Removed save directory argument to become_root() calls. Probably most of
[samba.git] / source3 / rpc_server / srv_pipe.c
1 #define OLD_NTDOMAIN 1
2 /* 
3  *  Unix SMB/Netbios implementation.
4  *  Version 1.9.
5  *  RPC Pipe client / server routines
6  *  Copyright (C) Andrew Tridgell              1992-1998
7  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8  *  Copyright (C) Paul Ashton                  1997-1998.
9  *  Copyright (C) Jeremy Allison                    1999.
10  *  
11  *  This program is free software; you can redistribute it and/or modify
12  *  it under the terms of the GNU General Public License as published by
13  *  the Free Software Foundation; either version 2 of the License, or
14  *  (at your option) any later version.
15  *  
16  *  This program is distributed in the hope that it will be useful,
17  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
18  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19  *  GNU General Public License for more details.
20  *  
21  *  You should have received a copy of the GNU General Public License
22  *  along with this program; if not, write to the Free Software
23  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24  */
25
26 /*  this module apparently provides an implementation of DCE/RPC over a
27  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
28  *  documentation are available (in on-line form) from the X-Open group.
29  *
30  *  this module should provide a level of abstraction between SMB
31  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
32  *  data copies, and network traffic.
33  *
34  *  in this version, which takes a "let's learn what's going on and
35  *  get something running" approach, there is additional network
36  *  traffic generated, but the code should be easier to understand...
37  *
38  *  ... if you read the docs.  or stare at packets for weeks on end.
39  *
40  */
41
42 #include "includes.h"
43
44 extern int DEBUGLEVEL;
45
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 {
48     unsigned char *hash = p->ntlmssp_hash;
49     unsigned char index_i = hash[256];
50     unsigned char index_j = hash[257];
51     int ind;
52
53     for( ind = 0; ind < len; ind++) {
54         unsigned char tc;
55         unsigned char t;
56
57         index_i++;
58         index_j += hash[index_i];
59
60         tc = hash[index_i];
61         hash[index_i] = hash[index_j];
62         hash[index_j] = tc;
63
64         t = hash[index_i] + hash[index_j];
65         data[ind] = data[ind] ^ hash[t];
66     }
67
68     hash[256] = index_i;
69     hash[257] = index_j;
70 }
71
72 /*******************************************************************
73  Generate the next PDU to be returned from the data in p->rdata. 
74  We cheat here as this function doesn't handle the special auth
75  footers of the authenticated bind response reply.
76  ********************************************************************/
77
78 BOOL create_next_pdu(pipes_struct *p)
79 {
80         RPC_HDR_RESP hdr_resp;
81         BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82         BOOL auth_seal   = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
83         uint32 data_len;
84         uint32 data_space_available;
85         uint32 data_len_left;
86         prs_struct outgoing_pdu;
87         char *data;
88         char *data_from;
89         uint32 data_pos;
90
91         /*
92          * If we're in the fault state, keep returning fault PDU's until
93          * the pipe gets closed. JRA.
94          */
95
96         if(p->fault_state) {
97                 setup_fault_pdu(p);
98                 return True;
99         }
100
101         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102
103         /* Change the incoming request header to a response. */
104         p->hdr.pkt_type = RPC_RESPONSE;
105
106         /* Set up rpc header flags. */
107         if (p->out_data.data_sent_length == 0)
108                 p->hdr.flags = RPC_FLG_FIRST;
109         else
110                 p->hdr.flags = 0;
111
112         /*
113          * Work out how much we can fit in a single PDU.
114          */
115
116         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117         if(p->ntlmssp_auth_validated)
118                 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119
120         /*
121          * The amount we send is the minimum of the available
122          * space and the amount left to send.
123          */
124
125         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126
127         /*
128          * Ensure there really is data left to send.
129          */
130
131         if(!data_len_left) {
132                 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133                 return False;
134         }
135
136         data_len = MIN(data_len_left, data_space_available);
137
138         /*
139          * Set up the alloc hint. This should be the data left to
140          * send.
141          */
142
143         hdr_resp.alloc_hint = data_len_left;
144
145         /*
146          * Set up the header lengths.
147          */
148
149         if (p->ntlmssp_auth_validated) {
150                 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151                                         RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152                 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153         } else {
154                 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
155                 p->hdr.auth_len = 0;
156         }
157
158         /*
159          * Work out if this PDU will be the last.
160          */
161
162         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163                 p->hdr.flags |= RPC_FLG_LAST;
164
165         /*
166          * Init the parse struct to point at the outgoing
167          * data.
168          */
169
170         prs_init( &outgoing_pdu, 0, 4, MARSHALL);
171         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172
173         /* Store the header in the data stream. */
174         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176                 return False;
177         }
178
179         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181                 return False;
182         }
183
184         /* Store the current offset. */
185         data_pos = prs_offset(&outgoing_pdu);
186
187         /* Copy the data into the PDU. */
188         data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189
190         if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
191                 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
192                 return False;
193         }
194
195         /*
196          * Set data to point to where we copied the data into.
197          */
198
199         data = prs_data_p(&outgoing_pdu) + data_pos;
200
201         if (p->hdr.auth_len > 0) {
202                 uint32 crc32 = 0;
203
204                 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205                          BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
206
207                 if (auth_seal) {
208                         crc32 = crc32_calc_buffer(data, data_len);
209                         NTLMSSPcalc_p(p, (uchar*)data, data_len);
210                 }
211
212                 if (auth_seal || auth_verify) {
213                         RPC_HDR_AUTH auth_info;
214
215                         init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 
216                                         (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217                         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218                                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219                                 return False;
220                         }
221                 }
222
223                 if (auth_verify) {
224                         RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225                         char *auth_data = prs_data_p(&outgoing_pdu);
226
227                         p->ntlmssp_seq_num++;
228                         init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229                                         crc32, p->ntlmssp_seq_num++);
230                         auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231                         if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232                                 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
233                                 return False;
234                         }
235                         NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
236                 }
237         }
238
239         /*
240          * Setup the counts for this PDU.
241          */
242
243         p->out_data.data_sent_length += data_len;
244         p->out_data.current_pdu_len = p->hdr.frag_len;
245         p->out_data.current_pdu_sent = 0;
246
247         return True;
248 }
249
250 /*******************************************************************
251  Process an NTLMSSP authentication response.
252  If this function succeeds, the user has been authenticated
253  and their domain, name and calling workstation stored in
254  the pipe struct.
255  The initial challenge is stored in p->challenge.
256  *******************************************************************/
257
258 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
259 {
260         uchar lm_owf[24];
261         uchar nt_owf[24];
262         fstring user_name;
263         fstring unix_user_name;
264         fstring domain;
265         fstring wks;
266         BOOL guest_user = False;
267         struct smb_passwd *smb_pass = NULL;
268         struct passwd *pass = NULL;
269         uchar null_smb_passwd[16];
270         uchar *smb_passwd_ptr = NULL;
271         
272         DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
273
274         memset(p->user_name, '\0', sizeof(p->user_name));
275         memset(p->unix_user_name, '\0', sizeof(p->unix_user_name));
276         memset(p->domain, '\0', sizeof(p->domain));
277         memset(p->wks, '\0', sizeof(p->wks));
278
279         /* 
280          * Setup an empty password for a guest user.
281          */
282
283         memset(null_smb_passwd,0,16);
284
285         /*
286          * We always negotiate UNICODE.
287          */
288
289         if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
290                 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
291                 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
292                 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
293         } else {
294                 fstrcpy(user_name, ntlmssp_resp->user);
295                 fstrcpy(domain, ntlmssp_resp->domain);
296                 fstrcpy(wks, ntlmssp_resp->wks);
297         }
298
299         DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
300
301         memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
302         memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
303
304 #ifdef DEBUG_PASSWORD
305         DEBUG(100,("lm, nt owfs, chal\n"));
306         dump_data(100, (char *)lm_owf, sizeof(lm_owf));
307         dump_data(100, (char *)nt_owf, sizeof(nt_owf));
308         dump_data(100, (char *)p->challenge, 8);
309 #endif
310
311         /*
312          * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
313          */
314
315         if((strlen(user_name) == 0) && 
316            (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
317           {
318                 guest_user = True;
319
320         fstrcpy(unix_user_name, lp_guestaccount(-1));
321                 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name));
322
323                 smb_passwd_ptr = null_smb_passwd;
324
325         } else {
326
327                 /*
328                  * Pass the user through the NT -> unix user mapping
329                  * function.
330                  */
331
332                 fstrcpy(unix_user_name, user_name);
333                 (void)map_username(unix_user_name);
334
335                 /* 
336                  * Do the length checking only if user is not NULL.
337                  */
338
339                 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
340                         return False;
341                 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
342                         return False;
343                 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
344                         return False;
345                 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
346                         return False;
347                 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
348                         return False;
349
350         }
351
352         /*
353          * Find the user in the unix password db.
354          */
355
356         if(!(pass = Get_Pwnam(unix_user_name,True))) {
357                 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name));
358                 return(False);
359         }
360
361         if(!guest_user) {
362
363                 become_root();
364
365                 if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain,
366                                       (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367                         DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name ));
369                         unbecome_root();
370                         return False;
371                 }
372
373                 if(!(smb_pass = getsmbpwnam(unix_user_name))) {
374                         DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
375                                 unix_user_name));
376                         unbecome_root();
377                         return False;
378                 }
379
380                 unbecome_root();
381
382                 if (smb_pass == NULL) {
383                         DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n", 
384                                 unix_user_name));
385                         return(False);
386                 }
387
388                 /* Quit if the account was disabled. */
389                 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
390                         DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name));
391                         return(False);
392                 }
393
394                 if(!smb_pass->smb_nt_passwd) {
395                         DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name));
396                         return(False);
397                 }
398
399                 smb_passwd_ptr = smb_pass->smb_passwd;
400         }
401
402         /*
403          * Set up the sign/seal data.
404          */
405
406         {
407                 uchar p24[24];
408                 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
409                 {
410                         unsigned char j = 0;
411                         int ind;
412
413                         unsigned char k2[8];
414
415                         memcpy(k2, p24, 5);
416                         k2[5] = 0xe5;
417                         k2[6] = 0x38;
418                         k2[7] = 0xb0;
419
420                         for (ind = 0; ind < 256; ind++)
421                                 p->ntlmssp_hash[ind] = (unsigned char)ind;
422
423                         for( ind = 0; ind < 256; ind++) {
424                                 unsigned char tc;
425
426                                 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
427
428                                 tc = p->ntlmssp_hash[ind];
429                                 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
430                                 p->ntlmssp_hash[j] = tc;
431                         }
432
433                         p->ntlmssp_hash[256] = 0;
434                         p->ntlmssp_hash[257] = 0;
435                 }
436 /*              NTLMSSPhash(p->ntlmssp_hash, p24); */
437                 p->ntlmssp_seq_num = 0;
438
439         }
440
441         fstrcpy(p->user_name, user_name);
442         fstrcpy(p->unix_user_name, unix_user_name);
443         fstrcpy(p->domain, domain);
444         fstrcpy(p->wks, wks);
445
446         /*
447          * Store the UNIX credential data (uid/gid pair) in the pipe structure.
448          */
449
450         p->uid = pass->pw_uid;
451         p->gid = pass->pw_gid;
452
453         p->ntlmssp_auth_validated = True;
454         return True;
455 }
456
457 /*******************************************************************
458  The switch table for the pipe names and the functions to handle them.
459  *******************************************************************/
460
461 struct api_cmd
462 {
463   char * pipe_clnt_name;
464   char * pipe_srv_name;
465   BOOL (*fn) (pipes_struct *);
466 };
467
468 static struct api_cmd api_fd_commands[] =
469 {
470     { "lsarpc",   "lsass",   api_ntlsa_rpc },
471     { "samr",     "lsass",   api_samr_rpc },
472     { "srvsvc",   "ntsvcs",  api_srvsvc_rpc },
473     { "wkssvc",   "ntsvcs",  api_wkssvc_rpc },
474     { "NETLOGON", "lsass",   api_netlog_rpc },
475     { "winreg",   "winreg",  api_reg_rpc },
476     { "spoolss",  "spoolss", api_spoolss_rpc },
477 #ifdef WITH_MSDFS
478     { "netdfs",   "netdfs" , api_netdfs_rpc },
479 #endif
480     { NULL,       NULL,      NULL }
481 };
482
483 /*******************************************************************
484  This is the client reply to our challenge for an authenticated 
485  bind request. The challenge we sent is in p->challenge.
486 *******************************************************************/
487
488 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
489 {
490         RPC_HDR_AUTHA autha_info;
491         RPC_AUTH_VERIFIER auth_verifier;
492         RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
493
494         DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
495
496         if (p->hdr.auth_len == 0) {
497                 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
498                 return False;
499         }
500
501         /*
502          * Decode the authentication verifier response.
503          */
504
505         if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
506                 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
507                 return False;
508         }
509
510         if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
511                 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
512                         (int)autha_info.auth_type, (int)autha_info.auth_level ));
513                 return False;
514         }
515
516         if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
517                 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
518                 return False;
519         }
520
521         /*
522          * Ensure this is a NTLMSSP_AUTH packet type.
523          */
524
525         if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
526                 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
527                 return False;
528         }
529
530         if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
531                 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
532                 return False;
533         }
534
535         /*
536          * The following call actually checks the challenge/response data.
537          * for correctness against the given DOMAIN\user name.
538          */
539         
540         if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
541                 return False;
542
543         p->pipe_bound = True
544 ;
545         return True;
546 }
547
548 /*******************************************************************
549  Marshall a bind_nak pdu.
550 *******************************************************************/
551
552 static BOOL setup_bind_nak(pipes_struct *p)
553 {
554         prs_struct outgoing_rpc;
555         RPC_HDR nak_hdr;
556         uint16 zero = 0;
557
558         /* Free any memory in the current return data buffer. */
559         prs_mem_free(&p->out_data.rdata);
560
561         /*
562          * Marshall directly into the outgoing PDU space. We
563          * must do this as we need to set to the bind response
564          * header and are never sending more than one PDU here.
565          */
566
567         prs_init( &outgoing_rpc, 0, 4, MARSHALL);
568         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
569
570
571         /*
572          * Initialize a bind_nak header.
573          */
574
575         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
576             p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
577
578         /*
579          * Marshall the header into the outgoing PDU.
580          */
581
582         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
583                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
584                 return False;
585         }
586
587         /*
588          * Now add the reject reason.
589          */
590
591         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero))
592         return False;
593
594         p->out_data.data_sent_length = 0;
595         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
596         p->out_data.current_pdu_sent = 0;
597
598         p->pipe_bound = False;
599
600         return True;
601 }
602
603 /*******************************************************************
604  Marshall a fault pdu.
605 *******************************************************************/
606
607 BOOL setup_fault_pdu(pipes_struct *p)
608 {
609         prs_struct outgoing_pdu;
610         RPC_HDR fault_hdr;
611         RPC_HDR_RESP hdr_resp;
612         RPC_HDR_FAULT fault_resp;
613
614         /* Free any memory in the current return data buffer. */
615         prs_mem_free(&p->out_data.rdata);
616
617         /*
618          * Marshall directly into the outgoing PDU space. We
619          * must do this as we need to set to the bind response
620          * header and are never sending more than one PDU here.
621          */
622
623         prs_init( &outgoing_pdu, 0, 4, MARSHALL);
624         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
625
626         /*
627          * Initialize a fault header.
628          */
629
630         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
631             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
632
633         /*
634          * Initialize the HDR_RESP and FAULT parts of the PDU.
635          */
636
637         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
638
639         fault_resp.status = 0x1c010002;
640         fault_resp.reserved = 0;
641
642         /*
643          * Marshall the header into the outgoing PDU.
644          */
645
646         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
647                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
648                 return False;
649         }
650
651         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
652                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
653                 return False;
654         }
655
656         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
657                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
658                 return False;
659         }
660
661         p->out_data.data_sent_length = 0;
662         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
663         p->out_data.current_pdu_sent = 0;
664
665         return True;
666 }
667
668 /*******************************************************************
669  Ensure a bind request has the correct abstract & transfer interface.
670  Used to reject unknown binds from Win2k.
671 *******************************************************************/
672
673 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
674                                         RPC_IFACE* transfer)
675 {
676         extern struct pipe_id_info pipe_names[];
677         int i=0;
678         fstring pname;
679         fstrcpy(pname,"\\PIPE\\");
680         fstrcat(pname,pipe_name);
681
682         for(i=0;pipe_names[i].client_pipe; i++) {
683                 if(strequal(pipe_names[i].client_pipe, pname))
684                         break;
685         }
686
687         if(pipe_names[i].client_pipe == NULL)
688                 return False;
689
690         /* check the abstract interface */
691         if((abstract->version != pipe_names[i].abstr_syntax.version) ||
692                 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
693                         sizeof(RPC_UUID)) != 0))
694                 return False;
695
696         /* check the transfer interface */
697         if((transfer->version != pipe_names[i].trans_syntax.version) ||
698                 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
699                         sizeof(RPC_UUID)) != 0))
700                 return False;
701
702         return True;
703 }
704
705 /*******************************************************************
706  Respond to a pipe bind request.
707 *******************************************************************/
708
709 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
710 {
711         RPC_HDR_BA hdr_ba;
712         RPC_HDR_RB hdr_rb;
713         RPC_HDR_AUTH auth_info;
714         uint16 assoc_gid;
715         fstring ack_pipe_name;
716         prs_struct out_hdr_ba;
717         prs_struct out_auth;
718         prs_struct outgoing_rpc;
719         int i = 0;
720         int auth_len = 0;
721         enum RPC_PKT_TYPE reply_pkt_type;
722
723         p->ntlmssp_auth_requested = False;
724
725         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
726
727         /*
728          * Try and find the correct pipe name to ensure
729          * that this is a pipe name we support.
730          */
731
732         for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
733                 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
734                     api_fd_commands[i].fn != NULL) {
735                         DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
736                                    api_fd_commands[i].pipe_clnt_name,
737                                    api_fd_commands[i].pipe_srv_name));
738                         fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
739                         break;
740                 }
741         }
742
743         if (api_fd_commands[i].fn == NULL) {
744                 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
745                         p->name ));
746                 if(!setup_bind_nak(p))
747                         return False;
748                 return True;
749         }
750
751         /* decode the bind request */
752         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
753                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
754                 return False;
755         }
756
757         /*
758          * Check if this is an authenticated request.
759          */
760
761         if (p->hdr.auth_len != 0) {
762                 RPC_AUTH_VERIFIER auth_verifier;
763                 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
764
765                 /* 
766                  * Decode the authentication verifier.
767                  */
768
769                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
770                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
771                         return False;
772                 }
773
774                 /*
775                  * We only support NTLMSSP_AUTH_TYPE requests.
776                  */
777
778                 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
779                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
780                                 auth_info.auth_type ));
781                         return False;
782                 }
783
784                 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
785                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
786                         return False;
787                 }
788
789                 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
790                         DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
791                         return False;
792                 }
793
794                 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
795                         DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
796                                 auth_verifier.msg_type));
797                         return False;
798                 }
799
800                 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
801                         DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
802                         return False;
803                 }
804
805                 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
806                 p->ntlmssp_auth_requested = True;
807         }
808
809         switch(p->hdr.pkt_type) {
810                 case RPC_BIND:
811                         /* name has to be \PIPE\xxxxx */
812                         fstrcpy(ack_pipe_name, "\\PIPE\\");
813                         fstrcat(ack_pipe_name, p->pipe_srv_name);
814                         reply_pkt_type = RPC_BINDACK;
815                         break;
816                 case RPC_ALTCONT:
817                         /* secondary address CAN be NULL
818                          * as the specs say it's ignored.
819                          * It MUST NULL to have the spoolss working.
820                          */
821                         fstrcpy(ack_pipe_name,"");
822                         reply_pkt_type = RPC_ALTCONTRESP;
823                         break;
824                 default:
825                         return False;
826         }
827
828         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
829
830         /* 
831          * Marshall directly into the outgoing PDU space. We
832          * must do this as we need to set to the bind response
833          * header and are never sending more than one PDU here.
834          */
835
836         prs_init( &outgoing_rpc, 0, 4, MARSHALL);
837         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
838
839         /*
840          * Setup the memory to marshall the ba header, and the
841          * auth footers.
842          */
843
844         if(!prs_init(&out_hdr_ba, 1024, 4, MARSHALL)) {
845                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
846                 return False;
847         }
848
849         if(!prs_init(&out_auth, 1024, 4, MARSHALL)) {
850                 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
851                 prs_mem_free(&out_hdr_ba);
852                 return False;
853         }
854
855         if (p->ntlmssp_auth_requested)
856                 assoc_gid = 0x7a77;
857         else
858                 assoc_gid = hdr_rb.bba.assoc_gid;
859
860         /*
861          * Create the bind response struct.
862          */
863
864         /* If the requested abstract synt uuid doesn't match our client pipe,
865                 reject the bind_ack & set the transfer interface synt to all 0's,
866                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
867                 unknown to NT4)
868                 Needed when adding entries to a DACL from NT5 - SK */
869
870         if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
871                 init_rpc_hdr_ba(&hdr_ba,
872                         MAX_PDU_FRAG_LEN,
873                         MAX_PDU_FRAG_LEN,
874                         assoc_gid,
875                         ack_pipe_name,
876                         0x1, 0x0, 0x0,
877                         &hdr_rb.transfer);
878         } else {
879                 RPC_IFACE null_interface;
880                 ZERO_STRUCT(null_interface);
881                 /* Rejection reason: abstract syntax not supported */
882                 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
883                                         MAX_PDU_FRAG_LEN, assoc_gid,
884                                         ack_pipe_name, 0x1, 0x2, 0x1,
885                                         &null_interface);
886         }
887
888         /*
889          * and marshall it.
890          */
891
892         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
893                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
894                 goto err_exit;
895         }
896
897         /*
898          * Now the authentication.
899          */
900
901         if (p->ntlmssp_auth_requested) {
902                 RPC_AUTH_VERIFIER auth_verifier;
903                 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
904
905                 generate_random_buffer(p->challenge, 8, False);
906
907                 /*** Authentication info ***/
908
909                 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
910                 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
911                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
912                         goto err_exit;
913                 }
914
915                 /*** NTLMSSP verifier ***/
916
917                 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
918                 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
919                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
920                         goto err_exit;
921                 }
922
923                 /* NTLMSSP challenge ***/
924
925                 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
926                 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
927                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
928                         goto err_exit;
929                 }
930
931                 /* Auth len in the rpc header doesn't include auth_header. */
932                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
933         }
934
935         /*
936          * Create the header, now we know the length.
937          */
938
939         init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
940                         p->hdr.call_id,
941                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
942                         auth_len);
943
944         /*
945          * Marshall the header into the outgoing PDU.
946          */
947
948         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
949                 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
950                 goto err_exit;
951         }
952
953         /*
954          * Now add the RPC_HDR_BA and any auth needed.
955          */
956
957         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
958                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
959                 goto err_exit;
960         }
961
962         if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
963                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
964                 goto err_exit;
965         }
966
967         if(!p->ntlmssp_auth_requested)
968                 p->pipe_bound = True;
969
970         /*
971          * Setup the lengths for the initial reply.
972          */
973
974         p->out_data.data_sent_length = 0;
975         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
976         p->out_data.current_pdu_sent = 0;
977
978         prs_mem_free(&out_hdr_ba);
979         prs_mem_free(&out_auth);
980
981         return True;
982
983   err_exit:
984
985         prs_mem_free(&out_hdr_ba);
986         prs_mem_free(&out_auth);
987         return False;
988 }
989
990 /****************************************************************************
991  Deal with sign & seal processing on an RPC request.
992 ****************************************************************************/
993
994 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
995 {
996         /*
997          * We always negotiate the following two bits....
998          */
999         BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
1000         BOOL auth_seal   = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
1001         int data_len;
1002         int auth_len;
1003         uint32 old_offset;
1004         uint32 crc32 = 0;
1005
1006         auth_len = p->hdr.auth_len;
1007
1008         if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1009                 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1010                 return False;
1011         }
1012
1013         /*
1014          * The following is that length of the data we must verify or unseal.
1015          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1016          * preceeding the auth_data.
1017          */
1018
1019         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
1020                         (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1021         
1022         DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1023                  BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1024
1025         if (auth_seal) {
1026                 /*
1027                  * The data in rpc_in doesn't contain the RPC_HEADER as this
1028                  * has already been consumed.
1029                  */
1030                 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1031                 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1032                 crc32 = crc32_calc_buffer(data, data_len);
1033         }
1034
1035         old_offset = prs_offset(rpc_in);
1036
1037         if (auth_seal || auth_verify) {
1038                 RPC_HDR_AUTH auth_info;
1039
1040                 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1041                         DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1042                                 (unsigned int)old_offset + data_len ));
1043                         return False;
1044                 }
1045
1046                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1047                         DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1048                         return False;
1049                 }
1050         }
1051
1052         if (auth_verify) {
1053                 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1054                 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1055
1056                 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1057
1058                 /*
1059                  * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1060                  * incoming buffer.
1061                  */
1062                 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1063                         DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1064                                 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1065                         return False;
1066                 }
1067
1068                 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1069                 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1070                         DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1071                         return False;
1072                 }
1073
1074                 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1075                         DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1076                         return False;
1077                 }
1078         }
1079
1080         /*
1081          * Return the current pointer to the data offset.
1082          */
1083
1084         if(!prs_set_offset(rpc_in, old_offset)) {
1085                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1086                         (unsigned int)old_offset ));
1087                 return False;
1088         }
1089
1090         return True;
1091 }
1092
1093 /****************************************************************************
1094  Find the correct RPC function to call for this request.
1095  If the pipe is authenticated then become the correct UNIX user
1096  before doing the call.
1097 ****************************************************************************/
1098
1099 BOOL api_pipe_request(pipes_struct *p)
1100 {
1101         int i = 0;
1102         BOOL ret = False;
1103         BOOL changed_user_id = False;
1104
1105         if (p->ntlmssp_auth_validated) {
1106
1107                 if(!become_authenticated_pipe_user(p)) {
1108                         prs_mem_free(&p->out_data.rdata);
1109                         return False;
1110                 }
1111
1112                 changed_user_id = True;
1113         }
1114
1115         for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1116                 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1117                     api_fd_commands[i].fn != NULL) {
1118                         DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1119                         ret = api_fd_commands[i].fn(p);
1120                 }
1121         }
1122
1123         if(changed_user_id)
1124                 unbecome_authenticated_pipe_user(p);
1125
1126         return ret;
1127 }
1128
1129 /*******************************************************************
1130  Calls the underlying RPC function for a named pipe.
1131  ********************************************************************/
1132
1133 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, 
1134                 struct api_struct *api_rpc_cmds)
1135 {
1136         int fn_num;
1137         fstring name;
1138         uint32 offset1, offset2;
1139  
1140         /* interpret the command */
1141         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1142
1143         slprintf(name, sizeof(name), "in_%s", rpc_name);
1144         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1145
1146         for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1147                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1148                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1149                         break;
1150                 }
1151         }
1152
1153         if (api_rpc_cmds[fn_num].name == NULL) {
1154                 /*
1155                  * For an unknown RPC just return a fault PDU but
1156                  * return True to allow RPC's on the pipe to continue
1157                  * and not put the pipe into fault state. JRA.
1158                  */
1159                 DEBUG(4, ("unknown\n"));
1160                 setup_fault_pdu(p);
1161                 return True;
1162         }
1163
1164         offset1 = prs_offset(&p->out_data.rdata);
1165
1166         /* do the actual command */
1167         if(!api_rpc_cmds[fn_num].fn(p)) {
1168                 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1169                 prs_mem_free(&p->out_data.rdata);
1170                 return False;
1171         }
1172
1173         slprintf(name, sizeof(name), "out_%s", rpc_name);
1174         offset2 = prs_offset(&p->out_data.rdata);
1175         prs_set_offset(&p->out_data.rdata, offset1);
1176         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1177         prs_set_offset(&p->out_data.rdata, offset2);
1178
1179         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1180
1181         return True;
1182 }
1183
1184 #undef OLD_NTDOMAIN