search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r1643: syncing all changes from 3.0 and hopefully get 3.0.6rc2 out tomorrow
[Samba.git] / source / rpc_server / srv_pipe.c
blobbcf5eb533fd743afd567484386d451e57ab84c0d
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_RPC_SRV
45
46 /*************************************************************
47 HACK Alert!
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
52
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
54 {
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
58 int ind;
59
60 for( ind = 0; ind < len; ind++) {
61 unsigned char tc;
62 unsigned char t;
63
64 index_i++;
65 index_j += hash[index_i];
66
67 tc = hash[index_i];
68 hash[index_i] = hash[index_j];
69 hash[index_j] = tc;
70
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
73 }
74
75 hash[256] = index_i;
76 hash[257] = index_j;
77 }
78
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
84
85 BOOL create_next_pdu(pipes_struct *p)
86 {
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
90 uint32 ss_padding_len = 0;
91 uint32 data_len;
92 uint32 data_space_available;
93 uint32 data_len_left;
94 prs_struct outgoing_pdu;
95 uint32 data_pos;
96
97 /*
98 * If we're in the fault state, keep returning fault PDU's until
99 * the pipe gets closed. JRA.
100 */
101
102 if(p->fault_state) {
103 setup_fault_pdu(p, NT_STATUS(0x1c010002));
104 return True;
105 }
106
107 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
108
109 /* Change the incoming request header to a response. */
110 p->hdr.pkt_type = RPC_RESPONSE;
111
112 /* Set up rpc header flags. */
113 if (p->out_data.data_sent_length == 0) {
114 p->hdr.flags = RPC_FLG_FIRST;
115 } else {
116 p->hdr.flags = 0;
117 }
118
119 /*
120 * Work out how much we can fit in a single PDU.
121 */
122
123 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
124 if(p->ntlmssp_auth_validated) {
125 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
126 } else if(p->netsec_auth_validated) {
127 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
128 }
129
130 /*
131 * The amount we send is the minimum of the available
132 * space and the amount left to send.
133 */
134
135 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
136
137 /*
138 * Ensure there really is data left to send.
139 */
140
141 if(!data_len_left) {
142 DEBUG(0,("create_next_pdu: no data left to send !\n"));
143 return False;
144 }
145
146 data_len = MIN(data_len_left, data_space_available);
147
148 /*
149 * Set up the alloc hint. This should be the data left to
150 * send.
151 */
152
153 hdr_resp.alloc_hint = data_len_left;
154
155 /*
156 * Work out if this PDU will be the last.
157 */
158
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
160 p->hdr.flags |= RPC_FLG_LAST;
161 if ((auth_seal || auth_verify) && (data_len_left % 8)) {
162 ss_padding_len = 8 - (data_len_left % 8);
163 DEBUG(10,("create_next_pdu: adding sign/seal padding of %u\n",
164 ss_padding_len ));
165 }
166 }
167
168 /*
169 * Set up the header lengths.
170 */
171
172 if (p->ntlmssp_auth_validated) {
173 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
174 data_len + ss_padding_len +
175 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
176 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
177 } else if (p->netsec_auth_validated) {
178 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
179 data_len + ss_padding_len +
180 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
181 p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
182 } else {
183 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
184 p->hdr.auth_len = 0;
185 }
186
187 /*
188 * Init the parse struct to point at the outgoing
189 * data.
190 */
191
192 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
193 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
194
195 /* Store the header in the data stream. */
196 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
197 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
198 prs_mem_free(&outgoing_pdu);
199 return False;
200 }
201
202 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
203 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
204 prs_mem_free(&outgoing_pdu);
205 return False;
206 }
207
208 /* Store the current offset. */
209 data_pos = prs_offset(&outgoing_pdu);
210
211 /* Copy the data into the PDU. */
212
213 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
214 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
215 prs_mem_free(&outgoing_pdu);
216 return False;
217 }
218
219 /* Copy the sign/seal padding data. */
220 if (ss_padding_len) {
221 char pad[8];
222 memset(pad, '\0', 8);
223 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
224 DEBUG(0,("create_next_pdu: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
225 prs_mem_free(&outgoing_pdu);
226 return False;
227 }
228 }
229
230 if (p->ntlmssp_auth_validated) {
231 /*
232 * NTLMSSP processing. Mutually exclusive with Schannel.
233 */
234 uint32 crc32 = 0;
235 char *data;
236
237 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
238 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len + ss_padding_len, p->hdr.auth_len));
239
240 /*
241 * Set data to point to where we copied the data into.
242 */
243
244 data = prs_data_p(&outgoing_pdu) + data_pos;
245
246 if (auth_seal) {
247 crc32 = crc32_calc_buffer(data, data_len + ss_padding_len);
248 NTLMSSPcalc_p(p, (uchar*)data, data_len + ss_padding_len);
249 }
250
251 if (auth_seal || auth_verify) {
252 RPC_HDR_AUTH auth_info;
253
254 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE,
255 auth_seal ? RPC_PIPE_AUTH_SEAL_LEVEL : RPC_PIPE_AUTH_SIGN_LEVEL,
256 (auth_verify ? ss_padding_len : 0), (auth_verify ? 1 : 0));
257 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
258 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
259 prs_mem_free(&outgoing_pdu);
260 return False;
261 }
262 }
263
264 if (auth_verify) {
265 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
266 char *auth_data = prs_data_p(&outgoing_pdu);
267
268 p->ntlmssp_seq_num++;
269 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
270 crc32, p->ntlmssp_seq_num++);
271 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
272 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
273 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
274 prs_mem_free(&outgoing_pdu);
275 return False;
276 }
277 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
278 }
279 } else if (p->netsec_auth_validated) {
280 /*
281 * Schannel processing. Mutually exclusive with NTLMSSP.
282 */
283 int auth_type, auth_level;
284 char *data;
285 RPC_HDR_AUTH auth_info;
286
287 RPC_AUTH_NETSEC_CHK verf;
288 prs_struct rverf;
289 prs_struct rauth;
290
291 data = prs_data_p(&outgoing_pdu) + data_pos;
292 /* Check it's the type of reply we were expecting to decode */
293
294 get_auth_type_level(p->netsec_auth.auth_flags, &auth_type, &auth_level);
295 init_rpc_hdr_auth(&auth_info, auth_type, auth_level,
296 ss_padding_len, 1);
297
298 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
299 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
300 prs_mem_free(&outgoing_pdu);
301 return False;
302 }
303
304 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
305 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
306
307 netsec_encode(&p->netsec_auth,
308 p->netsec_auth.auth_flags,
309 SENDER_IS_ACCEPTOR,
310 &verf, data, data_len + ss_padding_len);
311
312 smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
313 &verf, &outgoing_pdu, 0);
314
315 p->netsec_auth.seq_num++;
316 }
317
318 /*
319 * Setup the counts for this PDU.
320 */
321
322 p->out_data.data_sent_length += data_len;
323 p->out_data.current_pdu_len = p->hdr.frag_len;
324 p->out_data.current_pdu_sent = 0;
325
326 prs_mem_free(&outgoing_pdu);
327 return True;
328 }
329
330 /*******************************************************************
331 Process an NTLMSSP authentication response.
332 If this function succeeds, the user has been authenticated
333 and their domain, name and calling workstation stored in
334 the pipe struct.
335 The initial challenge is stored in p->challenge.
336 *******************************************************************/
337
338 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
339 {
340 uchar lm_owf[24];
341 uchar nt_owf[128];
342 int nt_pw_len;
343 int lm_pw_len;
344 fstring user_name;
345 fstring domain;
346 fstring wks;
347
348 NTSTATUS nt_status;
349
350 struct auth_context *auth_context = NULL;
351 auth_usersupplied_info *user_info = NULL;
352 auth_serversupplied_info *server_info = NULL;
353
354 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
355
356 memset(p->user_name, '\0', sizeof(p->user_name));
357 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
358 memset(p->domain, '\0', sizeof(p->domain));
359 memset(p->wks, '\0', sizeof(p->wks));
360
361 /* Set up for non-authenticated user. */
362 delete_nt_token(&p->pipe_user.nt_user_token);
363 p->pipe_user.ngroups = 0;
364 SAFE_FREE( p->pipe_user.groups);
365
366 /*
367 * Setup an empty password for a guest user.
368 */
369
370 /*
371 * We always negotiate UNICODE.
372 */
373
374 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
375 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
376 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
377 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
378 } else {
379 pull_ascii_fstring(user_name, ntlmssp_resp->user);
380 pull_ascii_fstring(domain, ntlmssp_resp->domain);
381 pull_ascii_fstring(wks, ntlmssp_resp->wks);
382 }
383
384 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
385
386 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
387 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
388
389 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
390 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
391
392 #ifdef DEBUG_PASSWORD
393 DEBUG(100,("lm, nt owfs, chal\n"));
394 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
395 dump_data(100, (char *)nt_owf, nt_pw_len);
396 dump_data(100, (char *)p->challenge, 8);
397 #endif
398
399 /*
400 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
401 */
402
403 if (*user_name) {
404
405 /*
406 * Do the length checking only if user is not NULL.
407 */
408
409 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
410 return False;
411 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
412 return False;
413 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
414 return False;
415 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
416 return False;
417 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
418 return False;
419
420 }
421
422 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
423
424 if (!make_user_info_netlogon_network(&user_info,
425 user_name, domain, wks,
426 lm_owf, lm_pw_len,
427 nt_owf, nt_pw_len)) {
428 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
429 return False;
430 }
431
432 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
433
434 (auth_context->free)(&auth_context);
435 free_user_info(&user_info);
436
437 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
438
439 if (!p->ntlmssp_auth_validated) {
440 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
441 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
442 free_server_info(&server_info);
443 return False;
444 }
445
446 /*
447 * Set up the sign/seal data.
448 */
449
450 if (server_info->lm_session_key.length != 16) {
451 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
452 succeeded authentication on named pipe %s, but session key was of incorrect length [%u].\n",
453 domain, user_name, wks, p->name, server_info->lm_session_key.length));
454 free_server_info(&server_info);
455 return False;
456 } else {
457 uchar p24[24];
458 NTLMSSPOWFencrypt(server_info->lm_session_key.data, lm_owf, p24);
459 {
460 unsigned char j = 0;
461 int ind;
462
463 unsigned char k2[8];
464
465 memcpy(k2, p24, 5);
466 k2[5] = 0xe5;
467 k2[6] = 0x38;
468 k2[7] = 0xb0;
469
470 for (ind = 0; ind < 256; ind++)
471 p->ntlmssp_hash[ind] = (unsigned char)ind;
472
473 for( ind = 0; ind < 256; ind++) {
474 unsigned char tc;
475
476 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
477
478 tc = p->ntlmssp_hash[ind];
479 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
480 p->ntlmssp_hash[j] = tc;
481 }
482
483 p->ntlmssp_hash[256] = 0;
484 p->ntlmssp_hash[257] = 0;
485 }
486
487 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
488 sizeof(p->ntlmssp_hash));
489
490 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
491 p->ntlmssp_seq_num = 0;
492
493 }
494
495 fstrcpy(p->user_name, user_name);
496 fstrcpy(p->pipe_user_name, server_info->unix_name);
497 fstrcpy(p->domain, domain);
498 fstrcpy(p->wks, wks);
499
500 /*
501 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
502 */
503
504 if (p->session_key.data) {
505 data_blob_free(&p->session_key);
506 }
507 p->session_key = data_blob(server_info->lm_session_key.data, server_info->lm_session_key.length);
508
509 p->pipe_user.uid = server_info->uid;
510 p->pipe_user.gid = server_info->gid;
511
512 p->pipe_user.ngroups = server_info->n_groups;
513 if (p->pipe_user.ngroups) {
514 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
515 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
516 free_server_info(&server_info);
517 return False;
518 }
519 }
520
521 if (server_info->ptok)
522 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
523 else {
524 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
525 p->pipe_user.nt_user_token = NULL;
526 free_server_info(&server_info);
527 return False;
528 }
529
530 p->ntlmssp_auth_validated = True;
531
532 free_server_info(&server_info);
533 return True;
534 }
535
536 /*******************************************************************
537 The switch table for the pipe names and the functions to handle them.
538 *******************************************************************/
539
540 struct rpc_table
541 {
542 struct
543 {
544 const char *clnt;
545 const char *srv;
546 } pipe;
547 struct api_struct *cmds;
548 int n_cmds;
549 };
550
551 static struct rpc_table *rpc_lookup;
552 static int rpc_lookup_size;
553
554 /*******************************************************************
555 This is the client reply to our challenge for an authenticated
556 bind request. The challenge we sent is in p->challenge.
557 *******************************************************************/
558
559 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
560 {
561 RPC_HDR_AUTHA autha_info;
562 RPC_AUTH_VERIFIER auth_verifier;
563 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
564
565 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
566
567 if (p->hdr.auth_len == 0) {
568 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
569 return False;
570 }
571
572 /*
573 * Decode the authentication verifier response.
574 */
575
576 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
577 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
578 return False;
579 }
580
581 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) {
582 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
583 (int)autha_info.auth_type, (int)autha_info.auth_level ));
584 return False;
585 }
586
587 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
588 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
589 return False;
590 }
591
592 /*
593 * Ensure this is a NTLMSSP_AUTH packet type.
594 */
595
596 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
597 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
598 return False;
599 }
600
601 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
602 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
603 return False;
604 }
605
606 /*
607 * The following call actually checks the challenge/response data.
608 * for correctness against the given DOMAIN\user name.
609 */
610
611 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
612 return False;
613
614 p->pipe_bound = True
615 ;
616 return True;
617 }
618
619 /*******************************************************************
620 Marshall a bind_nak pdu.
621 *******************************************************************/
622
623 static BOOL setup_bind_nak(pipes_struct *p)
624 {
625 prs_struct outgoing_rpc;
626 RPC_HDR nak_hdr;
627 uint16 zero = 0;
628
629 /* Free any memory in the current return data buffer. */
630 prs_mem_free(&p->out_data.rdata);
631
632 /*
633 * Marshall directly into the outgoing PDU space. We
634 * must do this as we need to set to the bind response
635 * header and are never sending more than one PDU here.
636 */
637
638 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
639 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
640
641
642 /*
643 * Initialize a bind_nak header.
644 */
645
646 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
647 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
648
649 /*
650 * Marshall the header into the outgoing PDU.
651 */
652
653 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
654 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
655 prs_mem_free(&outgoing_rpc);
656 return False;
657 }
658
659 /*
660 * Now add the reject reason.
661 */
662
663 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
664 prs_mem_free(&outgoing_rpc);
665 return False;
666 }
667
668 p->out_data.data_sent_length = 0;
669 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
670 p->out_data.current_pdu_sent = 0;
671
672 p->pipe_bound = False;
673
674 return True;
675 }
676
677 /*******************************************************************
678 Marshall a fault pdu.
679 *******************************************************************/
680
681 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
682 {
683 prs_struct outgoing_pdu;
684 RPC_HDR fault_hdr;
685 RPC_HDR_RESP hdr_resp;
686 RPC_HDR_FAULT fault_resp;
687
688 /* Free any memory in the current return data buffer. */
689 prs_mem_free(&p->out_data.rdata);
690
691 /*
692 * Marshall directly into the outgoing PDU space. We
693 * must do this as we need to set to the bind response
694 * header and are never sending more than one PDU here.
695 */
696
697 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
698 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
699
700 /*
701 * Initialize a fault header.
702 */
703
704 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
705 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
706
707 /*
708 * Initialize the HDR_RESP and FAULT parts of the PDU.
709 */
710
711 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
712
713 fault_resp.status = status;
714 fault_resp.reserved = 0;
715
716 /*
717 * Marshall the header into the outgoing PDU.
718 */
719
720 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
721 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
722 prs_mem_free(&outgoing_pdu);
723 return False;
724 }
725
726 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
727 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
728 prs_mem_free(&outgoing_pdu);
729 return False;
730 }
731
732 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
733 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
734 prs_mem_free(&outgoing_pdu);
735 return False;
736 }
737
738 p->out_data.data_sent_length = 0;
739 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
740 p->out_data.current_pdu_sent = 0;
741
742 prs_mem_free(&outgoing_pdu);
743 return True;
744 }
745
746 /*******************************************************************
747 Ensure a bind request has the correct abstract & transfer interface.
748 Used to reject unknown binds from Win2k.
749 *******************************************************************/
750
751 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
752 RPC_IFACE* transfer, uint32 context_id)
753 {
754 extern struct pipe_id_info pipe_names[];
755 char *pipe_name = p->name;
756 int i=0;
757 fstring pname;
758
759 fstrcpy(pname,"\\PIPE\\");
760 fstrcat(pname,pipe_name);
761
762 DEBUG(3,("check_bind_req for %s\n", pname));
763
764 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
765
766 for ( i=0; pipe_names[i].client_pipe; i++ )
767 {
768 if ( strequal(pipe_names[i].client_pipe, pname)
769 && (abstract->version == pipe_names[i].abstr_syntax.version)
770 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
771 && (transfer->version == pipe_names[i].trans_syntax.version)
772 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) )
773 {
774 struct api_struct *fns = NULL;
775 int n_fns = 0;
776 PIPE_RPC_FNS *context_fns;
777
778 if ( !(context_fns = malloc(sizeof(PIPE_RPC_FNS))) ) {
779 DEBUG(0,("check_bind_req: malloc() failed!\n"));
780 return False;
781 }
782
783 /* save the RPC function table associated with this bind */
784
785 get_pipe_fns(i, &fns, &n_fns);
786
787 context_fns->cmds = fns;
788 context_fns->n_cmds = n_fns;
789 context_fns->context_id = context_id;
790
791 /* add to the list of open contexts */
792
793 DLIST_ADD( p->contexts, context_fns );
794
795 break;
796 }
797 }
798
799 if(pipe_names[i].client_pipe == NULL)
800 return False;
801
802 return True;
803 }
804
805 /*******************************************************************
806 Register commands to an RPC pipe
807 *******************************************************************/
808 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
809 {
810 struct rpc_table *rpc_entry;
811
812 if (!clnt || !srv || !cmds) {
813 return NT_STATUS_INVALID_PARAMETER;
814 }
815
816 if (version != SMB_RPC_INTERFACE_VERSION) {
817 DEBUG(0,("Can't register rpc commands!\n"
818 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
819 ", while this version of samba uses version %d!\n",
820 version,SMB_RPC_INTERFACE_VERSION));
821 return NT_STATUS_OBJECT_TYPE_MISMATCH;
822 }
823
824 /* TODO:
825 *
826 * we still need to make sure that don't register the same commands twice!!!
827 *
828 * --metze
829 */
830
831 /* We use a temporary variable because this call can fail and
832 rpc_lookup will still be valid afterwards. It could then succeed if
833 called again later */
834 rpc_entry = realloc(rpc_lookup,
835 ++rpc_lookup_size*sizeof(struct rpc_table));
836 if (NULL == rpc_entry) {
837 rpc_lookup_size--;
838 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
839 return NT_STATUS_NO_MEMORY;
840 } else {
841 rpc_lookup = rpc_entry;
842 }
843
844 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
845 ZERO_STRUCTP(rpc_entry);
846 rpc_entry->pipe.clnt = strdup(clnt);
847 rpc_entry->pipe.srv = strdup(srv);
848 rpc_entry->cmds = realloc(rpc_entry->cmds,
849 (rpc_entry->n_cmds + size) *
850 sizeof(struct api_struct));
851 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
852 size * sizeof(struct api_struct));
853 rpc_entry->n_cmds += size;
854
855 return NT_STATUS_OK;
856 }
857
858 /*******************************************************************
859 Respond to a pipe bind request.
860 *******************************************************************/
861
862 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
863 {
864 RPC_HDR_BA hdr_ba;
865 RPC_HDR_RB hdr_rb;
866 RPC_HDR_AUTH auth_info;
867 uint16 assoc_gid;
868 fstring ack_pipe_name;
869 prs_struct out_hdr_ba;
870 prs_struct out_auth;
871 prs_struct outgoing_rpc;
872 int i = 0;
873 int auth_len = 0;
874 enum RPC_PKT_TYPE reply_pkt_type;
875
876 p->ntlmssp_auth_requested = False;
877 p->netsec_auth_validated = False;
878
879 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
880
881 /*
882 * Try and find the correct pipe name to ensure
883 * that this is a pipe name we support.
884 */
885
886
887 for (i = 0; i < rpc_lookup_size; i++) {
888 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
889 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
890 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
891 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
892 break;
893 }
894 }
895
896 if (i == rpc_lookup_size) {
897 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
898 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
899 p->name ));
900 if(!setup_bind_nak(p))
901 return False;
902 return True;
903 }
904
905 for (i = 0; i < rpc_lookup_size; i++) {
906 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
907 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
908 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
909 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
910 break;
911 }
912 }
913
914 if (i == rpc_lookup_size) {
915 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
916 return False;
917 }
918 }
919
920 /* decode the bind request */
921 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
922 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
923 return False;
924 }
925
926 /*
927 * Check if this is an authenticated request.
928 */
929
930 if (p->hdr.auth_len != 0) {
931 RPC_AUTH_VERIFIER auth_verifier;
932 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
933
934 /*
935 * Decode the authentication verifier.
936 */
937
938 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
939 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
940 return False;
941 }
942
943 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
944
945 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
946 DEBUG(0,("api_pipe_bind_req: unable to "
947 "unmarshall RPC_HDR_AUTH struct.\n"));
948 return False;
949 }
950
951 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
952 DEBUG(0,("api_pipe_bind_req: "
953 "auth_verifier.signature != NTLMSSP\n"));
954 return False;
955 }
956
957 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
958 DEBUG(0,("api_pipe_bind_req: "
959 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
960 auth_verifier.msg_type));
961 return False;
962 }
963
964 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
965 DEBUG(0,("api_pipe_bind_req: "
966 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
967 return False;
968 }
969
970 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
971 p->ntlmssp_auth_requested = True;
972
973 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
974
975 RPC_AUTH_NETSEC_NEG neg;
976 struct netsec_auth_struct *a = &(p->netsec_auth);
977
978 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
979 DEBUG(0,("api_pipe_bind_req: "
980 "Could not unmarshal SCHANNEL auth neg\n"));
981 return False;
982 }
983
984 p->netsec_auth_validated = True;
985
986 memset(a->sess_key, 0, sizeof(a->sess_key));
987 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
988
989 a->seq_num = 0;
990
991 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
992 neg.domain, neg.myname));
993
994 } else {
995 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
996 auth_info.auth_type ));
997 return False;
998 }
999 }
1000
1001 switch(p->hdr.pkt_type) {
1002 case RPC_BIND:
1003 /* name has to be \PIPE\xxxxx */
1004 fstrcpy(ack_pipe_name, "\\PIPE\\");
1005 fstrcat(ack_pipe_name, p->pipe_srv_name);
1006 reply_pkt_type = RPC_BINDACK;
1007 break;
1008 case RPC_ALTCONT:
1009 /* secondary address CAN be NULL
1010 * as the specs say it's ignored.
1011 * It MUST NULL to have the spoolss working.
1012 */
1013 fstrcpy(ack_pipe_name,"");
1014 reply_pkt_type = RPC_ALTCONTRESP;
1015 break;
1016 default:
1017 return False;
1018 }
1019
1020 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1021
1022 /*
1023 * Marshall directly into the outgoing PDU space. We
1024 * must do this as we need to set to the bind response
1025 * header and are never sending more than one PDU here.
1026 */
1027
1028 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1029 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1030
1031 /*
1032 * Setup the memory to marshall the ba header, and the
1033 * auth footers.
1034 */
1035
1036 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1037 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1038 prs_mem_free(&outgoing_rpc);
1039 return False;
1040 }
1041
1042 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1043 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1044 prs_mem_free(&outgoing_rpc);
1045 prs_mem_free(&out_hdr_ba);
1046 return False;
1047 }
1048
1049 if (p->ntlmssp_auth_requested)
1050 assoc_gid = 0x7a77;
1051 else
1052 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1053
1054 /*
1055 * Create the bind response struct.
1056 */
1057
1058 /* If the requested abstract synt uuid doesn't match our client pipe,
1059 reject the bind_ack & set the transfer interface synt to all 0's,
1060 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1061 unknown to NT4)
1062 Needed when adding entries to a DACL from NT5 - SK */
1063
1064 if(check_bind_req(p, &hdr_rb.abstract, &hdr_rb.transfer, hdr_rb.context_id ))
1065 {
1066 init_rpc_hdr_ba(&hdr_ba,
1067 MAX_PDU_FRAG_LEN,
1068 MAX_PDU_FRAG_LEN,
1069 assoc_gid,
1070 ack_pipe_name,
1071 0x1, 0x0, 0x0,
1072 &hdr_rb.transfer);
1073 } else {
1074 RPC_IFACE null_interface;
1075 ZERO_STRUCT(null_interface);
1076 /* Rejection reason: abstract syntax not supported */
1077 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1078 MAX_PDU_FRAG_LEN, assoc_gid,
1079 ack_pipe_name, 0x1, 0x2, 0x1,
1080 &null_interface);
1081 }
1082
1083 /*
1084 * and marshall it.
1085 */
1086
1087 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1088 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1089 goto err_exit;
1090 }
1091
1092 /*
1093 * Now the authentication.
1094 */
1095
1096 if (p->ntlmssp_auth_requested) {
1097 RPC_AUTH_VERIFIER auth_verifier;
1098 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1099
1100 generate_random_buffer(p->challenge, 8);
1101
1102 /*** Authentication info ***/
1103
1104 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1105 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1106 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1107 goto err_exit;
1108 }
1109
1110 /*** NTLMSSP verifier ***/
1111
1112 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1113 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1114 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1115 goto err_exit;
1116 }
1117
1118 /* NTLMSSP challenge ***/
1119
1120 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1121 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1122 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1123 goto err_exit;
1124 }
1125
1126 /* Auth len in the rpc header doesn't include auth_header. */
1127 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1128 }
1129
1130 if (p->netsec_auth_validated) {
1131 RPC_AUTH_VERIFIER auth_verifier;
1132 uint32 flags;
1133
1134 /* The client opens a second RPC NETLOGON pipe without
1135 doing a auth2. The credentials for the schannel are
1136 re-used from the auth2 the client did before. */
1137 p->dc = last_dcinfo;
1138
1139 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, auth_info.auth_level, RPC_HDR_AUTH_LEN, 1);
1140 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1141 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1142 goto err_exit;
1143 }
1144
1145 /*** NETSEC verifier ***/
1146
1147 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1148 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1149 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1150 goto err_exit;
1151 }
1152
1153 prs_align(&out_auth);
1154
1155 flags = 5;
1156 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1157 goto err_exit;
1158
1159 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1160 }
1161
1162 /*
1163 * Create the header, now we know the length.
1164 */
1165
1166 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1167 p->hdr.call_id,
1168 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1169 auth_len);
1170
1171 /*
1172 * Marshall the header into the outgoing PDU.
1173 */
1174
1175 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1176 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1177 goto err_exit;
1178 }
1179
1180 /*
1181 * Now add the RPC_HDR_BA and any auth needed.
1182 */
1183
1184 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1185 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1186 goto err_exit;
1187 }
1188
1189 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1190 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1191 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1192 goto err_exit;
1193 }
1194
1195 if(!p->ntlmssp_auth_requested)
1196 p->pipe_bound = True;
1197
1198 /*
1199 * Setup the lengths for the initial reply.
1200 */
1201
1202 p->out_data.data_sent_length = 0;
1203 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1204 p->out_data.current_pdu_sent = 0;
1205
1206 prs_mem_free(&out_hdr_ba);
1207 prs_mem_free(&out_auth);
1208
1209 return True;
1210
1211 err_exit:
1212
1213 prs_mem_free(&outgoing_rpc);
1214 prs_mem_free(&out_hdr_ba);
1215 prs_mem_free(&out_auth);
1216 return False;
1217 }
1218
1219 /****************************************************************************
1220 Deal with sign & seal processing on an RPC request.
1221 ****************************************************************************/
1222
1223 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1224 {
1225 /*
1226 * We always negotiate the following two bits....
1227 */
1228 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1229 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1230 int data_len;
1231 int auth_len;
1232 uint32 old_offset;
1233 uint32 crc32 = 0;
1234
1235 auth_len = p->hdr.auth_len;
1236
1237 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1238 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1239 return False;
1240 }
1241
1242 /*
1243 * The following is that length of the data we must verify or unseal.
1244 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1245 * preceeding the auth_data.
1246 */
1247
1248 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1249 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1250
1251 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1252 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1253
1254 if (auth_seal) {
1255 /*
1256 * The data in rpc_in doesn't contain the RPC_HEADER as this
1257 * has already been consumed.
1258 */
1259 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1260 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
1261 sizeof(p->ntlmssp_hash));
1262
1263 dump_data_pw("Incoming RPC PDU (NTLMSSP sealed)\n",
1264 (const unsigned char *)data, data_len);
1265 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1266 dump_data_pw("Incoming RPC PDU (NTLMSSP unsealed)\n",
1267 (const unsigned char *)data, data_len);
1268 crc32 = crc32_calc_buffer(data, data_len);
1269 }
1270
1271 old_offset = prs_offset(rpc_in);
1272
1273 if (auth_seal || auth_verify) {
1274 RPC_HDR_AUTH auth_info;
1275
1276 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1277 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1278 (unsigned int)old_offset + data_len ));
1279 return False;
1280 }
1281
1282 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1283 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1284 return False;
1285 }
1286 }
1287
1288 if (auth_verify) {
1289 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1290 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1291
1292 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1293
1294 /*
1295 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1296 * incoming buffer.
1297 */
1298 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1299 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1300 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1301 return False;
1302 }
1303
1304 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1305 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1306 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1307 return False;
1308 }
1309
1310 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1311 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1312 return False;
1313 }
1314 }
1315
1316 /*
1317 * Return the current pointer to the data offset.
1318 */
1319
1320 if(!prs_set_offset(rpc_in, old_offset)) {
1321 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1322 (unsigned int)old_offset ));
1323 return False;
1324 }
1325
1326 return True;
1327 }
1328
1329 /****************************************************************************
1330 Deal with schannel processing on an RPC request.
1331 ****************************************************************************/
1332 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1333 {
1334 /*
1335 * We always negotiate the following two bits....
1336 */
1337 int data_len;
1338 int auth_len;
1339 uint32 old_offset;
1340 RPC_HDR_AUTH auth_info;
1341 RPC_AUTH_NETSEC_CHK netsec_chk;
1342
1343
1344 auth_len = p->hdr.auth_len;
1345
1346 if (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) {
1347 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1348 return False;
1349 }
1350
1351 /*
1352 * The following is that length of the data we must verify or unseal.
1353 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1354 * preceeding the auth_data.
1355 */
1356
1357 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1358 RPC_HDR_AUTH_LEN - auth_len;
1359
1360 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1361
1362 old_offset = prs_offset(rpc_in);
1363
1364 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1365 DEBUG(0,("cannot move offset to %u.\n",
1366 (unsigned int)old_offset + data_len ));
1367 return False;
1368 }
1369
1370 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1371 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1372 return False;
1373 }
1374
1375 if (auth_info.auth_type != NETSEC_AUTH_TYPE) {
1376 DEBUG(0,("Invalid auth info %d on schannel\n",
1377 auth_info.auth_type));
1378 return False;
1379 }
1380
1381 if (auth_info.auth_level == RPC_PIPE_AUTH_SEAL_LEVEL) {
1382 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL;
1383 } else if (auth_info.auth_level == RPC_PIPE_AUTH_SIGN_LEVEL) {
1384 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN;
1385 } else {
1386 DEBUG(0,("Invalid auth level %d on schannel\n",
1387 auth_info.auth_level));
1388 return False;
1389 }
1390
1391 if(!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
1392 &netsec_chk, rpc_in, 0))
1393 {
1394 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1395 return False;
1396 }
1397
1398 if (!netsec_decode(&p->netsec_auth,
1399 p->netsec_auth.auth_flags,
1400 SENDER_IS_INITIATOR,
1401 &netsec_chk,
1402 prs_data_p(rpc_in)+old_offset, data_len)) {
1403 DEBUG(3,("failed to decode PDU\n"));
1404 return False;
1405 }
1406
1407 /*
1408 * Return the current pointer to the data offset.
1409 */
1410
1411 if(!prs_set_offset(rpc_in, old_offset)) {
1412 DEBUG(0,("failed to set offset back to %u\n",
1413 (unsigned int)old_offset ));
1414 return False;
1415 }
1416
1417 /* The sequence number gets incremented on both send and receive. */
1418 p->netsec_auth.seq_num++;
1419
1420 return True;
1421 }
1422
1423 /****************************************************************************
1424 Return a user struct for a pipe user.
1425 ****************************************************************************/
1426
1427 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1428 {
1429 if (p->ntlmssp_auth_validated) {
1430 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1431 } else {
1432 extern struct current_user current_user;
1433 memcpy(user, &current_user, sizeof(struct current_user));
1434 }
1435
1436 return user;
1437 }
1438
1439 /****************************************************************************
1440 Find the set of RPC functions associated with this context_id
1441 ****************************************************************************/
1442
1443 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1444 {
1445 PIPE_RPC_FNS *fns = NULL;
1446 PIPE_RPC_FNS *tmp = NULL;
1447
1448 if ( !list ) {
1449 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1450 return NULL;
1451 }
1452
1453 for (tmp=list; tmp; tmp=tmp->next ) {
1454 if ( tmp->context_id == context_id )
1455 break;
1456 }
1457
1458 fns = tmp;
1459
1460 return fns;
1461 }
1462
1463 /****************************************************************************
1464 memory cleanup
1465 ****************************************************************************/
1466
1467 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
1468 {
1469 PIPE_RPC_FNS *tmp = list;
1470 PIPE_RPC_FNS *tmp2;
1471
1472 while (tmp) {
1473 tmp2 = tmp->next;
1474 SAFE_FREE(tmp);
1475 tmp = tmp2;
1476 }
1477
1478 return;
1479 }
1480
1481 /****************************************************************************
1482 Find the correct RPC function to call for this request.
1483 If the pipe is authenticated then become the correct UNIX user
1484 before doing the call.
1485 ****************************************************************************/
1486
1487 BOOL api_pipe_request(pipes_struct *p)
1488 {
1489 BOOL ret = False;
1490 PIPE_RPC_FNS *pipe_fns;
1491
1492 if (p->ntlmssp_auth_validated) {
1493
1494 if(!become_authenticated_pipe_user(p)) {
1495 prs_mem_free(&p->out_data.rdata);
1496 return False;
1497 }
1498 }
1499
1500 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1501
1502 /* get the set of RPC functions for this context */
1503
1504 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
1505
1506 if ( pipe_fns ) {
1507 set_current_rpc_talloc(p->mem_ctx);
1508 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
1509 set_current_rpc_talloc(NULL);
1510 }
1511 else {
1512 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
1513 p->hdr_req.context_id, p->name));
1514 }
1515
1516 if(p->ntlmssp_auth_validated)
1517 unbecome_authenticated_pipe_user();
1518
1519 return ret;
1520 }
1521
1522 /*******************************************************************
1523 Calls the underlying RPC function for a named pipe.
1524 ********************************************************************/
1525
1526 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1527 const struct api_struct *api_rpc_cmds, int n_cmds)
1528 {
1529 int fn_num;
1530 fstring name;
1531 uint32 offset1, offset2;
1532
1533 /* interpret the command */
1534 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1535
1536 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1537 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1538
1539 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1540 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1541 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1542 break;
1543 }
1544 }
1545
1546 if (fn_num == n_cmds) {
1547 /*
1548 * For an unknown RPC just return a fault PDU but
1549 * return True to allow RPC's on the pipe to continue
1550 * and not put the pipe into fault state. JRA.
1551 */
1552 DEBUG(4, ("unknown\n"));
1553 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1554 return True;
1555 }
1556
1557 offset1 = prs_offset(&p->out_data.rdata);
1558
1559 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1560 fn_num, api_rpc_cmds[fn_num].fn));
1561 /* do the actual command */
1562 if(!api_rpc_cmds[fn_num].fn(p)) {
1563 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1564 prs_mem_free(&p->out_data.rdata);
1565 return False;
1566 }
1567
1568 if (p->bad_handle_fault_state) {
1569 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1570 p->bad_handle_fault_state = False;
1571 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1572 return True;
1573 }
1574
1575 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1576 offset2 = prs_offset(&p->out_data.rdata);
1577 prs_set_offset(&p->out_data.rdata, offset1);
1578 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1579 prs_set_offset(&p->out_data.rdata, offset2);
1580
1581 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1582
1583 /* Check for buffer underflow in rpc parsing */
1584
1585 if ((DEBUGLEVEL >= 10) &&
1586 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1587 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1588 char *data;
1589
1590 data = malloc(data_len);
1591
1592 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1593 if (data) {
1594 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1595 SAFE_FREE(data);
1596 }
1597
1598 }
1599
1600 return True;
1601 }
1602
1603 /*******************************************************************
1604 *******************************************************************/
1605
1606 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
1607 {
1608 struct api_struct *cmds = NULL;
1609 int n_cmds = 0;
1610
1611 switch ( idx ) {
1612 case PI_LSARPC:
1613 lsa_get_pipe_fns( &cmds, &n_cmds );
1614 break;
1615 case PI_LSARPC_DS:
1616 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
1617 break;
1618 case PI_SAMR:
1619 samr_get_pipe_fns( &cmds, &n_cmds );
1620 break;
1621 case PI_NETLOGON:
1622 netlog_get_pipe_fns( &cmds, &n_cmds );
1623 break;
1624 case PI_SRVSVC:
1625 srvsvc_get_pipe_fns( &cmds, &n_cmds );
1626 break;
1627 case PI_WKSSVC:
1628 wkssvc_get_pipe_fns( &cmds, &n_cmds );
1629 break;
1630 case PI_WINREG:
1631 reg_get_pipe_fns( &cmds, &n_cmds );
1632 break;
1633 case PI_SPOOLSS:
1634 spoolss_get_pipe_fns( &cmds, &n_cmds );
1635 break;
1636 case PI_NETDFS:
1637 netdfs_get_pipe_fns( &cmds, &n_cmds );
1638 break;
1639 #ifdef DEVELOPER
1640 case PI_ECHO:
1641 echo_get_pipe_fns( &cmds, &n_cmds );
1642 break;
1643 #endif
1644 default:
1645 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
1646 }
1647
1648 *fns = cmds;
1649 *n_fns = n_cmds;
1650
1651 return;
1652 }
1653
1654
Samba GIT mirror