search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sync'ing up for 3.0alpha20 release
[Samba.git] / source / rpc_server / srv_pipe.c
blob1947d5514e5d500f625482a5cc8f93c006cdcaf4
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998.
7 * Copyright (C) Jeremy Allison 1999.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 /* this module apparently provides an implementation of DCE/RPC over a
25 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
26 * documentation are available (in on-line form) from the X-Open group.
27 *
28 * this module should provide a level of abstraction between SMB
29 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
30 * data copies, and network traffic.
31 *
32 * in this version, which takes a "let's learn what's going on and
33 * get something running" approach, there is additional network
34 * traffic generated, but the code should be easier to understand...
35 *
36 * ... if you read the docs. or stare at packets for weeks on end.
37 *
38 */
39
40 #include "includes.h"
41
42 #undef DBGC_CLASS
43 #define DBGC_CLASS DBGC_RPC_SRV
44
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
46 {
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
50 int ind;
51
52 for( ind = 0; ind < len; ind++) {
53 unsigned char tc;
54 unsigned char t;
55
56 index_i++;
57 index_j += hash[index_i];
58
59 tc = hash[index_i];
60 hash[index_i] = hash[index_j];
61 hash[index_j] = tc;
62
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
65 }
66
67 hash[256] = index_i;
68 hash[257] = index_j;
69 }
70
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
76
77 BOOL create_next_pdu(pipes_struct *p)
78 {
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
82 uint32 data_len;
83 uint32 data_space_available;
84 uint32 data_len_left;
85 prs_struct outgoing_pdu;
86 char *data;
87 char *data_from;
88 uint32 data_pos;
89
90 /*
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
93 */
94
95 if(p->fault_state) {
96 setup_fault_pdu(p, NT_STATUS(0x1c010002));
97 return True;
98 }
99
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
104
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
108 else
109 p->hdr.flags = 0;
110
111 /*
112 * Work out how much we can fit in a single PDU.
113 */
114
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118
119 /*
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
122 */
123
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125
126 /*
127 * Ensure there really is data left to send.
128 */
129
130 if(!data_len_left) {
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
132 return False;
133 }
134
135 data_len = MIN(data_len_left, data_space_available);
136
137 /*
138 * Set up the alloc hint. This should be the data left to
139 * send.
140 */
141
142 hdr_resp.alloc_hint = data_len_left;
143
144 /*
145 * Set up the header lengths.
146 */
147
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 } else {
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
154 p->hdr.auth_len = 0;
155 }
156
157 /*
158 * Work out if this PDU will be the last.
159 */
160
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
163
164 /*
165 * Init the parse struct to point at the outgoing
166 * data.
167 */
168
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
176 return False;
177 }
178
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
182 return False;
183 }
184
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
187
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
190
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
194 return False;
195 }
196
197 /*
198 * Set data to point to where we copied the data into.
199 */
200
201 data = prs_data_p(&outgoing_pdu) + data_pos;
202
203 if (p->hdr.auth_len > 0) {
204 uint32 crc32 = 0;
205
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208
209 if (auth_seal) {
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 }
213
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
216
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
222 return False;
223 }
224 }
225
226 if (auth_verify) {
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
229
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
237 return False;
238 }
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
240 }
241 }
242
243 /*
244 * Setup the counts for this PDU.
245 */
246
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
250
251 prs_mem_free(&outgoing_pdu);
252 return True;
253 }
254
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
259 the pipe struct.
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
262
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
264 {
265 uchar lm_owf[24];
266 uchar nt_owf[128];
267 int nt_pw_len;
268 int lm_pw_len;
269 fstring user_name;
270 fstring domain;
271 fstring wks;
272
273 NTSTATUS nt_status;
274
275 struct auth_context *auth_context = NULL;
276 auth_usersupplied_info *user_info = NULL;
277 auth_serversupplied_info *server_info = NULL;
278
279 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280
281 memset(p->user_name, '\0', sizeof(p->user_name));
282 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
283 memset(p->domain, '\0', sizeof(p->domain));
284 memset(p->wks, '\0', sizeof(p->wks));
285
286 /* Set up for non-authenticated user. */
287 delete_nt_token(&p->pipe_user.nt_user_token);
288 p->pipe_user.ngroups = 0;
289 SAFE_FREE( p->pipe_user.groups);
290
291 /*
292 * Setup an empty password for a guest user.
293 */
294
295 /*
296 * We always negotiate UNICODE.
297 */
298
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
301 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
302 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303 } else {
304 pull_ascii_fstring(user_name, ntlmssp_resp->user);
305 pull_ascii_fstring(domain, ntlmssp_resp->domain);
306 pull_ascii_fstring(wks, ntlmssp_resp->wks);
307 }
308
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310
311 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
312 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313
314 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
315 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316
317 #ifdef DEBUG_PASSWORD
318 DEBUG(100,("lm, nt owfs, chal\n"));
319 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
320 dump_data(100, (char *)nt_owf, nt_pw_len);
321 dump_data(100, (char *)p->challenge, 8);
322 #endif
323
324 /*
325 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
326 */
327
328 if (*user_name) {
329
330 /*
331 * Do the length checking only if user is not NULL.
332 */
333
334 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
335 return False;
336 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
337 return False;
338 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
339 return False;
340 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
341 return False;
342 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
343 return False;
344
345 }
346
347 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
348
349 if (!make_user_info_netlogon_network(&user_info,
350 user_name, domain, wks,
351 lm_owf, lm_pw_len,
352 nt_owf, nt_pw_len)) {
353 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
354 return False;
355 }
356
357 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
358
359 (auth_context->free)(&auth_context);
360 free_user_info(&user_info);
361
362 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
363
364 if (!p->ntlmssp_auth_validated) {
365 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
366 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
367 free_server_info(&server_info);
368 return False;
369 }
370
371 /*
372 * Set up the sign/seal data.
373 */
374
375 {
376 uchar p24[24];
377 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
378 {
379 unsigned char j = 0;
380 int ind;
381
382 unsigned char k2[8];
383
384 memcpy(k2, p24, 5);
385 k2[5] = 0xe5;
386 k2[6] = 0x38;
387 k2[7] = 0xb0;
388
389 for (ind = 0; ind < 256; ind++)
390 p->ntlmssp_hash[ind] = (unsigned char)ind;
391
392 for( ind = 0; ind < 256; ind++) {
393 unsigned char tc;
394
395 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
396
397 tc = p->ntlmssp_hash[ind];
398 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
399 p->ntlmssp_hash[j] = tc;
400 }
401
402 p->ntlmssp_hash[256] = 0;
403 p->ntlmssp_hash[257] = 0;
404 }
405 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
406 p->ntlmssp_seq_num = 0;
407
408 }
409
410 fstrcpy(p->user_name, user_name);
411 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
412 fstrcpy(p->domain, domain);
413 fstrcpy(p->wks, wks);
414
415 /*
416 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
417 */
418
419 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
420 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
421 free_server_info(&server_info);
422 return False;
423 }
424
425 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
426
427 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
428 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
429
430 p->pipe_user.ngroups = server_info->n_groups;
431 if (p->pipe_user.ngroups) {
432 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
433 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
434 free_server_info(&server_info);
435 return False;
436 }
437 }
438
439 if (server_info->ptok)
440 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
441 else {
442 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
443 p->pipe_user.nt_user_token = NULL;
444 free_server_info(&server_info);
445 return False;
446 }
447
448 p->ntlmssp_auth_validated = True;
449
450 free_server_info(&server_info);
451 return True;
452 }
453
454 /*******************************************************************
455 The switch table for the pipe names and the functions to handle them.
456 *******************************************************************/
457
458 struct api_cmd
459 {
460 char * pipe_clnt_name;
461 char * pipe_srv_name;
462 BOOL (*fn) (pipes_struct *);
463 };
464
465 static struct api_cmd api_fd_commands[] =
466 {
467 { "lsarpc", "lsass", api_ntlsa_rpc },
468 { "samr", "lsass", api_samr_rpc },
469 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
470 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
471 { "NETLOGON", "lsass", api_netlog_rpc },
472 { "winreg", "winreg", api_reg_rpc },
473 { "spoolss", "spoolss", api_spoolss_rpc },
474 { "netdfs", "netdfs" , api_netdfs_rpc },
475 { NULL, NULL, NULL }
476 };
477
478 /*******************************************************************
479 This is the client reply to our challenge for an authenticated
480 bind request. The challenge we sent is in p->challenge.
481 *******************************************************************/
482
483 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
484 {
485 RPC_HDR_AUTHA autha_info;
486 RPC_AUTH_VERIFIER auth_verifier;
487 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
488
489 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
490
491 if (p->hdr.auth_len == 0) {
492 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
493 return False;
494 }
495
496 /*
497 * Decode the authentication verifier response.
498 */
499
500 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
501 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
502 return False;
503 }
504
505 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
506 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
507 (int)autha_info.auth_type, (int)autha_info.auth_level ));
508 return False;
509 }
510
511 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
512 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
513 return False;
514 }
515
516 /*
517 * Ensure this is a NTLMSSP_AUTH packet type.
518 */
519
520 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
521 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
522 return False;
523 }
524
525 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
526 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
527 return False;
528 }
529
530 /*
531 * The following call actually checks the challenge/response data.
532 * for correctness against the given DOMAIN\user name.
533 */
534
535 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
536 return False;
537
538 p->pipe_bound = True
539 ;
540 return True;
541 }
542
543 /*******************************************************************
544 Marshall a bind_nak pdu.
545 *******************************************************************/
546
547 static BOOL setup_bind_nak(pipes_struct *p)
548 {
549 prs_struct outgoing_rpc;
550 RPC_HDR nak_hdr;
551 uint16 zero = 0;
552
553 /* Free any memory in the current return data buffer. */
554 prs_mem_free(&p->out_data.rdata);
555
556 /*
557 * Marshall directly into the outgoing PDU space. We
558 * must do this as we need to set to the bind response
559 * header and are never sending more than one PDU here.
560 */
561
562 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
563 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
564
565
566 /*
567 * Initialize a bind_nak header.
568 */
569
570 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
571 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
572
573 /*
574 * Marshall the header into the outgoing PDU.
575 */
576
577 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
578 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
579 prs_mem_free(&outgoing_rpc);
580 return False;
581 }
582
583 /*
584 * Now add the reject reason.
585 */
586
587 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
588 prs_mem_free(&outgoing_rpc);
589 return False;
590 }
591
592 p->out_data.data_sent_length = 0;
593 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
594 p->out_data.current_pdu_sent = 0;
595
596 p->pipe_bound = False;
597
598 return True;
599 }
600
601 /*******************************************************************
602 Marshall a fault pdu.
603 *******************************************************************/
604
605 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
606 {
607 prs_struct outgoing_pdu;
608 RPC_HDR fault_hdr;
609 RPC_HDR_RESP hdr_resp;
610 RPC_HDR_FAULT fault_resp;
611
612 /* Free any memory in the current return data buffer. */
613 prs_mem_free(&p->out_data.rdata);
614
615 /*
616 * Marshall directly into the outgoing PDU space. We
617 * must do this as we need to set to the bind response
618 * header and are never sending more than one PDU here.
619 */
620
621 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
622 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
623
624 /*
625 * Initialize a fault header.
626 */
627
628 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
629 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
630
631 /*
632 * Initialize the HDR_RESP and FAULT parts of the PDU.
633 */
634
635 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
636
637 fault_resp.status = status;
638 fault_resp.reserved = 0;
639
640 /*
641 * Marshall the header into the outgoing PDU.
642 */
643
644 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
645 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
646 prs_mem_free(&outgoing_pdu);
647 return False;
648 }
649
650 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
651 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
652 prs_mem_free(&outgoing_pdu);
653 return False;
654 }
655
656 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
657 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
658 prs_mem_free(&outgoing_pdu);
659 return False;
660 }
661
662 p->out_data.data_sent_length = 0;
663 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
664 p->out_data.current_pdu_sent = 0;
665
666 prs_mem_free(&outgoing_pdu);
667 return True;
668 }
669
670 /*******************************************************************
671 Ensure a bind request has the correct abstract & transfer interface.
672 Used to reject unknown binds from Win2k.
673 *******************************************************************/
674
675 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
676 RPC_IFACE* transfer)
677 {
678 extern struct pipe_id_info pipe_names[];
679 int i=0;
680 fstring pname;
681 fstrcpy(pname,"\\PIPE\\");
682 fstrcat(pname,pipe_name);
683
684 for(i=0;pipe_names[i].client_pipe; i++) {
685 if(strequal(pipe_names[i].client_pipe, pname))
686 break;
687 }
688
689 if(pipe_names[i].client_pipe == NULL)
690 return False;
691
692 /* check the abstract interface */
693 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
694 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
695 sizeof(RPC_UUID)) != 0))
696 return False;
697
698 /* check the transfer interface */
699 if((transfer->version != pipe_names[i].trans_syntax.version) ||
700 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
701 sizeof(RPC_UUID)) != 0))
702 return False;
703
704 return True;
705 }
706
707 /*******************************************************************
708 Respond to a pipe bind request.
709 *******************************************************************/
710
711 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
712 {
713 RPC_HDR_BA hdr_ba;
714 RPC_HDR_RB hdr_rb;
715 RPC_HDR_AUTH auth_info;
716 uint16 assoc_gid;
717 fstring ack_pipe_name;
718 prs_struct out_hdr_ba;
719 prs_struct out_auth;
720 prs_struct outgoing_rpc;
721 int i = 0;
722 int auth_len = 0;
723 enum RPC_PKT_TYPE reply_pkt_type;
724
725 p->ntlmssp_auth_requested = False;
726
727 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
728
729 /*
730 * Try and find the correct pipe name to ensure
731 * that this is a pipe name we support.
732 */
733
734 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
735 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
736 api_fd_commands[i].fn != NULL) {
737 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
738 api_fd_commands[i].pipe_clnt_name,
739 api_fd_commands[i].pipe_srv_name));
740 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
741 break;
742 }
743 }
744
745 if (api_fd_commands[i].fn == NULL) {
746 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
747 p->name ));
748 if(!setup_bind_nak(p))
749 return False;
750 return True;
751 }
752
753 /* decode the bind request */
754 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
755 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
756 return False;
757 }
758
759 /*
760 * Check if this is an authenticated request.
761 */
762
763 if (p->hdr.auth_len != 0) {
764 RPC_AUTH_VERIFIER auth_verifier;
765 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
766
767 /*
768 * Decode the authentication verifier.
769 */
770
771 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
772 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
773 return False;
774 }
775
776 /*
777 * We only support NTLMSSP_AUTH_TYPE requests.
778 */
779
780 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
781 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
782 auth_info.auth_type ));
783 return False;
784 }
785
786 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
787 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
788 return False;
789 }
790
791 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
792 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
793 return False;
794 }
795
796 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
797 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
798 auth_verifier.msg_type));
799 return False;
800 }
801
802 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
803 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
804 return False;
805 }
806
807 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
808 p->ntlmssp_auth_requested = True;
809 }
810
811 switch(p->hdr.pkt_type) {
812 case RPC_BIND:
813 /* name has to be \PIPE\xxxxx */
814 fstrcpy(ack_pipe_name, "\\PIPE\\");
815 fstrcat(ack_pipe_name, p->pipe_srv_name);
816 reply_pkt_type = RPC_BINDACK;
817 break;
818 case RPC_ALTCONT:
819 /* secondary address CAN be NULL
820 * as the specs say it's ignored.
821 * It MUST NULL to have the spoolss working.
822 */
823 fstrcpy(ack_pipe_name,"");
824 reply_pkt_type = RPC_ALTCONTRESP;
825 break;
826 default:
827 return False;
828 }
829
830 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
831
832 /*
833 * Marshall directly into the outgoing PDU space. We
834 * must do this as we need to set to the bind response
835 * header and are never sending more than one PDU here.
836 */
837
838 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
839 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
840
841 /*
842 * Setup the memory to marshall the ba header, and the
843 * auth footers.
844 */
845
846 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
847 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
848 prs_mem_free(&outgoing_rpc);
849 return False;
850 }
851
852 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
853 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
854 prs_mem_free(&outgoing_rpc);
855 prs_mem_free(&out_hdr_ba);
856 return False;
857 }
858
859 if (p->ntlmssp_auth_requested)
860 assoc_gid = 0x7a77;
861 else
862 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
863
864 /*
865 * Create the bind response struct.
866 */
867
868 /* If the requested abstract synt uuid doesn't match our client pipe,
869 reject the bind_ack & set the transfer interface synt to all 0's,
870 ver 0 (observed when NT5 attempts to bind to abstract interfaces
871 unknown to NT4)
872 Needed when adding entries to a DACL from NT5 - SK */
873
874 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
875 init_rpc_hdr_ba(&hdr_ba,
876 MAX_PDU_FRAG_LEN,
877 MAX_PDU_FRAG_LEN,
878 assoc_gid,
879 ack_pipe_name,
880 0x1, 0x0, 0x0,
881 &hdr_rb.transfer);
882 } else {
883 RPC_IFACE null_interface;
884 ZERO_STRUCT(null_interface);
885 /* Rejection reason: abstract syntax not supported */
886 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
887 MAX_PDU_FRAG_LEN, assoc_gid,
888 ack_pipe_name, 0x1, 0x2, 0x1,
889 &null_interface);
890 }
891
892 /*
893 * and marshall it.
894 */
895
896 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
897 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
898 goto err_exit;
899 }
900
901 /*
902 * Now the authentication.
903 */
904
905 if (p->ntlmssp_auth_requested) {
906 RPC_AUTH_VERIFIER auth_verifier;
907 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
908
909 generate_random_buffer(p->challenge, 8, False);
910
911 /*** Authentication info ***/
912
913 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
914 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
915 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
916 goto err_exit;
917 }
918
919 /*** NTLMSSP verifier ***/
920
921 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
922 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
923 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
924 goto err_exit;
925 }
926
927 /* NTLMSSP challenge ***/
928
929 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
930 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
931 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
932 goto err_exit;
933 }
934
935 /* Auth len in the rpc header doesn't include auth_header. */
936 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
937 }
938
939 /*
940 * Create the header, now we know the length.
941 */
942
943 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
944 p->hdr.call_id,
945 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
946 auth_len);
947
948 /*
949 * Marshall the header into the outgoing PDU.
950 */
951
952 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
953 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
954 goto err_exit;
955 }
956
957 /*
958 * Now add the RPC_HDR_BA and any auth needed.
959 */
960
961 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
962 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
963 goto err_exit;
964 }
965
966 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
967 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
968 goto err_exit;
969 }
970
971 if(!p->ntlmssp_auth_requested)
972 p->pipe_bound = True;
973
974 /*
975 * Setup the lengths for the initial reply.
976 */
977
978 p->out_data.data_sent_length = 0;
979 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
980 p->out_data.current_pdu_sent = 0;
981
982 prs_mem_free(&out_hdr_ba);
983 prs_mem_free(&out_auth);
984
985 return True;
986
987 err_exit:
988
989 prs_mem_free(&outgoing_rpc);
990 prs_mem_free(&out_hdr_ba);
991 prs_mem_free(&out_auth);
992 return False;
993 }
994
995 /****************************************************************************
996 Deal with sign & seal processing on an RPC request.
997 ****************************************************************************/
998
999 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1000 {
1001 /*
1002 * We always negotiate the following two bits....
1003 */
1004 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1005 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1006 int data_len;
1007 int auth_len;
1008 uint32 old_offset;
1009 uint32 crc32 = 0;
1010
1011 auth_len = p->hdr.auth_len;
1012
1013 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1014 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1015 return False;
1016 }
1017
1018 /*
1019 * The following is that length of the data we must verify or unseal.
1020 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1021 * preceeding the auth_data.
1022 */
1023
1024 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1025 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1026
1027 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1028 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1029
1030 if (auth_seal) {
1031 /*
1032 * The data in rpc_in doesn't contain the RPC_HEADER as this
1033 * has already been consumed.
1034 */
1035 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1036 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1037 crc32 = crc32_calc_buffer(data, data_len);
1038 }
1039
1040 old_offset = prs_offset(rpc_in);
1041
1042 if (auth_seal || auth_verify) {
1043 RPC_HDR_AUTH auth_info;
1044
1045 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1046 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1047 (unsigned int)old_offset + data_len ));
1048 return False;
1049 }
1050
1051 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1052 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1053 return False;
1054 }
1055 }
1056
1057 if (auth_verify) {
1058 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1059 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1060
1061 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1062
1063 /*
1064 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1065 * incoming buffer.
1066 */
1067 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1068 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1069 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1070 return False;
1071 }
1072
1073 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1074 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1075 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1076 return False;
1077 }
1078
1079 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1080 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1081 return False;
1082 }
1083 }
1084
1085 /*
1086 * Return the current pointer to the data offset.
1087 */
1088
1089 if(!prs_set_offset(rpc_in, old_offset)) {
1090 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1091 (unsigned int)old_offset ));
1092 return False;
1093 }
1094
1095 return True;
1096 }
1097
1098 /****************************************************************************
1099 Return a user struct for a pipe user.
1100 ****************************************************************************/
1101
1102 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1103 {
1104 if (p->ntlmssp_auth_validated) {
1105 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1106 } else {
1107 extern struct current_user current_user;
1108 memcpy(user, &current_user, sizeof(struct current_user));
1109 }
1110
1111 return user;
1112 }
1113
1114 /****************************************************************************
1115 Find the correct RPC function to call for this request.
1116 If the pipe is authenticated then become the correct UNIX user
1117 before doing the call.
1118 ****************************************************************************/
1119
1120 BOOL api_pipe_request(pipes_struct *p)
1121 {
1122 int i = 0;
1123 BOOL ret = False;
1124
1125 if (p->ntlmssp_auth_validated) {
1126
1127 if(!become_authenticated_pipe_user(p)) {
1128 prs_mem_free(&p->out_data.rdata);
1129 return False;
1130 }
1131 }
1132
1133 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1134 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1135 api_fd_commands[i].fn != NULL) {
1136 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1137 set_current_rpc_talloc(p->mem_ctx);
1138 ret = api_fd_commands[i].fn(p);
1139 set_current_rpc_talloc(NULL);
1140 }
1141 }
1142
1143 if(p->ntlmssp_auth_validated)
1144 unbecome_authenticated_pipe_user();
1145
1146 return ret;
1147 }
1148
1149 /*******************************************************************
1150 Calls the underlying RPC function for a named pipe.
1151 ********************************************************************/
1152
1153 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1154 const struct api_struct *api_rpc_cmds)
1155 {
1156 int fn_num;
1157 fstring name;
1158 uint32 offset1, offset2;
1159
1160 /* interpret the command */
1161 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1162
1163 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1164 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1165
1166 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1167 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1168 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1169 break;
1170 }
1171 }
1172
1173 if (api_rpc_cmds[fn_num].name == NULL) {
1174 /*
1175 * For an unknown RPC just return a fault PDU but
1176 * return True to allow RPC's on the pipe to continue
1177 * and not put the pipe into fault state. JRA.
1178 */
1179 DEBUG(4, ("unknown\n"));
1180 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1181 return True;
1182 }
1183
1184 offset1 = prs_offset(&p->out_data.rdata);
1185
1186 /* do the actual command */
1187 if(!api_rpc_cmds[fn_num].fn(p)) {
1188 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1189 prs_mem_free(&p->out_data.rdata);
1190 return False;
1191 }
1192
1193 if (p->bad_handle_fault_state) {
1194 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1195 p->bad_handle_fault_state = False;
1196 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1197 return True;
1198 }
1199
1200 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1201 offset2 = prs_offset(&p->out_data.rdata);
1202 prs_set_offset(&p->out_data.rdata, offset1);
1203 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1204 prs_set_offset(&p->out_data.rdata, offset2);
1205
1206 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1207
1208 /* Check for buffer underflow in rpc parsing */
1209
1210 if ((DEBUGLEVEL >= 10) &&
1211 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1212 int data_len = p->in_data.data.buffer_size -
1213 p->in_data.data.data_offset;
1214 char *data;
1215
1216 data = malloc(data_len);
1217
1218 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1219 if (data) {
1220 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1221 data_len);
1222 SAFE_FREE(data);
1223 }
1224
1225 }
1226
1227 return True;
1228 }
Samba GIT mirror