search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Correct PPTP server firewall rules chain.
[tomato/davidwu.git] / release / src / router / samba / source / rpc_server / srv_pipe.c
blobbbf8e5424325177d2aa1155b782319bfefe9f7b9
1 /*
2 * Unix SMB/Netbios implementation.
3 * Version 1.9.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42 #include "nterr.h"
43
44 extern int DEBUGLEVEL;
45
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 {
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
51 int ind;
52
53 for( ind = 0; ind < len; ind++) {
54 unsigned char tc;
55 unsigned char t;
56
57 index_i++;
58 index_j += hash[index_i];
59
60 tc = hash[index_i];
61 hash[index_i] = hash[index_j];
62 hash[index_j] = tc;
63
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
66 }
67
68 hash[256] = index_i;
69 hash[257] = index_j;
70 }
71
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
77
78 BOOL create_next_pdu(pipes_struct *p)
79 {
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
83 uint32 data_len;
84 uint32 data_space_available;
85 uint32 data_len_left;
86 prs_struct outgoing_pdu;
87 char *data;
88 char *data_from;
89 uint32 data_pos;
90
91 /*
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
94 */
95
96 if(p->fault_state) {
97 setup_fault_pdu(p);
98 return True;
99 }
100
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
105
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
109 else
110 p->hdr.flags = 0;
111
112 /*
113 * Work out how much we can fit in a sigle PDU.
114 */
115
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119
120 /*
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
123 */
124
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126
127 /*
128 * Ensure there really is data left to send.
129 */
130
131 if(!data_len_left) {
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 return False;
134 }
135
136 data_len = MIN(data_len_left, data_space_available);
137
138 /*
139 * Set up the alloc hint. This should be the data left to
140 * send.
141 */
142
143 hdr_resp.alloc_hint = data_len_left;
144
145 /*
146 * Set up the header lengths.
147 */
148
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 } else {
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
155 p->hdr.auth_len = 0;
156 }
157
158 /*
159 * Work out if this PDU will be the last.
160 */
161
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
164
165 /*
166 * Init the parse struct to point at the outgoing
167 * data.
168 */
169
170 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 return False;
177 }
178
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 return False;
182 }
183
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
186
187 /* Copy the data into the PDU. */
188 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189
190 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
191 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
192 return False;
193 }
194
195 /*
196 * Set data to point to where we copied the data into.
197 */
198
199 data = prs_data_p(&outgoing_pdu) + data_pos;
200
201 if (p->hdr.auth_len > 0) {
202 uint32 crc32 = 0;
203
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
206
207 if (auth_seal) {
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
210 }
211
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
214
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 return False;
220 }
221 }
222
223 if (auth_verify) {
224 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225 char *auth_data = prs_data_p(&outgoing_pdu);
226
227 p->ntlmssp_seq_num++;
228 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229 crc32, p->ntlmssp_seq_num++);
230 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
233 return False;
234 }
235 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
236 }
237 }
238
239 /*
240 * Setup the counts for this PDU.
241 */
242
243 p->out_data.data_sent_length += data_len;
244 p->out_data.current_pdu_len = p->hdr.frag_len;
245 p->out_data.current_pdu_sent = 0;
246
247 return True;
248 }
249
250 /*******************************************************************
251 Process an NTLMSSP authentication response.
252 If this function succeeds, the user has been authenticated
253 and their domain, name and calling workstation stored in
254 the pipe struct.
255 The initial challenge is stored in p->challenge.
256 *******************************************************************/
257
258 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
259 {
260 uchar lm_owf[24];
261 uchar nt_owf[24];
262 fstring user_name;
263 fstring unix_user_name;
264 fstring domain;
265 fstring wks;
266 BOOL guest_user = False;
267 struct smb_passwd *smb_pass = NULL;
268 struct passwd *pass = NULL;
269 uchar null_smb_passwd[16];
270 uchar *smb_passwd_ptr = NULL;
271
272 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
273
274 memset(p->user_name, '\0', sizeof(p->user_name));
275 memset(p->unix_user_name, '\0', sizeof(p->unix_user_name));
276 memset(p->domain, '\0', sizeof(p->domain));
277 memset(p->wks, '\0', sizeof(p->wks));
278
279 /*
280 * Setup an empty password for a guest user.
281 */
282
283 memset(null_smb_passwd,0,16);
284
285 /*
286 * We always negotiate UNICODE.
287 */
288
289 if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
290 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
291 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
292 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
293 } else {
294 fstrcpy(user_name, ntlmssp_resp->user);
295 fstrcpy(domain, ntlmssp_resp->domain);
296 fstrcpy(wks, ntlmssp_resp->wks);
297 }
298
299 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
300
301 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
302 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
303
304 #ifdef DEBUG_PASSWORD
305 DEBUG(100,("lm, nt owfs, chal\n"));
306 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
307 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
308 dump_data(100, (char *)p->challenge, 8);
309 #endif
310
311 /*
312 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
313 */
314
315 if((strlen(user_name) == 0) &&
316 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
317 {
318 guest_user = True;
319
320 fstrcpy(unix_user_name, lp_guestaccount(-1));
321 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name));
322
323 smb_passwd_ptr = null_smb_passwd;
324
325 } else {
326
327 /*
328 * Pass the user through the NT -> unix user mapping
329 * function.
330 */
331
332 fstrcpy(unix_user_name, user_name);
333 (void)map_username(unix_user_name);
334
335 /*
336 * Do the length checking only if user is not NULL.
337 */
338
339 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
340 return False;
341 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
342 return False;
343 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
344 return False;
345 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
346 return False;
347 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
348 return False;
349
350 }
351
352 /*
353 * Find the user in the unix password db.
354 */
355
356 if(!(pass = Get_Pwnam(unix_user_name,True))) {
357 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name));
358 return(False);
359 }
360
361 if(!guest_user) {
362
363 become_root(True);
364
365 if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain,
366 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name ));
369 unbecome_root(True);
370 return False;
371 }
372
373 if(!(smb_pass = getsmbpwnam(unix_user_name))) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
375 unix_user_name));
376 unbecome_root(True);
377 return False;
378 }
379
380 unbecome_root(True);
381
382 if (smb_pass == NULL) {
383 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
384 unix_user_name));
385 return(False);
386 }
387
388 /* Quit if the account was disabled. */
389 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
390 DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name));
391 return(False);
392 }
393
394 if(!smb_pass->smb_nt_passwd) {
395 DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name));
396 return(False);
397 }
398
399 smb_passwd_ptr = smb_pass->smb_passwd;
400 }
401
402 /*
403 * Set up the sign/seal data.
404 */
405
406 {
407 uchar p24[24];
408 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
409 {
410 unsigned char j = 0;
411 int ind;
412
413 unsigned char k2[8];
414
415 memcpy(k2, p24, 5);
416 k2[5] = 0xe5;
417 k2[6] = 0x38;
418 k2[7] = 0xb0;
419
420 for (ind = 0; ind < 256; ind++)
421 p->ntlmssp_hash[ind] = (unsigned char)ind;
422
423 for( ind = 0; ind < 256; ind++) {
424 unsigned char tc;
425
426 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
427
428 tc = p->ntlmssp_hash[ind];
429 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
430 p->ntlmssp_hash[j] = tc;
431 }
432
433 p->ntlmssp_hash[256] = 0;
434 p->ntlmssp_hash[257] = 0;
435 }
436 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
437 p->ntlmssp_seq_num = 0;
438
439 }
440
441 fstrcpy(p->user_name, user_name);
442 fstrcpy(p->unix_user_name, unix_user_name);
443 fstrcpy(p->domain, domain);
444 fstrcpy(p->wks, wks);
445
446 /*
447 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
448 */
449
450 p->uid = pass->pw_uid;
451 p->gid = pass->pw_gid;
452
453 p->ntlmssp_auth_validated = True;
454 return True;
455 }
456
457 /*******************************************************************
458 The switch table for the pipe names and the functions to handle them.
459 *******************************************************************/
460
461 struct api_cmd
462 {
463 char * pipe_clnt_name;
464 char * pipe_srv_name;
465 BOOL (*fn) (pipes_struct *, prs_struct *);
466 };
467
468 static struct api_cmd api_fd_commands[] =
469 {
470 { "lsarpc", "lsass", api_ntlsa_rpc },
471 { "samr", "lsass", api_samr_rpc },
472 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
473 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
474 { "NETLOGON", "lsass", api_netlog_rpc },
475 #if 1 /* DISABLED_IN_2_0 JRATEST */
476 { "winreg", "winreg", api_reg_rpc },
477 #endif
478 { NULL, NULL, NULL }
479 };
480
481 /*******************************************************************
482 This is the client reply to our challenge for an authenticated
483 bind request. The challenge we sent is in p->challenge.
484 *******************************************************************/
485
486 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
487 {
488 RPC_HDR_AUTHA autha_info;
489 RPC_AUTH_VERIFIER auth_verifier;
490 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
491
492 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
493
494 if (p->hdr.auth_len == 0) {
495 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
496 return False;
497 }
498
499 /*
500 * Decode the authentication verifier response.
501 */
502
503 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
504 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
505 return False;
506 }
507
508 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
509 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
510 (int)autha_info.auth_type, (int)autha_info.auth_level ));
511 return False;
512 }
513
514 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
515 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
516 return False;
517 }
518
519 /*
520 * Ensure this is a NTLMSSP_AUTH packet type.
521 */
522
523 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
524 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
525 return False;
526 }
527
528 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
529 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
530 return False;
531 }
532
533 /*
534 * The following call actually checks the challenge/response data.
535 * for correctness against the given DOMAIN\user name.
536 */
537
538 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
539 return False;
540
541 p->pipe_bound = True
542 ;
543 return True;
544 }
545
546 /*******************************************************************
547 Marshall a bind_nak pdu.
548 *******************************************************************/
549
550 static BOOL setup_bind_nak(pipes_struct *p)
551 {
552 prs_struct outgoing_rpc;
553 RPC_HDR nak_hdr;
554 uint16 zero = 0;
555
556 /* Free any memory in the current return data buffer. */
557 prs_mem_free(&p->out_data.rdata);
558
559 /*
560 * Marshall directly into the outgoing PDU space. We
561 * must do this as we need to set to the bind response
562 * header and are never sending more than one PDU here.
563 */
564
565 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
566 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
567
568
569 /*
570 * Initialize a bind_nak header.
571 */
572
573 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
574 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
575
576 /*
577 * Marshall the header into the outgoing PDU.
578 */
579
580 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
581 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
582 return False;
583 }
584
585 /*
586 * Now add the reject reason.
587 */
588
589 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero))
590 return False;
591
592 p->out_data.data_sent_length = 0;
593 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
594 p->out_data.current_pdu_sent = 0;
595
596 p->pipe_bound = False;
597
598 return True;
599 }
600
601 /*******************************************************************
602 Marshall a fault pdu.
603 *******************************************************************/
604
605 BOOL setup_fault_pdu(pipes_struct *p)
606 {
607 prs_struct outgoing_pdu;
608 RPC_HDR fault_hdr;
609 RPC_HDR_RESP hdr_resp;
610 RPC_HDR_FAULT fault_resp;
611
612 /* Free any memory in the current return data buffer. */
613 prs_mem_free(&p->out_data.rdata);
614
615 /*
616 * Marshall directly into the outgoing PDU space. We
617 * must do this as we need to set to the bind response
618 * header and are never sending more than one PDU here.
619 */
620
621 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
622 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
623
624 /*
625 * Initialize a fault header.
626 */
627
628 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
629 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
630
631 /*
632 * Initialize the HDR_RESP and FAULT parts of the PDU.
633 */
634
635 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
636
637 fault_resp.status = 0x1c010002;
638 fault_resp.reserved = 0;
639
640 /*
641 * Marshall the header into the outgoing PDU.
642 */
643
644 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
645 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
646 return False;
647 }
648
649 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
650 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
651 return False;
652 }
653
654 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
655 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
656 return False;
657 }
658
659 p->out_data.data_sent_length = 0;
660 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
661 p->out_data.current_pdu_sent = 0;
662
663 return True;
664 }
665
666 /*******************************************************************
667 Respond to a pipe bind request.
668 *******************************************************************/
669
670 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
671 {
672 RPC_HDR_BA hdr_ba;
673 RPC_HDR_RB hdr_rb;
674 RPC_HDR_AUTH auth_info;
675 uint16 assoc_gid;
676 fstring ack_pipe_name;
677 prs_struct out_hdr_ba;
678 prs_struct out_auth;
679 prs_struct outgoing_rpc;
680 int i = 0;
681 int auth_len = 0;
682 enum RPC_PKT_TYPE reply_pkt_type;
683
684 p->ntlmssp_auth_requested = False;
685
686 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
687
688 /*
689 * Try and find the correct pipe name to ensure
690 * that this is a pipe name we support.
691 */
692
693 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
694 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
695 api_fd_commands[i].fn != NULL) {
696 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
697 api_fd_commands[i].pipe_clnt_name,
698 api_fd_commands[i].pipe_srv_name));
699 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
700 break;
701 }
702 }
703
704 if (api_fd_commands[i].fn == NULL) {
705 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
706 p->name ));
707 if(!setup_bind_nak(p))
708 return False;
709 return True;
710 }
711
712 /* decode the bind request */
713 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
714 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
715 return False;
716 }
717
718 /*
719 * Check if this is an authenticated request.
720 */
721
722 if (p->hdr.auth_len != 0) {
723 RPC_AUTH_VERIFIER auth_verifier;
724 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
725
726 /*
727 * Decode the authentication verifier.
728 */
729
730 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
731 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
732 return False;
733 }
734
735 /*
736 * We only support NTLMSSP_AUTH_TYPE requests.
737 */
738
739 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
740 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
741 auth_info.auth_type ));
742 return False;
743 }
744
745 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
746 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
747 return False;
748 }
749
750 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
751 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
752 return False;
753 }
754
755 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
756 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
757 auth_verifier.msg_type));
758 return False;
759 }
760
761 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
762 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
763 return False;
764 }
765
766 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
767 p->ntlmssp_auth_requested = True;
768 }
769
770 switch(p->hdr.pkt_type) {
771 case RPC_BIND:
772 /* name has to be \PIPE\xxxxx */
773 fstrcpy(ack_pipe_name, "\\PIPE\\");
774 fstrcat(ack_pipe_name, p->pipe_srv_name);
775 reply_pkt_type = RPC_BINDACK;
776 break;
777 case RPC_ALTCONT:
778 /* secondary address CAN be NULL
779 * as the specs say it's ignored.
780 * It MUST NULL to have the spoolss working.
781 */
782 fstrcpy(ack_pipe_name,"");
783 reply_pkt_type = RPC_ALTCONTRESP;
784 break;
785 default:
786 return False;
787 }
788
789 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
790
791 /*
792 * Marshall directly into the outgoing PDU space. We
793 * must do this as we need to set to the bind response
794 * header and are never sending more than one PDU here.
795 */
796
797 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
798 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
799
800 /*
801 * Setup the memory to marshall the ba header, and the
802 * auth footers.
803 */
804
805 if(!prs_init(&out_hdr_ba, 1024, 4, MARSHALL)) {
806 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
807 return False;
808 }
809
810 if(!prs_init(&out_auth, 1024, 4, MARSHALL)) {
811 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
812 prs_mem_free(&out_hdr_ba);
813 return False;
814 }
815
816 if (p->ntlmssp_auth_requested)
817 assoc_gid = 0x7a77;
818 else
819 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
820
821 /*
822 * Create the bind response struct.
823 */
824
825 init_rpc_hdr_ba(&hdr_ba,
826 MAX_PDU_FRAG_LEN,
827 MAX_PDU_FRAG_LEN,
828 assoc_gid,
829 ack_pipe_name,
830 0x1, 0x0, 0x0,
831 &hdr_rb.transfer);
832
833 /*
834 * and marshall it.
835 */
836
837 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
838 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
839 goto err_exit;
840 }
841
842 /*
843 * Now the authentication.
844 */
845
846 if (p->ntlmssp_auth_requested) {
847 RPC_AUTH_VERIFIER auth_verifier;
848 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
849
850 generate_random_buffer(p->challenge, 8, False);
851
852 /*** Authentication info ***/
853
854 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
855 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
856 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
857 goto err_exit;
858 }
859
860 /*** NTLMSSP verifier ***/
861
862 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
863 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
864 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
865 goto err_exit;
866 }
867
868 /* NTLMSSP challenge ***/
869
870 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
871 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
872 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
873 goto err_exit;
874 }
875
876 /* Auth len in the rpc header doesn't include auth_header. */
877 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
878 }
879
880 /*
881 * Create the header, now we know the length.
882 */
883
884 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
885 p->hdr.call_id,
886 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
887 auth_len);
888
889 /*
890 * Marshall the header into the outgoing PDU.
891 */
892
893 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
894 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
895 goto err_exit;
896 }
897
898 /*
899 * Now add the RPC_HDR_BA and any auth needed.
900 */
901
902 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
903 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
904 goto err_exit;
905 }
906
907 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
908 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
909 goto err_exit;
910 }
911
912 if(!p->ntlmssp_auth_requested)
913 p->pipe_bound = True;
914
915 /*
916 * Setup the lengths for the initial reply.
917 */
918
919 p->out_data.data_sent_length = 0;
920 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
921 p->out_data.current_pdu_sent = 0;
922
923 prs_mem_free(&out_hdr_ba);
924 prs_mem_free(&out_auth);
925
926 return True;
927
928 err_exit:
929
930 prs_mem_free(&out_hdr_ba);
931 prs_mem_free(&out_auth);
932 return False;
933 }
934
935 /****************************************************************************
936 Deal with sign & seal processing on an RPC request.
937 ****************************************************************************/
938
939 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
940 {
941 /*
942 * We always negotiate the following two bits....
943 */
944 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
945 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
946 int data_len;
947 int auth_len;
948 uint32 old_offset;
949 uint32 crc32 = 0;
950
951 auth_len = p->hdr.auth_len;
952
953 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
954 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
955 return False;
956 }
957
958 /*
959 * The following is that length of the data we must verify or unseal.
960 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
961 * preceeding the auth_data.
962 */
963
964 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
965 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
966
967 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
968 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
969
970 if (auth_seal) {
971 /*
972 * The data in rpc_in doesn't contain the RPC_HEADER as this
973 * has already been consumed.
974 */
975 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
976 NTLMSSPcalc_p(p, (uchar*)data, data_len);
977 crc32 = crc32_calc_buffer(data, data_len);
978 }
979
980 old_offset = prs_offset(rpc_in);
981
982 if (auth_seal || auth_verify) {
983 RPC_HDR_AUTH auth_info;
984
985 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
986 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
987 (unsigned int)old_offset + data_len ));
988 return False;
989 }
990
991 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
992 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
993 return False;
994 }
995 }
996
997 if (auth_verify) {
998 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
999 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1000
1001 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1002
1003 /*
1004 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1005 * incoming buffer.
1006 */
1007 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1008 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1009 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1010 return False;
1011 }
1012
1013 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1014 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1015 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1016 return False;
1017 }
1018
1019 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1020 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1021 return False;
1022 }
1023 }
1024
1025 /*
1026 * Return the current pointer to the data offset.
1027 */
1028
1029 if(!prs_set_offset(rpc_in, old_offset)) {
1030 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1031 (unsigned int)old_offset ));
1032 return False;
1033 }
1034
1035 return True;
1036 }
1037
1038 /****************************************************************************
1039 Find the correct RPC function to call for this request.
1040 If the pipe is authenticated then become the correct UNIX user
1041 before doing the call.
1042 ****************************************************************************/
1043
1044 BOOL api_pipe_request(pipes_struct *p)
1045 {
1046 int i = 0;
1047 BOOL ret = False;
1048 BOOL changed_user_id = False;
1049
1050 if (p->ntlmssp_auth_validated) {
1051
1052 if(!become_authenticated_pipe_user(p)) {
1053 prs_mem_free(&p->out_data.rdata);
1054 return False;
1055 }
1056
1057 changed_user_id = True;
1058 }
1059
1060 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1061 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1062 api_fd_commands[i].fn != NULL) {
1063 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1064 ret = api_fd_commands[i].fn(p, &p->in_data.data);
1065 }
1066 }
1067
1068 if(changed_user_id)
1069 unbecome_authenticated_pipe_user(p);
1070
1071 return ret;
1072 }
1073
1074 /*******************************************************************
1075 Calls the underlying RPC function for a named pipe.
1076 ********************************************************************/
1077
1078 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
1079 prs_struct *rpc_in)
1080 {
1081 int fn_num;
1082
1083 /* interpret the command */
1084 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1085
1086 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1087 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1088 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1089 break;
1090 }
1091 }
1092
1093 if (api_rpc_cmds[fn_num].name == NULL) {
1094 /*
1095 * For an unknown RPC just return a fault PDU but
1096 * return True to allow RPC's on the pipe to continue
1097 * and not put the pipe into fault state. JRA.
1098 */
1099 DEBUG(4, ("unknown\n"));
1100 setup_fault_pdu(p);
1101 return True;
1102 }
1103
1104 /* do the actual command */
1105 if(!api_rpc_cmds[fn_num].fn(p->vuid, rpc_in, &p->out_data.rdata)) {
1106 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1107 prs_mem_free(&p->out_data.rdata);
1108 return False;
1109 }
1110
1111 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1112
1113 return True;
1114 }