search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixes to our LDAP/vampire codepaths:
[Samba.git] / source / rpc_server / srv_pipe.c
blobf7663204b2e69a6ca9dbcc6a50dcb1193f3c23bc
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_RPC_SRV
45
46 /*************************************************************
47 HACK Alert!
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
52
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
54 {
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
58 int ind;
59
60 for( ind = 0; ind < len; ind++) {
61 unsigned char tc;
62 unsigned char t;
63
64 index_i++;
65 index_j += hash[index_i];
66
67 tc = hash[index_i];
68 hash[index_i] = hash[index_j];
69 hash[index_j] = tc;
70
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
73 }
74
75 hash[256] = index_i;
76 hash[257] = index_j;
77 }
78
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
84
85 BOOL create_next_pdu(pipes_struct *p)
86 {
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
90 uint32 data_len;
91 uint32 data_space_available;
92 uint32 data_len_left;
93 prs_struct outgoing_pdu;
94 uint32 data_pos;
95
96 /*
97 * If we're in the fault state, keep returning fault PDU's until
98 * the pipe gets closed. JRA.
99 */
100
101 if(p->fault_state) {
102 setup_fault_pdu(p, NT_STATUS(0x1c010002));
103 return True;
104 }
105
106 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
107
108 /* Change the incoming request header to a response. */
109 p->hdr.pkt_type = RPC_RESPONSE;
110
111 /* Set up rpc header flags. */
112 if (p->out_data.data_sent_length == 0)
113 p->hdr.flags = RPC_FLG_FIRST;
114 else
115 p->hdr.flags = 0;
116
117 /*
118 * Work out how much we can fit in a single PDU.
119 */
120
121 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
122 if(p->ntlmssp_auth_validated)
123 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
124
125 if(p->netsec_auth_validated)
126 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
127
128 /*
129 * The amount we send is the minimum of the available
130 * space and the amount left to send.
131 */
132
133 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
134
135 /*
136 * Ensure there really is data left to send.
137 */
138
139 if(!data_len_left) {
140 DEBUG(0,("create_next_pdu: no data left to send !\n"));
141 return False;
142 }
143
144 data_len = MIN(data_len_left, data_space_available);
145
146 /*
147 * Set up the alloc hint. This should be the data left to
148 * send.
149 */
150
151 hdr_resp.alloc_hint = data_len_left;
152
153 /*
154 * Set up the header lengths.
155 */
156
157 if (p->ntlmssp_auth_validated) {
158 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
159 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
160 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
161 } else if (p->netsec_auth_validated) {
162 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
163 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
164 p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
165 } else {
166 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
167 p->hdr.auth_len = 0;
168 }
169
170 /*
171 * Work out if this PDU will be the last.
172 */
173
174 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
175 p->hdr.flags |= RPC_FLG_LAST;
176
177 /*
178 * Init the parse struct to point at the outgoing
179 * data.
180 */
181
182 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
183 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
184
185 /* Store the header in the data stream. */
186 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
187 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
188 prs_mem_free(&outgoing_pdu);
189 return False;
190 }
191
192 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
193 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
194 prs_mem_free(&outgoing_pdu);
195 return False;
196 }
197
198 /* Store the current offset. */
199 data_pos = prs_offset(&outgoing_pdu);
200
201 /* Copy the data into the PDU. */
202
203 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
204 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
205 prs_mem_free(&outgoing_pdu);
206 return False;
207 }
208
209 if (p->ntlmssp_auth_validated) {
210 uint32 crc32 = 0;
211 char *data;
212
213 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
214 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
215
216 /*
217 * Set data to point to where we copied the data into.
218 */
219
220 data = prs_data_p(&outgoing_pdu) + data_pos;
221
222 if (auth_seal) {
223 crc32 = crc32_calc_buffer(data, data_len);
224 NTLMSSPcalc_p(p, (uchar*)data, data_len);
225 }
226
227 if (auth_seal || auth_verify) {
228 RPC_HDR_AUTH auth_info;
229
230 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
231 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 }
238
239 if (auth_verify) {
240 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
241 char *auth_data = prs_data_p(&outgoing_pdu);
242
243 p->ntlmssp_seq_num++;
244 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
245 crc32, p->ntlmssp_seq_num++);
246 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
247 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
248 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
249 prs_mem_free(&outgoing_pdu);
250 return False;
251 }
252 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
253 }
254 }
255
256 if (p->netsec_auth_validated) {
257 char *data;
258 RPC_HDR_AUTH auth_info;
259 static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
260 static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
261
262 RPC_AUTH_NETSEC_CHK verf;
263 prs_struct rverf;
264 prs_struct rauth;
265
266 uchar sign[8];
267
268 data = prs_data_p(&outgoing_pdu) + data_pos;
269
270 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
271 RPC_HDR_AUTH_LEN, 1);
272
273 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
274 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
275 prs_mem_free(&outgoing_pdu);
276 return False;
277 }
278
279 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
280 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
281
282 if ((p->netsec_auth.seq_num & 1) == 0) {
283 DEBUG(0,("SCHANNEL ERROR: seq_num must be odd in server! (seq_num=%d)\n",
284 p->netsec_auth.seq_num));
285 }
286
287 RSIVAL(sign, 0, p->netsec_auth.seq_num);
288 SIVAL(sign, 4, 0);
289
290 init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes, sign, nullbytes);
291
292 netsec_encode(&p->netsec_auth, &verf, data, data_len);
293
294 smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
295
296 p->netsec_auth.seq_num++;
297 }
298
299 /*
300 * Setup the counts for this PDU.
301 */
302
303 p->out_data.data_sent_length += data_len;
304 p->out_data.current_pdu_len = p->hdr.frag_len;
305 p->out_data.current_pdu_sent = 0;
306
307 prs_mem_free(&outgoing_pdu);
308 return True;
309 }
310
311 /*******************************************************************
312 Process an NTLMSSP authentication response.
313 If this function succeeds, the user has been authenticated
314 and their domain, name and calling workstation stored in
315 the pipe struct.
316 The initial challenge is stored in p->challenge.
317 *******************************************************************/
318
319 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
320 {
321 uchar lm_owf[24];
322 uchar nt_owf[128];
323 int nt_pw_len;
324 int lm_pw_len;
325 fstring user_name;
326 fstring domain;
327 fstring wks;
328
329 NTSTATUS nt_status;
330
331 struct auth_context *auth_context = NULL;
332 auth_usersupplied_info *user_info = NULL;
333 auth_serversupplied_info *server_info = NULL;
334
335 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
336
337 memset(p->user_name, '\0', sizeof(p->user_name));
338 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
339 memset(p->domain, '\0', sizeof(p->domain));
340 memset(p->wks, '\0', sizeof(p->wks));
341
342 /* Set up for non-authenticated user. */
343 delete_nt_token(&p->pipe_user.nt_user_token);
344 p->pipe_user.ngroups = 0;
345 SAFE_FREE( p->pipe_user.groups);
346
347 /*
348 * Setup an empty password for a guest user.
349 */
350
351 /*
352 * We always negotiate UNICODE.
353 */
354
355 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
356 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
357 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
358 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
359 } else {
360 pull_ascii_fstring(user_name, ntlmssp_resp->user);
361 pull_ascii_fstring(domain, ntlmssp_resp->domain);
362 pull_ascii_fstring(wks, ntlmssp_resp->wks);
363 }
364
365 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
366
367 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
368 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
369
370 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
371 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
372
373 #ifdef DEBUG_PASSWORD
374 DEBUG(100,("lm, nt owfs, chal\n"));
375 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
376 dump_data(100, (char *)nt_owf, nt_pw_len);
377 dump_data(100, (char *)p->challenge, 8);
378 #endif
379
380 /*
381 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
382 */
383
384 if (*user_name) {
385
386 /*
387 * Do the length checking only if user is not NULL.
388 */
389
390 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
391 return False;
392 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
393 return False;
394 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
395 return False;
396 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
397 return False;
398 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
399 return False;
400
401 }
402
403 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
404
405 if (!make_user_info_netlogon_network(&user_info,
406 user_name, domain, wks,
407 lm_owf, lm_pw_len,
408 nt_owf, nt_pw_len)) {
409 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
410 return False;
411 }
412
413 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
414
415 (auth_context->free)(&auth_context);
416 free_user_info(&user_info);
417
418 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
419
420 if (!p->ntlmssp_auth_validated) {
421 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
422 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
423 free_server_info(&server_info);
424 return False;
425 }
426
427 /*
428 * Set up the sign/seal data.
429 */
430
431 {
432 uchar p24[24];
433 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
434 {
435 unsigned char j = 0;
436 int ind;
437
438 unsigned char k2[8];
439
440 memcpy(k2, p24, 5);
441 k2[5] = 0xe5;
442 k2[6] = 0x38;
443 k2[7] = 0xb0;
444
445 for (ind = 0; ind < 256; ind++)
446 p->ntlmssp_hash[ind] = (unsigned char)ind;
447
448 for( ind = 0; ind < 256; ind++) {
449 unsigned char tc;
450
451 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
452
453 tc = p->ntlmssp_hash[ind];
454 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
455 p->ntlmssp_hash[j] = tc;
456 }
457
458 p->ntlmssp_hash[256] = 0;
459 p->ntlmssp_hash[257] = 0;
460 }
461 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
462 p->ntlmssp_seq_num = 0;
463
464 }
465
466 fstrcpy(p->user_name, user_name);
467 fstrcpy(p->pipe_user_name, server_info->unix_name);
468 fstrcpy(p->domain, domain);
469 fstrcpy(p->wks, wks);
470
471 /*
472 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
473 */
474
475 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
476
477 p->pipe_user.uid = server_info->uid;
478 p->pipe_user.gid = server_info->gid;
479
480 p->pipe_user.ngroups = server_info->n_groups;
481 if (p->pipe_user.ngroups) {
482 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
483 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
484 free_server_info(&server_info);
485 return False;
486 }
487 }
488
489 if (server_info->ptok)
490 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
491 else {
492 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
493 p->pipe_user.nt_user_token = NULL;
494 free_server_info(&server_info);
495 return False;
496 }
497
498 p->ntlmssp_auth_validated = True;
499
500 free_server_info(&server_info);
501 return True;
502 }
503
504 /*******************************************************************
505 The switch table for the pipe names and the functions to handle them.
506 *******************************************************************/
507
508 struct rpc_table
509 {
510 struct
511 {
512 const char *clnt;
513 const char *srv;
514 } pipe;
515 struct api_struct *cmds;
516 int n_cmds;
517 };
518
519 static struct rpc_table *rpc_lookup;
520 static int rpc_lookup_size;
521
522 /*******************************************************************
523 This is the client reply to our challenge for an authenticated
524 bind request. The challenge we sent is in p->challenge.
525 *******************************************************************/
526
527 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
528 {
529 RPC_HDR_AUTHA autha_info;
530 RPC_AUTH_VERIFIER auth_verifier;
531 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
532
533 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
534
535 if (p->hdr.auth_len == 0) {
536 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
537 return False;
538 }
539
540 /*
541 * Decode the authentication verifier response.
542 */
543
544 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
545 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
546 return False;
547 }
548
549 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
550 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
551 (int)autha_info.auth_type, (int)autha_info.auth_level ));
552 return False;
553 }
554
555 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
556 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
557 return False;
558 }
559
560 /*
561 * Ensure this is a NTLMSSP_AUTH packet type.
562 */
563
564 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
565 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
566 return False;
567 }
568
569 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
570 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
571 return False;
572 }
573
574 /*
575 * The following call actually checks the challenge/response data.
576 * for correctness against the given DOMAIN\user name.
577 */
578
579 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
580 return False;
581
582 p->pipe_bound = True
583 ;
584 return True;
585 }
586
587 /*******************************************************************
588 Marshall a bind_nak pdu.
589 *******************************************************************/
590
591 static BOOL setup_bind_nak(pipes_struct *p)
592 {
593 prs_struct outgoing_rpc;
594 RPC_HDR nak_hdr;
595 uint16 zero = 0;
596
597 /* Free any memory in the current return data buffer. */
598 prs_mem_free(&p->out_data.rdata);
599
600 /*
601 * Marshall directly into the outgoing PDU space. We
602 * must do this as we need to set to the bind response
603 * header and are never sending more than one PDU here.
604 */
605
606 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
607 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
608
609
610 /*
611 * Initialize a bind_nak header.
612 */
613
614 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
615 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
616
617 /*
618 * Marshall the header into the outgoing PDU.
619 */
620
621 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
622 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
623 prs_mem_free(&outgoing_rpc);
624 return False;
625 }
626
627 /*
628 * Now add the reject reason.
629 */
630
631 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
632 prs_mem_free(&outgoing_rpc);
633 return False;
634 }
635
636 p->out_data.data_sent_length = 0;
637 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
638 p->out_data.current_pdu_sent = 0;
639
640 p->pipe_bound = False;
641
642 return True;
643 }
644
645 /*******************************************************************
646 Marshall a fault pdu.
647 *******************************************************************/
648
649 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
650 {
651 prs_struct outgoing_pdu;
652 RPC_HDR fault_hdr;
653 RPC_HDR_RESP hdr_resp;
654 RPC_HDR_FAULT fault_resp;
655
656 /* Free any memory in the current return data buffer. */
657 prs_mem_free(&p->out_data.rdata);
658
659 /*
660 * Marshall directly into the outgoing PDU space. We
661 * must do this as we need to set to the bind response
662 * header and are never sending more than one PDU here.
663 */
664
665 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
666 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
667
668 /*
669 * Initialize a fault header.
670 */
671
672 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
673 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
674
675 /*
676 * Initialize the HDR_RESP and FAULT parts of the PDU.
677 */
678
679 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
680
681 fault_resp.status = status;
682 fault_resp.reserved = 0;
683
684 /*
685 * Marshall the header into the outgoing PDU.
686 */
687
688 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
689 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
690 prs_mem_free(&outgoing_pdu);
691 return False;
692 }
693
694 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
695 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
696 prs_mem_free(&outgoing_pdu);
697 return False;
698 }
699
700 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
701 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
702 prs_mem_free(&outgoing_pdu);
703 return False;
704 }
705
706 p->out_data.data_sent_length = 0;
707 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
708 p->out_data.current_pdu_sent = 0;
709
710 prs_mem_free(&outgoing_pdu);
711 return True;
712 }
713
714 /*******************************************************************
715 Ensure a bind request has the correct abstract & transfer interface.
716 Used to reject unknown binds from Win2k.
717 *******************************************************************/
718
719 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
720 RPC_IFACE* transfer)
721 {
722 extern struct pipe_id_info pipe_names[];
723 int i=0;
724 fstring pname;
725 fstrcpy(pname,"\\PIPE\\");
726 fstrcat(pname,pipe_name);
727
728 DEBUG(3,("check_bind_req for %s\n", pname));
729
730 #ifndef SUPPORT_NEW_LSARPC_UUID
731
732 /* check for the first pipe matching the name */
733
734 for ( i=0; pipe_names[i].client_pipe; i++ ) {
735 if ( strequal(pipe_names[i].client_pipe, pname) )
736 break;
737 }
738 #else
739 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
740
741 for ( i=0; pipe_names[i].client_pipe; i++ )
742 {
743 if ( strequal(pipe_names[i].client_pipe, pname)
744 && (abstract->version == pipe_names[i].abstr_syntax.version)
745 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
746 && (transfer->version == pipe_names[i].trans_syntax.version)
747 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
748 {
749 break;
750 }
751 }
752 #endif
753
754 if(pipe_names[i].client_pipe == NULL)
755 return False;
756
757 #ifndef SUPPORT_NEW_LSARPC_UUID
758 /* check the abstract interface */
759 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
760 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
761 {
762 return False;
763 }
764
765 /* check the transfer interface */
766 if ( (transfer->version != pipe_names[i].trans_syntax.version)
767 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
768 {
769 return False;
770 }
771 #endif
772 return True;
773 }
774
775 /*******************************************************************
776 Register commands to an RPC pipe
777 *******************************************************************/
778 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
779 {
780 struct rpc_table *rpc_entry;
781
782 if (!clnt || !srv || !cmds) {
783 return NT_STATUS_INVALID_PARAMETER;
784 }
785
786 if (version != SMB_RPC_INTERFACE_VERSION) {
787 DEBUG(0,("Can't register rpc commands!\n"
788 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
789 ", while this version of samba uses version %d!\n",
790 version,SMB_RPC_INTERFACE_VERSION));
791 return NT_STATUS_OBJECT_TYPE_MISMATCH;
792 }
793
794 /* TODO:
795 *
796 * we still need to make sure that don't register the same commands twice!!!
797 *
798 * --metze
799 */
800
801 /* We use a temporary variable because this call can fail and
802 rpc_lookup will still be valid afterwards. It could then succeed if
803 called again later */
804 rpc_entry = realloc(rpc_lookup,
805 ++rpc_lookup_size*sizeof(struct rpc_table));
806 if (NULL == rpc_entry) {
807 rpc_lookup_size--;
808 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
809 return NT_STATUS_NO_MEMORY;
810 } else {
811 rpc_lookup = rpc_entry;
812 }
813
814 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
815 ZERO_STRUCTP(rpc_entry);
816 rpc_entry->pipe.clnt = strdup(clnt);
817 rpc_entry->pipe.srv = strdup(srv);
818 rpc_entry->cmds = realloc(rpc_entry->cmds,
819 (rpc_entry->n_cmds + size) *
820 sizeof(struct api_struct));
821 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
822 size * sizeof(struct api_struct));
823 rpc_entry->n_cmds += size;
824
825 return NT_STATUS_OK;
826 }
827
828 /*******************************************************************
829 Respond to a pipe bind request.
830 *******************************************************************/
831
832 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
833 {
834 RPC_HDR_BA hdr_ba;
835 RPC_HDR_RB hdr_rb;
836 RPC_HDR_AUTH auth_info;
837 uint16 assoc_gid;
838 fstring ack_pipe_name;
839 prs_struct out_hdr_ba;
840 prs_struct out_auth;
841 prs_struct outgoing_rpc;
842 int i = 0;
843 int auth_len = 0;
844 enum RPC_PKT_TYPE reply_pkt_type;
845
846 p->ntlmssp_auth_requested = False;
847 p->netsec_auth_validated = False;
848
849 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
850
851 /*
852 * Try and find the correct pipe name to ensure
853 * that this is a pipe name we support.
854 */
855
856
857 for (i = 0; i < rpc_lookup_size; i++) {
858 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
859 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
860 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
861 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
862 break;
863 }
864 }
865
866 if (i == rpc_lookup_size) {
867 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
868 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
869 p->name ));
870 if(!setup_bind_nak(p))
871 return False;
872 return True;
873 }
874
875 for (i = 0; i < rpc_lookup_size; i++) {
876 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
877 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
878 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
879 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
880 break;
881 }
882 }
883
884 if (i == rpc_lookup_size) {
885 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
886 return False;
887 }
888 }
889
890 /* decode the bind request */
891 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
892 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
893 return False;
894 }
895
896 /*
897 * Check if this is an authenticated request.
898 */
899
900 if (p->hdr.auth_len != 0) {
901 RPC_AUTH_VERIFIER auth_verifier;
902 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
903
904 /*
905 * Decode the authentication verifier.
906 */
907
908 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
909 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
910 return False;
911 }
912
913 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
914
915 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
916 DEBUG(0,("api_pipe_bind_req: unable to "
917 "unmarshall RPC_HDR_AUTH struct.\n"));
918 return False;
919 }
920
921 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
922 DEBUG(0,("api_pipe_bind_req: "
923 "auth_verifier.signature != NTLMSSP\n"));
924 return False;
925 }
926
927 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
928 DEBUG(0,("api_pipe_bind_req: "
929 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
930 auth_verifier.msg_type));
931 return False;
932 }
933
934 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
935 DEBUG(0,("api_pipe_bind_req: "
936 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
937 return False;
938 }
939
940 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
941 p->ntlmssp_auth_requested = True;
942
943 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
944
945 RPC_AUTH_NETSEC_NEG neg;
946 struct netsec_auth_struct *a = &(p->netsec_auth);
947
948 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
949 DEBUG(0,("api_pipe_bind_req: "
950 "Could not unmarshal SCHANNEL auth neg\n"));
951 return False;
952 }
953
954 p->netsec_auth_validated = True;
955
956 memset(a->sess_key, 0, sizeof(a->sess_key));
957 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
958
959 a->seq_num = 0;
960
961 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
962 neg.domain, neg.myname));
963
964 } else {
965 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
966 auth_info.auth_type ));
967 return False;
968 }
969 }
970
971 switch(p->hdr.pkt_type) {
972 case RPC_BIND:
973 /* name has to be \PIPE\xxxxx */
974 fstrcpy(ack_pipe_name, "\\PIPE\\");
975 fstrcat(ack_pipe_name, p->pipe_srv_name);
976 reply_pkt_type = RPC_BINDACK;
977 break;
978 case RPC_ALTCONT:
979 /* secondary address CAN be NULL
980 * as the specs say it's ignored.
981 * It MUST NULL to have the spoolss working.
982 */
983 fstrcpy(ack_pipe_name,"");
984 reply_pkt_type = RPC_ALTCONTRESP;
985 break;
986 default:
987 return False;
988 }
989
990 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
991
992 /*
993 * Marshall directly into the outgoing PDU space. We
994 * must do this as we need to set to the bind response
995 * header and are never sending more than one PDU here.
996 */
997
998 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
999 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1000
1001 /*
1002 * Setup the memory to marshall the ba header, and the
1003 * auth footers.
1004 */
1005
1006 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1007 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1008 prs_mem_free(&outgoing_rpc);
1009 return False;
1010 }
1011
1012 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1013 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1014 prs_mem_free(&outgoing_rpc);
1015 prs_mem_free(&out_hdr_ba);
1016 return False;
1017 }
1018
1019 if (p->ntlmssp_auth_requested)
1020 assoc_gid = 0x7a77;
1021 else
1022 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1023
1024 /*
1025 * Create the bind response struct.
1026 */
1027
1028 /* If the requested abstract synt uuid doesn't match our client pipe,
1029 reject the bind_ack & set the transfer interface synt to all 0's,
1030 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1031 unknown to NT4)
1032 Needed when adding entries to a DACL from NT5 - SK */
1033
1034 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1035 init_rpc_hdr_ba(&hdr_ba,
1036 MAX_PDU_FRAG_LEN,
1037 MAX_PDU_FRAG_LEN,
1038 assoc_gid,
1039 ack_pipe_name,
1040 0x1, 0x0, 0x0,
1041 &hdr_rb.transfer);
1042 } else {
1043 RPC_IFACE null_interface;
1044 ZERO_STRUCT(null_interface);
1045 /* Rejection reason: abstract syntax not supported */
1046 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1047 MAX_PDU_FRAG_LEN, assoc_gid,
1048 ack_pipe_name, 0x1, 0x2, 0x1,
1049 &null_interface);
1050 }
1051
1052 /*
1053 * and marshall it.
1054 */
1055
1056 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1057 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1058 goto err_exit;
1059 }
1060
1061 /*
1062 * Now the authentication.
1063 */
1064
1065 if (p->ntlmssp_auth_requested) {
1066 RPC_AUTH_VERIFIER auth_verifier;
1067 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1068
1069 generate_random_buffer(p->challenge, 8, False);
1070
1071 /*** Authentication info ***/
1072
1073 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1074 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1075 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1076 goto err_exit;
1077 }
1078
1079 /*** NTLMSSP verifier ***/
1080
1081 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1082 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1083 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1084 goto err_exit;
1085 }
1086
1087 /* NTLMSSP challenge ***/
1088
1089 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1090 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1091 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1092 goto err_exit;
1093 }
1094
1095 /* Auth len in the rpc header doesn't include auth_header. */
1096 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1097 }
1098
1099 if (p->netsec_auth_validated) {
1100 RPC_AUTH_VERIFIER auth_verifier;
1101 uint32 flags;
1102
1103 /* The client opens a second RPC NETLOGON pipe without
1104 doing a auth2. The credentials for the schannel are
1105 re-used from the auth2 the client did before. */
1106 p->dc = last_dcinfo;
1107
1108 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1109 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1110 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1111 goto err_exit;
1112 }
1113
1114 /*** NETSEC verifier ***/
1115
1116 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1117 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1118 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1119 goto err_exit;
1120 }
1121
1122 prs_align(&out_auth);
1123
1124 flags = 5;
1125 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1126 goto err_exit;
1127
1128 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1129 }
1130
1131 /*
1132 * Create the header, now we know the length.
1133 */
1134
1135 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1136 p->hdr.call_id,
1137 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1138 auth_len);
1139
1140 /*
1141 * Marshall the header into the outgoing PDU.
1142 */
1143
1144 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1145 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1146 goto err_exit;
1147 }
1148
1149 /*
1150 * Now add the RPC_HDR_BA and any auth needed.
1151 */
1152
1153 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1154 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1155 goto err_exit;
1156 }
1157
1158 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1159 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1160 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1161 goto err_exit;
1162 }
1163
1164 if(!p->ntlmssp_auth_requested)
1165 p->pipe_bound = True;
1166
1167 /*
1168 * Setup the lengths for the initial reply.
1169 */
1170
1171 p->out_data.data_sent_length = 0;
1172 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1173 p->out_data.current_pdu_sent = 0;
1174
1175 prs_mem_free(&out_hdr_ba);
1176 prs_mem_free(&out_auth);
1177
1178 return True;
1179
1180 err_exit:
1181
1182 prs_mem_free(&outgoing_rpc);
1183 prs_mem_free(&out_hdr_ba);
1184 prs_mem_free(&out_auth);
1185 return False;
1186 }
1187
1188 /****************************************************************************
1189 Deal with sign & seal processing on an RPC request.
1190 ****************************************************************************/
1191
1192 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1193 {
1194 /*
1195 * We always negotiate the following two bits....
1196 */
1197 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1198 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1199 int data_len;
1200 int auth_len;
1201 uint32 old_offset;
1202 uint32 crc32 = 0;
1203
1204 auth_len = p->hdr.auth_len;
1205
1206 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1207 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1208 return False;
1209 }
1210
1211 /*
1212 * The following is that length of the data we must verify or unseal.
1213 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1214 * preceeding the auth_data.
1215 */
1216
1217 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1218 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1219
1220 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1221 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1222
1223 if (auth_seal) {
1224 /*
1225 * The data in rpc_in doesn't contain the RPC_HEADER as this
1226 * has already been consumed.
1227 */
1228 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1229 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1230 crc32 = crc32_calc_buffer(data, data_len);
1231 }
1232
1233 old_offset = prs_offset(rpc_in);
1234
1235 if (auth_seal || auth_verify) {
1236 RPC_HDR_AUTH auth_info;
1237
1238 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1239 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1240 (unsigned int)old_offset + data_len ));
1241 return False;
1242 }
1243
1244 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1245 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1246 return False;
1247 }
1248 }
1249
1250 if (auth_verify) {
1251 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1252 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1253
1254 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1255
1256 /*
1257 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1258 * incoming buffer.
1259 */
1260 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1261 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1262 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1263 return False;
1264 }
1265
1266 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1267 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1268 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1269 return False;
1270 }
1271
1272 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1273 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1274 return False;
1275 }
1276 }
1277
1278 /*
1279 * Return the current pointer to the data offset.
1280 */
1281
1282 if(!prs_set_offset(rpc_in, old_offset)) {
1283 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1284 (unsigned int)old_offset ));
1285 return False;
1286 }
1287
1288 return True;
1289 }
1290
1291 /****************************************************************************
1292 Deal with schannel processing on an RPC request.
1293 ****************************************************************************/
1294 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1295 {
1296 /*
1297 * We always negotiate the following two bits....
1298 */
1299 int data_len;
1300 int auth_len;
1301 uint32 old_offset;
1302 RPC_HDR_AUTH auth_info;
1303 RPC_AUTH_NETSEC_CHK netsec_chk;
1304
1305
1306 auth_len = p->hdr.auth_len;
1307
1308 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
1309 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1310 return False;
1311 }
1312
1313 /*
1314 * The following is that length of the data we must verify or unseal.
1315 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1316 * preceeding the auth_data.
1317 */
1318
1319 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1320 RPC_HDR_AUTH_LEN - auth_len;
1321
1322 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1323
1324 old_offset = prs_offset(rpc_in);
1325
1326 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1327 DEBUG(0,("cannot move offset to %u.\n",
1328 (unsigned int)old_offset + data_len ));
1329 return False;
1330 }
1331
1332 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1333 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1334 return False;
1335 }
1336
1337 if ((auth_info.auth_type != NETSEC_AUTH_TYPE) ||
1338 (auth_info.auth_level != NETSEC_AUTH_LEVEL)) {
1339 DEBUG(0,("Invalid auth info %d or level %d on schannel\n",
1340 auth_info.auth_type, auth_info.auth_level));
1341 return False;
1342 }
1343
1344 if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
1345 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1346 return False;
1347 }
1348
1349 if (!netsec_decode(&p->netsec_auth, &netsec_chk,
1350 prs_data_p(rpc_in)+old_offset, data_len)) {
1351 DEBUG(0,("failed to decode PDU\n"));
1352 return False;
1353 }
1354
1355 /*
1356 * Return the current pointer to the data offset.
1357 */
1358
1359 if(!prs_set_offset(rpc_in, old_offset)) {
1360 DEBUG(0,("failed to set offset back to %u\n",
1361 (unsigned int)old_offset ));
1362 return False;
1363 }
1364
1365 /* The sequence number gets incremented on both send and receive. */
1366 p->netsec_auth.seq_num++;
1367
1368 return True;
1369 }
1370
1371 /****************************************************************************
1372 Return a user struct for a pipe user.
1373 ****************************************************************************/
1374
1375 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1376 {
1377 if (p->ntlmssp_auth_validated) {
1378 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1379 } else {
1380 extern struct current_user current_user;
1381 memcpy(user, &current_user, sizeof(struct current_user));
1382 }
1383
1384 return user;
1385 }
1386
1387 /****************************************************************************
1388 Find the correct RPC function to call for this request.
1389 If the pipe is authenticated then become the correct UNIX user
1390 before doing the call.
1391 ****************************************************************************/
1392
1393 BOOL api_pipe_request(pipes_struct *p)
1394 {
1395 int i = 0;
1396 BOOL ret = False;
1397
1398 if (p->ntlmssp_auth_validated) {
1399
1400 if(!become_authenticated_pipe_user(p)) {
1401 prs_mem_free(&p->out_data.rdata);
1402 return False;
1403 }
1404 }
1405
1406 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1407
1408 for (i = 0; i < rpc_lookup_size; i++) {
1409 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1410 DEBUG(3,("Doing \\PIPE\\%s\n",
1411 rpc_lookup[i].pipe.clnt));
1412 set_current_rpc_talloc(p->mem_ctx);
1413 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1414 rpc_lookup[i].cmds,
1415 rpc_lookup[i].n_cmds);
1416 set_current_rpc_talloc(NULL);
1417 break;
1418 }
1419 }
1420
1421
1422 if (i == rpc_lookup_size) {
1423 smb_probe_module("rpc", p->name);
1424
1425 for (i = 0; i < rpc_lookup_size; i++) {
1426 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1427 DEBUG(3,("Doing \\PIPE\\%s\n",
1428 rpc_lookup[i].pipe.clnt));
1429 set_current_rpc_talloc(p->mem_ctx);
1430 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1431 rpc_lookup[i].cmds,
1432 rpc_lookup[i].n_cmds);
1433 set_current_rpc_talloc(NULL);
1434 break;
1435 }
1436 }
1437 }
1438
1439 if(p->ntlmssp_auth_validated)
1440 unbecome_authenticated_pipe_user();
1441
1442 return ret;
1443 }
1444
1445 /*******************************************************************
1446 Calls the underlying RPC function for a named pipe.
1447 ********************************************************************/
1448
1449 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1450 const struct api_struct *api_rpc_cmds, int n_cmds)
1451 {
1452 int fn_num;
1453 fstring name;
1454 uint32 offset1, offset2;
1455
1456 /* interpret the command */
1457 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1458
1459 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1460 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1461
1462 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1463 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1464 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1465 break;
1466 }
1467 }
1468
1469 if (fn_num == n_cmds) {
1470 /*
1471 * For an unknown RPC just return a fault PDU but
1472 * return True to allow RPC's on the pipe to continue
1473 * and not put the pipe into fault state. JRA.
1474 */
1475 DEBUG(4, ("unknown\n"));
1476 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1477 return True;
1478 }
1479
1480 offset1 = prs_offset(&p->out_data.rdata);
1481
1482 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1483 fn_num, api_rpc_cmds[fn_num].fn));
1484 /* do the actual command */
1485 if(!api_rpc_cmds[fn_num].fn(p)) {
1486 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1487 prs_mem_free(&p->out_data.rdata);
1488 return False;
1489 }
1490
1491 if (p->bad_handle_fault_state) {
1492 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1493 p->bad_handle_fault_state = False;
1494 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1495 return True;
1496 }
1497
1498 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1499 offset2 = prs_offset(&p->out_data.rdata);
1500 prs_set_offset(&p->out_data.rdata, offset1);
1501 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1502 prs_set_offset(&p->out_data.rdata, offset2);
1503
1504 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1505
1506 /* Check for buffer underflow in rpc parsing */
1507
1508 if ((DEBUGLEVEL >= 10) &&
1509 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1510 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1511 char *data;
1512
1513 data = malloc(data_len);
1514
1515 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1516 if (data) {
1517 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1518 SAFE_FREE(data);
1519 }
1520
1521 }
1522
1523 return True;
1524 }
Samba GIT mirror