search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixed the w2ksp2 joining a domain bug.
[Samba/ekacnet.git] / source / rpc_server / srv_pipe.c
blobd16290985ec1b15ae7c5b8061ed4b4bbe9adadba
1 /*
2 * Unix SMB/Netbios implementation.
3 * Version 1.9.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 extern int DEBUGLEVEL;
44
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
46 {
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
50 int ind;
51
52 for( ind = 0; ind < len; ind++) {
53 unsigned char tc;
54 unsigned char t;
55
56 index_i++;
57 index_j += hash[index_i];
58
59 tc = hash[index_i];
60 hash[index_i] = hash[index_j];
61 hash[index_j] = tc;
62
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
65 }
66
67 hash[256] = index_i;
68 hash[257] = index_j;
69 }
70
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
76
77 BOOL create_next_pdu(pipes_struct *p)
78 {
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
82 uint32 data_len;
83 uint32 data_space_available;
84 uint32 data_len_left;
85 prs_struct outgoing_pdu;
86 char *data;
87 char *data_from;
88 uint32 data_pos;
89
90 /*
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
93 */
94
95 if(p->fault_state) {
96 setup_fault_pdu(p, 0x1c010002);
97 return True;
98 }
99
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
104
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
108 else
109 p->hdr.flags = 0;
110
111 /*
112 * Work out how much we can fit in a single PDU.
113 */
114
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118
119 /*
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
122 */
123
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125
126 /*
127 * Ensure there really is data left to send.
128 */
129
130 if(!data_len_left) {
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
132 return False;
133 }
134
135 data_len = MIN(data_len_left, data_space_available);
136
137 /*
138 * Set up the alloc hint. This should be the data left to
139 * send.
140 */
141
142 hdr_resp.alloc_hint = data_len_left;
143
144 /*
145 * Set up the header lengths.
146 */
147
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 } else {
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
154 p->hdr.auth_len = 0;
155 }
156
157 /*
158 * Work out if this PDU will be the last.
159 */
160
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
163
164 /*
165 * Init the parse struct to point at the outgoing
166 * data.
167 */
168
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
176 return False;
177 }
178
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
182 return False;
183 }
184
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
187
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
190
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
194 return False;
195 }
196
197 /*
198 * Set data to point to where we copied the data into.
199 */
200
201 data = prs_data_p(&outgoing_pdu) + data_pos;
202
203 if (p->hdr.auth_len > 0) {
204 uint32 crc32 = 0;
205
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208
209 if (auth_seal) {
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 }
213
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
216
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
222 return False;
223 }
224 }
225
226 if (auth_verify) {
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
229
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
237 return False;
238 }
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
240 }
241 }
242
243 /*
244 * Setup the counts for this PDU.
245 */
246
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
250
251 prs_mem_free(&outgoing_pdu);
252 return True;
253 }
254
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
259 the pipe struct.
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
262
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
264 {
265 uchar lm_owf[24];
266 uchar nt_owf[24];
267 fstring user_name;
268 fstring pipe_user_name;
269 fstring domain;
270 fstring wks;
271 BOOL guest_user = False;
272 struct smb_passwd *smb_pass = NULL;
273 struct passwd *pass = NULL;
274 uchar null_smb_passwd[16];
275 uchar *smb_passwd_ptr = NULL;
276
277 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
278
279 memset(p->user_name, '\0', sizeof(p->user_name));
280 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
281 memset(p->domain, '\0', sizeof(p->domain));
282 memset(p->wks, '\0', sizeof(p->wks));
283
284 /* Set up for non-authenticated user. */
285 delete_nt_token(&p->pipe_user.nt_user_token);
286 p->pipe_user.ngroups = 0;
287 safe_free( p->pipe_user.groups);
288
289 /*
290 * Setup an empty password for a guest user.
291 */
292
293 memset(null_smb_passwd,0,16);
294
295 /*
296 * We always negotiate UNICODE.
297 */
298
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
301 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
302 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
303 } else {
304 fstrcpy(user_name, ntlmssp_resp->user);
305 fstrcpy(domain, ntlmssp_resp->domain);
306 fstrcpy(wks, ntlmssp_resp->wks);
307 }
308
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310
311 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
312 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
313
314 #ifdef DEBUG_PASSWORD
315 DEBUG(100,("lm, nt owfs, chal\n"));
316 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
317 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
318 dump_data(100, (char *)p->challenge, 8);
319 #endif
320
321 /*
322 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
323 */
324
325 if((strlen(user_name) == 0) &&
326 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
327 {
328 guest_user = True;
329
330 fstrcpy(pipe_user_name, lp_guestaccount(-1));
331 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
332
333 smb_passwd_ptr = null_smb_passwd;
334
335 } else {
336
337 /*
338 * Pass the user through the NT -> unix user mapping
339 * function.
340 */
341
342 fstrcpy(pipe_user_name, user_name);
343 (void)map_username(pipe_user_name);
344
345 /*
346 * Do the length checking only if user is not NULL.
347 */
348
349 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
350 return False;
351 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
352 return False;
353 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
354 return False;
355 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
356 return False;
357 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
358 return False;
359
360 }
361
362 /*
363 * Find the user in the unix password db.
364 */
365
366 if(!(pass = Get_Pwnam(pipe_user_name,True))) {
367 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",pipe_user_name));
368 return(False);
369 }
370
371 if(!guest_user) {
372
373 become_root();
374
375 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
376 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
377 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
378 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
379 unbecome_root();
380 return False;
381 }
382
383 if(!(smb_pass = getsmbpwnam(pipe_user_name))) {
384 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
385 pipe_user_name));
386 unbecome_root();
387 return False;
388 }
389
390 unbecome_root();
391
392 if (smb_pass == NULL) {
393 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
394 pipe_user_name));
395 return(False);
396 }
397
398 /* Quit if the account was disabled. */
399 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
400 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
401 return(False);
402 }
403
404 if(!smb_pass->smb_nt_passwd) {
405 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
406 return(False);
407 }
408
409 smb_passwd_ptr = smb_pass->smb_passwd;
410 }
411
412 /*
413 * Set up the sign/seal data.
414 */
415
416 {
417 uchar p24[24];
418 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
419 {
420 unsigned char j = 0;
421 int ind;
422
423 unsigned char k2[8];
424
425 memcpy(k2, p24, 5);
426 k2[5] = 0xe5;
427 k2[6] = 0x38;
428 k2[7] = 0xb0;
429
430 for (ind = 0; ind < 256; ind++)
431 p->ntlmssp_hash[ind] = (unsigned char)ind;
432
433 for( ind = 0; ind < 256; ind++) {
434 unsigned char tc;
435
436 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
437
438 tc = p->ntlmssp_hash[ind];
439 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
440 p->ntlmssp_hash[j] = tc;
441 }
442
443 p->ntlmssp_hash[256] = 0;
444 p->ntlmssp_hash[257] = 0;
445 }
446 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
447 p->ntlmssp_seq_num = 0;
448
449 }
450
451 fstrcpy(p->user_name, user_name);
452 fstrcpy(p->pipe_user_name, pipe_user_name);
453 fstrcpy(p->domain, domain);
454 fstrcpy(p->wks, wks);
455
456 /*
457 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
458 */
459
460 p->pipe_user.uid = pass->pw_uid;
461 p->pipe_user.gid = pass->pw_gid;
462
463 /* Set up pipe user group membership. */
464 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
465 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
466
467 /* Create an NT_USER_TOKEN struct for this user. */
468 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
469 p->pipe_user.ngroups, p->pipe_user.groups,
470 guest_user);
471
472 p->ntlmssp_auth_validated = True;
473 return True;
474 }
475
476 /*******************************************************************
477 The switch table for the pipe names and the functions to handle them.
478 *******************************************************************/
479
480 struct api_cmd
481 {
482 char * pipe_clnt_name;
483 char * pipe_srv_name;
484 BOOL (*fn) (pipes_struct *);
485 };
486
487 static struct api_cmd api_fd_commands[] =
488 {
489 { "lsarpc", "lsass", api_ntlsa_rpc },
490 { "samr", "lsass", api_samr_rpc },
491 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
492 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
493 { "NETLOGON", "lsass", api_netlog_rpc },
494 { "winreg", "winreg", api_reg_rpc },
495 { "spoolss", "spoolss", api_spoolss_rpc },
496 #ifdef WITH_MSDFS
497 { "netdfs", "netdfs" , api_netdfs_rpc },
498 #endif
499 { NULL, NULL, NULL }
500 };
501
502 /*******************************************************************
503 This is the client reply to our challenge for an authenticated
504 bind request. The challenge we sent is in p->challenge.
505 *******************************************************************/
506
507 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
508 {
509 RPC_HDR_AUTHA autha_info;
510 RPC_AUTH_VERIFIER auth_verifier;
511 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
512
513 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
514
515 if (p->hdr.auth_len == 0) {
516 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
517 return False;
518 }
519
520 /*
521 * Decode the authentication verifier response.
522 */
523
524 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
525 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
526 return False;
527 }
528
529 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
530 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
531 (int)autha_info.auth_type, (int)autha_info.auth_level ));
532 return False;
533 }
534
535 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
536 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
537 return False;
538 }
539
540 /*
541 * Ensure this is a NTLMSSP_AUTH packet type.
542 */
543
544 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
545 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
546 return False;
547 }
548
549 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
550 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
551 return False;
552 }
553
554 /*
555 * The following call actually checks the challenge/response data.
556 * for correctness against the given DOMAIN\user name.
557 */
558
559 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
560 return False;
561
562 p->pipe_bound = True
563 ;
564 return True;
565 }
566
567 /*******************************************************************
568 Marshall a bind_nak pdu.
569 *******************************************************************/
570
571 static BOOL setup_bind_nak(pipes_struct *p)
572 {
573 prs_struct outgoing_rpc;
574 RPC_HDR nak_hdr;
575 uint16 zero = 0;
576
577 /* Free any memory in the current return data buffer. */
578 prs_mem_free(&p->out_data.rdata);
579
580 /*
581 * Marshall directly into the outgoing PDU space. We
582 * must do this as we need to set to the bind response
583 * header and are never sending more than one PDU here.
584 */
585
586 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
587 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
588
589
590 /*
591 * Initialize a bind_nak header.
592 */
593
594 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
595 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
596
597 /*
598 * Marshall the header into the outgoing PDU.
599 */
600
601 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
602 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
603 prs_mem_free(&outgoing_rpc);
604 return False;
605 }
606
607 /*
608 * Now add the reject reason.
609 */
610
611 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
612 prs_mem_free(&outgoing_rpc);
613 return False;
614 }
615
616 p->out_data.data_sent_length = 0;
617 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
618 p->out_data.current_pdu_sent = 0;
619
620 p->pipe_bound = False;
621
622 return True;
623 }
624
625 /*******************************************************************
626 Marshall a fault pdu.
627 *******************************************************************/
628
629 BOOL setup_fault_pdu(pipes_struct *p, uint32 status)
630 {
631 prs_struct outgoing_pdu;
632 RPC_HDR fault_hdr;
633 RPC_HDR_RESP hdr_resp;
634 RPC_HDR_FAULT fault_resp;
635
636 /* Free any memory in the current return data buffer. */
637 prs_mem_free(&p->out_data.rdata);
638
639 /*
640 * Marshall directly into the outgoing PDU space. We
641 * must do this as we need to set to the bind response
642 * header and are never sending more than one PDU here.
643 */
644
645 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
646 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
647
648 /*
649 * Initialize a fault header.
650 */
651
652 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
653 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
654
655 /*
656 * Initialize the HDR_RESP and FAULT parts of the PDU.
657 */
658
659 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
660
661 fault_resp.status = status;
662 fault_resp.reserved = 0;
663
664 /*
665 * Marshall the header into the outgoing PDU.
666 */
667
668 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
669 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
670 prs_mem_free(&outgoing_pdu);
671 return False;
672 }
673
674 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
675 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
676 prs_mem_free(&outgoing_pdu);
677 return False;
678 }
679
680 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
681 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
682 prs_mem_free(&outgoing_pdu);
683 return False;
684 }
685
686 p->out_data.data_sent_length = 0;
687 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
688 p->out_data.current_pdu_sent = 0;
689
690 prs_mem_free(&outgoing_pdu);
691 return True;
692 }
693
694 /*******************************************************************
695 Ensure a bind request has the correct abstract & transfer interface.
696 Used to reject unknown binds from Win2k.
697 *******************************************************************/
698
699 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
700 RPC_IFACE* transfer)
701 {
702 extern struct pipe_id_info pipe_names[];
703 int i=0;
704 fstring pname;
705 fstrcpy(pname,"\\PIPE\\");
706 fstrcat(pname,pipe_name);
707
708 for(i=0;pipe_names[i].client_pipe; i++) {
709 if(strequal(pipe_names[i].client_pipe, pname))
710 break;
711 }
712
713 if(pipe_names[i].client_pipe == NULL)
714 return False;
715
716 /* check the abstract interface */
717 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
718 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
719 sizeof(RPC_UUID)) != 0))
720 return False;
721
722 /* check the transfer interface */
723 if((transfer->version != pipe_names[i].trans_syntax.version) ||
724 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
725 sizeof(RPC_UUID)) != 0))
726 return False;
727
728 return True;
729 }
730
731 /*******************************************************************
732 Respond to a pipe bind request.
733 *******************************************************************/
734
735 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
736 {
737 RPC_HDR_BA hdr_ba;
738 RPC_HDR_RB hdr_rb;
739 RPC_HDR_AUTH auth_info;
740 uint16 assoc_gid;
741 fstring ack_pipe_name;
742 prs_struct out_hdr_ba;
743 prs_struct out_auth;
744 prs_struct outgoing_rpc;
745 int i = 0;
746 int auth_len = 0;
747 enum RPC_PKT_TYPE reply_pkt_type;
748
749 p->ntlmssp_auth_requested = False;
750
751 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
752
753 /*
754 * Try and find the correct pipe name to ensure
755 * that this is a pipe name we support.
756 */
757
758 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
759 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
760 api_fd_commands[i].fn != NULL) {
761 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
762 api_fd_commands[i].pipe_clnt_name,
763 api_fd_commands[i].pipe_srv_name));
764 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
765 break;
766 }
767 }
768
769 if (api_fd_commands[i].fn == NULL) {
770 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
771 p->name ));
772 if(!setup_bind_nak(p))
773 return False;
774 return True;
775 }
776
777 /* decode the bind request */
778 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
779 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
780 return False;
781 }
782
783 /*
784 * Check if this is an authenticated request.
785 */
786
787 if (p->hdr.auth_len != 0) {
788 RPC_AUTH_VERIFIER auth_verifier;
789 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
790
791 /*
792 * Decode the authentication verifier.
793 */
794
795 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
796 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
797 return False;
798 }
799
800 /*
801 * We only support NTLMSSP_AUTH_TYPE requests.
802 */
803
804 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
805 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
806 auth_info.auth_type ));
807 return False;
808 }
809
810 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
811 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
812 return False;
813 }
814
815 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
816 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
817 return False;
818 }
819
820 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
821 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
822 auth_verifier.msg_type));
823 return False;
824 }
825
826 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
827 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
828 return False;
829 }
830
831 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
832 p->ntlmssp_auth_requested = True;
833 }
834
835 switch(p->hdr.pkt_type) {
836 case RPC_BIND:
837 /* name has to be \PIPE\xxxxx */
838 fstrcpy(ack_pipe_name, "\\PIPE\\");
839 fstrcat(ack_pipe_name, p->pipe_srv_name);
840 reply_pkt_type = RPC_BINDACK;
841 break;
842 case RPC_ALTCONT:
843 /* secondary address CAN be NULL
844 * as the specs say it's ignored.
845 * It MUST NULL to have the spoolss working.
846 */
847 fstrcpy(ack_pipe_name,"");
848 reply_pkt_type = RPC_ALTCONTRESP;
849 break;
850 default:
851 return False;
852 }
853
854 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
855
856 /*
857 * Marshall directly into the outgoing PDU space. We
858 * must do this as we need to set to the bind response
859 * header and are never sending more than one PDU here.
860 */
861
862 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
863 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
864
865 /*
866 * Setup the memory to marshall the ba header, and the
867 * auth footers.
868 */
869
870 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
871 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
872 prs_mem_free(&outgoing_rpc);
873 return False;
874 }
875
876 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
877 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
878 prs_mem_free(&outgoing_rpc);
879 prs_mem_free(&out_hdr_ba);
880 return False;
881 }
882
883 if (p->ntlmssp_auth_requested)
884 assoc_gid = 0x7a77;
885 else
886 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
887
888 /*
889 * Create the bind response struct.
890 */
891
892 /* If the requested abstract synt uuid doesn't match our client pipe,
893 reject the bind_ack & set the transfer interface synt to all 0's,
894 ver 0 (observed when NT5 attempts to bind to abstract interfaces
895 unknown to NT4)
896 Needed when adding entries to a DACL from NT5 - SK */
897
898 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
899 init_rpc_hdr_ba(&hdr_ba,
900 MAX_PDU_FRAG_LEN,
901 MAX_PDU_FRAG_LEN,
902 assoc_gid,
903 ack_pipe_name,
904 0x1, 0x0, 0x0,
905 &hdr_rb.transfer);
906 } else {
907 RPC_IFACE null_interface;
908 ZERO_STRUCT(null_interface);
909 /* Rejection reason: abstract syntax not supported */
910 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
911 MAX_PDU_FRAG_LEN, assoc_gid,
912 ack_pipe_name, 0x1, 0x2, 0x1,
913 &null_interface);
914 }
915
916 /*
917 * and marshall it.
918 */
919
920 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
921 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
922 goto err_exit;
923 }
924
925 /*
926 * Now the authentication.
927 */
928
929 if (p->ntlmssp_auth_requested) {
930 RPC_AUTH_VERIFIER auth_verifier;
931 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
932
933 generate_random_buffer(p->challenge, 8, False);
934
935 /*** Authentication info ***/
936
937 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
938 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
939 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
940 goto err_exit;
941 }
942
943 /*** NTLMSSP verifier ***/
944
945 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
946 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
947 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
948 goto err_exit;
949 }
950
951 /* NTLMSSP challenge ***/
952
953 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
954 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
955 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
956 goto err_exit;
957 }
958
959 /* Auth len in the rpc header doesn't include auth_header. */
960 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
961 }
962
963 /*
964 * Create the header, now we know the length.
965 */
966
967 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
968 p->hdr.call_id,
969 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
970 auth_len);
971
972 /*
973 * Marshall the header into the outgoing PDU.
974 */
975
976 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
977 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
978 goto err_exit;
979 }
980
981 /*
982 * Now add the RPC_HDR_BA and any auth needed.
983 */
984
985 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
986 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
987 goto err_exit;
988 }
989
990 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
991 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
992 goto err_exit;
993 }
994
995 if(!p->ntlmssp_auth_requested)
996 p->pipe_bound = True;
997
998 /*
999 * Setup the lengths for the initial reply.
1000 */
1001
1002 p->out_data.data_sent_length = 0;
1003 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1004 p->out_data.current_pdu_sent = 0;
1005
1006 prs_mem_free(&out_hdr_ba);
1007 prs_mem_free(&out_auth);
1008
1009 return True;
1010
1011 err_exit:
1012
1013 prs_mem_free(&outgoing_rpc);
1014 prs_mem_free(&out_hdr_ba);
1015 prs_mem_free(&out_auth);
1016 return False;
1017 }
1018
1019 /****************************************************************************
1020 Deal with sign & seal processing on an RPC request.
1021 ****************************************************************************/
1022
1023 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1024 {
1025 /*
1026 * We always negotiate the following two bits....
1027 */
1028 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1029 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1030 int data_len;
1031 int auth_len;
1032 uint32 old_offset;
1033 uint32 crc32 = 0;
1034
1035 auth_len = p->hdr.auth_len;
1036
1037 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1038 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1039 return False;
1040 }
1041
1042 /*
1043 * The following is that length of the data we must verify or unseal.
1044 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1045 * preceeding the auth_data.
1046 */
1047
1048 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1049 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1050
1051 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1052 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1053
1054 if (auth_seal) {
1055 /*
1056 * The data in rpc_in doesn't contain the RPC_HEADER as this
1057 * has already been consumed.
1058 */
1059 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1060 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1061 crc32 = crc32_calc_buffer(data, data_len);
1062 }
1063
1064 old_offset = prs_offset(rpc_in);
1065
1066 if (auth_seal || auth_verify) {
1067 RPC_HDR_AUTH auth_info;
1068
1069 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1070 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1071 (unsigned int)old_offset + data_len ));
1072 return False;
1073 }
1074
1075 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1076 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1077 return False;
1078 }
1079 }
1080
1081 if (auth_verify) {
1082 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1083 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1084
1085 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1086
1087 /*
1088 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1089 * incoming buffer.
1090 */
1091 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1092 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1093 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1094 return False;
1095 }
1096
1097 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1098 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1099 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1100 return False;
1101 }
1102
1103 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1104 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1105 return False;
1106 }
1107 }
1108
1109 /*
1110 * Return the current pointer to the data offset.
1111 */
1112
1113 if(!prs_set_offset(rpc_in, old_offset)) {
1114 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1115 (unsigned int)old_offset ));
1116 return False;
1117 }
1118
1119 return True;
1120 }
1121
1122 /****************************************************************************
1123 Return a user struct for a pipe user.
1124 ****************************************************************************/
1125
1126 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1127 {
1128 if (p->ntlmssp_auth_validated) {
1129 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1130 } else {
1131 extern struct current_user current_user;
1132 memcpy(user, &current_user, sizeof(struct current_user));
1133 }
1134
1135 return user;
1136 }
1137
1138 /****************************************************************************
1139 Find the correct RPC function to call for this request.
1140 If the pipe is authenticated then become the correct UNIX user
1141 before doing the call.
1142 ****************************************************************************/
1143
1144 BOOL api_pipe_request(pipes_struct *p)
1145 {
1146 int i = 0;
1147 BOOL ret = False;
1148 BOOL changed_user_id = False;
1149
1150 if (p->ntlmssp_auth_validated) {
1151
1152 if(!become_authenticated_pipe_user(p)) {
1153 prs_mem_free(&p->out_data.rdata);
1154 return False;
1155 }
1156
1157 changed_user_id = True;
1158 }
1159
1160 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1161 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1162 api_fd_commands[i].fn != NULL) {
1163 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1164 set_current_rpc_talloc(p->mem_ctx);
1165 ret = api_fd_commands[i].fn(p);
1166 set_current_rpc_talloc(NULL);
1167 }
1168 }
1169
1170 if(changed_user_id)
1171 unbecome_authenticated_pipe_user(p);
1172
1173 return ret;
1174 }
1175
1176 /*******************************************************************
1177 Calls the underlying RPC function for a named pipe.
1178 ********************************************************************/
1179
1180 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1181 struct api_struct *api_rpc_cmds)
1182 {
1183 int fn_num;
1184 fstring name;
1185 uint32 offset1, offset2;
1186
1187 /* interpret the command */
1188 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1189
1190 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1191 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1192
1193 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1194 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1195 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1196 break;
1197 }
1198 }
1199
1200 if (api_rpc_cmds[fn_num].name == NULL) {
1201 /*
1202 * For an unknown RPC just return a fault PDU but
1203 * return True to allow RPC's on the pipe to continue
1204 * and not put the pipe into fault state. JRA.
1205 */
1206 DEBUG(4, ("unknown\n"));
1207 setup_fault_pdu(p, 0x1c010002);
1208 return True;
1209 }
1210
1211 offset1 = prs_offset(&p->out_data.rdata);
1212
1213 /* do the actual command */
1214 if(!api_rpc_cmds[fn_num].fn(p)) {
1215 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1216 prs_mem_free(&p->out_data.rdata);
1217 return False;
1218 }
1219
1220 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1221 offset2 = prs_offset(&p->out_data.rdata);
1222 prs_set_offset(&p->out_data.rdata, offset1);
1223 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1224 prs_set_offset(&p->out_data.rdata, offset2);
1225
1226 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1227
1228 /* Check for buffer underflow in rpc parsing */
1229
1230 if ((DEBUGLEVEL >= 10) &&
1231 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1232 int data_len = p->in_data.data.buffer_size -
1233 p->in_data.data.data_offset;
1234 char *data;
1235
1236 data = malloc(data_len);
1237
1238 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1239 if (data) {
1240 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1241 data_len);
1242 free(data);
1243 }
1244
1245 }
1246
1247 return True;
1248 }