3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* this module apparently provides an implementation of DCE/RPC over a
27 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
28 * documentation are available (in on-line form) from the X-Open group.
30 * this module should provide a level of abstraction between SMB
31 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
32 * data copies, and network traffic.
34 * in this version, which takes a "let's learn what's going on and
35 * get something running" approach, there is additional network
36 * traffic generated, but the code should be easier to understand...
38 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
113 * Work out how much we can fit in a single PDU.
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len = MIN(data_len_left, data_space_available);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp.alloc_hint = data_len_left;
146 * Set up the header lengths.
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
159 * Work out if this PDU will be the last.
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 prs_mem_free(&outgoing_pdu);
180 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
181 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
182 prs_mem_free(&outgoing_pdu);
186 /* Store the current offset. */
187 data_pos = prs_offset(&outgoing_pdu);
189 /* Copy the data into the PDU. */
190 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
192 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
193 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
194 prs_mem_free(&outgoing_pdu);
199 * Set data to point to where we copied the data into.
202 data = prs_data_p(&outgoing_pdu) + data_pos;
204 if (p->hdr.auth_len > 0) {
207 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
208 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
211 crc32 = crc32_calc_buffer(data, data_len);
212 NTLMSSPcalc_p(p, (uchar*)data, data_len);
215 if (auth_seal || auth_verify) {
216 RPC_HDR_AUTH auth_info;
218 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
219 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
220 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
221 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
222 prs_mem_free(&outgoing_pdu);
228 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
229 char *auth_data = prs_data_p(&outgoing_pdu);
231 p->ntlmssp_seq_num++;
232 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
233 crc32, p->ntlmssp_seq_num++);
234 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
235 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
236 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
237 prs_mem_free(&outgoing_pdu);
240 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
245 * Setup the counts for this PDU.
248 p->out_data.data_sent_length += data_len;
249 p->out_data.current_pdu_len = p->hdr.frag_len;
250 p->out_data.current_pdu_sent = 0;
252 prs_mem_free(&outgoing_pdu);
256 /*******************************************************************
257 Process an NTLMSSP authentication response.
258 If this function succeeds, the user has been authenticated
259 and their domain, name and calling workstation stored in
261 The initial challenge is stored in p->challenge.
262 *******************************************************************/
264 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
269 fstring pipe_user_name;
272 BOOL guest_user = False;
273 SAM_ACCOUNT *sam_pass = NULL;
274 BYTE null_smb_passwd[16];
275 BYTE *smb_passwd_ptr = NULL;
277 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
279 memset(p->user_name, '\0', sizeof(p->user_name));
280 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
281 memset(p->domain, '\0', sizeof(p->domain));
282 memset(p->wks, '\0', sizeof(p->wks));
284 /* Set up for non-authenticated user. */
285 delete_nt_token(&p->pipe_user.nt_user_token);
286 p->pipe_user.ngroups = 0;
287 safe_free( p->pipe_user.groups);
290 * Setup an empty password for a guest user.
293 memset(null_smb_passwd,0,16);
296 * We always negotiate UNICODE.
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
301 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
302 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
304 fstrcpy(user_name, ntlmssp_resp->user);
305 fstrcpy(domain, ntlmssp_resp->domain);
306 fstrcpy(wks, ntlmssp_resp->wks);
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
312 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
314 #ifdef DEBUG_PASSWORD
315 DEBUG(100,("lm, nt owfs, chal\n"));
316 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
317 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
318 dump_data(100, (char *)p->challenge, 8);
322 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
325 if((strlen(user_name) == 0) &&
326 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
330 fstrcpy(pipe_user_name, lp_guestaccount(-1));
331 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
333 smb_passwd_ptr = null_smb_passwd;
338 * Pass the user through the NT -> unix user mapping
342 fstrcpy(pipe_user_name, user_name);
343 (void)map_username(pipe_user_name);
346 * Do the length checking only if user is not NULL.
349 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
351 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
353 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
355 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
357 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
361 /* unnecessary as the passdb validates the user before returning --jerry */
364 * Find the user in the unix password db.
367 if(!(pass = Get_Pwnam(pipe_user_name,True))) {
368 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",pipe_user_name));
378 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
379 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
380 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
381 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
386 if(!(sam_pass = pdb_getsampwnam(pipe_user_name))) {
387 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in passdb.\n",
395 if (sam_pass == NULL) {
396 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in passdb.\n",
401 /* Quit if the account was disabled. */
402 if((pdb_get_acct_ctrl(sam_pass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sam_pass)) {
403 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
407 if(!pdb_get_nt_passwd(sam_pass)) {
408 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
412 smb_passwd_ptr = pdb_get_lanman_passwd(sam_pass);
416 * Set up the sign/seal data.
421 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
433 for (ind = 0; ind < 256; ind++)
434 p->ntlmssp_hash[ind] = (unsigned char)ind;
436 for( ind = 0; ind < 256; ind++) {
439 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
441 tc = p->ntlmssp_hash[ind];
442 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
443 p->ntlmssp_hash[j] = tc;
446 p->ntlmssp_hash[256] = 0;
447 p->ntlmssp_hash[257] = 0;
449 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
450 p->ntlmssp_seq_num = 0;
454 fstrcpy(p->user_name, user_name);
455 fstrcpy(p->pipe_user_name, pipe_user_name);
456 fstrcpy(p->domain, domain);
457 fstrcpy(p->wks, wks);
460 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
462 p->pipe_user.uid = pdb_get_uid(sam_pass);
463 p->pipe_user.gid = pdb_get_gid(sam_pass);
465 /* Set up pipe user group membership. */
466 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
467 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
469 /* Create an NT_USER_TOKEN struct for this user. */
470 p->pipe_user.nt_user_token =
471 create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
472 p->pipe_user.ngroups, p->pipe_user.groups,
475 p->ntlmssp_auth_validated = True;
479 /*******************************************************************
480 The switch table for the pipe names and the functions to handle them.
481 *******************************************************************/
485 char * pipe_clnt_name;
486 char * pipe_srv_name;
487 BOOL (*fn) (pipes_struct *);
490 static struct api_cmd api_fd_commands[] =
492 { "lsarpc", "lsass", api_ntlsa_rpc },
493 { "samr", "lsass", api_samr_rpc },
494 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
495 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
496 { "NETLOGON", "lsass", api_netlog_rpc },
497 { "winreg", "winreg", api_reg_rpc },
498 { "spoolss", "spoolss", api_spoolss_rpc },
500 { "netdfs", "netdfs" , api_netdfs_rpc },
505 /*******************************************************************
506 This is the client reply to our challenge for an authenticated
507 bind request. The challenge we sent is in p->challenge.
508 *******************************************************************/
510 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
512 RPC_HDR_AUTHA autha_info;
513 RPC_AUTH_VERIFIER auth_verifier;
514 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
516 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
518 if (p->hdr.auth_len == 0) {
519 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
524 * Decode the authentication verifier response.
527 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
528 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
532 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
533 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
534 (int)autha_info.auth_type, (int)autha_info.auth_level ));
538 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
539 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
544 * Ensure this is a NTLMSSP_AUTH packet type.
547 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
548 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
552 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
553 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
558 * The following call actually checks the challenge/response data.
559 * for correctness against the given DOMAIN\user name.
562 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
570 /*******************************************************************
571 Marshall a bind_nak pdu.
572 *******************************************************************/
574 static BOOL setup_bind_nak(pipes_struct *p)
576 prs_struct outgoing_rpc;
580 /* Free any memory in the current return data buffer. */
581 prs_mem_free(&p->out_data.rdata);
584 * Marshall directly into the outgoing PDU space. We
585 * must do this as we need to set to the bind response
586 * header and are never sending more than one PDU here.
589 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
590 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
594 * Initialize a bind_nak header.
597 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
598 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
601 * Marshall the header into the outgoing PDU.
604 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
605 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
606 prs_mem_free(&outgoing_rpc);
611 * Now add the reject reason.
614 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
615 prs_mem_free(&outgoing_rpc);
619 p->out_data.data_sent_length = 0;
620 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
621 p->out_data.current_pdu_sent = 0;
623 p->pipe_bound = False;
628 /*******************************************************************
629 Marshall a fault pdu.
630 *******************************************************************/
632 BOOL setup_fault_pdu(pipes_struct *p)
634 prs_struct outgoing_pdu;
636 RPC_HDR_RESP hdr_resp;
637 RPC_HDR_FAULT fault_resp;
639 /* Free any memory in the current return data buffer. */
640 prs_mem_free(&p->out_data.rdata);
643 * Marshall directly into the outgoing PDU space. We
644 * must do this as we need to set to the bind response
645 * header and are never sending more than one PDU here.
648 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
649 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
652 * Initialize a fault header.
655 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
656 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
659 * Initialize the HDR_RESP and FAULT parts of the PDU.
662 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
664 fault_resp.status = 0x1c010002;
665 fault_resp.reserved = 0;
668 * Marshall the header into the outgoing PDU.
671 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
672 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
673 prs_mem_free(&outgoing_pdu);
677 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
678 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
679 prs_mem_free(&outgoing_pdu);
683 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
684 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
685 prs_mem_free(&outgoing_pdu);
689 p->out_data.data_sent_length = 0;
690 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
691 p->out_data.current_pdu_sent = 0;
693 prs_mem_free(&outgoing_pdu);
697 /*******************************************************************
698 Ensure a bind request has the correct abstract & transfer interface.
699 Used to reject unknown binds from Win2k.
700 *******************************************************************/
702 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
705 extern struct pipe_id_info pipe_names[];
708 fstrcpy(pname,"\\PIPE\\");
709 fstrcat(pname,pipe_name);
711 for(i=0;pipe_names[i].client_pipe; i++) {
712 if(strequal(pipe_names[i].client_pipe, pname))
716 if(pipe_names[i].client_pipe == NULL)
719 /* check the abstract interface */
720 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
721 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
722 sizeof(RPC_UUID)) != 0))
725 /* check the transfer interface */
726 if((transfer->version != pipe_names[i].trans_syntax.version) ||
727 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
728 sizeof(RPC_UUID)) != 0))
734 /*******************************************************************
735 Respond to a pipe bind request.
736 *******************************************************************/
738 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
742 RPC_HDR_AUTH auth_info;
744 fstring ack_pipe_name;
745 prs_struct out_hdr_ba;
747 prs_struct outgoing_rpc;
750 enum RPC_PKT_TYPE reply_pkt_type;
752 p->ntlmssp_auth_requested = False;
754 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
757 * Try and find the correct pipe name to ensure
758 * that this is a pipe name we support.
761 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
762 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
763 api_fd_commands[i].fn != NULL) {
764 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
765 api_fd_commands[i].pipe_clnt_name,
766 api_fd_commands[i].pipe_srv_name));
767 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
772 if (api_fd_commands[i].fn == NULL) {
773 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
775 if(!setup_bind_nak(p))
780 /* decode the bind request */
781 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
782 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
787 * Check if this is an authenticated request.
790 if (p->hdr.auth_len != 0) {
791 RPC_AUTH_VERIFIER auth_verifier;
792 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
795 * Decode the authentication verifier.
798 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
799 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
804 * We only support NTLMSSP_AUTH_TYPE requests.
807 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
808 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
809 auth_info.auth_type ));
813 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
814 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
818 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
819 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
823 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
824 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
825 auth_verifier.msg_type));
829 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
830 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
834 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
835 p->ntlmssp_auth_requested = True;
838 switch(p->hdr.pkt_type) {
840 /* name has to be \PIPE\xxxxx */
841 fstrcpy(ack_pipe_name, "\\PIPE\\");
842 fstrcat(ack_pipe_name, p->pipe_srv_name);
843 reply_pkt_type = RPC_BINDACK;
846 /* secondary address CAN be NULL
847 * as the specs say it's ignored.
848 * It MUST NULL to have the spoolss working.
850 fstrcpy(ack_pipe_name,"");
851 reply_pkt_type = RPC_ALTCONTRESP;
857 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
860 * Marshall directly into the outgoing PDU space. We
861 * must do this as we need to set to the bind response
862 * header and are never sending more than one PDU here.
865 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
866 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
869 * Setup the memory to marshall the ba header, and the
873 if(!prs_init(&out_hdr_ba, 1024, 4, p->mem_ctx, MARSHALL)) {
874 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
875 prs_mem_free(&outgoing_rpc);
879 if(!prs_init(&out_auth, 1024, 4, p->mem_ctx, MARSHALL)) {
880 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
881 prs_mem_free(&outgoing_rpc);
882 prs_mem_free(&out_hdr_ba);
886 if (p->ntlmssp_auth_requested)
889 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
892 * Create the bind response struct.
895 /* If the requested abstract synt uuid doesn't match our client pipe,
896 reject the bind_ack & set the transfer interface synt to all 0's,
897 ver 0 (observed when NT5 attempts to bind to abstract interfaces
899 Needed when adding entries to a DACL from NT5 - SK */
901 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
902 init_rpc_hdr_ba(&hdr_ba,
910 RPC_IFACE null_interface;
911 ZERO_STRUCT(null_interface);
912 /* Rejection reason: abstract syntax not supported */
913 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
914 MAX_PDU_FRAG_LEN, assoc_gid,
915 ack_pipe_name, 0x1, 0x2, 0x1,
923 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
924 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
929 * Now the authentication.
932 if (p->ntlmssp_auth_requested) {
933 RPC_AUTH_VERIFIER auth_verifier;
934 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
936 generate_random_buffer(p->challenge, 8, False);
938 /*** Authentication info ***/
940 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
941 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
942 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
946 /*** NTLMSSP verifier ***/
948 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
949 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
950 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
954 /* NTLMSSP challenge ***/
956 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
957 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
958 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
962 /* Auth len in the rpc header doesn't include auth_header. */
963 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
967 * Create the header, now we know the length.
970 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
972 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
976 * Marshall the header into the outgoing PDU.
979 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
980 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
985 * Now add the RPC_HDR_BA and any auth needed.
988 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
989 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
993 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
994 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
998 if(!p->ntlmssp_auth_requested)
999 p->pipe_bound = True;
1002 * Setup the lengths for the initial reply.
1005 p->out_data.data_sent_length = 0;
1006 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1007 p->out_data.current_pdu_sent = 0;
1009 prs_mem_free(&out_hdr_ba);
1010 prs_mem_free(&out_auth);
1016 prs_mem_free(&outgoing_rpc);
1017 prs_mem_free(&out_hdr_ba);
1018 prs_mem_free(&out_auth);
1022 /****************************************************************************
1023 Deal with sign & seal processing on an RPC request.
1024 ****************************************************************************/
1026 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1029 * We always negotiate the following two bits....
1031 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1032 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1038 auth_len = p->hdr.auth_len;
1040 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1041 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1046 * The following is that length of the data we must verify or unseal.
1047 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1048 * preceeding the auth_data.
1051 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1052 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1054 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1055 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1059 * The data in rpc_in doesn't contain the RPC_HEADER as this
1060 * has already been consumed.
1062 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1063 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1064 crc32 = crc32_calc_buffer(data, data_len);
1067 old_offset = prs_offset(rpc_in);
1069 if (auth_seal || auth_verify) {
1070 RPC_HDR_AUTH auth_info;
1072 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1073 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1074 (unsigned int)old_offset + data_len ));
1078 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1079 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1085 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1086 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1088 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1091 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1094 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1095 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1096 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1100 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1101 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1102 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1106 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1107 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1113 * Return the current pointer to the data offset.
1116 if(!prs_set_offset(rpc_in, old_offset)) {
1117 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1118 (unsigned int)old_offset ));
1125 /****************************************************************************
1126 Find the correct RPC function to call for this request.
1127 If the pipe is authenticated then become the correct UNIX user
1128 before doing the call.
1129 ****************************************************************************/
1131 BOOL api_pipe_request(pipes_struct *p)
1135 BOOL changed_user_id = False;
1137 if (p->ntlmssp_auth_validated) {
1139 if(!become_authenticated_pipe_user(p)) {
1140 prs_mem_free(&p->out_data.rdata);
1144 changed_user_id = True;
1147 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1148 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1149 api_fd_commands[i].fn != NULL) {
1150 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1151 ret = api_fd_commands[i].fn(p);
1156 unbecome_authenticated_pipe_user(p);
1161 /*******************************************************************
1162 Calls the underlying RPC function for a named pipe.
1163 ********************************************************************/
1165 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1166 struct api_struct *api_rpc_cmds)
1170 uint32 offset1, offset2;
1172 /* interpret the command */
1173 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1175 slprintf(name, sizeof(name), "in_%s", rpc_name);
1176 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1178 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1179 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1180 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1185 if (api_rpc_cmds[fn_num].name == NULL) {
1187 * For an unknown RPC just return a fault PDU but
1188 * return True to allow RPC's on the pipe to continue
1189 * and not put the pipe into fault state. JRA.
1191 DEBUG(4, ("unknown\n"));
1196 offset1 = prs_offset(&p->out_data.rdata);
1198 /* do the actual command */
1199 if(!api_rpc_cmds[fn_num].fn(p)) {
1200 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1201 prs_mem_free(&p->out_data.rdata);
1205 slprintf(name, sizeof(name), "out_%s", rpc_name);
1206 offset2 = prs_offset(&p->out_data.rdata);
1207 prs_set_offset(&p->out_data.rdata, offset1);
1208 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1209 prs_set_offset(&p->out_data.rdata, offset2);
1211 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1213 /* Check for buffer underflow in rpc parsing */
1215 if ((DEBUGLEVEL >= 10) &&
1216 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1217 int data_len = p->in_data.data.buffer_size -
1218 p->in_data.data.data_offset;
1221 data = malloc(data_len);
1223 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1225 prs_uint8s(False, "", &p->in_data.data, 0, data,