search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
First round of merging various UUID structures.
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob7bbe726f5ae04495c272ae2cbec4f2c14666d0a6
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_RPC_SRV
45
46 /*************************************************************
47 HACK Alert!
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
52
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
54 {
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
58 int ind;
59
60 for( ind = 0; ind < len; ind++) {
61 unsigned char tc;
62 unsigned char t;
63
64 index_i++;
65 index_j += hash[index_i];
66
67 tc = hash[index_i];
68 hash[index_i] = hash[index_j];
69 hash[index_j] = tc;
70
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
73 }
74
75 hash[256] = index_i;
76 hash[257] = index_j;
77 }
78
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
84
85 BOOL create_next_pdu(pipes_struct *p)
86 {
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
90 uint32 data_len;
91 uint32 data_space_available;
92 uint32 data_len_left;
93 prs_struct outgoing_pdu;
94 uint32 data_pos;
95
96 /*
97 * If we're in the fault state, keep returning fault PDU's until
98 * the pipe gets closed. JRA.
99 */
100
101 if(p->fault_state) {
102 setup_fault_pdu(p, NT_STATUS(0x1c010002));
103 return True;
104 }
105
106 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
107
108 /* Change the incoming request header to a response. */
109 p->hdr.pkt_type = RPC_RESPONSE;
110
111 /* Set up rpc header flags. */
112 if (p->out_data.data_sent_length == 0)
113 p->hdr.flags = RPC_FLG_FIRST;
114 else
115 p->hdr.flags = 0;
116
117 /*
118 * Work out how much we can fit in a single PDU.
119 */
120
121 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
122 if(p->ntlmssp_auth_validated)
123 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
124
125 if(p->netsec_auth_validated)
126 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
127
128 /*
129 * The amount we send is the minimum of the available
130 * space and the amount left to send.
131 */
132
133 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
134
135 /*
136 * Ensure there really is data left to send.
137 */
138
139 if(!data_len_left) {
140 DEBUG(0,("create_next_pdu: no data left to send !\n"));
141 return False;
142 }
143
144 data_len = MIN(data_len_left, data_space_available);
145
146 /*
147 * Set up the alloc hint. This should be the data left to
148 * send.
149 */
150
151 hdr_resp.alloc_hint = data_len_left;
152
153 /*
154 * Set up the header lengths.
155 */
156
157 if (p->ntlmssp_auth_validated) {
158 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
159 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
160 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
161 } else if (p->netsec_auth_validated) {
162 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
163 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
164 p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
165 } else {
166 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
167 p->hdr.auth_len = 0;
168 }
169
170 /*
171 * Work out if this PDU will be the last.
172 */
173
174 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
175 p->hdr.flags |= RPC_FLG_LAST;
176
177 /*
178 * Init the parse struct to point at the outgoing
179 * data.
180 */
181
182 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
183 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
184
185 /* Store the header in the data stream. */
186 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
187 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
188 prs_mem_free(&outgoing_pdu);
189 return False;
190 }
191
192 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
193 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
194 prs_mem_free(&outgoing_pdu);
195 return False;
196 }
197
198 /* Store the current offset. */
199 data_pos = prs_offset(&outgoing_pdu);
200
201 /* Copy the data into the PDU. */
202
203 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
204 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
205 prs_mem_free(&outgoing_pdu);
206 return False;
207 }
208
209 if (p->ntlmssp_auth_validated) {
210 uint32 crc32 = 0;
211 char *data;
212
213 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
214 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
215
216 /*
217 * Set data to point to where we copied the data into.
218 */
219
220 data = prs_data_p(&outgoing_pdu) + data_pos;
221
222 if (auth_seal) {
223 crc32 = crc32_calc_buffer(data, data_len);
224 NTLMSSPcalc_p(p, (uchar*)data, data_len);
225 }
226
227 if (auth_seal || auth_verify) {
228 RPC_HDR_AUTH auth_info;
229
230 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL,
231 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 }
238
239 if (auth_verify) {
240 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
241 char *auth_data = prs_data_p(&outgoing_pdu);
242
243 p->ntlmssp_seq_num++;
244 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
245 crc32, p->ntlmssp_seq_num++);
246 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
247 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
248 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
249 prs_mem_free(&outgoing_pdu);
250 return False;
251 }
252 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
253 }
254 }
255
256 if (p->netsec_auth_validated) {
257 int auth_type, auth_level;
258 char *data;
259 RPC_HDR_AUTH auth_info;
260
261 RPC_AUTH_NETSEC_CHK verf;
262 prs_struct rverf;
263 prs_struct rauth;
264
265 data = prs_data_p(&outgoing_pdu) + data_pos;
266 /* Check it's the type of reply we were expecting to decode */
267
268 get_auth_type_level(p->netsec_auth.auth_flags, &auth_type, &auth_level);
269 init_rpc_hdr_auth(&auth_info, auth_type, auth_level,
270 RPC_HDR_AUTH_LEN, 1);
271
272 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
273 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
274 prs_mem_free(&outgoing_pdu);
275 return False;
276 }
277
278 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
279 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
280
281 netsec_encode(&p->netsec_auth,
282 p->netsec_auth.auth_flags,
283 SENDER_IS_ACCEPTOR,
284 &verf, data, data_len);
285
286 smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
287
288 p->netsec_auth.seq_num++;
289 }
290
291 /*
292 * Setup the counts for this PDU.
293 */
294
295 p->out_data.data_sent_length += data_len;
296 p->out_data.current_pdu_len = p->hdr.frag_len;
297 p->out_data.current_pdu_sent = 0;
298
299 prs_mem_free(&outgoing_pdu);
300 return True;
301 }
302
303 /*******************************************************************
304 Process an NTLMSSP authentication response.
305 If this function succeeds, the user has been authenticated
306 and their domain, name and calling workstation stored in
307 the pipe struct.
308 The initial challenge is stored in p->challenge.
309 *******************************************************************/
310
311 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
312 {
313 uchar lm_owf[24];
314 uchar nt_owf[128];
315 int nt_pw_len;
316 int lm_pw_len;
317 fstring user_name;
318 fstring domain;
319 fstring wks;
320
321 NTSTATUS nt_status;
322
323 struct auth_context *auth_context = NULL;
324 auth_usersupplied_info *user_info = NULL;
325 auth_serversupplied_info *server_info = NULL;
326
327 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
328
329 memset(p->user_name, '\0', sizeof(p->user_name));
330 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
331 memset(p->domain, '\0', sizeof(p->domain));
332 memset(p->wks, '\0', sizeof(p->wks));
333
334 /* Set up for non-authenticated user. */
335 delete_nt_token(&p->pipe_user.nt_user_token);
336 p->pipe_user.ngroups = 0;
337 SAFE_FREE( p->pipe_user.groups);
338
339 /*
340 * Setup an empty password for a guest user.
341 */
342
343 /*
344 * We always negotiate UNICODE.
345 */
346
347 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
348 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
349 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
350 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
351 } else {
352 pull_ascii_fstring(user_name, ntlmssp_resp->user);
353 pull_ascii_fstring(domain, ntlmssp_resp->domain);
354 pull_ascii_fstring(wks, ntlmssp_resp->wks);
355 }
356
357 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
358
359 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
360 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
361
362 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
363 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
364
365 #ifdef DEBUG_PASSWORD
366 DEBUG(100,("lm, nt owfs, chal\n"));
367 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
368 dump_data(100, (char *)nt_owf, nt_pw_len);
369 dump_data(100, (char *)p->challenge, 8);
370 #endif
371
372 /*
373 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
374 */
375
376 if (*user_name) {
377
378 /*
379 * Do the length checking only if user is not NULL.
380 */
381
382 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
383 return False;
384 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
385 return False;
386 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
387 return False;
388 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
389 return False;
390 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
391 return False;
392
393 }
394
395 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
396
397 if (!make_user_info_netlogon_network(&user_info,
398 user_name, domain, wks,
399 lm_owf, lm_pw_len,
400 nt_owf, nt_pw_len)) {
401 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
402 return False;
403 }
404
405 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
406
407 (auth_context->free)(&auth_context);
408 free_user_info(&user_info);
409
410 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
411
412 if (!p->ntlmssp_auth_validated) {
413 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
414 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
415 free_server_info(&server_info);
416 return False;
417 }
418
419 /*
420 * Set up the sign/seal data.
421 */
422
423 {
424 uchar p24[24];
425 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
426 {
427 unsigned char j = 0;
428 int ind;
429
430 unsigned char k2[8];
431
432 memcpy(k2, p24, 5);
433 k2[5] = 0xe5;
434 k2[6] = 0x38;
435 k2[7] = 0xb0;
436
437 for (ind = 0; ind < 256; ind++)
438 p->ntlmssp_hash[ind] = (unsigned char)ind;
439
440 for( ind = 0; ind < 256; ind++) {
441 unsigned char tc;
442
443 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
444
445 tc = p->ntlmssp_hash[ind];
446 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
447 p->ntlmssp_hash[j] = tc;
448 }
449
450 p->ntlmssp_hash[256] = 0;
451 p->ntlmssp_hash[257] = 0;
452 }
453
454 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
455 sizeof(p->ntlmssp_hash));
456
457 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
458 p->ntlmssp_seq_num = 0;
459
460 }
461
462 fstrcpy(p->user_name, user_name);
463 fstrcpy(p->pipe_user_name, server_info->unix_name);
464 fstrcpy(p->domain, domain);
465 fstrcpy(p->wks, wks);
466
467 /*
468 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
469 */
470
471 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
472
473 p->pipe_user.uid = server_info->uid;
474 p->pipe_user.gid = server_info->gid;
475
476 p->pipe_user.ngroups = server_info->n_groups;
477 if (p->pipe_user.ngroups) {
478 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
479 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
480 free_server_info(&server_info);
481 return False;
482 }
483 }
484
485 if (server_info->ptok)
486 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
487 else {
488 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
489 p->pipe_user.nt_user_token = NULL;
490 free_server_info(&server_info);
491 return False;
492 }
493
494 p->ntlmssp_auth_validated = True;
495
496 free_server_info(&server_info);
497 return True;
498 }
499
500 /*******************************************************************
501 The switch table for the pipe names and the functions to handle them.
502 *******************************************************************/
503
504 struct rpc_table
505 {
506 struct
507 {
508 const char *clnt;
509 const char *srv;
510 } pipe;
511 struct api_struct *cmds;
512 int n_cmds;
513 };
514
515 static struct rpc_table *rpc_lookup;
516 static int rpc_lookup_size;
517
518 /*******************************************************************
519 This is the client reply to our challenge for an authenticated
520 bind request. The challenge we sent is in p->challenge.
521 *******************************************************************/
522
523 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
524 {
525 RPC_HDR_AUTHA autha_info;
526 RPC_AUTH_VERIFIER auth_verifier;
527 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
528
529 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
530
531 if (p->hdr.auth_len == 0) {
532 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
533 return False;
534 }
535
536 /*
537 * Decode the authentication verifier response.
538 */
539
540 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
541 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
542 return False;
543 }
544
545 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) {
546 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
547 (int)autha_info.auth_type, (int)autha_info.auth_level ));
548 return False;
549 }
550
551 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
552 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
553 return False;
554 }
555
556 /*
557 * Ensure this is a NTLMSSP_AUTH packet type.
558 */
559
560 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
561 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
562 return False;
563 }
564
565 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
566 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
567 return False;
568 }
569
570 /*
571 * The following call actually checks the challenge/response data.
572 * for correctness against the given DOMAIN\user name.
573 */
574
575 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
576 return False;
577
578 p->pipe_bound = True
579 ;
580 return True;
581 }
582
583 /*******************************************************************
584 Marshall a bind_nak pdu.
585 *******************************************************************/
586
587 static BOOL setup_bind_nak(pipes_struct *p)
588 {
589 prs_struct outgoing_rpc;
590 RPC_HDR nak_hdr;
591 uint16 zero = 0;
592
593 /* Free any memory in the current return data buffer. */
594 prs_mem_free(&p->out_data.rdata);
595
596 /*
597 * Marshall directly into the outgoing PDU space. We
598 * must do this as we need to set to the bind response
599 * header and are never sending more than one PDU here.
600 */
601
602 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
603 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
604
605
606 /*
607 * Initialize a bind_nak header.
608 */
609
610 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
611 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
612
613 /*
614 * Marshall the header into the outgoing PDU.
615 */
616
617 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
618 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
619 prs_mem_free(&outgoing_rpc);
620 return False;
621 }
622
623 /*
624 * Now add the reject reason.
625 */
626
627 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
628 prs_mem_free(&outgoing_rpc);
629 return False;
630 }
631
632 p->out_data.data_sent_length = 0;
633 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
634 p->out_data.current_pdu_sent = 0;
635
636 p->pipe_bound = False;
637
638 return True;
639 }
640
641 /*******************************************************************
642 Marshall a fault pdu.
643 *******************************************************************/
644
645 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
646 {
647 prs_struct outgoing_pdu;
648 RPC_HDR fault_hdr;
649 RPC_HDR_RESP hdr_resp;
650 RPC_HDR_FAULT fault_resp;
651
652 /* Free any memory in the current return data buffer. */
653 prs_mem_free(&p->out_data.rdata);
654
655 /*
656 * Marshall directly into the outgoing PDU space. We
657 * must do this as we need to set to the bind response
658 * header and are never sending more than one PDU here.
659 */
660
661 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
662 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
663
664 /*
665 * Initialize a fault header.
666 */
667
668 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
669 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
670
671 /*
672 * Initialize the HDR_RESP and FAULT parts of the PDU.
673 */
674
675 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
676
677 fault_resp.status = status;
678 fault_resp.reserved = 0;
679
680 /*
681 * Marshall the header into the outgoing PDU.
682 */
683
684 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
685 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
686 prs_mem_free(&outgoing_pdu);
687 return False;
688 }
689
690 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
691 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
692 prs_mem_free(&outgoing_pdu);
693 return False;
694 }
695
696 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
697 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
698 prs_mem_free(&outgoing_pdu);
699 return False;
700 }
701
702 p->out_data.data_sent_length = 0;
703 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
704 p->out_data.current_pdu_sent = 0;
705
706 prs_mem_free(&outgoing_pdu);
707 return True;
708 }
709
710 /*******************************************************************
711 Ensure a bind request has the correct abstract & transfer interface.
712 Used to reject unknown binds from Win2k.
713 *******************************************************************/
714
715 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
716 RPC_IFACE* transfer, uint32 context_id)
717 {
718 extern struct pipe_id_info pipe_names[];
719 char *pipe_name = p->name;
720 int i=0;
721 fstring pname;
722
723 fstrcpy(pname,"\\PIPE\\");
724 fstrcat(pname,pipe_name);
725
726 DEBUG(3,("check_bind_req for %s\n", pname));
727
728 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
729
730 for ( i=0; pipe_names[i].client_pipe; i++ )
731 {
732 if ( strequal(pipe_names[i].client_pipe, pname)
733 && (abstract->version == pipe_names[i].abstr_syntax.version)
734 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
735 && (transfer->version == pipe_names[i].trans_syntax.version)
736 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) )
737 {
738 struct api_struct *fns = NULL;
739 int n_fns = 0;
740 PIPE_RPC_FNS *context_fns;
741
742 if ( !(context_fns = malloc(sizeof(PIPE_RPC_FNS))) ) {
743 DEBUG(0,("check_bind_req: malloc() failed!\n"));
744 return False;
745 }
746
747 /* save the RPC function table associated with this bind */
748
749 get_pipe_fns(i, &fns, &n_fns);
750
751 context_fns->cmds = fns;
752 context_fns->n_cmds = n_fns;
753 context_fns->context_id = context_id;
754
755 /* add to the list of open contexts */
756
757 DLIST_ADD( p->contexts, context_fns );
758
759 break;
760 }
761 }
762
763 if(pipe_names[i].client_pipe == NULL)
764 return False;
765
766 return True;
767 }
768
769 /*******************************************************************
770 Register commands to an RPC pipe
771 *******************************************************************/
772 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
773 {
774 struct rpc_table *rpc_entry;
775
776 if (!clnt || !srv || !cmds) {
777 return NT_STATUS_INVALID_PARAMETER;
778 }
779
780 if (version != SMB_RPC_INTERFACE_VERSION) {
781 DEBUG(0,("Can't register rpc commands!\n"
782 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
783 ", while this version of samba uses version %d!\n",
784 version,SMB_RPC_INTERFACE_VERSION));
785 return NT_STATUS_OBJECT_TYPE_MISMATCH;
786 }
787
788 /* TODO:
789 *
790 * we still need to make sure that don't register the same commands twice!!!
791 *
792 * --metze
793 */
794
795 /* We use a temporary variable because this call can fail and
796 rpc_lookup will still be valid afterwards. It could then succeed if
797 called again later */
798 rpc_entry = realloc(rpc_lookup,
799 ++rpc_lookup_size*sizeof(struct rpc_table));
800 if (NULL == rpc_entry) {
801 rpc_lookup_size--;
802 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
803 return NT_STATUS_NO_MEMORY;
804 } else {
805 rpc_lookup = rpc_entry;
806 }
807
808 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
809 ZERO_STRUCTP(rpc_entry);
810 rpc_entry->pipe.clnt = strdup(clnt);
811 rpc_entry->pipe.srv = strdup(srv);
812 rpc_entry->cmds = realloc(rpc_entry->cmds,
813 (rpc_entry->n_cmds + size) *
814 sizeof(struct api_struct));
815 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
816 size * sizeof(struct api_struct));
817 rpc_entry->n_cmds += size;
818
819 return NT_STATUS_OK;
820 }
821
822 /*******************************************************************
823 Respond to a pipe bind request.
824 *******************************************************************/
825
826 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
827 {
828 RPC_HDR_BA hdr_ba;
829 RPC_HDR_RB hdr_rb;
830 RPC_HDR_AUTH auth_info;
831 uint16 assoc_gid;
832 fstring ack_pipe_name;
833 prs_struct out_hdr_ba;
834 prs_struct out_auth;
835 prs_struct outgoing_rpc;
836 int i = 0;
837 int auth_len = 0;
838 enum RPC_PKT_TYPE reply_pkt_type;
839
840 p->ntlmssp_auth_requested = False;
841 p->netsec_auth_validated = False;
842
843 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
844
845 /*
846 * Try and find the correct pipe name to ensure
847 * that this is a pipe name we support.
848 */
849
850
851 for (i = 0; i < rpc_lookup_size; i++) {
852 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
853 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
854 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
855 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
856 break;
857 }
858 }
859
860 if (i == rpc_lookup_size) {
861 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
862 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
863 p->name ));
864 if(!setup_bind_nak(p))
865 return False;
866 return True;
867 }
868
869 for (i = 0; i < rpc_lookup_size; i++) {
870 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
871 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
872 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
873 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
874 break;
875 }
876 }
877
878 if (i == rpc_lookup_size) {
879 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
880 return False;
881 }
882 }
883
884 /* decode the bind request */
885 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
886 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
887 return False;
888 }
889
890 /*
891 * Check if this is an authenticated request.
892 */
893
894 if (p->hdr.auth_len != 0) {
895 RPC_AUTH_VERIFIER auth_verifier;
896 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
897
898 /*
899 * Decode the authentication verifier.
900 */
901
902 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
903 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
904 return False;
905 }
906
907 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
908
909 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
910 DEBUG(0,("api_pipe_bind_req: unable to "
911 "unmarshall RPC_HDR_AUTH struct.\n"));
912 return False;
913 }
914
915 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
916 DEBUG(0,("api_pipe_bind_req: "
917 "auth_verifier.signature != NTLMSSP\n"));
918 return False;
919 }
920
921 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
922 DEBUG(0,("api_pipe_bind_req: "
923 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
924 auth_verifier.msg_type));
925 return False;
926 }
927
928 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
929 DEBUG(0,("api_pipe_bind_req: "
930 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
931 return False;
932 }
933
934 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
935 p->ntlmssp_auth_requested = True;
936
937 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
938
939 RPC_AUTH_NETSEC_NEG neg;
940 struct netsec_auth_struct *a = &(p->netsec_auth);
941
942 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
943 DEBUG(0,("api_pipe_bind_req: "
944 "Could not unmarshal SCHANNEL auth neg\n"));
945 return False;
946 }
947
948 p->netsec_auth_validated = True;
949
950 memset(a->sess_key, 0, sizeof(a->sess_key));
951 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
952
953 a->seq_num = 0;
954
955 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
956 neg.domain, neg.myname));
957
958 } else {
959 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
960 auth_info.auth_type ));
961 return False;
962 }
963 }
964
965 switch(p->hdr.pkt_type) {
966 case RPC_BIND:
967 /* name has to be \PIPE\xxxxx */
968 fstrcpy(ack_pipe_name, "\\PIPE\\");
969 fstrcat(ack_pipe_name, p->pipe_srv_name);
970 reply_pkt_type = RPC_BINDACK;
971 break;
972 case RPC_ALTCONT:
973 /* secondary address CAN be NULL
974 * as the specs say it's ignored.
975 * It MUST NULL to have the spoolss working.
976 */
977 fstrcpy(ack_pipe_name,"");
978 reply_pkt_type = RPC_ALTCONTRESP;
979 break;
980 default:
981 return False;
982 }
983
984 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
985
986 /*
987 * Marshall directly into the outgoing PDU space. We
988 * must do this as we need to set to the bind response
989 * header and are never sending more than one PDU here.
990 */
991
992 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
993 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
994
995 /*
996 * Setup the memory to marshall the ba header, and the
997 * auth footers.
998 */
999
1000 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1001 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1002 prs_mem_free(&outgoing_rpc);
1003 return False;
1004 }
1005
1006 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1007 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1008 prs_mem_free(&outgoing_rpc);
1009 prs_mem_free(&out_hdr_ba);
1010 return False;
1011 }
1012
1013 if (p->ntlmssp_auth_requested)
1014 assoc_gid = 0x7a77;
1015 else
1016 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1017
1018 /*
1019 * Create the bind response struct.
1020 */
1021
1022 /* If the requested abstract synt uuid doesn't match our client pipe,
1023 reject the bind_ack & set the transfer interface synt to all 0's,
1024 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1025 unknown to NT4)
1026 Needed when adding entries to a DACL from NT5 - SK */
1027
1028 if(check_bind_req(p, &hdr_rb.abstract, &hdr_rb.transfer, hdr_rb.context_id ))
1029 {
1030 init_rpc_hdr_ba(&hdr_ba,
1031 MAX_PDU_FRAG_LEN,
1032 MAX_PDU_FRAG_LEN,
1033 assoc_gid,
1034 ack_pipe_name,
1035 0x1, 0x0, 0x0,
1036 &hdr_rb.transfer);
1037 } else {
1038 RPC_IFACE null_interface;
1039 ZERO_STRUCT(null_interface);
1040 /* Rejection reason: abstract syntax not supported */
1041 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1042 MAX_PDU_FRAG_LEN, assoc_gid,
1043 ack_pipe_name, 0x1, 0x2, 0x1,
1044 &null_interface);
1045 }
1046
1047 /*
1048 * and marshall it.
1049 */
1050
1051 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1052 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1053 goto err_exit;
1054 }
1055
1056 /*
1057 * Now the authentication.
1058 */
1059
1060 if (p->ntlmssp_auth_requested) {
1061 RPC_AUTH_VERIFIER auth_verifier;
1062 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1063
1064 generate_random_buffer(p->challenge, 8, False);
1065
1066 /*** Authentication info ***/
1067
1068 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1069 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1070 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1071 goto err_exit;
1072 }
1073
1074 /*** NTLMSSP verifier ***/
1075
1076 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1077 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1078 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1079 goto err_exit;
1080 }
1081
1082 /* NTLMSSP challenge ***/
1083
1084 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1085 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1086 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1087 goto err_exit;
1088 }
1089
1090 /* Auth len in the rpc header doesn't include auth_header. */
1091 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1092 }
1093
1094 if (p->netsec_auth_validated) {
1095 RPC_AUTH_VERIFIER auth_verifier;
1096 uint32 flags;
1097
1098 /* The client opens a second RPC NETLOGON pipe without
1099 doing a auth2. The credentials for the schannel are
1100 re-used from the auth2 the client did before. */
1101 p->dc = last_dcinfo;
1102
1103 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1104 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1105 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1106 goto err_exit;
1107 }
1108
1109 /*** NETSEC verifier ***/
1110
1111 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1112 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1113 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1114 goto err_exit;
1115 }
1116
1117 prs_align(&out_auth);
1118
1119 flags = 5;
1120 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1121 goto err_exit;
1122
1123 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1124 }
1125
1126 /*
1127 * Create the header, now we know the length.
1128 */
1129
1130 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1131 p->hdr.call_id,
1132 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1133 auth_len);
1134
1135 /*
1136 * Marshall the header into the outgoing PDU.
1137 */
1138
1139 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1140 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1141 goto err_exit;
1142 }
1143
1144 /*
1145 * Now add the RPC_HDR_BA and any auth needed.
1146 */
1147
1148 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1149 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1150 goto err_exit;
1151 }
1152
1153 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1154 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1155 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1156 goto err_exit;
1157 }
1158
1159 if(!p->ntlmssp_auth_requested)
1160 p->pipe_bound = True;
1161
1162 /*
1163 * Setup the lengths for the initial reply.
1164 */
1165
1166 p->out_data.data_sent_length = 0;
1167 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1168 p->out_data.current_pdu_sent = 0;
1169
1170 prs_mem_free(&out_hdr_ba);
1171 prs_mem_free(&out_auth);
1172
1173 return True;
1174
1175 err_exit:
1176
1177 prs_mem_free(&outgoing_rpc);
1178 prs_mem_free(&out_hdr_ba);
1179 prs_mem_free(&out_auth);
1180 return False;
1181 }
1182
1183 /****************************************************************************
1184 Deal with sign & seal processing on an RPC request.
1185 ****************************************************************************/
1186
1187 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1188 {
1189 /*
1190 * We always negotiate the following two bits....
1191 */
1192 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1193 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1194 int data_len;
1195 int auth_len;
1196 uint32 old_offset;
1197 uint32 crc32 = 0;
1198
1199 auth_len = p->hdr.auth_len;
1200
1201 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1202 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1203 return False;
1204 }
1205
1206 /*
1207 * The following is that length of the data we must verify or unseal.
1208 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1209 * preceeding the auth_data.
1210 */
1211
1212 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1213 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1214
1215 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1216 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1217
1218 if (auth_seal) {
1219 /*
1220 * The data in rpc_in doesn't contain the RPC_HEADER as this
1221 * has already been consumed.
1222 */
1223 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1224 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
1225 sizeof(p->ntlmssp_hash));
1226
1227 dump_data_pw("Incoming RPC PDU (NTLMSSP sealed)\n",
1228 (const unsigned char *)data, data_len);
1229 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1230 dump_data_pw("Incoming RPC PDU (NTLMSSP unsealed)\n",
1231 (const unsigned char *)data, data_len);
1232 crc32 = crc32_calc_buffer(data, data_len);
1233 }
1234
1235 old_offset = prs_offset(rpc_in);
1236
1237 if (auth_seal || auth_verify) {
1238 RPC_HDR_AUTH auth_info;
1239
1240 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1241 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1242 (unsigned int)old_offset + data_len ));
1243 return False;
1244 }
1245
1246 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1247 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1248 return False;
1249 }
1250 }
1251
1252 if (auth_verify) {
1253 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1254 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1255
1256 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1257
1258 /*
1259 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1260 * incoming buffer.
1261 */
1262 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1263 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1264 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1265 return False;
1266 }
1267
1268 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1269 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1270 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1271 return False;
1272 }
1273
1274 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1275 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1276 return False;
1277 }
1278 }
1279
1280 /*
1281 * Return the current pointer to the data offset.
1282 */
1283
1284 if(!prs_set_offset(rpc_in, old_offset)) {
1285 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1286 (unsigned int)old_offset ));
1287 return False;
1288 }
1289
1290 return True;
1291 }
1292
1293 /****************************************************************************
1294 Deal with schannel processing on an RPC request.
1295 ****************************************************************************/
1296 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1297 {
1298 /*
1299 * We always negotiate the following two bits....
1300 */
1301 int data_len;
1302 int auth_len;
1303 uint32 old_offset;
1304 RPC_HDR_AUTH auth_info;
1305 RPC_AUTH_NETSEC_CHK netsec_chk;
1306
1307
1308 auth_len = p->hdr.auth_len;
1309
1310 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
1311 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1312 return False;
1313 }
1314
1315 /*
1316 * The following is that length of the data we must verify or unseal.
1317 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1318 * preceeding the auth_data.
1319 */
1320
1321 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1322 RPC_HDR_AUTH_LEN - auth_len;
1323
1324 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1325
1326 old_offset = prs_offset(rpc_in);
1327
1328 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1329 DEBUG(0,("cannot move offset to %u.\n",
1330 (unsigned int)old_offset + data_len ));
1331 return False;
1332 }
1333
1334 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1335 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1336 return False;
1337 }
1338
1339 if (auth_info.auth_type != NETSEC_AUTH_TYPE) {
1340 DEBUG(0,("Invalid auth info %d on schannel\n",
1341 auth_info.auth_type));
1342 return False;
1343 }
1344
1345 if (auth_info.auth_level == RPC_PIPE_AUTH_SEAL_LEVEL) {
1346 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL;
1347 } else if (auth_info.auth_level == RPC_PIPE_AUTH_SIGN_LEVEL) {
1348 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN;
1349 } else {
1350 DEBUG(0,("Invalid auth level %d on schannel\n",
1351 auth_info.auth_level));
1352 return False;
1353 }
1354
1355 if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
1356 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1357 return False;
1358 }
1359
1360 if (!netsec_decode(&p->netsec_auth,
1361 p->netsec_auth.auth_flags,
1362 SENDER_IS_INITIATOR,
1363 &netsec_chk,
1364 prs_data_p(rpc_in)+old_offset, data_len)) {
1365 DEBUG(0,("failed to decode PDU\n"));
1366 return False;
1367 }
1368
1369 /*
1370 * Return the current pointer to the data offset.
1371 */
1372
1373 if(!prs_set_offset(rpc_in, old_offset)) {
1374 DEBUG(0,("failed to set offset back to %u\n",
1375 (unsigned int)old_offset ));
1376 return False;
1377 }
1378
1379 /* The sequence number gets incremented on both send and receive. */
1380 p->netsec_auth.seq_num++;
1381
1382 return True;
1383 }
1384
1385 /****************************************************************************
1386 Return a user struct for a pipe user.
1387 ****************************************************************************/
1388
1389 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1390 {
1391 if (p->ntlmssp_auth_validated) {
1392 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1393 } else {
1394 extern struct current_user current_user;
1395 memcpy(user, &current_user, sizeof(struct current_user));
1396 }
1397
1398 return user;
1399 }
1400
1401 /****************************************************************************
1402 Find the set of RPC functions associated with this context_id
1403 ****************************************************************************/
1404
1405 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1406 {
1407 PIPE_RPC_FNS *fns = NULL;
1408 PIPE_RPC_FNS *tmp = NULL;
1409
1410 if ( !list ) {
1411 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1412 return NULL;
1413 }
1414
1415 for (tmp=list; tmp; tmp=tmp->next ) {
1416 if ( tmp->context_id == context_id )
1417 break;
1418 }
1419
1420 fns = tmp;
1421
1422 return fns;
1423 }
1424
1425 /****************************************************************************
1426 memory cleanup
1427 ****************************************************************************/
1428
1429 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
1430 {
1431 PIPE_RPC_FNS *tmp = list;
1432 PIPE_RPC_FNS *tmp2;
1433
1434 while (tmp) {
1435 tmp2 = tmp->next;
1436 SAFE_FREE(tmp);
1437 tmp = tmp2;
1438 }
1439
1440 return;
1441 }
1442
1443 /****************************************************************************
1444 Find the correct RPC function to call for this request.
1445 If the pipe is authenticated then become the correct UNIX user
1446 before doing the call.
1447 ****************************************************************************/
1448
1449 BOOL api_pipe_request(pipes_struct *p)
1450 {
1451 BOOL ret = False;
1452 PIPE_RPC_FNS *pipe_fns;
1453
1454 if (p->ntlmssp_auth_validated) {
1455
1456 if(!become_authenticated_pipe_user(p)) {
1457 prs_mem_free(&p->out_data.rdata);
1458 return False;
1459 }
1460 }
1461
1462 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1463
1464 /* get the set of RPC functions for this context */
1465
1466 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
1467
1468 if ( pipe_fns ) {
1469 set_current_rpc_talloc(p->mem_ctx);
1470 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
1471 set_current_rpc_talloc(NULL);
1472 }
1473 else {
1474 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
1475 p->hdr_req.context_id, p->name));
1476 }
1477
1478 if(p->ntlmssp_auth_validated)
1479 unbecome_authenticated_pipe_user();
1480
1481 return ret;
1482 }
1483
1484 /*******************************************************************
1485 Calls the underlying RPC function for a named pipe.
1486 ********************************************************************/
1487
1488 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1489 const struct api_struct *api_rpc_cmds, int n_cmds)
1490 {
1491 int fn_num;
1492 fstring name;
1493 uint32 offset1, offset2;
1494
1495 /* interpret the command */
1496 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1497
1498 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1499 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1500
1501 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1502 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1503 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1504 break;
1505 }
1506 }
1507
1508 if (fn_num == n_cmds) {
1509 /*
1510 * For an unknown RPC just return a fault PDU but
1511 * return True to allow RPC's on the pipe to continue
1512 * and not put the pipe into fault state. JRA.
1513 */
1514 DEBUG(4, ("unknown\n"));
1515 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1516 return True;
1517 }
1518
1519 offset1 = prs_offset(&p->out_data.rdata);
1520
1521 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1522 fn_num, api_rpc_cmds[fn_num].fn));
1523 /* do the actual command */
1524 if(!api_rpc_cmds[fn_num].fn(p)) {
1525 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1526 prs_mem_free(&p->out_data.rdata);
1527 return False;
1528 }
1529
1530 if (p->bad_handle_fault_state) {
1531 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1532 p->bad_handle_fault_state = False;
1533 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1534 return True;
1535 }
1536
1537 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1538 offset2 = prs_offset(&p->out_data.rdata);
1539 prs_set_offset(&p->out_data.rdata, offset1);
1540 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1541 prs_set_offset(&p->out_data.rdata, offset2);
1542
1543 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1544
1545 /* Check for buffer underflow in rpc parsing */
1546
1547 if ((DEBUGLEVEL >= 10) &&
1548 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1549 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1550 char *data;
1551
1552 data = malloc(data_len);
1553
1554 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1555 if (data) {
1556 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1557 SAFE_FREE(data);
1558 }
1559
1560 }
1561
1562 return True;
1563 }
1564
1565 /*******************************************************************
1566 *******************************************************************/
1567
1568 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
1569 {
1570 struct api_struct *cmds = NULL;
1571 int n_cmds = 0;
1572
1573 switch ( idx ) {
1574 case PI_LSARPC:
1575 lsa_get_pipe_fns( &cmds, &n_cmds );
1576 break;
1577 case PI_LSARPC_DS:
1578 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
1579 break;
1580 case PI_SAMR:
1581 samr_get_pipe_fns( &cmds, &n_cmds );
1582 break;
1583 case PI_NETLOGON:
1584 netlog_get_pipe_fns( &cmds, &n_cmds );
1585 break;
1586 case PI_SRVSVC:
1587 srvsvc_get_pipe_fns( &cmds, &n_cmds );
1588 break;
1589 case PI_WKSSVC:
1590 wkssvc_get_pipe_fns( &cmds, &n_cmds );
1591 break;
1592 case PI_WINREG:
1593 reg_get_pipe_fns( &cmds, &n_cmds );
1594 break;
1595 case PI_SPOOLSS:
1596 spoolss_get_pipe_fns( &cmds, &n_cmds );
1597 break;
1598 case PI_NETDFS:
1599 netdfs_get_pipe_fns( &cmds, &n_cmds );
1600 break;
1601 #ifdef DEVELOPER
1602 case PI_ECHO:
1603 echo_get_pipe_fns( &cmds, &n_cmds );
1604 break;
1605 #endif
1606 case PI_EPM:
1607 epm_get_pipe_fns( &cmds, &n_cmds );
1608 break;
1609 default:
1610 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
1611 }
1612
1613 *fns = cmds;
1614 *n_fns = n_cmds;
1615
1616 return;
1617 }
1618
1619
reg import