 {
703 extern struct pipe_id_info pipe_names[];
704 int i=0;
705 fstring pname;
706 fstrcpy(pname,"\\PIPE\\");
707 fstrcat(pname,pipe_name);
708
709 for(i=0;pipe_names[i].client_pipe; i++) {
710 if(strequal(pipe_names[i].client_pipe, pname))
711 break;
712 }
713
714 if(pipe_names[i].client_pipe == NULL)
715 return False;
716
717 /* check the abstract interface */
718 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
719 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
720 sizeof(RPC_UUID)) != 0))
721 return False;
722
723 /* check the transfer interface */
724 if((transfer->version != pipe_names[i].trans_syntax.version) ||
725 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
726 sizeof(RPC_UUID)) != 0))
727 return False;
728
729 return True;
730 }
731
732 /*******************************************************************
733 Respond to a pipe bind request.
734 *******************************************************************/
735
736 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
737 {
738 RPC_HDR_BA hdr_ba;
739 RPC_HDR_RB hdr_rb;
740 RPC_HDR_AUTH auth_info;
741 uint16 assoc_gid;
742 fstring ack_pipe_name;
743 prs_struct out_hdr_ba;
744 prs_struct out_auth;
745 prs_struct outgoing_rpc;
746 int i = 0;
747 int auth_len = 0;
748 enum RPC_PKT_TYPE reply_pkt_type;
749
750 p->ntlmssp_auth_requested = False;
751
752 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
753
754 /*
755 * Try and find the correct pipe name to ensure
756 * that this is a pipe name we support.
757 */
758
759 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
760 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
761 api_fd_commands[i].fn != NULL) {
762 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
763 api_fd_commands[i].pipe_clnt_name,
764 api_fd_commands[i].pipe_srv_name));
765 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
766 break;
767 }
768 }
769
770 if (api_fd_commands[i].fn == NULL) {
771 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
772 p->name ));
773 if(!setup_bind_nak(p))
774 return False;
775 return True;
776 }
777
778 /* decode the bind request */
779 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
780 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
781 return False;
782 }
783
784 /*
785 * Check if this is an authenticated request.
786 */
787
788 if (p->hdr.auth_len != 0) {
789 RPC_AUTH_VERIFIER auth_verifier;
790 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
791
792 /*
793 * Decode the authentication verifier.
794 */
795
796 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
797 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
798 return False;
799 }
800
801 /*
802 * We only support NTLMSSP_AUTH_TYPE requests.
803 */
804
805 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
806 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
807 auth_info.auth_type ));
808 return False;
809 }
810
811 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
812 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
813 return False;
814 }
815
816 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
817 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
818 return False;
819 }
820
821 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
822 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
823 auth_verifier.msg_type));
824 return False;
825 }
826
827 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
828 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
829 return False;
830 }
831
832 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
833 p->ntlmssp_auth_requested = True;
834 }
835
836 switch(p->hdr.pkt_type) {
837 case RPC_BIND:
838 /* name has to be \PIPE\xxxxx */
839 fstrcpy(ack_pipe_name, "\\PIPE\\");
840 fstrcat(ack_pipe_name, p->pipe_srv_name);
841 reply_pkt_type = RPC_BINDACK;
842 break;
843 case RPC_ALTCONT:
844 /* secondary address CAN be NULL
845 * as the specs say it's ignored.
846 * It MUST NULL to have the spoolss working.
847 */
848 fstrcpy(ack_pipe_name,"");
849 reply_pkt_type = RPC_ALTCONTRESP;
850 break;
851 default:
852 return False;
853 }
854
855 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
856
857 /*
858 * Marshall directly into the outgoing PDU space. We
859 * must do this as we need to set to the bind response
860 * header and are never sending more than one PDU here.
861 */
862
863 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
864 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
865
866 /*
867 * Setup the memory to marshall the ba header, and the
868 * auth footers.
869 */
870
871 if(!prs_init(&out_hdr_ba, 1024, 4, p->mem_ctx, MARSHALL)) {
872 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
873 prs_mem_free(&outgoing_rpc);
874 return False;
875 }
876
877 if(!prs_init(&out_auth, 1024, 4, p->mem_ctx, MARSHALL)) {
878 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
879 prs_mem_free(&outgoing_rpc);
880 prs_mem_free(&out_hdr_ba);
881 return False;
882 }
883
884 if (p->ntlmssp_auth_requested)
885 assoc_gid = 0x7a77;
886 else
887 assoc_gid = hdr_rb.bba.assoc_gid;
888
889 /*
890 * Create the bind response struct.
891 */
892
893 /* If the requested abstract synt uuid doesn't match our client pipe,
894 reject the bind_ack & set the transfer interface synt to all 0's,
895 ver 0 (observed when NT5 attempts to bind to abstract interfaces
896 unknown to NT4)
897 Needed when adding entries to a DACL from NT5 - SK */
898
899 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
900 init_rpc_hdr_ba(&hdr_ba,
901 MAX_PDU_FRAG_LEN,
902 MAX_PDU_FRAG_LEN,
903 assoc_gid,
904 ack_pipe_name,
905 0x1, 0x0, 0x0,
906 &hdr_rb.transfer);
907 } else {
908 RPC_IFACE null_interface;
909 ZERO_STRUCT(null_interface);
910 /* Rejection reason: abstract syntax not supported */
911 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
912 MAX_PDU_FRAG_LEN, assoc_gid,
913 ack_pipe_name, 0x1, 0x2, 0x1,
914 &null_interface);
915 }
916
917 /*
918 * and marshall it.
919 */
920
921 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
922 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
923 goto err_exit;
924 }
925
926 /*
927 * Now the authentication.
928 */
929
930 if (p->ntlmssp_auth_requested) {
931 RPC_AUTH_VERIFIER auth_verifier;
932 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
933
934 generate_random_buffer(p->challenge, 8, False);
935
936 /*** Authentication info ***/
937
938 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
939 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
940 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
941 goto err_exit;
942 }
943
944 /*** NTLMSSP verifier ***/
945
946 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
947 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
948 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
949 goto err_exit;
950 }
951
952 /* NTLMSSP challenge ***/
953
954 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
955 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
956 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
957 goto err_exit;
958 }
959
960 /* Auth len in the rpc header doesn't include auth_header. */
961 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
962 }
963
964 /*
965 * Create the header, now we know the length.
966 */
967
968 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
969 p->hdr.call_id,
970 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
971 auth_len);
972
973 /*
974 * Marshall the header into the outgoing PDU.
975 */
976
977 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
978 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
979 goto err_exit;
980 }
981
982 /*
983 * Now add the RPC_HDR_BA and any auth needed.
984 */
985
986 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
987 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
988 goto err_exit;
989 }
990
991 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
992 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
993 goto err_exit;
994 }
995
996 if(!p->ntlmssp_auth_requested)
997 p->pipe_bound = True;
998
999 /*
1000 * Setup the lengths for the initial reply.
1001 */
1002
1003 p->out_data.data_sent_length = 0;
1004 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1005 p->out_data.current_pdu_sent = 0;
1006
1007 prs_mem_free(&out_hdr_ba);
1008 prs_mem_free(&out_auth);
1009
1010 return True;
1011
1012 err_exit:
1013
1014 prs_mem_free(&outgoing_rpc);
1015 prs_mem_free(&out_hdr_ba);
1016 prs_mem_free(&out_auth);
1017 return False;
1018 }
1019
1020 /****************************************************************************
1021 Deal with sign & seal processing on an RPC request.
1022 ****************************************************************************/
1023
1024 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1025 {
1026 /*
1027 * We always negotiate the following two bits....
1028 */
1029 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1030 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1031 int data_len;
1032 int auth_len;
1033 uint32 old_offset;
1034 uint32 crc32 = 0;
1035
1036 auth_len = p->hdr.auth_len;
1037
1038 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1039 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1040 return False;
1041 }
1042
1043 /*
1044 * The following is that length of the data we must verify or unseal.
1045 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1046 * preceeding the auth_data.
1047 */
1048
1049 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1050 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1051
1052 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1053 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1054
1055 if (auth_seal) {
1056 /*
1057 * The data in rpc_in doesn't contain the RPC_HEADER as this
1058 * has already been consumed.
1059 */
1060 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1061 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1062 crc32 = crc32_calc_buffer(data, data_len);
1063 }
1064
1065 old_offset = prs_offset(rpc_in);
1066
1067 if (auth_seal || auth_verify) {
1068 RPC_HDR_AUTH auth_info;
1069
1070 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1071 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1072 (unsigned int)old_offset + data_len ));
1073 return False;
1074 }
1075
1076 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1077 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1078 return False;
1079 }
1080 }
1081
1082 if (auth_verify) {
1083 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1084 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1085
1086 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1087
1088 /*
1089 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1090 * incoming buffer.
1091 */
1092 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1093 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1094 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1095 return False;
1096 }
1097
1098 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1099 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1100 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1101 return False;
1102 }
1103
1104 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1105 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1106 return False;
1107 }
1108 }
1109
1110 /*
1111 * Return the current pointer to the data offset.
1112 */
1113
1114 if(!prs_set_offset(rpc_in, old_offset)) {
1115 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1116 (unsigned int)old_offset ));
1117 return False;
1118 }
1119
1120 return True;
1121 }
1122
1123 /****************************************************************************
1124 Find the correct RPC function to call for this request.
1125 If the pipe is authenticated then become the correct UNIX user
1126 before doing the call.
1127 ****************************************************************************/
1128
1129 BOOL api_pipe_request(pipes_struct *p)
1130 {
1131 int i = 0;
1132 BOOL ret = False;
1133 BOOL changed_user_id = False;
1134
1135 if (p->ntlmssp_auth_validated) {
1136
1137 if(!become_authenticated_pipe_user(p)) {
1138 prs_mem_free(&p->out_data.rdata);
1139 return False;
1140 }
1141
1142 changed_user_id = True;
1143 }
1144
1145 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1146 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1147 api_fd_commands[i].fn != NULL) {
1148 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1149 ret = api_fd_commands[i].fn(p);
1150 }
1151 }
1152
1153 if(changed_user_id)
1154 unbecome_authenticated_pipe_user(p);
1155
1156 return ret;
1157 }
1158
1159 /*******************************************************************
1160 Calls the underlying RPC function for a named pipe.
1161 ********************************************************************/
1162
1163 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1164 struct api_struct *api_rpc_cmds)
1165 {
1166 int fn_num;
1167 fstring name;
1168 uint32 offset1, offset2;
1169
1170 /* interpret the command */
1171 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1172
1173 slprintf(name, sizeof(name), "in_%s", rpc_name);
1174 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1175
1176 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1177 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1178 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1179 break;
1180 }
1181 }
1182
1183 if (api_rpc_cmds[fn_num].name == NULL) {
1184 /*
1185 * For an unknown RPC just return a fault PDU but
1186 * return True to allow RPC's on the pipe to continue
1187 * and not put the pipe into fault state. JRA.
1188 */
1189 DEBUG(4, ("unknown\n"));
1190 setup_fault_pdu(p);
1191 return True;
1192 }
1193
1194 offset1 = prs_offset(&p->out_data.rdata);
1195
1196 /* do the actual command */
1197 if(!api_rpc_cmds[fn_num].fn(p)) {
1198 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1199 prs_mem_free(&p->out_data.rdata);
1200 return False;
1201 }
1202
1203 slprintf(name, sizeof(name), "out_%s", rpc_name);
1204 offset2 = prs_offset(&p->out_data.rdata);
1205 prs_set_offset(&p->out_data.rdata, offset1);
1206 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1207 prs_set_offset(&p->out_data.rdata, offset2);
1208
1209 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1210
1211 /* Check for buffer underflow in rpc parsing */
1212
1213 if ((DEBUGLEVEL >= 10) &&
1214 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1215 int data_len = p->in_data.data.buffer_size -
1216 p->in_data.data.data_offset;
1217 char *data;
1218
1219 data = malloc(data_len);
1220
1221 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1222 if (data) {
1223 prs_uint8s(False, "", &p->in_data.data, 0, data,
1224 data_len);
1225 free(data);
1226 }
1227
1228 }
1229
1230 return True;
1231 }
1232
1233 #undef OLD_NTDOMAIN
Samba GIT mirror