Better explanation message for dmalloc.
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/Netbios implementation.
3  *  Version 1.9.
4  *  RPC Pipe client / server routines
5  *  Copyright (C) Andrew Tridgell              1992-1998
6  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7  *  Copyright (C) Paul Ashton                  1997-1998.
8  *  Copyright (C) Jeremy Allison                    1999.
9  *  
10  *  This program is free software; you can redistribute it and/or modify
11  *  it under the terms of the GNU General Public License as published by
12  *  the Free Software Foundation; either version 2 of the License, or
13  *  (at your option) any later version.
14  *  
15  *  This program is distributed in the hope that it will be useful,
16  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
17  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18  *  GNU General Public License for more details.
19  *  
20  *  You should have received a copy of the GNU General Public License
21  *  along with this program; if not, write to the Free Software
22  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23  */
24
25 /*  this module apparently provides an implementation of DCE/RPC over a
26  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
27  *  documentation are available (in on-line form) from the X-Open group.
28  *
29  *  this module should provide a level of abstraction between SMB
30  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
31  *  data copies, and network traffic.
32  *
33  *  in this version, which takes a "let's learn what's going on and
34  *  get something running" approach, there is additional network
35  *  traffic generated, but the code should be easier to understand...
36  *
37  *  ... if you read the docs.  or stare at packets for weeks on end.
38  *
39  */
40
41 #include "includes.h"
42
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
44 {
45     unsigned char *hash = p->ntlmssp_hash;
46     unsigned char index_i = hash[256];
47     unsigned char index_j = hash[257];
48     int ind;
49
50     for( ind = 0; ind < len; ind++) {
51         unsigned char tc;
52         unsigned char t;
53
54         index_i++;
55         index_j += hash[index_i];
56
57         tc = hash[index_i];
58         hash[index_i] = hash[index_j];
59         hash[index_j] = tc;
60
61         t = hash[index_i] + hash[index_j];
62         data[ind] = data[ind] ^ hash[t];
63     }
64
65     hash[256] = index_i;
66     hash[257] = index_j;
67 }
68
69 /*******************************************************************
70  Generate the next PDU to be returned from the data in p->rdata. 
71  We cheat here as this function doesn't handle the special auth
72  footers of the authenticated bind response reply.
73  ********************************************************************/
74
75 BOOL create_next_pdu(pipes_struct *p)
76 {
77         RPC_HDR_RESP hdr_resp;
78         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79         BOOL auth_seal   = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
80         uint32 data_len;
81         uint32 data_space_available;
82         uint32 data_len_left;
83         prs_struct outgoing_pdu;
84         char *data;
85         char *data_from;
86         uint32 data_pos;
87
88         /*
89          * If we're in the fault state, keep returning fault PDU's until
90          * the pipe gets closed. JRA.
91          */
92
93         if(p->fault_state) {
94                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
95                 return True;
96         }
97
98         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
99
100         /* Change the incoming request header to a response. */
101         p->hdr.pkt_type = RPC_RESPONSE;
102
103         /* Set up rpc header flags. */
104         if (p->out_data.data_sent_length == 0)
105                 p->hdr.flags = RPC_FLG_FIRST;
106         else
107                 p->hdr.flags = 0;
108
109         /*
110          * Work out how much we can fit in a single PDU.
111          */
112
113         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114         if(p->ntlmssp_auth_validated)
115                 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
116
117         /*
118          * The amount we send is the minimum of the available
119          * space and the amount left to send.
120          */
121
122         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
123
124         /*
125          * Ensure there really is data left to send.
126          */
127
128         if(!data_len_left) {
129                 DEBUG(0,("create_next_pdu: no data left to send !\n"));
130                 return False;
131         }
132
133         data_len = MIN(data_len_left, data_space_available);
134
135         /*
136          * Set up the alloc hint. This should be the data left to
137          * send.
138          */
139
140         hdr_resp.alloc_hint = data_len_left;
141
142         /*
143          * Set up the header lengths.
144          */
145
146         if (p->ntlmssp_auth_validated) {
147                 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148                                         RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149                 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
150         } else {
151                 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
152                 p->hdr.auth_len = 0;
153         }
154
155         /*
156          * Work out if this PDU will be the last.
157          */
158
159         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160                 p->hdr.flags |= RPC_FLG_LAST;
161
162         /*
163          * Init the parse struct to point at the outgoing
164          * data.
165          */
166
167         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
169
170         /* Store the header in the data stream. */
171         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173                 prs_mem_free(&outgoing_pdu);
174                 return False;
175         }
176
177         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179                 prs_mem_free(&outgoing_pdu);
180                 return False;
181         }
182
183         /* Store the current offset. */
184         data_pos = prs_offset(&outgoing_pdu);
185
186         /* Copy the data into the PDU. */
187         data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
188
189         if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190                 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191                 prs_mem_free(&outgoing_pdu);
192                 return False;
193         }
194
195         /*
196          * Set data to point to where we copied the data into.
197          */
198
199         data = prs_data_p(&outgoing_pdu) + data_pos;
200
201         if (p->hdr.auth_len > 0) {
202                 uint32 crc32 = 0;
203
204                 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205                          BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
206
207                 if (auth_seal) {
208                         crc32 = crc32_calc_buffer(data, data_len);
209                         NTLMSSPcalc_p(p, (uchar*)data, data_len);
210                 }
211
212                 if (auth_seal || auth_verify) {
213                         RPC_HDR_AUTH auth_info;
214
215                         init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 
216                                         (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217                         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218                                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219                                 prs_mem_free(&outgoing_pdu);
220                                 return False;
221                         }
222                 }
223
224                 if (auth_verify) {
225                         RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226                         char *auth_data = prs_data_p(&outgoing_pdu);
227
228                         p->ntlmssp_seq_num++;
229                         init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230                                         crc32, p->ntlmssp_seq_num++);
231                         auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232                         if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233                                 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234                                 prs_mem_free(&outgoing_pdu);
235                                 return False;
236                         }
237                         NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
238                 }
239         }
240
241         /*
242          * Setup the counts for this PDU.
243          */
244
245         p->out_data.data_sent_length += data_len;
246         p->out_data.current_pdu_len = p->hdr.frag_len;
247         p->out_data.current_pdu_sent = 0;
248
249         prs_mem_free(&outgoing_pdu);
250         return True;
251 }
252
253 /*******************************************************************
254  Process an NTLMSSP authentication response.
255  If this function succeeds, the user has been authenticated
256  and their domain, name and calling workstation stored in
257  the pipe struct.
258  The initial challenge is stored in p->challenge.
259  *******************************************************************/
260
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
262 {
263         uchar lm_owf[24];
264         uchar nt_owf[128];
265         int nt_pw_len;
266         int lm_pw_len;
267         fstring user_name;
268         fstring domain;
269         fstring wks;
270
271         NTSTATUS nt_status;
272
273         struct auth_context *auth_context = NULL;
274         auth_usersupplied_info *user_info = NULL;
275         auth_serversupplied_info *server_info = NULL;
276
277         uid_t uid;
278         uid_t gid;
279
280         DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
281
282         memset(p->user_name, '\0', sizeof(p->user_name));
283         memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
284         memset(p->domain, '\0', sizeof(p->domain));
285         memset(p->wks, '\0', sizeof(p->wks));
286
287         /* Set up for non-authenticated user. */
288         delete_nt_token(&p->pipe_user.nt_user_token);
289         p->pipe_user.ngroups = 0;
290         SAFE_FREE( p->pipe_user.groups);
291
292         /* 
293          * Setup an empty password for a guest user.
294          */
295
296         /*
297          * We always negotiate UNICODE.
298          */
299
300         if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301                 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
302                 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
303                 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
304         } else {
305                 pull_ascii_fstring(user_name, ntlmssp_resp->user);
306                 pull_ascii_fstring(domain, ntlmssp_resp->domain);
307                 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308         }
309
310         DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311
312         nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
313         lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
314
315         memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
316         memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
317
318 #ifdef DEBUG_PASSWORD
319         DEBUG(100,("lm, nt owfs, chal\n"));
320         dump_data(100, (char *)lm_owf, sizeof(lm_owf));
321         dump_data(100, (char *)nt_owf, nt_pw_len);
322         dump_data(100, (char *)p->challenge, 8);
323 #endif
324
325         /*
326          * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
327          */
328
329         if (*user_name) {
330
331                 /* 
332                  * Do the length checking only if user is not NULL.
333                  */
334
335                 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
336                         return False;
337                 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
338                         return False;
339                 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
340                         return False;
341                 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
342                         return False;
343                 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
344                         return False;
345
346         }
347         
348         make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
349
350         if (!make_user_info_netlogon_network(&user_info, 
351                                              user_name, domain, wks,
352                                              lm_owf, lm_pw_len, 
353                                              nt_owf, nt_pw_len)) {
354                 DEBUG(0,("make_user_info_netlogon_network failed!  Failing authenticaion.\n"));
355                 return False;
356         }
357         
358         nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); 
359         
360         (auth_context->free)(&auth_context);
361         free_user_info(&user_info);
362         
363         p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
364         
365         if (!p->ntlmssp_auth_validated) {
366                 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
367 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
368                 free_server_info(&server_info);
369                 return False;
370         }
371
372         /*
373          * Set up the sign/seal data.
374          */
375
376         {
377                 uchar p24[24];
378                 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
379                 {
380                         unsigned char j = 0;
381                         int ind;
382
383                         unsigned char k2[8];
384
385                         memcpy(k2, p24, 5);
386                         k2[5] = 0xe5;
387                         k2[6] = 0x38;
388                         k2[7] = 0xb0;
389
390                         for (ind = 0; ind < 256; ind++)
391                                 p->ntlmssp_hash[ind] = (unsigned char)ind;
392
393                         for( ind = 0; ind < 256; ind++) {
394                                 unsigned char tc;
395
396                                 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
397
398                                 tc = p->ntlmssp_hash[ind];
399                                 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
400                                 p->ntlmssp_hash[j] = tc;
401                         }
402
403                         p->ntlmssp_hash[256] = 0;
404                         p->ntlmssp_hash[257] = 0;
405                 }
406 /*              NTLMSSPhash(p->ntlmssp_hash, p24); */
407                 p->ntlmssp_seq_num = 0;
408
409         }
410
411         fstrcpy(p->user_name, user_name);
412         fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
413         fstrcpy(p->domain, domain);
414         fstrcpy(p->wks, wks);
415
416         /*
417          * Store the UNIX credential data (uid/gid pair) in the pipe structure.
418          */
419
420         if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
421                 DEBUG(0,("Attempted authenticated pipe with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
422                 free_server_info(&server_info);
423                 return False;
424         }
425         
426         uid = pdb_get_uid(server_info->sam_account);
427         gid = pdb_get_gid(server_info->sam_account);
428
429         p->pipe_user.uid = uid;
430         p->pipe_user.gid = gid;
431
432         /* Set up pipe user group membership. */
433         initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
434         get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
435
436         if (server_info->ptok)
437                 add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
438
439         /* Create an NT_USER_TOKEN struct for this user. */
440         p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
441                                                      p->pipe_user.ngroups, p->pipe_user.groups,
442                                                      server_info->guest, server_info->ptok);
443
444         p->ntlmssp_auth_validated = True;
445
446         pdb_free_sam(&server_info->sam_account);
447         return True;
448 }
449
450 /*******************************************************************
451  The switch table for the pipe names and the functions to handle them.
452  *******************************************************************/
453
454 struct api_cmd
455 {
456   char * pipe_clnt_name;
457   char * pipe_srv_name;
458   BOOL (*fn) (pipes_struct *);
459 };
460
461 static struct api_cmd api_fd_commands[] =
462 {
463     { "lsarpc",   "lsass",   api_ntlsa_rpc },
464     { "samr",     "lsass",   api_samr_rpc },
465     { "srvsvc",   "ntsvcs",  api_srvsvc_rpc },
466     { "wkssvc",   "ntsvcs",  api_wkssvc_rpc },
467     { "NETLOGON", "lsass",   api_netlog_rpc },
468     { "winreg",   "winreg",  api_reg_rpc },
469     { "spoolss",  "spoolss", api_spoolss_rpc },
470     { "netdfs",   "netdfs" , api_netdfs_rpc },
471     { NULL,       NULL,      NULL }
472 };
473
474 /*******************************************************************
475  This is the client reply to our challenge for an authenticated 
476  bind request. The challenge we sent is in p->challenge.
477 *******************************************************************/
478
479 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
480 {
481         RPC_HDR_AUTHA autha_info;
482         RPC_AUTH_VERIFIER auth_verifier;
483         RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
484
485         DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
486
487         if (p->hdr.auth_len == 0) {
488                 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
489                 return False;
490         }
491
492         /*
493          * Decode the authentication verifier response.
494          */
495
496         if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
497                 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
498                 return False;
499         }
500
501         if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
502                 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
503                         (int)autha_info.auth_type, (int)autha_info.auth_level ));
504                 return False;
505         }
506
507         if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
508                 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
509                 return False;
510         }
511
512         /*
513          * Ensure this is a NTLMSSP_AUTH packet type.
514          */
515
516         if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
517                 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
518                 return False;
519         }
520
521         if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
522                 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
523                 return False;
524         }
525
526         /*
527          * The following call actually checks the challenge/response data.
528          * for correctness against the given DOMAIN\user name.
529          */
530         
531         if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
532                 return False;
533
534         p->pipe_bound = True
535 ;
536         return True;
537 }
538
539 /*******************************************************************
540  Marshall a bind_nak pdu.
541 *******************************************************************/
542
543 static BOOL setup_bind_nak(pipes_struct *p)
544 {
545         prs_struct outgoing_rpc;
546         RPC_HDR nak_hdr;
547         uint16 zero = 0;
548
549         /* Free any memory in the current return data buffer. */
550         prs_mem_free(&p->out_data.rdata);
551
552         /*
553          * Marshall directly into the outgoing PDU space. We
554          * must do this as we need to set to the bind response
555          * header and are never sending more than one PDU here.
556          */
557
558         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
559         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
560
561
562         /*
563          * Initialize a bind_nak header.
564          */
565
566         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
567             p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
568
569         /*
570          * Marshall the header into the outgoing PDU.
571          */
572
573         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
574                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
575                 prs_mem_free(&outgoing_rpc);
576                 return False;
577         }
578
579         /*
580          * Now add the reject reason.
581          */
582
583         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
584                 prs_mem_free(&outgoing_rpc);
585         return False;
586         }
587
588         p->out_data.data_sent_length = 0;
589         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
590         p->out_data.current_pdu_sent = 0;
591
592         p->pipe_bound = False;
593
594         return True;
595 }
596
597 /*******************************************************************
598  Marshall a fault pdu.
599 *******************************************************************/
600
601 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
602 {
603         prs_struct outgoing_pdu;
604         RPC_HDR fault_hdr;
605         RPC_HDR_RESP hdr_resp;
606         RPC_HDR_FAULT fault_resp;
607
608         /* Free any memory in the current return data buffer. */
609         prs_mem_free(&p->out_data.rdata);
610
611         /*
612          * Marshall directly into the outgoing PDU space. We
613          * must do this as we need to set to the bind response
614          * header and are never sending more than one PDU here.
615          */
616
617         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
618         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
619
620         /*
621          * Initialize a fault header.
622          */
623
624         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
625             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
626
627         /*
628          * Initialize the HDR_RESP and FAULT parts of the PDU.
629          */
630
631         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
632
633         fault_resp.status = status;
634         fault_resp.reserved = 0;
635
636         /*
637          * Marshall the header into the outgoing PDU.
638          */
639
640         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
641                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
642                 prs_mem_free(&outgoing_pdu);
643                 return False;
644         }
645
646         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
647                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
648                 prs_mem_free(&outgoing_pdu);
649                 return False;
650         }
651
652         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
653                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
654                 prs_mem_free(&outgoing_pdu);
655                 return False;
656         }
657
658         p->out_data.data_sent_length = 0;
659         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
660         p->out_data.current_pdu_sent = 0;
661
662         prs_mem_free(&outgoing_pdu);
663         return True;
664 }
665
666 /*******************************************************************
667  Ensure a bind request has the correct abstract & transfer interface.
668  Used to reject unknown binds from Win2k.
669 *******************************************************************/
670
671 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
672                                         RPC_IFACE* transfer)
673 {
674         extern struct pipe_id_info pipe_names[];
675         int i=0;
676         fstring pname;
677         fstrcpy(pname,"\\PIPE\\");
678         fstrcat(pname,pipe_name);
679
680         for(i=0;pipe_names[i].client_pipe; i++) {
681                 if(strequal(pipe_names[i].client_pipe, pname))
682                         break;
683         }
684
685         if(pipe_names[i].client_pipe == NULL)
686                 return False;
687
688         /* check the abstract interface */
689         if((abstract->version != pipe_names[i].abstr_syntax.version) ||
690                 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
691                         sizeof(RPC_UUID)) != 0))
692                 return False;
693
694         /* check the transfer interface */
695         if((transfer->version != pipe_names[i].trans_syntax.version) ||
696                 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
697                         sizeof(RPC_UUID)) != 0))
698                 return False;
699
700         return True;
701 }
702
703 /*******************************************************************
704  Respond to a pipe bind request.
705 *******************************************************************/
706
707 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
708 {
709         RPC_HDR_BA hdr_ba;
710         RPC_HDR_RB hdr_rb;
711         RPC_HDR_AUTH auth_info;
712         uint16 assoc_gid;
713         fstring ack_pipe_name;
714         prs_struct out_hdr_ba;
715         prs_struct out_auth;
716         prs_struct outgoing_rpc;
717         int i = 0;
718         int auth_len = 0;
719         enum RPC_PKT_TYPE reply_pkt_type;
720
721         p->ntlmssp_auth_requested = False;
722
723         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
724
725         /*
726          * Try and find the correct pipe name to ensure
727          * that this is a pipe name we support.
728          */
729
730         for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
731                 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
732                     api_fd_commands[i].fn != NULL) {
733                         DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
734                                    api_fd_commands[i].pipe_clnt_name,
735                                    api_fd_commands[i].pipe_srv_name));
736                         fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
737                         break;
738                 }
739         }
740
741         if (api_fd_commands[i].fn == NULL) {
742                 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
743                         p->name ));
744                 if(!setup_bind_nak(p))
745                         return False;
746                 return True;
747         }
748
749         /* decode the bind request */
750         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
751                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
752                 return False;
753         }
754
755         /*
756          * Check if this is an authenticated request.
757          */
758
759         if (p->hdr.auth_len != 0) {
760                 RPC_AUTH_VERIFIER auth_verifier;
761                 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
762
763                 /* 
764                  * Decode the authentication verifier.
765                  */
766
767                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
768                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
769                         return False;
770                 }
771
772                 /*
773                  * We only support NTLMSSP_AUTH_TYPE requests.
774                  */
775
776                 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
777                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
778                                 auth_info.auth_type ));
779                         return False;
780                 }
781
782                 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
783                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
784                         return False;
785                 }
786
787                 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
788                         DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
789                         return False;
790                 }
791
792                 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
793                         DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
794                                 auth_verifier.msg_type));
795                         return False;
796                 }
797
798                 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
799                         DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
800                         return False;
801                 }
802
803                 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
804                 p->ntlmssp_auth_requested = True;
805         }
806
807         switch(p->hdr.pkt_type) {
808                 case RPC_BIND:
809                         /* name has to be \PIPE\xxxxx */
810                         fstrcpy(ack_pipe_name, "\\PIPE\\");
811                         fstrcat(ack_pipe_name, p->pipe_srv_name);
812                         reply_pkt_type = RPC_BINDACK;
813                         break;
814                 case RPC_ALTCONT:
815                         /* secondary address CAN be NULL
816                          * as the specs say it's ignored.
817                          * It MUST NULL to have the spoolss working.
818                          */
819                         fstrcpy(ack_pipe_name,"");
820                         reply_pkt_type = RPC_ALTCONTRESP;
821                         break;
822                 default:
823                         return False;
824         }
825
826         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
827
828         /* 
829          * Marshall directly into the outgoing PDU space. We
830          * must do this as we need to set to the bind response
831          * header and are never sending more than one PDU here.
832          */
833
834         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
835         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
836
837         /*
838          * Setup the memory to marshall the ba header, and the
839          * auth footers.
840          */
841
842         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
843                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
844                 prs_mem_free(&outgoing_rpc);
845                 return False;
846         }
847
848         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
849                 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
850                 prs_mem_free(&outgoing_rpc);
851                 prs_mem_free(&out_hdr_ba);
852                 return False;
853         }
854
855         if (p->ntlmssp_auth_requested)
856                 assoc_gid = 0x7a77;
857         else
858                 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
859
860         /*
861          * Create the bind response struct.
862          */
863
864         /* If the requested abstract synt uuid doesn't match our client pipe,
865                 reject the bind_ack & set the transfer interface synt to all 0's,
866                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
867                 unknown to NT4)
868                 Needed when adding entries to a DACL from NT5 - SK */
869
870         if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
871                 init_rpc_hdr_ba(&hdr_ba,
872                         MAX_PDU_FRAG_LEN,
873                         MAX_PDU_FRAG_LEN,
874                         assoc_gid,
875                         ack_pipe_name,
876                         0x1, 0x0, 0x0,
877                         &hdr_rb.transfer);
878         } else {
879                 RPC_IFACE null_interface;
880                 ZERO_STRUCT(null_interface);
881                 /* Rejection reason: abstract syntax not supported */
882                 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
883                                         MAX_PDU_FRAG_LEN, assoc_gid,
884                                         ack_pipe_name, 0x1, 0x2, 0x1,
885                                         &null_interface);
886         }
887
888         /*
889          * and marshall it.
890          */
891
892         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
893                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
894                 goto err_exit;
895         }
896
897         /*
898          * Now the authentication.
899          */
900
901         if (p->ntlmssp_auth_requested) {
902                 RPC_AUTH_VERIFIER auth_verifier;
903                 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
904
905                 generate_random_buffer(p->challenge, 8, False);
906
907                 /*** Authentication info ***/
908
909                 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
910                 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
911                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
912                         goto err_exit;
913                 }
914
915                 /*** NTLMSSP verifier ***/
916
917                 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
918                 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
919                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
920                         goto err_exit;
921                 }
922
923                 /* NTLMSSP challenge ***/
924
925                 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
926                 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
927                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
928                         goto err_exit;
929                 }
930
931                 /* Auth len in the rpc header doesn't include auth_header. */
932                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
933         }
934
935         /*
936          * Create the header, now we know the length.
937          */
938
939         init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
940                         p->hdr.call_id,
941                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
942                         auth_len);
943
944         /*
945          * Marshall the header into the outgoing PDU.
946          */
947
948         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
949                 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
950                 goto err_exit;
951         }
952
953         /*
954          * Now add the RPC_HDR_BA and any auth needed.
955          */
956
957         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
958                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
959                 goto err_exit;
960         }
961
962         if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
963                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
964                 goto err_exit;
965         }
966
967         if(!p->ntlmssp_auth_requested)
968                 p->pipe_bound = True;
969
970         /*
971          * Setup the lengths for the initial reply.
972          */
973
974         p->out_data.data_sent_length = 0;
975         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
976         p->out_data.current_pdu_sent = 0;
977
978         prs_mem_free(&out_hdr_ba);
979         prs_mem_free(&out_auth);
980
981         return True;
982
983   err_exit:
984
985         prs_mem_free(&outgoing_rpc);
986         prs_mem_free(&out_hdr_ba);
987         prs_mem_free(&out_auth);
988         return False;
989 }
990
991 /****************************************************************************
992  Deal with sign & seal processing on an RPC request.
993 ****************************************************************************/
994
995 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
996 {
997         /*
998          * We always negotiate the following two bits....
999          */
1000         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1001         BOOL auth_seal   = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1002         int data_len;
1003         int auth_len;
1004         uint32 old_offset;
1005         uint32 crc32 = 0;
1006
1007         auth_len = p->hdr.auth_len;
1008
1009         if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1010                 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1011                 return False;
1012         }
1013
1014         /*
1015          * The following is that length of the data we must verify or unseal.
1016          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1017          * preceeding the auth_data.
1018          */
1019
1020         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
1021                         (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1022         
1023         DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1024                  BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1025
1026         if (auth_seal) {
1027                 /*
1028                  * The data in rpc_in doesn't contain the RPC_HEADER as this
1029                  * has already been consumed.
1030                  */
1031                 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1032                 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1033                 crc32 = crc32_calc_buffer(data, data_len);
1034         }
1035
1036         old_offset = prs_offset(rpc_in);
1037
1038         if (auth_seal || auth_verify) {
1039                 RPC_HDR_AUTH auth_info;
1040
1041                 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1042                         DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1043                                 (unsigned int)old_offset + data_len ));
1044                         return False;
1045                 }
1046
1047                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1048                         DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1049                         return False;
1050                 }
1051         }
1052
1053         if (auth_verify) {
1054                 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1055                 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1056
1057                 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1058
1059                 /*
1060                  * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1061                  * incoming buffer.
1062                  */
1063                 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1064                         DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1065                                 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1066                         return False;
1067                 }
1068
1069                 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1070                 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1071                         DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1072                         return False;
1073                 }
1074
1075                 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1076                         DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1077                         return False;
1078                 }
1079         }
1080
1081         /*
1082          * Return the current pointer to the data offset.
1083          */
1084
1085         if(!prs_set_offset(rpc_in, old_offset)) {
1086                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1087                         (unsigned int)old_offset ));
1088                 return False;
1089         }
1090
1091         return True;
1092 }
1093
1094 /****************************************************************************
1095  Return a user struct for a pipe user.
1096 ****************************************************************************/
1097
1098 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1099 {
1100         if (p->ntlmssp_auth_validated) {
1101                 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1102         } else {
1103                 extern struct current_user current_user;
1104                 memcpy(user, &current_user, sizeof(struct current_user));
1105         }
1106
1107         return user;
1108 }
1109
1110 /****************************************************************************
1111  Find the correct RPC function to call for this request.
1112  If the pipe is authenticated then become the correct UNIX user
1113  before doing the call.
1114 ****************************************************************************/
1115
1116 BOOL api_pipe_request(pipes_struct *p)
1117 {
1118         int i = 0;
1119         BOOL ret = False;
1120
1121         if (p->ntlmssp_auth_validated) {
1122
1123                 if(!become_authenticated_pipe_user(p)) {
1124                         prs_mem_free(&p->out_data.rdata);
1125                         return False;
1126                 }
1127         }
1128
1129         for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1130                 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1131                     api_fd_commands[i].fn != NULL) {
1132                         DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1133                         set_current_rpc_talloc(p->mem_ctx);
1134                         ret = api_fd_commands[i].fn(p);
1135                         set_current_rpc_talloc(NULL);
1136                 }
1137         }
1138
1139         if(p->ntlmssp_auth_validated)
1140                 unbecome_authenticated_pipe_user();
1141
1142         return ret;
1143 }
1144
1145 /*******************************************************************
1146  Calls the underlying RPC function for a named pipe.
1147  ********************************************************************/
1148
1149 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, 
1150                 struct api_struct *api_rpc_cmds)
1151 {
1152         int fn_num;
1153         fstring name;
1154         uint32 offset1, offset2;
1155  
1156         /* interpret the command */
1157         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1158
1159         slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1160         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1161
1162         for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1163                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1164                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1165                         break;
1166                 }
1167         }
1168
1169         if (api_rpc_cmds[fn_num].name == NULL) {
1170                 /*
1171                  * For an unknown RPC just return a fault PDU but
1172                  * return True to allow RPC's on the pipe to continue
1173                  * and not put the pipe into fault state. JRA.
1174                  */
1175                 DEBUG(4, ("unknown\n"));
1176                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1177                 return True;
1178         }
1179
1180         offset1 = prs_offset(&p->out_data.rdata);
1181
1182         /* do the actual command */
1183         if(!api_rpc_cmds[fn_num].fn(p)) {
1184                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1185                 prs_mem_free(&p->out_data.rdata);
1186                 return False;
1187         }
1188
1189         slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1190         offset2 = prs_offset(&p->out_data.rdata);
1191         prs_set_offset(&p->out_data.rdata, offset1);
1192         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1193         prs_set_offset(&p->out_data.rdata, offset2);
1194
1195         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1196
1197         /* Check for buffer underflow in rpc parsing */
1198
1199         if ((DEBUGLEVEL >= 10) && 
1200             (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1201                 int data_len = p->in_data.data.buffer_size - 
1202                         p->in_data.data.data_offset;
1203                 char *data;
1204
1205                 data = malloc(data_len);
1206
1207                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1208                 if (data) {
1209                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1210                                    data_len);
1211                         SAFE_FREE(data);
1212                 }
1213
1214         }
1215
1216         return True;
1217 }