search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
make proto
[Samba/gbeck.git] / source / rpc_server / srv_pipe.c
blobbc5b2ab473b057d805ea05e48d8073caf8bbf644
1 /*
2 * Unix SMB/Netbios implementation.
3 * Version 1.9.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 extern int DEBUGLEVEL;
44
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
46 {
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
50 int ind;
51
52 for( ind = 0; ind < len; ind++) {
53 unsigned char tc;
54 unsigned char t;
55
56 index_i++;
57 index_j += hash[index_i];
58
59 tc = hash[index_i];
60 hash[index_i] = hash[index_j];
61 hash[index_j] = tc;
62
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
65 }
66
67 hash[256] = index_i;
68 hash[257] = index_j;
69 }
70
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
76
77 BOOL create_next_pdu(pipes_struct *p)
78 {
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
82 uint32 data_len;
83 uint32 data_space_available;
84 uint32 data_len_left;
85 prs_struct outgoing_pdu;
86 char *data;
87 char *data_from;
88 uint32 data_pos;
89
90 /*
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
93 */
94
95 if(p->fault_state) {
96 setup_fault_pdu(p);
97 return True;
98 }
99
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
104
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
108 else
109 p->hdr.flags = 0;
110
111 /*
112 * Work out how much we can fit in a single PDU.
113 */
114
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118
119 /*
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
122 */
123
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125
126 /*
127 * Ensure there really is data left to send.
128 */
129
130 if(!data_len_left) {
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
132 return False;
133 }
134
135 data_len = MIN(data_len_left, data_space_available);
136
137 /*
138 * Set up the alloc hint. This should be the data left to
139 * send.
140 */
141
142 hdr_resp.alloc_hint = data_len_left;
143
144 /*
145 * Set up the header lengths.
146 */
147
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 } else {
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
154 p->hdr.auth_len = 0;
155 }
156
157 /*
158 * Work out if this PDU will be the last.
159 */
160
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
163
164 /*
165 * Init the parse struct to point at the outgoing
166 * data.
167 */
168
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
176 return False;
177 }
178
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
182 return False;
183 }
184
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
187
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
190
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
194 return False;
195 }
196
197 /*
198 * Set data to point to where we copied the data into.
199 */
200
201 data = prs_data_p(&outgoing_pdu) + data_pos;
202
203 if (p->hdr.auth_len > 0) {
204 uint32 crc32 = 0;
205
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208
209 if (auth_seal) {
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 }
213
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
216
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
222 return False;
223 }
224 }
225
226 if (auth_verify) {
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
229
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
237 return False;
238 }
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
240 }
241 }
242
243 /*
244 * Setup the counts for this PDU.
245 */
246
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
250
251 prs_mem_free(&outgoing_pdu);
252 return True;
253 }
254
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
259 the pipe struct.
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
262
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
264 {
265 uchar lm_owf[24];
266 uchar nt_owf[24];
267 fstring user_name;
268 fstring pipe_user_name;
269 fstring domain;
270 fstring wks;
271 BOOL guest_user = False;
272 SAM_ACCOUNT *sampass = NULL;
273 uchar null_smb_passwd[16];
274 uchar *smb_passwd_ptr = NULL;
275
276 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
277
278 memset(p->user_name, '\0', sizeof(p->user_name));
279 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
280 memset(p->domain, '\0', sizeof(p->domain));
281 memset(p->wks, '\0', sizeof(p->wks));
282
283 /* Set up for non-authenticated user. */
284 delete_nt_token(&p->pipe_user.nt_user_token);
285 p->pipe_user.ngroups = 0;
286 safe_free( p->pipe_user.groups);
287
288 /*
289 * Setup an empty password for a guest user.
290 */
291
292 memset(null_smb_passwd,0,16);
293
294 /*
295 * We always negotiate UNICODE.
296 */
297
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
300 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
301 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
302 } else {
303 fstrcpy(user_name, ntlmssp_resp->user);
304 fstrcpy(domain, ntlmssp_resp->domain);
305 fstrcpy(wks, ntlmssp_resp->wks);
306 }
307
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
309
310 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
311 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
312
313 #ifdef DEBUG_PASSWORD
314 DEBUG(100,("lm, nt owfs, chal\n"));
315 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
316 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
317 dump_data(100, (char *)p->challenge, 8);
318 #endif
319
320 /*
321 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
322 */
323
324 if((strlen(user_name) == 0) &&
325 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
326 {
327 guest_user = True;
328
329 fstrcpy(pipe_user_name, lp_guestaccount(-1));
330 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
331
332 smb_passwd_ptr = null_smb_passwd;
333
334 } else {
335
336 /*
337 * Pass the user through the NT -> unix user mapping
338 * function.
339 */
340
341 fstrcpy(pipe_user_name, user_name);
342 (void)map_username(pipe_user_name);
343
344 /*
345 * Do the length checking only if user is not NULL.
346 */
347
348 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
349 return False;
350 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
351 return False;
352 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
353 return False;
354 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
355 return False;
356 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
357 return False;
358
359 }
360
361 if(!guest_user) {
362
363 become_root();
364
365 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
366 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
369 unbecome_root();
370 return False;
371 }
372
373 if(!(sampass = pdb_getsampwnam(pipe_user_name))) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
375 pipe_user_name));
376 unbecome_root();
377 return False;
378 }
379
380 unbecome_root();
381
382 /* Quit if the account was disabled. */
383 if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) {
384 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
385 return(False);
386 }
387
388 if(!pdb_get_nt_passwd(sampass)) {
389 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
390 return(False);
391 }
392
393 smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
394 }
395
396 /*
397 * Set up the sign/seal data.
398 */
399
400 {
401 uchar p24[24];
402 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
403 {
404 unsigned char j = 0;
405 int ind;
406
407 unsigned char k2[8];
408
409 memcpy(k2, p24, 5);
410 k2[5] = 0xe5;
411 k2[6] = 0x38;
412 k2[7] = 0xb0;
413
414 for (ind = 0; ind < 256; ind++)
415 p->ntlmssp_hash[ind] = (unsigned char)ind;
416
417 for( ind = 0; ind < 256; ind++) {
418 unsigned char tc;
419
420 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
421
422 tc = p->ntlmssp_hash[ind];
423 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
424 p->ntlmssp_hash[j] = tc;
425 }
426
427 p->ntlmssp_hash[256] = 0;
428 p->ntlmssp_hash[257] = 0;
429 }
430 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
431 p->ntlmssp_seq_num = 0;
432
433 }
434
435 fstrcpy(p->user_name, user_name);
436 fstrcpy(p->pipe_user_name, pipe_user_name);
437 fstrcpy(p->domain, domain);
438 fstrcpy(p->wks, wks);
439
440 /*
441 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
442 */
443
444 p->pipe_user.uid = pdb_get_uid(sampass);
445 p->pipe_user.gid = pdb_get_uid(sampass);
446
447 /* Set up pipe user group membership. */
448 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
449 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
450
451 /* Create an NT_USER_TOKEN struct for this user. */
452 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
453 p->pipe_user.ngroups, p->pipe_user.groups,
454 guest_user);
455
456 p->ntlmssp_auth_validated = True;
457 return True;
458 }
459
460 /*******************************************************************
461 The switch table for the pipe names and the functions to handle them.
462 *******************************************************************/
463
464 struct api_cmd
465 {
466 char * pipe_clnt_name;
467 char * pipe_srv_name;
468 BOOL (*fn) (pipes_struct *);
469 };
470
471 static struct api_cmd api_fd_commands[] =
472 {
473 { "lsarpc", "lsass", api_ntlsa_rpc },
474 { "samr", "lsass", api_samr_rpc },
475 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
476 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
477 { "NETLOGON", "lsass", api_netlog_rpc },
478 { "winreg", "winreg", api_reg_rpc },
479 { "spoolss", "spoolss", api_spoolss_rpc },
480 #ifdef WITH_MSDFS
481 { "netdfs", "netdfs" , api_netdfs_rpc },
482 #endif
483 { NULL, NULL, NULL }
484 };
485
486 /*******************************************************************
487 This is the client reply to our challenge for an authenticated
488 bind request. The challenge we sent is in p->challenge.
489 *******************************************************************/
490
491 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
492 {
493 RPC_HDR_AUTHA autha_info;
494 RPC_AUTH_VERIFIER auth_verifier;
495 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
496
497 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
498
499 if (p->hdr.auth_len == 0) {
500 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
501 return False;
502 }
503
504 /*
505 * Decode the authentication verifier response.
506 */
507
508 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
509 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
510 return False;
511 }
512
513 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
514 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
515 (int)autha_info.auth_type, (int)autha_info.auth_level ));
516 return False;
517 }
518
519 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
520 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
521 return False;
522 }
523
524 /*
525 * Ensure this is a NTLMSSP_AUTH packet type.
526 */
527
528 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
529 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
530 return False;
531 }
532
533 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
534 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
535 return False;
536 }
537
538 /*
539 * The following call actually checks the challenge/response data.
540 * for correctness against the given DOMAIN\user name.
541 */
542
543 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
544 return False;
545
546 p->pipe_bound = True
547 ;
548 return True;
549 }
550
551 /*******************************************************************
552 Marshall a bind_nak pdu.
553 *******************************************************************/
554
555 static BOOL setup_bind_nak(pipes_struct *p)
556 {
557 prs_struct outgoing_rpc;
558 RPC_HDR nak_hdr;
559 uint16 zero = 0;
560
561 /* Free any memory in the current return data buffer. */
562 prs_mem_free(&p->out_data.rdata);
563
564 /*
565 * Marshall directly into the outgoing PDU space. We
566 * must do this as we need to set to the bind response
567 * header and are never sending more than one PDU here.
568 */
569
570 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
571 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
572
573
574 /*
575 * Initialize a bind_nak header.
576 */
577
578 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
579 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
580
581 /*
582 * Marshall the header into the outgoing PDU.
583 */
584
585 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
586 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
587 prs_mem_free(&outgoing_rpc);
588 return False;
589 }
590
591 /*
592 * Now add the reject reason.
593 */
594
595 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
596 prs_mem_free(&outgoing_rpc);
597 return False;
598 }
599
600 p->out_data.data_sent_length = 0;
601 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
602 p->out_data.current_pdu_sent = 0;
603
604 p->pipe_bound = False;
605
606 return True;
607 }
608
609 /*******************************************************************
610 Marshall a fault pdu.
611 *******************************************************************/
612
613 BOOL setup_fault_pdu(pipes_struct *p)
614 {
615 prs_struct outgoing_pdu;
616 RPC_HDR fault_hdr;
617 RPC_HDR_RESP hdr_resp;
618 RPC_HDR_FAULT fault_resp;
619
620 /* Free any memory in the current return data buffer. */
621 prs_mem_free(&p->out_data.rdata);
622
623 /*
624 * Marshall directly into the outgoing PDU space. We
625 * must do this as we need to set to the bind response
626 * header and are never sending more than one PDU here.
627 */
628
629 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
630 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
631
632 /*
633 * Initialize a fault header.
634 */
635
636 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
637 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
638
639 /*
640 * Initialize the HDR_RESP and FAULT parts of the PDU.
641 */
642
643 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
644
645 fault_resp.status = 0x1c010002;
646 fault_resp.reserved = 0;
647
648 /*
649 * Marshall the header into the outgoing PDU.
650 */
651
652 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
653 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
654 prs_mem_free(&outgoing_pdu);
655 return False;
656 }
657
658 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
659 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
660 prs_mem_free(&outgoing_pdu);
661 return False;
662 }
663
664 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
665 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
666 prs_mem_free(&outgoing_pdu);
667 return False;
668 }
669
670 p->out_data.data_sent_length = 0;
671 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
672 p->out_data.current_pdu_sent = 0;
673
674 prs_mem_free(&outgoing_pdu);
675 return True;
676 }
677
678 /*******************************************************************
679 Ensure a bind request has the correct abstract & transfer interface.
680 Used to reject unknown binds from Win2k.
681 *******************************************************************/
682
683 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
684 RPC_IFACE* transfer)
685 {
686 extern struct pipe_id_info pipe_names[];
687 int i=0;
688 fstring pname;
689 fstrcpy(pname,"\\PIPE\\");
690 fstrcat(pname,pipe_name);
691
692 for(i=0;pipe_names[i].client_pipe; i++) {
693 if(strequal(pipe_names[i].client_pipe, pname))
694 break;
695 }
696
697 if(pipe_names[i].client_pipe == NULL)
698 return False;
699
700 /* check the abstract interface */
701 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
702 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
703 sizeof(RPC_UUID)) != 0))
704 return False;
705
706 /* check the transfer interface */
707 if((transfer->version != pipe_names[i].trans_syntax.version) ||
708 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
709 sizeof(RPC_UUID)) != 0))
710 return False;
711
712 return True;
713 }
714
715 /*******************************************************************
716 Respond to a pipe bind request.
717 *******************************************************************/
718
719 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
720 {
721 RPC_HDR_BA hdr_ba;
722 RPC_HDR_RB hdr_rb;
723 RPC_HDR_AUTH auth_info;
724 uint16 assoc_gid;
725 fstring ack_pipe_name;
726 prs_struct out_hdr_ba;
727 prs_struct out_auth;
728 prs_struct outgoing_rpc;
729 int i = 0;
730 int auth_len = 0;
731 enum RPC_PKT_TYPE reply_pkt_type;
732
733 p->ntlmssp_auth_requested = False;
734
735 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
736
737 /*
738 * Try and find the correct pipe name to ensure
739 * that this is a pipe name we support.
740 */
741
742 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
743 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
744 api_fd_commands[i].fn != NULL) {
745 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
746 api_fd_commands[i].pipe_clnt_name,
747 api_fd_commands[i].pipe_srv_name));
748 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
749 break;
750 }
751 }
752
753 if (api_fd_commands[i].fn == NULL) {
754 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
755 p->name ));
756 if(!setup_bind_nak(p))
757 return False;
758 return True;
759 }
760
761 /* decode the bind request */
762 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
763 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
764 return False;
765 }
766
767 /*
768 * Check if this is an authenticated request.
769 */
770
771 if (p->hdr.auth_len != 0) {
772 RPC_AUTH_VERIFIER auth_verifier;
773 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
774
775 /*
776 * Decode the authentication verifier.
777 */
778
779 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
780 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
781 return False;
782 }
783
784 /*
785 * We only support NTLMSSP_AUTH_TYPE requests.
786 */
787
788 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
789 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
790 auth_info.auth_type ));
791 return False;
792 }
793
794 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
795 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
796 return False;
797 }
798
799 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
800 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
801 return False;
802 }
803
804 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
805 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
806 auth_verifier.msg_type));
807 return False;
808 }
809
810 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
811 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
812 return False;
813 }
814
815 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
816 p->ntlmssp_auth_requested = True;
817 }
818
819 switch(p->hdr.pkt_type) {
820 case RPC_BIND:
821 /* name has to be \PIPE\xxxxx */
822 fstrcpy(ack_pipe_name, "\\PIPE\\");
823 fstrcat(ack_pipe_name, p->pipe_srv_name);
824 reply_pkt_type = RPC_BINDACK;
825 break;
826 case RPC_ALTCONT:
827 /* secondary address CAN be NULL
828 * as the specs say it's ignored.
829 * It MUST NULL to have the spoolss working.
830 */
831 fstrcpy(ack_pipe_name,"");
832 reply_pkt_type = RPC_ALTCONTRESP;
833 break;
834 default:
835 return False;
836 }
837
838 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
839
840 /*
841 * Marshall directly into the outgoing PDU space. We
842 * must do this as we need to set to the bind response
843 * header and are never sending more than one PDU here.
844 */
845
846 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
847 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
848
849 /*
850 * Setup the memory to marshall the ba header, and the
851 * auth footers.
852 */
853
854 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
855 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
856 prs_mem_free(&outgoing_rpc);
857 return False;
858 }
859
860 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
861 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
862 prs_mem_free(&outgoing_rpc);
863 prs_mem_free(&out_hdr_ba);
864 return False;
865 }
866
867 if (p->ntlmssp_auth_requested)
868 assoc_gid = 0x7a77;
869 else
870 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
871
872 /*
873 * Create the bind response struct.
874 */
875
876 /* If the requested abstract synt uuid doesn't match our client pipe,
877 reject the bind_ack & set the transfer interface synt to all 0's,
878 ver 0 (observed when NT5 attempts to bind to abstract interfaces
879 unknown to NT4)
880 Needed when adding entries to a DACL from NT5 - SK */
881
882 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
883 init_rpc_hdr_ba(&hdr_ba,
884 MAX_PDU_FRAG_LEN,
885 MAX_PDU_FRAG_LEN,
886 assoc_gid,
887 ack_pipe_name,
888 0x1, 0x0, 0x0,
889 &hdr_rb.transfer);
890 } else {
891 RPC_IFACE null_interface;
892 ZERO_STRUCT(null_interface);
893 /* Rejection reason: abstract syntax not supported */
894 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
895 MAX_PDU_FRAG_LEN, assoc_gid,
896 ack_pipe_name, 0x1, 0x2, 0x1,
897 &null_interface);
898 }
899
900 /*
901 * and marshall it.
902 */
903
904 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
905 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
906 goto err_exit;
907 }
908
909 /*
910 * Now the authentication.
911 */
912
913 if (p->ntlmssp_auth_requested) {
914 RPC_AUTH_VERIFIER auth_verifier;
915 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
916
917 generate_random_buffer(p->challenge, 8, False);
918
919 /*** Authentication info ***/
920
921 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
922 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
923 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
924 goto err_exit;
925 }
926
927 /*** NTLMSSP verifier ***/
928
929 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
930 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
931 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
932 goto err_exit;
933 }
934
935 /* NTLMSSP challenge ***/
936
937 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
938 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
939 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
940 goto err_exit;
941 }
942
943 /* Auth len in the rpc header doesn't include auth_header. */
944 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
945 }
946
947 /*
948 * Create the header, now we know the length.
949 */
950
951 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
952 p->hdr.call_id,
953 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
954 auth_len);
955
956 /*
957 * Marshall the header into the outgoing PDU.
958 */
959
960 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
961 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
962 goto err_exit;
963 }
964
965 /*
966 * Now add the RPC_HDR_BA and any auth needed.
967 */
968
969 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
970 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
971 goto err_exit;
972 }
973
974 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
975 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
976 goto err_exit;
977 }
978
979 if(!p->ntlmssp_auth_requested)
980 p->pipe_bound = True;
981
982 /*
983 * Setup the lengths for the initial reply.
984 */
985
986 p->out_data.data_sent_length = 0;
987 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
988 p->out_data.current_pdu_sent = 0;
989
990 prs_mem_free(&out_hdr_ba);
991 prs_mem_free(&out_auth);
992
993 return True;
994
995 err_exit:
996
997 prs_mem_free(&outgoing_rpc);
998 prs_mem_free(&out_hdr_ba);
999 prs_mem_free(&out_auth);
1000 return False;
1001 }
1002
1003 /****************************************************************************
1004 Deal with sign & seal processing on an RPC request.
1005 ****************************************************************************/
1006
1007 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1008 {
1009 /*
1010 * We always negotiate the following two bits....
1011 */
1012 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1013 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1014 int data_len;
1015 int auth_len;
1016 uint32 old_offset;
1017 uint32 crc32 = 0;
1018
1019 auth_len = p->hdr.auth_len;
1020
1021 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1022 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1023 return False;
1024 }
1025
1026 /*
1027 * The following is that length of the data we must verify or unseal.
1028 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1029 * preceeding the auth_data.
1030 */
1031
1032 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1033 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1034
1035 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1036 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1037
1038 if (auth_seal) {
1039 /*
1040 * The data in rpc_in doesn't contain the RPC_HEADER as this
1041 * has already been consumed.
1042 */
1043 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1044 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1045 crc32 = crc32_calc_buffer(data, data_len);
1046 }
1047
1048 old_offset = prs_offset(rpc_in);
1049
1050 if (auth_seal || auth_verify) {
1051 RPC_HDR_AUTH auth_info;
1052
1053 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1054 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1055 (unsigned int)old_offset + data_len ));
1056 return False;
1057 }
1058
1059 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1060 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1061 return False;
1062 }
1063 }
1064
1065 if (auth_verify) {
1066 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1067 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1068
1069 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1070
1071 /*
1072 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1073 * incoming buffer.
1074 */
1075 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1076 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1077 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1078 return False;
1079 }
1080
1081 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1082 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1083 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1084 return False;
1085 }
1086
1087 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1088 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1089 return False;
1090 }
1091 }
1092
1093 /*
1094 * Return the current pointer to the data offset.
1095 */
1096
1097 if(!prs_set_offset(rpc_in, old_offset)) {
1098 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1099 (unsigned int)old_offset ));
1100 return False;
1101 }
1102
1103 return True;
1104 }
1105
1106 /****************************************************************************
1107 Find the correct RPC function to call for this request.
1108 If the pipe is authenticated then become the correct UNIX user
1109 before doing the call.
1110 ****************************************************************************/
1111
1112 BOOL api_pipe_request(pipes_struct *p)
1113 {
1114 int i = 0;
1115 BOOL ret = False;
1116 BOOL changed_user_id = False;
1117
1118 if (p->ntlmssp_auth_validated) {
1119
1120 if(!become_authenticated_pipe_user(p)) {
1121 prs_mem_free(&p->out_data.rdata);
1122 return False;
1123 }
1124
1125 changed_user_id = True;
1126 }
1127
1128 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1129 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1130 api_fd_commands[i].fn != NULL) {
1131 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1132 set_current_rpc_talloc(p->mem_ctx);
1133 ret = api_fd_commands[i].fn(p);
1134 set_current_rpc_talloc(NULL);
1135 }
1136 }
1137
1138 if(changed_user_id)
1139 unbecome_authenticated_pipe_user(p);
1140
1141 return ret;
1142 }
1143
1144 /*******************************************************************
1145 Calls the underlying RPC function for a named pipe.
1146 ********************************************************************/
1147
1148 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1149 struct api_struct *api_rpc_cmds)
1150 {
1151 int fn_num;
1152 fstring name;
1153 uint32 offset1, offset2;
1154
1155 /* interpret the command */
1156 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1157
1158 slprintf(name, sizeof(name), "in_%s", rpc_name);
1159 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1160
1161 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1162 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1163 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1164 break;
1165 }
1166 }
1167
1168 if (api_rpc_cmds[fn_num].name == NULL) {
1169 /*
1170 * For an unknown RPC just return a fault PDU but
1171 * return True to allow RPC's on the pipe to continue
1172 * and not put the pipe into fault state. JRA.
1173 */
1174 DEBUG(4, ("unknown\n"));
1175 setup_fault_pdu(p);
1176 return True;
1177 }
1178
1179 offset1 = prs_offset(&p->out_data.rdata);
1180
1181 /* do the actual command */
1182 if(!api_rpc_cmds[fn_num].fn(p)) {
1183 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1184 prs_mem_free(&p->out_data.rdata);
1185 return False;
1186 }
1187
1188 slprintf(name, sizeof(name), "out_%s", rpc_name);
1189 offset2 = prs_offset(&p->out_data.rdata);
1190 prs_set_offset(&p->out_data.rdata, offset1);
1191 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1192 prs_set_offset(&p->out_data.rdata, offset2);
1193
1194 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1195
1196 /* Check for buffer underflow in rpc parsing */
1197
1198 if ((DEBUGLEVEL >= 10) &&
1199 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1200 int data_len = p->in_data.data.buffer_size -
1201 p->in_data.data.data_offset;
1202 char *data;
1203
1204 data = malloc(data_len);
1205
1206 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1207 if (data) {
1208 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1209 data_len);
1210 free(data);
1211 }
1212
1213 }
1214
1215 return True;
1216 }
WIP