search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
More code to store ACEs and SIDs. I have almost enough to start testing
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blobb09058629af043b09a7e489936243f979e33c413
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_RPC_SRV
45
46 /*************************************************************
47 HACK Alert!
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
52
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
54 {
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
58 int ind;
59
60 for( ind = 0; ind < len; ind++) {
61 unsigned char tc;
62 unsigned char t;
63
64 index_i++;
65 index_j += hash[index_i];
66
67 tc = hash[index_i];
68 hash[index_i] = hash[index_j];
69 hash[index_j] = tc;
70
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
73 }
74
75 hash[256] = index_i;
76 hash[257] = index_j;
77 }
78
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
84
85 BOOL create_next_pdu(pipes_struct *p)
86 {
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
90 uint32 data_len;
91 uint32 data_space_available;
92 uint32 data_len_left;
93 prs_struct outgoing_pdu;
94 uint32 data_pos;
95
96 /*
97 * If we're in the fault state, keep returning fault PDU's until
98 * the pipe gets closed. JRA.
99 */
100
101 if(p->fault_state) {
102 setup_fault_pdu(p, NT_STATUS(0x1c010002));
103 return True;
104 }
105
106 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
107
108 /* Change the incoming request header to a response. */
109 p->hdr.pkt_type = RPC_RESPONSE;
110
111 /* Set up rpc header flags. */
112 if (p->out_data.data_sent_length == 0)
113 p->hdr.flags = RPC_FLG_FIRST;
114 else
115 p->hdr.flags = 0;
116
117 /*
118 * Work out how much we can fit in a single PDU.
119 */
120
121 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
122 if(p->ntlmssp_auth_validated)
123 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
124
125 if(p->netsec_auth_validated)
126 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
127
128 /*
129 * The amount we send is the minimum of the available
130 * space and the amount left to send.
131 */
132
133 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
134
135 /*
136 * Ensure there really is data left to send.
137 */
138
139 if(!data_len_left) {
140 DEBUG(0,("create_next_pdu: no data left to send !\n"));
141 return False;
142 }
143
144 data_len = MIN(data_len_left, data_space_available);
145
146 /*
147 * Set up the alloc hint. This should be the data left to
148 * send.
149 */
150
151 hdr_resp.alloc_hint = data_len_left;
152
153 /*
154 * Set up the header lengths.
155 */
156
157 if (p->ntlmssp_auth_validated) {
158 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
159 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
160 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
161 } else if (p->netsec_auth_validated) {
162 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
163 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
164 p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
165 } else {
166 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
167 p->hdr.auth_len = 0;
168 }
169
170 /*
171 * Work out if this PDU will be the last.
172 */
173
174 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
175 p->hdr.flags |= RPC_FLG_LAST;
176
177 /*
178 * Init the parse struct to point at the outgoing
179 * data.
180 */
181
182 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
183 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
184
185 /* Store the header in the data stream. */
186 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
187 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
188 prs_mem_free(&outgoing_pdu);
189 return False;
190 }
191
192 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
193 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
194 prs_mem_free(&outgoing_pdu);
195 return False;
196 }
197
198 /* Store the current offset. */
199 data_pos = prs_offset(&outgoing_pdu);
200
201 /* Copy the data into the PDU. */
202
203 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
204 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
205 prs_mem_free(&outgoing_pdu);
206 return False;
207 }
208
209 if (p->ntlmssp_auth_validated) {
210 uint32 crc32 = 0;
211 char *data;
212
213 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
214 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
215
216 /*
217 * Set data to point to where we copied the data into.
218 */
219
220 data = prs_data_p(&outgoing_pdu) + data_pos;
221
222 if (auth_seal) {
223 crc32 = crc32_calc_buffer(data, data_len);
224 NTLMSSPcalc_p(p, (uchar*)data, data_len);
225 }
226
227 if (auth_seal || auth_verify) {
228 RPC_HDR_AUTH auth_info;
229
230 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
231 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
234 prs_mem_free(&outgoing_pdu);
235 return False;
236 }
237 }
238
239 if (auth_verify) {
240 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
241 char *auth_data = prs_data_p(&outgoing_pdu);
242
243 p->ntlmssp_seq_num++;
244 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
245 crc32, p->ntlmssp_seq_num++);
246 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
247 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
248 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
249 prs_mem_free(&outgoing_pdu);
250 return False;
251 }
252 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
253 }
254 }
255
256 if (p->netsec_auth_validated) {
257 char *data;
258 RPC_HDR_AUTH auth_info;
259 static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
260 static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
261
262 RPC_AUTH_NETSEC_CHK verf;
263 prs_struct rverf;
264 prs_struct rauth;
265
266 uchar sign[8];
267
268 data = prs_data_p(&outgoing_pdu) + data_pos;
269
270 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
271 RPC_HDR_AUTH_LEN, 1);
272
273 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
274 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
275 prs_mem_free(&outgoing_pdu);
276 return False;
277 }
278
279 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
280 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
281
282 if ((p->netsec_auth.seq_num & 1) == 0) {
283 DEBUG(0,("SCHANNEL ERROR: seq_num must be odd in server! (seq_num=%d)\n",
284 p->netsec_auth.seq_num));
285 }
286
287 RSIVAL(sign, 0, p->netsec_auth.seq_num);
288 SIVAL(sign, 4, 0);
289
290 init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes, sign, nullbytes);
291
292 netsec_encode(&p->netsec_auth, &verf, data, data_len);
293
294 smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
295
296 p->netsec_auth.seq_num++;
297 }
298
299 /*
300 * Setup the counts for this PDU.
301 */
302
303 p->out_data.data_sent_length += data_len;
304 p->out_data.current_pdu_len = p->hdr.frag_len;
305 p->out_data.current_pdu_sent = 0;
306
307 prs_mem_free(&outgoing_pdu);
308 return True;
309 }
310
311 /*******************************************************************
312 Process an NTLMSSP authentication response.
313 If this function succeeds, the user has been authenticated
314 and their domain, name and calling workstation stored in
315 the pipe struct.
316 The initial challenge is stored in p->challenge.
317 *******************************************************************/
318
319 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
320 {
321 uchar lm_owf[24];
322 uchar nt_owf[128];
323 int nt_pw_len;
324 int lm_pw_len;
325 fstring user_name;
326 fstring domain;
327 fstring wks;
328
329 NTSTATUS nt_status;
330
331 struct auth_context *auth_context = NULL;
332 auth_usersupplied_info *user_info = NULL;
333 auth_serversupplied_info *server_info = NULL;
334
335 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
336
337 memset(p->user_name, '\0', sizeof(p->user_name));
338 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
339 memset(p->domain, '\0', sizeof(p->domain));
340 memset(p->wks, '\0', sizeof(p->wks));
341
342 /* Set up for non-authenticated user. */
343 delete_nt_token(&p->pipe_user.nt_user_token);
344 p->pipe_user.ngroups = 0;
345 SAFE_FREE( p->pipe_user.groups);
346
347 /*
348 * Setup an empty password for a guest user.
349 */
350
351 /*
352 * We always negotiate UNICODE.
353 */
354
355 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
356 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
357 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
358 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
359 } else {
360 pull_ascii_fstring(user_name, ntlmssp_resp->user);
361 pull_ascii_fstring(domain, ntlmssp_resp->domain);
362 pull_ascii_fstring(wks, ntlmssp_resp->wks);
363 }
364
365 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
366
367 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
368 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
369
370 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
371 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
372
373 #ifdef DEBUG_PASSWORD
374 DEBUG(100,("lm, nt owfs, chal\n"));
375 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
376 dump_data(100, (char *)nt_owf, nt_pw_len);
377 dump_data(100, (char *)p->challenge, 8);
378 #endif
379
380 /*
381 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
382 */
383
384 if (*user_name) {
385
386 /*
387 * Do the length checking only if user is not NULL.
388 */
389
390 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
391 return False;
392 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
393 return False;
394 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
395 return False;
396 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
397 return False;
398 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
399 return False;
400
401 }
402
403 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
404
405 if (!make_user_info_netlogon_network(&user_info,
406 user_name, domain, wks,
407 lm_owf, lm_pw_len,
408 nt_owf, nt_pw_len)) {
409 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
410 return False;
411 }
412
413 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
414
415 (auth_context->free)(&auth_context);
416 free_user_info(&user_info);
417
418 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
419
420 if (!p->ntlmssp_auth_validated) {
421 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
422 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
423 free_server_info(&server_info);
424 return False;
425 }
426
427 /*
428 * Set up the sign/seal data.
429 */
430
431 {
432 uchar p24[24];
433 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
434 {
435 unsigned char j = 0;
436 int ind;
437
438 unsigned char k2[8];
439
440 memcpy(k2, p24, 5);
441 k2[5] = 0xe5;
442 k2[6] = 0x38;
443 k2[7] = 0xb0;
444
445 for (ind = 0; ind < 256; ind++)
446 p->ntlmssp_hash[ind] = (unsigned char)ind;
447
448 for( ind = 0; ind < 256; ind++) {
449 unsigned char tc;
450
451 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
452
453 tc = p->ntlmssp_hash[ind];
454 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
455 p->ntlmssp_hash[j] = tc;
456 }
457
458 p->ntlmssp_hash[256] = 0;
459 p->ntlmssp_hash[257] = 0;
460 }
461 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
462 p->ntlmssp_seq_num = 0;
463
464 }
465
466 fstrcpy(p->user_name, user_name);
467 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
468 fstrcpy(p->domain, domain);
469 fstrcpy(p->wks, wks);
470
471 /*
472 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
473 */
474
475 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
476 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
477 free_server_info(&server_info);
478 return False;
479 }
480
481 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
482
483 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
484 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
485
486 p->pipe_user.ngroups = server_info->n_groups;
487 if (p->pipe_user.ngroups) {
488 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
489 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
490 free_server_info(&server_info);
491 return False;
492 }
493 }
494
495 if (server_info->ptok)
496 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
497 else {
498 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
499 p->pipe_user.nt_user_token = NULL;
500 free_server_info(&server_info);
501 return False;
502 }
503
504 p->ntlmssp_auth_validated = True;
505
506 free_server_info(&server_info);
507 return True;
508 }
509
510 /*******************************************************************
511 The switch table for the pipe names and the functions to handle them.
512 *******************************************************************/
513
514 struct rpc_table
515 {
516 struct
517 {
518 const char *clnt;
519 const char *srv;
520 } pipe;
521 struct api_struct *cmds;
522 int n_cmds;
523 };
524
525 static struct rpc_table *rpc_lookup;
526 static int rpc_lookup_size;
527
528 /*******************************************************************
529 This is the client reply to our challenge for an authenticated
530 bind request. The challenge we sent is in p->challenge.
531 *******************************************************************/
532
533 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
534 {
535 RPC_HDR_AUTHA autha_info;
536 RPC_AUTH_VERIFIER auth_verifier;
537 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
538
539 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
540
541 if (p->hdr.auth_len == 0) {
542 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
543 return False;
544 }
545
546 /*
547 * Decode the authentication verifier response.
548 */
549
550 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
551 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
552 return False;
553 }
554
555 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
556 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
557 (int)autha_info.auth_type, (int)autha_info.auth_level ));
558 return False;
559 }
560
561 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
562 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
563 return False;
564 }
565
566 /*
567 * Ensure this is a NTLMSSP_AUTH packet type.
568 */
569
570 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
571 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
572 return False;
573 }
574
575 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
576 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
577 return False;
578 }
579
580 /*
581 * The following call actually checks the challenge/response data.
582 * for correctness against the given DOMAIN\user name.
583 */
584
585 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
586 return False;
587
588 p->pipe_bound = True
589 ;
590 return True;
591 }
592
593 /*******************************************************************
594 Marshall a bind_nak pdu.
595 *******************************************************************/
596
597 static BOOL setup_bind_nak(pipes_struct *p)
598 {
599 prs_struct outgoing_rpc;
600 RPC_HDR nak_hdr;
601 uint16 zero = 0;
602
603 /* Free any memory in the current return data buffer. */
604 prs_mem_free(&p->out_data.rdata);
605
606 /*
607 * Marshall directly into the outgoing PDU space. We
608 * must do this as we need to set to the bind response
609 * header and are never sending more than one PDU here.
610 */
611
612 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
613 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
614
615
616 /*
617 * Initialize a bind_nak header.
618 */
619
620 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
621 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
622
623 /*
624 * Marshall the header into the outgoing PDU.
625 */
626
627 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
628 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
629 prs_mem_free(&outgoing_rpc);
630 return False;
631 }
632
633 /*
634 * Now add the reject reason.
635 */
636
637 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
638 prs_mem_free(&outgoing_rpc);
639 return False;
640 }
641
642 p->out_data.data_sent_length = 0;
643 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
644 p->out_data.current_pdu_sent = 0;
645
646 p->pipe_bound = False;
647
648 return True;
649 }
650
651 /*******************************************************************
652 Marshall a fault pdu.
653 *******************************************************************/
654
655 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
656 {
657 prs_struct outgoing_pdu;
658 RPC_HDR fault_hdr;
659 RPC_HDR_RESP hdr_resp;
660 RPC_HDR_FAULT fault_resp;
661
662 /* Free any memory in the current return data buffer. */
663 prs_mem_free(&p->out_data.rdata);
664
665 /*
666 * Marshall directly into the outgoing PDU space. We
667 * must do this as we need to set to the bind response
668 * header and are never sending more than one PDU here.
669 */
670
671 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
672 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
673
674 /*
675 * Initialize a fault header.
676 */
677
678 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
679 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
680
681 /*
682 * Initialize the HDR_RESP and FAULT parts of the PDU.
683 */
684
685 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
686
687 fault_resp.status = status;
688 fault_resp.reserved = 0;
689
690 /*
691 * Marshall the header into the outgoing PDU.
692 */
693
694 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
695 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
696 prs_mem_free(&outgoing_pdu);
697 return False;
698 }
699
700 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
701 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
702 prs_mem_free(&outgoing_pdu);
703 return False;
704 }
705
706 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
707 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
708 prs_mem_free(&outgoing_pdu);
709 return False;
710 }
711
712 p->out_data.data_sent_length = 0;
713 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
714 p->out_data.current_pdu_sent = 0;
715
716 prs_mem_free(&outgoing_pdu);
717 return True;
718 }
719
720 /*******************************************************************
721 Ensure a bind request has the correct abstract & transfer interface.
722 Used to reject unknown binds from Win2k.
723 *******************************************************************/
724
725 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
726 RPC_IFACE* transfer)
727 {
728 extern struct pipe_id_info pipe_names[];
729 int i=0;
730 fstring pname;
731 fstrcpy(pname,"\\PIPE\\");
732 fstrcat(pname,pipe_name);
733
734 DEBUG(3,("check_bind_req for %s\n", pname));
735
736 #ifndef SUPPORT_NEW_LSARPC_UUID
737
738 /* check for the first pipe matching the name */
739
740 for ( i=0; pipe_names[i].client_pipe; i++ ) {
741 if ( strequal(pipe_names[i].client_pipe, pname) )
742 break;
743 }
744 #else
745 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
746
747 for ( i=0; pipe_names[i].client_pipe; i++ )
748 {
749 if ( strequal(pipe_names[i].client_pipe, pname)
750 && (abstract->version == pipe_names[i].abstr_syntax.version)
751 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
752 && (transfer->version == pipe_names[i].trans_syntax.version)
753 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
754 {
755 break;
756 }
757 }
758 #endif
759
760 if(pipe_names[i].client_pipe == NULL)
761 return False;
762
763 #ifndef SUPPORT_NEW_LSARPC_UUID
764 /* check the abstract interface */
765 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
766 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
767 {
768 return False;
769 }
770
771 /* check the transfer interface */
772 if ( (transfer->version != pipe_names[i].trans_syntax.version)
773 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
774 {
775 return False;
776 }
777 #endif
778 return True;
779 }
780
781 /*******************************************************************
782 Register commands to an RPC pipe
783 *******************************************************************/
784 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
785 {
786 struct rpc_table *rpc_entry;
787
788
789 /* We use a temporary variable because this call can fail and
790 rpc_lookup will still be valid afterwards. It could then succeed if
791 called again later */
792 rpc_entry = realloc(rpc_lookup,
793 ++rpc_lookup_size*sizeof(struct rpc_table));
794 if (NULL == rpc_entry) {
795 rpc_lookup_size--;
796 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
797 return 0;
798 } else {
799 rpc_lookup = rpc_entry;
800 }
801
802 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
803 ZERO_STRUCTP(rpc_entry);
804 rpc_entry->pipe.clnt = strdup(clnt);
805 rpc_entry->pipe.srv = strdup(srv);
806 rpc_entry->cmds = realloc(rpc_entry->cmds,
807 (rpc_entry->n_cmds + size) *
808 sizeof(struct api_struct));
809 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
810 size * sizeof(struct api_struct));
811 rpc_entry->n_cmds += size;
812
813 return size;
814 }
815
816 /*******************************************************************
817 Respond to a pipe bind request.
818 *******************************************************************/
819
820 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
821 {
822 RPC_HDR_BA hdr_ba;
823 RPC_HDR_RB hdr_rb;
824 RPC_HDR_AUTH auth_info;
825 uint16 assoc_gid;
826 fstring ack_pipe_name;
827 prs_struct out_hdr_ba;
828 prs_struct out_auth;
829 prs_struct outgoing_rpc;
830 int i = 0;
831 int auth_len = 0;
832 enum RPC_PKT_TYPE reply_pkt_type;
833
834 p->ntlmssp_auth_requested = False;
835 p->netsec_auth_validated = False;
836
837 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
838
839 /*
840 * Try and find the correct pipe name to ensure
841 * that this is a pipe name we support.
842 */
843
844
845 for (i = 0; i < rpc_lookup_size; i++) {
846 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
847 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
848 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
849 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
850 break;
851 }
852 }
853
854 if (i == rpc_lookup_size) {
855 if (!smb_probe_module("rpc", p->name)) {
856 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
857 p->name ));
858 if(!setup_bind_nak(p))
859 return False;
860 return True;
861 }
862
863 for (i = 0; i < rpc_lookup_size; i++) {
864 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
865 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
866 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
867 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
868 break;
869 }
870 }
871
872 if (i == rpc_lookup_size) {
873 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
874 return False;
875 }
876 }
877
878 /* decode the bind request */
879 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
880 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
881 return False;
882 }
883
884 /*
885 * Check if this is an authenticated request.
886 */
887
888 if (p->hdr.auth_len != 0) {
889 RPC_AUTH_VERIFIER auth_verifier;
890 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
891
892 /*
893 * Decode the authentication verifier.
894 */
895
896 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
897 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
898 return False;
899 }
900
901 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
902
903 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
904 DEBUG(0,("api_pipe_bind_req: unable to "
905 "unmarshall RPC_HDR_AUTH struct.\n"));
906 return False;
907 }
908
909 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
910 DEBUG(0,("api_pipe_bind_req: "
911 "auth_verifier.signature != NTLMSSP\n"));
912 return False;
913 }
914
915 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
916 DEBUG(0,("api_pipe_bind_req: "
917 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
918 auth_verifier.msg_type));
919 return False;
920 }
921
922 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
923 DEBUG(0,("api_pipe_bind_req: "
924 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
925 return False;
926 }
927
928 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
929 p->ntlmssp_auth_requested = True;
930
931 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
932
933 RPC_AUTH_NETSEC_NEG neg;
934 struct netsec_auth_struct *a = &(p->netsec_auth);
935
936 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
937 DEBUG(0,("api_pipe_bind_req: "
938 "Could not unmarshal SCHANNEL auth neg\n"));
939 return False;
940 }
941
942 p->netsec_auth_validated = True;
943
944 memset(a->sess_key, 0, sizeof(a->sess_key));
945 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
946
947 a->seq_num = 0;
948
949 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
950 neg.domain, neg.myname));
951
952 } else {
953 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
954 auth_info.auth_type ));
955 return False;
956 }
957 }
958
959 switch(p->hdr.pkt_type) {
960 case RPC_BIND:
961 /* name has to be \PIPE\xxxxx */
962 fstrcpy(ack_pipe_name, "\\PIPE\\");
963 fstrcat(ack_pipe_name, p->pipe_srv_name);
964 reply_pkt_type = RPC_BINDACK;
965 break;
966 case RPC_ALTCONT:
967 /* secondary address CAN be NULL
968 * as the specs say it's ignored.
969 * It MUST NULL to have the spoolss working.
970 */
971 fstrcpy(ack_pipe_name,"");
972 reply_pkt_type = RPC_ALTCONTRESP;
973 break;
974 default:
975 return False;
976 }
977
978 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
979
980 /*
981 * Marshall directly into the outgoing PDU space. We
982 * must do this as we need to set to the bind response
983 * header and are never sending more than one PDU here.
984 */
985
986 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
987 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
988
989 /*
990 * Setup the memory to marshall the ba header, and the
991 * auth footers.
992 */
993
994 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
995 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
996 prs_mem_free(&outgoing_rpc);
997 return False;
998 }
999
1000 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1001 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1002 prs_mem_free(&outgoing_rpc);
1003 prs_mem_free(&out_hdr_ba);
1004 return False;
1005 }
1006
1007 if (p->ntlmssp_auth_requested)
1008 assoc_gid = 0x7a77;
1009 else
1010 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1011
1012 /*
1013 * Create the bind response struct.
1014 */
1015
1016 /* If the requested abstract synt uuid doesn't match our client pipe,
1017 reject the bind_ack & set the transfer interface synt to all 0's,
1018 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1019 unknown to NT4)
1020 Needed when adding entries to a DACL from NT5 - SK */
1021
1022 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1023 init_rpc_hdr_ba(&hdr_ba,
1024 MAX_PDU_FRAG_LEN,
1025 MAX_PDU_FRAG_LEN,
1026 assoc_gid,
1027 ack_pipe_name,
1028 0x1, 0x0, 0x0,
1029 &hdr_rb.transfer);
1030 } else {
1031 RPC_IFACE null_interface;
1032 ZERO_STRUCT(null_interface);
1033 /* Rejection reason: abstract syntax not supported */
1034 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1035 MAX_PDU_FRAG_LEN, assoc_gid,
1036 ack_pipe_name, 0x1, 0x2, 0x1,
1037 &null_interface);
1038 }
1039
1040 /*
1041 * and marshall it.
1042 */
1043
1044 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1045 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1046 goto err_exit;
1047 }
1048
1049 /*
1050 * Now the authentication.
1051 */
1052
1053 if (p->ntlmssp_auth_requested) {
1054 RPC_AUTH_VERIFIER auth_verifier;
1055 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1056
1057 generate_random_buffer(p->challenge, 8, False);
1058
1059 /*** Authentication info ***/
1060
1061 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1062 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1063 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1064 goto err_exit;
1065 }
1066
1067 /*** NTLMSSP verifier ***/
1068
1069 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1070 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1071 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1072 goto err_exit;
1073 }
1074
1075 /* NTLMSSP challenge ***/
1076
1077 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1078 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1079 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1080 goto err_exit;
1081 }
1082
1083 /* Auth len in the rpc header doesn't include auth_header. */
1084 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1085 }
1086
1087 if (p->netsec_auth_validated) {
1088 RPC_AUTH_VERIFIER auth_verifier;
1089 uint32 flags;
1090
1091 /* The client opens a second RPC NETLOGON pipe without
1092 doing a auth2. The credentials for the schannel are
1093 re-used from the auth2 the client did before. */
1094 p->dc = last_dcinfo;
1095
1096 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1097 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1098 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1099 goto err_exit;
1100 }
1101
1102 /*** NETSEC verifier ***/
1103
1104 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1105 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1106 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1107 goto err_exit;
1108 }
1109
1110 prs_align(&out_auth);
1111
1112 flags = 5;
1113 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1114 goto err_exit;
1115
1116 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1117 }
1118
1119 /*
1120 * Create the header, now we know the length.
1121 */
1122
1123 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1124 p->hdr.call_id,
1125 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1126 auth_len);
1127
1128 /*
1129 * Marshall the header into the outgoing PDU.
1130 */
1131
1132 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1133 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1134 goto err_exit;
1135 }
1136
1137 /*
1138 * Now add the RPC_HDR_BA and any auth needed.
1139 */
1140
1141 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1142 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1143 goto err_exit;
1144 }
1145
1146 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1147 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1148 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1149 goto err_exit;
1150 }
1151
1152 if(!p->ntlmssp_auth_requested)
1153 p->pipe_bound = True;
1154
1155 /*
1156 * Setup the lengths for the initial reply.
1157 */
1158
1159 p->out_data.data_sent_length = 0;
1160 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1161 p->out_data.current_pdu_sent = 0;
1162
1163 prs_mem_free(&out_hdr_ba);
1164 prs_mem_free(&out_auth);
1165
1166 return True;
1167
1168 err_exit:
1169
1170 prs_mem_free(&outgoing_rpc);
1171 prs_mem_free(&out_hdr_ba);
1172 prs_mem_free(&out_auth);
1173 return False;
1174 }
1175
1176 /****************************************************************************
1177 Deal with sign & seal processing on an RPC request.
1178 ****************************************************************************/
1179
1180 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1181 {
1182 /*
1183 * We always negotiate the following two bits....
1184 */
1185 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1186 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1187 int data_len;
1188 int auth_len;
1189 uint32 old_offset;
1190 uint32 crc32 = 0;
1191
1192 auth_len = p->hdr.auth_len;
1193
1194 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1195 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1196 return False;
1197 }
1198
1199 /*
1200 * The following is that length of the data we must verify or unseal.
1201 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1202 * preceeding the auth_data.
1203 */
1204
1205 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1206 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1207
1208 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1209 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1210
1211 if (auth_seal) {
1212 /*
1213 * The data in rpc_in doesn't contain the RPC_HEADER as this
1214 * has already been consumed.
1215 */
1216 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1217 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1218 crc32 = crc32_calc_buffer(data, data_len);
1219 }
1220
1221 old_offset = prs_offset(rpc_in);
1222
1223 if (auth_seal || auth_verify) {
1224 RPC_HDR_AUTH auth_info;
1225
1226 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1227 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1228 (unsigned int)old_offset + data_len ));
1229 return False;
1230 }
1231
1232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1233 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1234 return False;
1235 }
1236 }
1237
1238 if (auth_verify) {
1239 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1240 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1241
1242 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1243
1244 /*
1245 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1246 * incoming buffer.
1247 */
1248 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1249 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1250 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1251 return False;
1252 }
1253
1254 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1255 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1256 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1257 return False;
1258 }
1259
1260 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1261 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1262 return False;
1263 }
1264 }
1265
1266 /*
1267 * Return the current pointer to the data offset.
1268 */
1269
1270 if(!prs_set_offset(rpc_in, old_offset)) {
1271 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1272 (unsigned int)old_offset ));
1273 return False;
1274 }
1275
1276 return True;
1277 }
1278
1279 /****************************************************************************
1280 Deal with schannel processing on an RPC request.
1281 ****************************************************************************/
1282 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1283 {
1284 /*
1285 * We always negotiate the following two bits....
1286 */
1287 int data_len;
1288 int auth_len;
1289 uint32 old_offset;
1290 RPC_HDR_AUTH auth_info;
1291 RPC_AUTH_NETSEC_CHK netsec_chk;
1292
1293
1294 auth_len = p->hdr.auth_len;
1295
1296 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
1297 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1298 return False;
1299 }
1300
1301 /*
1302 * The following is that length of the data we must verify or unseal.
1303 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1304 * preceeding the auth_data.
1305 */
1306
1307 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1308 RPC_HDR_AUTH_LEN - auth_len;
1309
1310 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1311
1312 old_offset = prs_offset(rpc_in);
1313
1314 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1315 DEBUG(0,("cannot move offset to %u.\n",
1316 (unsigned int)old_offset + data_len ));
1317 return False;
1318 }
1319
1320 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1321 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1322 return False;
1323 }
1324
1325 if ((auth_info.auth_type != NETSEC_AUTH_TYPE) ||
1326 (auth_info.auth_level != NETSEC_AUTH_LEVEL)) {
1327 DEBUG(0,("Invalid auth info %d or level %d on schannel\n",
1328 auth_info.auth_type, auth_info.auth_level));
1329 return False;
1330 }
1331
1332 if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
1333 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1334 return False;
1335 }
1336
1337 if (!netsec_decode(&p->netsec_auth, &netsec_chk,
1338 prs_data_p(rpc_in)+old_offset, data_len)) {
1339 DEBUG(0,("failed to decode PDU\n"));
1340 return False;
1341 }
1342
1343 /*
1344 * Return the current pointer to the data offset.
1345 */
1346
1347 if(!prs_set_offset(rpc_in, old_offset)) {
1348 DEBUG(0,("failed to set offset back to %u\n",
1349 (unsigned int)old_offset ));
1350 return False;
1351 }
1352
1353 /* The sequence number gets incremented on both send and receive. */
1354 p->netsec_auth.seq_num++;
1355
1356 return True;
1357 }
1358
1359 /****************************************************************************
1360 Return a user struct for a pipe user.
1361 ****************************************************************************/
1362
1363 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1364 {
1365 if (p->ntlmssp_auth_validated) {
1366 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1367 } else {
1368 extern struct current_user current_user;
1369 memcpy(user, &current_user, sizeof(struct current_user));
1370 }
1371
1372 return user;
1373 }
1374
1375 /****************************************************************************
1376 Find the correct RPC function to call for this request.
1377 If the pipe is authenticated then become the correct UNIX user
1378 before doing the call.
1379 ****************************************************************************/
1380
1381 BOOL api_pipe_request(pipes_struct *p)
1382 {
1383 int i = 0;
1384 BOOL ret = False;
1385
1386 if (p->ntlmssp_auth_validated) {
1387
1388 if(!become_authenticated_pipe_user(p)) {
1389 prs_mem_free(&p->out_data.rdata);
1390 return False;
1391 }
1392 }
1393
1394 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1395
1396 for (i = 0; i < rpc_lookup_size; i++) {
1397 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1398 DEBUG(3,("Doing \\PIPE\\%s\n",
1399 rpc_lookup[i].pipe.clnt));
1400 set_current_rpc_talloc(p->mem_ctx);
1401 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1402 rpc_lookup[i].cmds,
1403 rpc_lookup[i].n_cmds);
1404 set_current_rpc_talloc(NULL);
1405 break;
1406 }
1407 }
1408
1409
1410 if (i == rpc_lookup_size) {
1411 smb_probe_module("rpc", p->name);
1412
1413 for (i = 0; i < rpc_lookup_size; i++) {
1414 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1415 DEBUG(3,("Doing \\PIPE\\%s\n",
1416 rpc_lookup[i].pipe.clnt));
1417 set_current_rpc_talloc(p->mem_ctx);
1418 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1419 rpc_lookup[i].cmds,
1420 rpc_lookup[i].n_cmds);
1421 set_current_rpc_talloc(NULL);
1422 break;
1423 }
1424 }
1425 }
1426
1427 if(p->ntlmssp_auth_validated)
1428 unbecome_authenticated_pipe_user();
1429
1430 return ret;
1431 }
1432
1433 /*******************************************************************
1434 Calls the underlying RPC function for a named pipe.
1435 ********************************************************************/
1436
1437 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1438 const struct api_struct *api_rpc_cmds, int n_cmds)
1439 {
1440 int fn_num;
1441 fstring name;
1442 uint32 offset1, offset2;
1443
1444 /* interpret the command */
1445 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1446
1447 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1448 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1449
1450 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1451 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1452 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1453 break;
1454 }
1455 }
1456
1457 if (fn_num == n_cmds) {
1458 /*
1459 * For an unknown RPC just return a fault PDU but
1460 * return True to allow RPC's on the pipe to continue
1461 * and not put the pipe into fault state. JRA.
1462 */
1463 DEBUG(4, ("unknown\n"));
1464 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1465 return True;
1466 }
1467
1468 offset1 = prs_offset(&p->out_data.rdata);
1469
1470 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1471 fn_num, api_rpc_cmds[fn_num].fn));
1472 /* do the actual command */
1473 if(!api_rpc_cmds[fn_num].fn(p)) {
1474 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1475 prs_mem_free(&p->out_data.rdata);
1476 return False;
1477 }
1478
1479 if (p->bad_handle_fault_state) {
1480 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1481 p->bad_handle_fault_state = False;
1482 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1483 return True;
1484 }
1485
1486 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1487 offset2 = prs_offset(&p->out_data.rdata);
1488 prs_set_offset(&p->out_data.rdata, offset1);
1489 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1490 prs_set_offset(&p->out_data.rdata, offset2);
1491
1492 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1493
1494 /* Check for buffer underflow in rpc parsing */
1495
1496 if ((DEBUGLEVEL >= 10) &&
1497 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1498 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1499 char *data;
1500
1501 data = malloc(data_len);
1502
1503 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1504 if (data) {
1505 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1506 SAFE_FREE(data);
1507 }
1508
1509 }
1510
1511 return True;
1512 }
reg import