search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
merging for 2.2.6pre1
[Samba.git] / source / rpc_server / srv_pipe.c
blob1ad57a9b01687062742ff1805f9a9c5d2774461f
1 /*
2 * Unix SMB/Netbios implementation.
3 * Version 1.9.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
44 {
45 unsigned char *hash = p->ntlmssp_hash;
46 unsigned char index_i = hash[256];
47 unsigned char index_j = hash[257];
48 int ind;
49
50 for( ind = 0; ind < len; ind++) {
51 unsigned char tc;
52 unsigned char t;
53
54 index_i++;
55 index_j += hash[index_i];
56
57 tc = hash[index_i];
58 hash[index_i] = hash[index_j];
59 hash[index_j] = tc;
60
61 t = hash[index_i] + hash[index_j];
62 data[ind] = data[ind] ^ hash[t];
63 }
64
65 hash[256] = index_i;
66 hash[257] = index_j;
67 }
68
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
74
75 BOOL create_next_pdu(pipes_struct *p)
76 {
77 RPC_HDR_RESP hdr_resp;
78 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
80 uint32 data_len;
81 uint32 data_space_available;
82 uint32 data_len_left;
83 prs_struct outgoing_pdu;
84 char *data;
85 char *data_from;
86 uint32 data_pos;
87
88 /*
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
91 */
92
93 if(p->fault_state) {
94 setup_fault_pdu(p, NT_STATUS(0x1c010002));
95 return True;
96 }
97
98 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
99
100 /* Change the incoming request header to a response. */
101 p->hdr.pkt_type = RPC_RESPONSE;
102
103 /* Set up rpc header flags. */
104 if (p->out_data.data_sent_length == 0)
105 p->hdr.flags = RPC_FLG_FIRST;
106 else
107 p->hdr.flags = 0;
108
109 /*
110 * Work out how much we can fit in a single PDU.
111 */
112
113 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114 if(p->ntlmssp_auth_validated)
115 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
116
117 /*
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
120 */
121
122 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
123
124 /*
125 * Ensure there really is data left to send.
126 */
127
128 if(!data_len_left) {
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
130 return False;
131 }
132
133 data_len = MIN(data_len_left, data_space_available);
134
135 /*
136 * Set up the alloc hint. This should be the data left to
137 * send.
138 */
139
140 hdr_resp.alloc_hint = data_len_left;
141
142 /*
143 * Set up the header lengths.
144 */
145
146 if (p->ntlmssp_auth_validated) {
147 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
150 } else {
151 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
152 p->hdr.auth_len = 0;
153 }
154
155 /*
156 * Work out if this PDU will be the last.
157 */
158
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160 p->hdr.flags |= RPC_FLG_LAST;
161
162 /*
163 * Init the parse struct to point at the outgoing
164 * data.
165 */
166
167 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
169
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu);
174 return False;
175 }
176
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu);
180 return False;
181 }
182
183 /* Store the current offset. */
184 data_pos = prs_offset(&outgoing_pdu);
185
186 /* Copy the data into the PDU. */
187 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
188
189 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
192 return False;
193 }
194
195 /*
196 * Set data to point to where we copied the data into.
197 */
198
199 data = prs_data_p(&outgoing_pdu) + data_pos;
200
201 if (p->hdr.auth_len > 0) {
202 uint32 crc32 = 0;
203
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
206
207 if (auth_seal) {
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
210 }
211
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
214
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu);
220 return False;
221 }
222 }
223
224 if (auth_verify) {
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226 char *auth_data = prs_data_p(&outgoing_pdu);
227
228 p->ntlmssp_seq_num++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230 crc32, p->ntlmssp_seq_num++);
231 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
238 }
239 }
240
241 /*
242 * Setup the counts for this PDU.
243 */
244
245 p->out_data.data_sent_length += data_len;
246 p->out_data.current_pdu_len = p->hdr.frag_len;
247 p->out_data.current_pdu_sent = 0;
248
249 prs_mem_free(&outgoing_pdu);
250 return True;
251 }
252
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
257 the pipe struct.
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
260
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
262 {
263 uchar lm_owf[24];
264 uchar nt_owf[24];
265 fstring user_name;
266 fstring pipe_user_name;
267 fstring domain;
268 fstring wks;
269 BOOL guest_user = False;
270 SAM_ACCOUNT *sampass = NULL;
271 uchar null_smb_passwd[16];
272 uchar *smb_passwd_ptr = NULL;
273
274 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
275
276 memset(p->user_name, '\0', sizeof(p->user_name));
277 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
278 memset(p->domain, '\0', sizeof(p->domain));
279 memset(p->wks, '\0', sizeof(p->wks));
280
281 /* Set up for non-authenticated user. */
282 delete_nt_token(&p->pipe_user.nt_user_token);
283 p->pipe_user.ngroups = 0;
284 safe_free( p->pipe_user.groups);
285
286 /*
287 * Setup an empty password for a guest user.
288 */
289
290 memset(null_smb_passwd,0,16);
291
292 /*
293 * We always negotiate UNICODE.
294 */
295
296 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
297 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
298 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
299 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
300 } else {
301 fstrcpy(user_name, ntlmssp_resp->user);
302 fstrcpy(domain, ntlmssp_resp->domain);
303 fstrcpy(wks, ntlmssp_resp->wks);
304 }
305
306 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
307
308 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
309 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
310
311 #ifdef DEBUG_PASSWORD
312 DEBUG(100,("lm, nt owfs, chal\n"));
313 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
314 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
315 dump_data(100, (char *)p->challenge, 8);
316 #endif
317
318 /*
319 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
320 */
321
322 if((strlen(user_name) == 0) &&
323 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
324 {
325 guest_user = True;
326
327 fstrcpy(pipe_user_name, lp_guestaccount(-1));
328 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
329
330 smb_passwd_ptr = null_smb_passwd;
331
332 } else {
333
334 /*
335 * Pass the user through the NT -> unix user mapping
336 * function.
337 */
338
339 fstrcpy(pipe_user_name, user_name);
340 (void)map_username(pipe_user_name);
341
342 /*
343 * Do the length checking only if user is not NULL.
344 */
345
346 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
347 return False;
348 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
349 return False;
350 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
351 return False;
352 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
353 return False;
354 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
355 return False;
356
357 }
358
359 if(!guest_user) {
360
361 become_root();
362
363 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
364 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
365 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
366 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
367 unbecome_root();
368 return False;
369 }
370
371 pdb_init_sam(&sampass);
372
373 if(!pdb_getsampwnam(sampass, pipe_user_name)) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
375 pipe_user_name));
376 pdb_free_sam(sampass);
377 unbecome_root();
378 return False;
379 }
380
381 unbecome_root();
382
383 /* Quit if the account was disabled. */
384 if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) {
385 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
386 pdb_free_sam(sampass);
387 return False;
388 }
389
390 if(!pdb_get_nt_passwd(sampass)) {
391 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
392 pdb_free_sam(sampass);
393 return False;
394 }
395
396 smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
397 }
398
399 /*
400 * Set up the sign/seal data.
401 */
402
403 {
404 uchar p24[24];
405 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
406 {
407 unsigned char j = 0;
408 int ind;
409
410 unsigned char k2[8];
411
412 memcpy(k2, p24, 5);
413 k2[5] = 0xe5;
414 k2[6] = 0x38;
415 k2[7] = 0xb0;
416
417 for (ind = 0; ind < 256; ind++)
418 p->ntlmssp_hash[ind] = (unsigned char)ind;
419
420 for( ind = 0; ind < 256; ind++) {
421 unsigned char tc;
422
423 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
424
425 tc = p->ntlmssp_hash[ind];
426 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
427 p->ntlmssp_hash[j] = tc;
428 }
429
430 p->ntlmssp_hash[256] = 0;
431 p->ntlmssp_hash[257] = 0;
432 }
433 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
434 p->ntlmssp_seq_num = 0;
435
436 }
437
438 fstrcpy(p->user_name, user_name);
439 fstrcpy(p->pipe_user_name, pipe_user_name);
440 fstrcpy(p->domain, domain);
441 fstrcpy(p->wks, wks);
442
443 /*
444 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
445 */
446
447 p->pipe_user.uid = pdb_get_uid(sampass);
448 p->pipe_user.gid = pdb_get_gid(sampass);
449
450 /* Set up pipe user group membership. */
451 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
452 get_current_groups( p->pipe_user.gid, &p->pipe_user.ngroups, &p->pipe_user.groups);
453
454 /* Create an NT_USER_TOKEN struct for this user. */
455 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
456 p->pipe_user.ngroups, p->pipe_user.groups,
457 guest_user, NULL);
458
459 p->ntlmssp_auth_validated = True;
460 pdb_free_sam(sampass);
461 return True;
462 }
463
464 /*******************************************************************
465 The switch table for the pipe names and the functions to handle them.
466 *******************************************************************/
467
468 struct api_cmd
469 {
470 char * pipe_clnt_name;
471 char * pipe_srv_name;
472 BOOL (*fn) (pipes_struct *);
473 };
474
475 static struct api_cmd api_fd_commands[] =
476 {
477 { "lsarpc", "lsass", api_ntlsa_rpc },
478 { "samr", "lsass", api_samr_rpc },
479 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
480 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
481 { "NETLOGON", "lsass", api_netlog_rpc },
482 { "winreg", "winreg", api_reg_rpc },
483 { "spoolss", "spoolss", api_spoolss_rpc },
484 #ifdef WITH_MSDFS
485 { "netdfs", "netdfs" , api_netdfs_rpc },
486 #endif
487 { NULL, NULL, NULL }
488 };
489
490 /*******************************************************************
491 This is the client reply to our challenge for an authenticated
492 bind request. The challenge we sent is in p->challenge.
493 *******************************************************************/
494
495 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
496 {
497 RPC_HDR_AUTHA autha_info;
498 RPC_AUTH_VERIFIER auth_verifier;
499 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
500
501 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
502
503 if (p->hdr.auth_len == 0) {
504 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
505 return False;
506 }
507
508 /*
509 * Decode the authentication verifier response.
510 */
511
512 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
513 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
514 return False;
515 }
516
517 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
518 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
519 (int)autha_info.auth_type, (int)autha_info.auth_level ));
520 return False;
521 }
522
523 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
524 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
525 return False;
526 }
527
528 /*
529 * Ensure this is a NTLMSSP_AUTH packet type.
530 */
531
532 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
533 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
534 return False;
535 }
536
537 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
538 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
539 return False;
540 }
541
542 /*
543 * The following call actually checks the challenge/response data.
544 * for correctness against the given DOMAIN\user name.
545 */
546
547 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
548 return False;
549
550 p->pipe_bound = True
551 ;
552 return True;
553 }
554
555 /*******************************************************************
556 Marshall a bind_nak pdu.
557 *******************************************************************/
558
559 static BOOL setup_bind_nak(pipes_struct *p)
560 {
561 prs_struct outgoing_rpc;
562 RPC_HDR nak_hdr;
563 uint16 zero = 0;
564
565 /* Free any memory in the current return data buffer. */
566 prs_mem_free(&p->out_data.rdata);
567
568 /*
569 * Marshall directly into the outgoing PDU space. We
570 * must do this as we need to set to the bind response
571 * header and are never sending more than one PDU here.
572 */
573
574 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
575 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
576
577
578 /*
579 * Initialize a bind_nak header.
580 */
581
582 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
583 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
584
585 /*
586 * Marshall the header into the outgoing PDU.
587 */
588
589 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
590 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
591 prs_mem_free(&outgoing_rpc);
592 return False;
593 }
594
595 /*
596 * Now add the reject reason.
597 */
598
599 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
600 prs_mem_free(&outgoing_rpc);
601 return False;
602 }
603
604 p->out_data.data_sent_length = 0;
605 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
606 p->out_data.current_pdu_sent = 0;
607
608 p->pipe_bound = False;
609
610 return True;
611 }
612
613 /*******************************************************************
614 Marshall a fault pdu.
615 *******************************************************************/
616
617 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
618 {
619 prs_struct outgoing_pdu;
620 RPC_HDR fault_hdr;
621 RPC_HDR_RESP hdr_resp;
622 RPC_HDR_FAULT fault_resp;
623
624 /* Free any memory in the current return data buffer. */
625 prs_mem_free(&p->out_data.rdata);
626
627 /*
628 * Marshall directly into the outgoing PDU space. We
629 * must do this as we need to set to the bind response
630 * header and are never sending more than one PDU here.
631 */
632
633 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
634 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
635
636 /*
637 * Initialize a fault header.
638 */
639
640 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
641 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
642
643 /*
644 * Initialize the HDR_RESP and FAULT parts of the PDU.
645 */
646
647 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
648
649 fault_resp.status = status;
650 fault_resp.reserved = 0;
651
652 /*
653 * Marshall the header into the outgoing PDU.
654 */
655
656 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
657 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
658 prs_mem_free(&outgoing_pdu);
659 return False;
660 }
661
662 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
663 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
664 prs_mem_free(&outgoing_pdu);
665 return False;
666 }
667
668 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
669 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
670 prs_mem_free(&outgoing_pdu);
671 return False;
672 }
673
674 p->out_data.data_sent_length = 0;
675 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
676 p->out_data.current_pdu_sent = 0;
677
678 prs_mem_free(&outgoing_pdu);
679 return True;
680 }
681
682 /*******************************************************************
683 Ensure a bind request has the correct abstract & transfer interface.
684 Used to reject unknown binds from Win2k.
685 *******************************************************************/
686
687 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
688 RPC_IFACE* transfer)
689 {
690 extern struct pipe_id_info pipe_names[];
691 int i=0;
692 fstring pname;
693 fstrcpy(pname,"\\PIPE\\");
694 fstrcat(pname,pipe_name);
695
696 for(i=0;pipe_names[i].client_pipe; i++) {
697 if(strequal(pipe_names[i].client_pipe, pname))
698 break;
699 }
700
701 if(pipe_names[i].client_pipe == NULL)
702 return False;
703
704 /* check the abstract interface */
705 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
706 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
707 sizeof(RPC_UUID)) != 0))
708 return False;
709
710 /* check the transfer interface */
711 if((transfer->version != pipe_names[i].trans_syntax.version) ||
712 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
713 sizeof(RPC_UUID)) != 0))
714 return False;
715
716 return True;
717 }
718
719 /*******************************************************************
720 Respond to a pipe bind request.
721 *******************************************************************/
722
723 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
724 {
725 RPC_HDR_BA hdr_ba;
726 RPC_HDR_RB hdr_rb;
727 RPC_HDR_AUTH auth_info;
728 uint16 assoc_gid;
729 fstring ack_pipe_name;
730 prs_struct out_hdr_ba;
731 prs_struct out_auth;
732 prs_struct outgoing_rpc;
733 int i = 0;
734 int auth_len = 0;
735 enum RPC_PKT_TYPE reply_pkt_type;
736
737 p->ntlmssp_auth_requested = False;
738
739 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
740
741 /*
742 * Try and find the correct pipe name to ensure
743 * that this is a pipe name we support.
744 */
745
746 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
747 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
748 api_fd_commands[i].fn != NULL) {
749 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
750 api_fd_commands[i].pipe_clnt_name,
751 api_fd_commands[i].pipe_srv_name));
752 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
753 break;
754 }
755 }
756
757 if (api_fd_commands[i].fn == NULL) {
758 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
759 p->name ));
760 if(!setup_bind_nak(p))
761 return False;
762 return True;
763 }
764
765 /* decode the bind request */
766 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
767 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
768 return False;
769 }
770
771 /*
772 * Check if this is an authenticated request.
773 */
774
775 if (p->hdr.auth_len != 0) {
776 RPC_AUTH_VERIFIER auth_verifier;
777 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
778
779 /*
780 * Decode the authentication verifier.
781 */
782
783 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
784 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
785 return False;
786 }
787
788 /*
789 * We only support NTLMSSP_AUTH_TYPE requests.
790 */
791
792 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
793 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
794 auth_info.auth_type ));
795 return False;
796 }
797
798 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
799 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
800 return False;
801 }
802
803 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
804 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
805 return False;
806 }
807
808 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
809 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
810 auth_verifier.msg_type));
811 return False;
812 }
813
814 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
815 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
816 return False;
817 }
818
819 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
820 p->ntlmssp_auth_requested = True;
821 }
822
823 switch(p->hdr.pkt_type) {
824 case RPC_BIND:
825 /* name has to be \PIPE\xxxxx */
826 fstrcpy(ack_pipe_name, "\\PIPE\\");
827 fstrcat(ack_pipe_name, p->pipe_srv_name);
828 reply_pkt_type = RPC_BINDACK;
829 break;
830 case RPC_ALTCONT:
831 /* secondary address CAN be NULL
832 * as the specs say it's ignored.
833 * It MUST NULL to have the spoolss working.
834 */
835 fstrcpy(ack_pipe_name,"");
836 reply_pkt_type = RPC_ALTCONTRESP;
837 break;
838 default:
839 return False;
840 }
841
842 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
843
844 /*
845 * Marshall directly into the outgoing PDU space. We
846 * must do this as we need to set to the bind response
847 * header and are never sending more than one PDU here.
848 */
849
850 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
851 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
852
853 /*
854 * Setup the memory to marshall the ba header, and the
855 * auth footers.
856 */
857
858 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
859 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
860 prs_mem_free(&outgoing_rpc);
861 return False;
862 }
863
864 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
865 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
866 prs_mem_free(&outgoing_rpc);
867 prs_mem_free(&out_hdr_ba);
868 return False;
869 }
870
871 if (p->ntlmssp_auth_requested)
872 assoc_gid = 0x7a77;
873 else
874 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
875
876 /*
877 * Create the bind response struct.
878 */
879
880 /* If the requested abstract synt uuid doesn't match our client pipe,
881 reject the bind_ack & set the transfer interface synt to all 0's,
882 ver 0 (observed when NT5 attempts to bind to abstract interfaces
883 unknown to NT4)
884 Needed when adding entries to a DACL from NT5 - SK */
885
886 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
887 init_rpc_hdr_ba(&hdr_ba,
888 MAX_PDU_FRAG_LEN,
889 MAX_PDU_FRAG_LEN,
890 assoc_gid,
891 ack_pipe_name,
892 0x1, 0x0, 0x0,
893 &hdr_rb.transfer);
894 } else {
895 RPC_IFACE null_interface;
896 ZERO_STRUCT(null_interface);
897 /* Rejection reason: abstract syntax not supported */
898 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
899 MAX_PDU_FRAG_LEN, assoc_gid,
900 ack_pipe_name, 0x1, 0x2, 0x1,
901 &null_interface);
902 }
903
904 /*
905 * and marshall it.
906 */
907
908 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
909 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
910 goto err_exit;
911 }
912
913 /*
914 * Now the authentication.
915 */
916
917 if (p->ntlmssp_auth_requested) {
918 RPC_AUTH_VERIFIER auth_verifier;
919 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
920
921 generate_random_buffer(p->challenge, 8, False);
922
923 /*** Authentication info ***/
924
925 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
926 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
927 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
928 goto err_exit;
929 }
930
931 /*** NTLMSSP verifier ***/
932
933 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
934 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
935 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
936 goto err_exit;
937 }
938
939 /* NTLMSSP challenge ***/
940
941 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
942 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
943 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
944 goto err_exit;
945 }
946
947 /* Auth len in the rpc header doesn't include auth_header. */
948 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
949 }
950
951 /*
952 * Create the header, now we know the length.
953 */
954
955 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
956 p->hdr.call_id,
957 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
958 auth_len);
959
960 /*
961 * Marshall the header into the outgoing PDU.
962 */
963
964 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
965 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
966 goto err_exit;
967 }
968
969 /*
970 * Now add the RPC_HDR_BA and any auth needed.
971 */
972
973 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
974 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
975 goto err_exit;
976 }
977
978 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
979 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
980 goto err_exit;
981 }
982
983 if(!p->ntlmssp_auth_requested)
984 p->pipe_bound = True;
985
986 /*
987 * Setup the lengths for the initial reply.
988 */
989
990 p->out_data.data_sent_length = 0;
991 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
992 p->out_data.current_pdu_sent = 0;
993
994 prs_mem_free(&out_hdr_ba);
995 prs_mem_free(&out_auth);
996
997 return True;
998
999 err_exit:
1000
1001 prs_mem_free(&outgoing_rpc);
1002 prs_mem_free(&out_hdr_ba);
1003 prs_mem_free(&out_auth);
1004 return False;
1005 }
1006
1007 /****************************************************************************
1008 Deal with sign & seal processing on an RPC request.
1009 ****************************************************************************/
1010
1011 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1012 {
1013 /*
1014 * We always negotiate the following two bits....
1015 */
1016 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1017 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1018 int data_len;
1019 int auth_len;
1020 uint32 old_offset;
1021 uint32 crc32 = 0;
1022
1023 auth_len = p->hdr.auth_len;
1024
1025 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1026 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1027 return False;
1028 }
1029
1030 /*
1031 * The following is that length of the data we must verify or unseal.
1032 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1033 * preceeding the auth_data.
1034 */
1035
1036 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1037 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1038
1039 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1040 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1041
1042 if (auth_seal) {
1043 /*
1044 * The data in rpc_in doesn't contain the RPC_HEADER as this
1045 * has already been consumed.
1046 */
1047 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1048 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1049 crc32 = crc32_calc_buffer(data, data_len);
1050 }
1051
1052 old_offset = prs_offset(rpc_in);
1053
1054 if (auth_seal || auth_verify) {
1055 RPC_HDR_AUTH auth_info;
1056
1057 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1058 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1059 (unsigned int)old_offset + data_len ));
1060 return False;
1061 }
1062
1063 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1064 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1065 return False;
1066 }
1067 }
1068
1069 if (auth_verify) {
1070 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1071 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1072
1073 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1074
1075 /*
1076 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1077 * incoming buffer.
1078 */
1079 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1080 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1081 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1082 return False;
1083 }
1084
1085 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1086 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1087 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1088 return False;
1089 }
1090
1091 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1092 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1093 return False;
1094 }
1095 }
1096
1097 /*
1098 * Return the current pointer to the data offset.
1099 */
1100
1101 if(!prs_set_offset(rpc_in, old_offset)) {
1102 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1103 (unsigned int)old_offset ));
1104 return False;
1105 }
1106
1107 return True;
1108 }
1109
1110 /****************************************************************************
1111 Return a user struct for a pipe user.
1112 ****************************************************************************/
1113
1114 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1115 {
1116 if (p->ntlmssp_auth_validated) {
1117 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1118 } else {
1119 extern struct current_user current_user;
1120 memcpy(user, &current_user, sizeof(struct current_user));
1121 }
1122
1123 return user;
1124 }
1125
1126 /****************************************************************************
1127 Find the correct RPC function to call for this request.
1128 If the pipe is authenticated then become the correct UNIX user
1129 before doing the call.
1130 ****************************************************************************/
1131
1132 BOOL api_pipe_request(pipes_struct *p)
1133 {
1134 int i = 0;
1135 BOOL ret = False;
1136
1137 if (p->ntlmssp_auth_validated) {
1138
1139 if(!become_authenticated_pipe_user(p)) {
1140 prs_mem_free(&p->out_data.rdata);
1141 return False;
1142 }
1143 }
1144
1145 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1146 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1147 api_fd_commands[i].fn != NULL) {
1148 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1149 set_current_rpc_talloc(p->mem_ctx);
1150 ret = api_fd_commands[i].fn(p);
1151 set_current_rpc_talloc(NULL);
1152 }
1153 }
1154
1155 if (p->ntlmssp_auth_validated)
1156 unbecome_authenticated_pipe_user();
1157
1158 return ret;
1159 }
1160
1161 /*******************************************************************
1162 Calls the underlying RPC function for a named pipe.
1163 ********************************************************************/
1164
1165 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1166 struct api_struct *api_rpc_cmds)
1167 {
1168 int fn_num;
1169 fstring name;
1170 uint32 offset1, offset2;
1171
1172 /* interpret the command */
1173 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1174
1175 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1176 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1177
1178 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1179 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1180 DEBUG(3,("api_rpcTNP: pipe %u rpc command: %s\n", (unsigned int)p->pnum, api_rpc_cmds[fn_num].name));
1181 break;
1182 }
1183 }
1184
1185 if (api_rpc_cmds[fn_num].name == NULL) {
1186 /*
1187 * For an unknown RPC just return a fault PDU but
1188 * return True to allow RPC's on the pipe to continue
1189 * and not put the pipe into fault state. JRA.
1190 */
1191 DEBUG(4, ("unknown\n"));
1192 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1193 return True;
1194 }
1195
1196 offset1 = prs_offset(&p->out_data.rdata);
1197
1198 /* do the actual command */
1199 if(!api_rpc_cmds[fn_num].fn(p)) {
1200 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1201 prs_mem_free(&p->out_data.rdata);
1202 return False;
1203 }
1204
1205 if (p->bad_handle_fault_state) {
1206 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1207 p->bad_handle_fault_state = False;
1208 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1209 return True;
1210 }
1211
1212 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1213 offset2 = prs_offset(&p->out_data.rdata);
1214 prs_set_offset(&p->out_data.rdata, offset1);
1215 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1216 prs_set_offset(&p->out_data.rdata, offset2);
1217
1218 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1219
1220 /* Check for buffer underflow in rpc parsing */
1221
1222 if ((DEBUGLEVEL >= 10) &&
1223 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1224 int data_len = p->in_data.data.buffer_size -
1225 p->in_data.data.data_offset;
1226 char *data;
1227
1228 data = malloc(data_len);
1229
1230 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1231 if (data) {
1232 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1233 data_len);
1234 SAFE_FREE(data);
1235 }
1236
1237 }
1238
1239 return True;
1240 }
Samba GIT mirror