2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
45 unsigned char *hash = p->ntlmssp_hash;
46 unsigned char index_i = hash[256];
47 unsigned char index_j = hash[257];
50 for( ind = 0; ind < len; ind++) {
55 index_j += hash[index_i];
58 hash[index_i] = hash[index_j];
61 t = hash[index_i] + hash[index_j];
62 data[ind] = data[ind] ^ hash[t];
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
75 BOOL create_next_pdu(pipes_struct *p)
77 RPC_HDR_RESP hdr_resp;
78 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
81 uint32 data_space_available;
83 prs_struct outgoing_pdu;
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
94 setup_fault_pdu(p, NT_STATUS(0x1c010002));
98 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
100 /* Change the incoming request header to a response. */
101 p->hdr.pkt_type = RPC_RESPONSE;
103 /* Set up rpc header flags. */
104 if (p->out_data.data_sent_length == 0)
105 p->hdr.flags = RPC_FLG_FIRST;
110 * Work out how much we can fit in a single PDU.
113 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114 if(p->ntlmssp_auth_validated)
115 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
122 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125 * Ensure there really is data left to send.
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 data_len = MIN(data_len_left, data_space_available);
136 * Set up the alloc hint. This should be the data left to
140 hdr_resp.alloc_hint = data_len_left;
143 * Set up the header lengths.
146 if (p->ntlmssp_auth_validated) {
147 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
156 * Work out if this PDU will be the last.
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160 p->hdr.flags |= RPC_FLG_LAST;
163 * Init the parse struct to point at the outgoing
167 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu);
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu);
183 /* Store the current offset. */
184 data_pos = prs_offset(&outgoing_pdu);
186 /* Copy the data into the PDU. */
187 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu);
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226 char *auth_data = prs_data_p(&outgoing_pdu);
228 p->ntlmssp_seq_num++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230 crc32, p->ntlmssp_seq_num++);
231 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu);
237 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
242 * Setup the counts for this PDU.
245 p->out_data.data_sent_length += data_len;
246 p->out_data.current_pdu_len = p->hdr.frag_len;
247 p->out_data.current_pdu_sent = 0;
249 prs_mem_free(&outgoing_pdu);
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
273 struct auth_context *auth_context = NULL;
274 auth_usersupplied_info *user_info = NULL;
275 auth_serversupplied_info *server_info = NULL;
280 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
282 memset(p->user_name, '\0', sizeof(p->user_name));
283 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
284 memset(p->domain, '\0', sizeof(p->domain));
285 memset(p->wks, '\0', sizeof(p->wks));
287 /* Set up for non-authenticated user. */
288 delete_nt_token(&p->pipe_user.nt_user_token);
289 p->pipe_user.ngroups = 0;
290 SAFE_FREE( p->pipe_user.groups);
293 * Setup an empty password for a guest user.
297 * We always negotiate UNICODE.
300 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
302 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
303 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
305 pull_ascii_fstring(user_name, ntlmssp_resp->user);
306 pull_ascii_fstring(domain, ntlmssp_resp->domain);
307 pull_ascii_fstring(wks, ntlmssp_resp->wks);
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
312 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
313 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
315 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
316 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
318 #ifdef DEBUG_PASSWORD
319 DEBUG(100,("lm, nt owfs, chal\n"));
320 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
321 dump_data(100, (char *)nt_owf, nt_pw_len);
322 dump_data(100, (char *)p->challenge, 8);
326 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
332 * Do the length checking only if user is not NULL.
335 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
337 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
339 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
341 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
343 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
348 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
350 if (!make_user_info_netlogon_network(&user_info,
351 user_name, domain, wks,
353 nt_owf, nt_pw_len)) {
354 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
358 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
360 (auth_context->free)(&auth_context);
361 free_user_info(&user_info);
363 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
365 if (!p->ntlmssp_auth_validated) {
366 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
367 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
368 free_server_info(&server_info);
373 * Set up the sign/seal data.
378 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
390 for (ind = 0; ind < 256; ind++)
391 p->ntlmssp_hash[ind] = (unsigned char)ind;
393 for( ind = 0; ind < 256; ind++) {
396 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
398 tc = p->ntlmssp_hash[ind];
399 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
400 p->ntlmssp_hash[j] = tc;
403 p->ntlmssp_hash[256] = 0;
404 p->ntlmssp_hash[257] = 0;
406 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
407 p->ntlmssp_seq_num = 0;
411 fstrcpy(p->user_name, user_name);
412 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
413 fstrcpy(p->domain, domain);
414 fstrcpy(p->wks, wks);
417 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
420 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
421 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
422 free_server_info(&server_info);
426 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
428 uid = pdb_get_uid(server_info->sam_account);
429 gid = pdb_get_gid(server_info->sam_account);
431 p->pipe_user.uid = uid;
432 p->pipe_user.gid = gid;
434 /* Set up pipe user group membership. */
435 initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
436 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
438 if (server_info->ptok)
439 add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
441 /* Create an NT_USER_TOKEN struct for this user. */
442 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
443 p->pipe_user.ngroups, p->pipe_user.groups,
444 server_info->guest, server_info->ptok);
446 p->ntlmssp_auth_validated = True;
448 pdb_free_sam(&server_info->sam_account);
452 /*******************************************************************
453 The switch table for the pipe names and the functions to handle them.
454 *******************************************************************/
458 char * pipe_clnt_name;
459 char * pipe_srv_name;
460 BOOL (*fn) (pipes_struct *);
463 static struct api_cmd api_fd_commands[] =
465 { "lsarpc", "lsass", api_ntlsa_rpc },
466 { "samr", "lsass", api_samr_rpc },
467 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
468 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
469 { "NETLOGON", "lsass", api_netlog_rpc },
470 { "winreg", "winreg", api_reg_rpc },
471 { "spoolss", "spoolss", api_spoolss_rpc },
472 { "netdfs", "netdfs" , api_netdfs_rpc },
476 /*******************************************************************
477 This is the client reply to our challenge for an authenticated
478 bind request. The challenge we sent is in p->challenge.
479 *******************************************************************/
481 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
483 RPC_HDR_AUTHA autha_info;
484 RPC_AUTH_VERIFIER auth_verifier;
485 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
487 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
489 if (p->hdr.auth_len == 0) {
490 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
495 * Decode the authentication verifier response.
498 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
499 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
503 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
504 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
505 (int)autha_info.auth_type, (int)autha_info.auth_level ));
509 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
510 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
515 * Ensure this is a NTLMSSP_AUTH packet type.
518 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
519 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
523 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
524 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
529 * The following call actually checks the challenge/response data.
530 * for correctness against the given DOMAIN\user name.
533 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
541 /*******************************************************************
542 Marshall a bind_nak pdu.
543 *******************************************************************/
545 static BOOL setup_bind_nak(pipes_struct *p)
547 prs_struct outgoing_rpc;
551 /* Free any memory in the current return data buffer. */
552 prs_mem_free(&p->out_data.rdata);
555 * Marshall directly into the outgoing PDU space. We
556 * must do this as we need to set to the bind response
557 * header and are never sending more than one PDU here.
560 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
561 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
565 * Initialize a bind_nak header.
568 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
569 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
572 * Marshall the header into the outgoing PDU.
575 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
576 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
577 prs_mem_free(&outgoing_rpc);
582 * Now add the reject reason.
585 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
586 prs_mem_free(&outgoing_rpc);
590 p->out_data.data_sent_length = 0;
591 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
592 p->out_data.current_pdu_sent = 0;
594 p->pipe_bound = False;
599 /*******************************************************************
600 Marshall a fault pdu.
601 *******************************************************************/
603 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
605 prs_struct outgoing_pdu;
607 RPC_HDR_RESP hdr_resp;
608 RPC_HDR_FAULT fault_resp;
610 /* Free any memory in the current return data buffer. */
611 prs_mem_free(&p->out_data.rdata);
614 * Marshall directly into the outgoing PDU space. We
615 * must do this as we need to set to the bind response
616 * header and are never sending more than one PDU here.
619 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
620 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
623 * Initialize a fault header.
626 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
627 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
630 * Initialize the HDR_RESP and FAULT parts of the PDU.
633 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
635 fault_resp.status = status;
636 fault_resp.reserved = 0;
639 * Marshall the header into the outgoing PDU.
642 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
643 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
644 prs_mem_free(&outgoing_pdu);
648 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
649 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
650 prs_mem_free(&outgoing_pdu);
654 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
655 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
656 prs_mem_free(&outgoing_pdu);
660 p->out_data.data_sent_length = 0;
661 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
662 p->out_data.current_pdu_sent = 0;
664 prs_mem_free(&outgoing_pdu);
668 /*******************************************************************
669 Ensure a bind request has the correct abstract & transfer interface.
670 Used to reject unknown binds from Win2k.
671 *******************************************************************/
673 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
676 extern struct pipe_id_info pipe_names[];
679 fstrcpy(pname,"\\PIPE\\");
680 fstrcat(pname,pipe_name);
682 for(i=0;pipe_names[i].client_pipe; i++) {
683 if(strequal(pipe_names[i].client_pipe, pname))
687 if(pipe_names[i].client_pipe == NULL)
690 /* check the abstract interface */
691 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
692 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
693 sizeof(RPC_UUID)) != 0))
696 /* check the transfer interface */
697 if((transfer->version != pipe_names[i].trans_syntax.version) ||
698 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
699 sizeof(RPC_UUID)) != 0))
705 /*******************************************************************
706 Respond to a pipe bind request.
707 *******************************************************************/
709 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
713 RPC_HDR_AUTH auth_info;
715 fstring ack_pipe_name;
716 prs_struct out_hdr_ba;
718 prs_struct outgoing_rpc;
721 enum RPC_PKT_TYPE reply_pkt_type;
723 p->ntlmssp_auth_requested = False;
725 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
728 * Try and find the correct pipe name to ensure
729 * that this is a pipe name we support.
732 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
733 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
734 api_fd_commands[i].fn != NULL) {
735 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
736 api_fd_commands[i].pipe_clnt_name,
737 api_fd_commands[i].pipe_srv_name));
738 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
743 if (api_fd_commands[i].fn == NULL) {
744 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
746 if(!setup_bind_nak(p))
751 /* decode the bind request */
752 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
753 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
758 * Check if this is an authenticated request.
761 if (p->hdr.auth_len != 0) {
762 RPC_AUTH_VERIFIER auth_verifier;
763 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
766 * Decode the authentication verifier.
769 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
770 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
775 * We only support NTLMSSP_AUTH_TYPE requests.
778 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
779 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
780 auth_info.auth_type ));
784 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
785 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
789 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
790 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
794 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
795 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
796 auth_verifier.msg_type));
800 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
801 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
805 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
806 p->ntlmssp_auth_requested = True;
809 switch(p->hdr.pkt_type) {
811 /* name has to be \PIPE\xxxxx */
812 fstrcpy(ack_pipe_name, "\\PIPE\\");
813 fstrcat(ack_pipe_name, p->pipe_srv_name);
814 reply_pkt_type = RPC_BINDACK;
817 /* secondary address CAN be NULL
818 * as the specs say it's ignored.
819 * It MUST NULL to have the spoolss working.
821 fstrcpy(ack_pipe_name,"");
822 reply_pkt_type = RPC_ALTCONTRESP;
828 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
831 * Marshall directly into the outgoing PDU space. We
832 * must do this as we need to set to the bind response
833 * header and are never sending more than one PDU here.
836 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
837 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
840 * Setup the memory to marshall the ba header, and the
844 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
845 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
846 prs_mem_free(&outgoing_rpc);
850 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
851 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
852 prs_mem_free(&outgoing_rpc);
853 prs_mem_free(&out_hdr_ba);
857 if (p->ntlmssp_auth_requested)
860 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
863 * Create the bind response struct.
866 /* If the requested abstract synt uuid doesn't match our client pipe,
867 reject the bind_ack & set the transfer interface synt to all 0's,
868 ver 0 (observed when NT5 attempts to bind to abstract interfaces
870 Needed when adding entries to a DACL from NT5 - SK */
872 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
873 init_rpc_hdr_ba(&hdr_ba,
881 RPC_IFACE null_interface;
882 ZERO_STRUCT(null_interface);
883 /* Rejection reason: abstract syntax not supported */
884 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
885 MAX_PDU_FRAG_LEN, assoc_gid,
886 ack_pipe_name, 0x1, 0x2, 0x1,
894 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
895 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
900 * Now the authentication.
903 if (p->ntlmssp_auth_requested) {
904 RPC_AUTH_VERIFIER auth_verifier;
905 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
907 generate_random_buffer(p->challenge, 8, False);
909 /*** Authentication info ***/
911 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
912 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
913 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
917 /*** NTLMSSP verifier ***/
919 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
920 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
921 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
925 /* NTLMSSP challenge ***/
927 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
928 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
929 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
933 /* Auth len in the rpc header doesn't include auth_header. */
934 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
938 * Create the header, now we know the length.
941 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
943 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
947 * Marshall the header into the outgoing PDU.
950 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
951 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
956 * Now add the RPC_HDR_BA and any auth needed.
959 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
960 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
964 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
965 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
969 if(!p->ntlmssp_auth_requested)
970 p->pipe_bound = True;
973 * Setup the lengths for the initial reply.
976 p->out_data.data_sent_length = 0;
977 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
978 p->out_data.current_pdu_sent = 0;
980 prs_mem_free(&out_hdr_ba);
981 prs_mem_free(&out_auth);
987 prs_mem_free(&outgoing_rpc);
988 prs_mem_free(&out_hdr_ba);
989 prs_mem_free(&out_auth);
993 /****************************************************************************
994 Deal with sign & seal processing on an RPC request.
995 ****************************************************************************/
997 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1000 * We always negotiate the following two bits....
1002 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1003 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1009 auth_len = p->hdr.auth_len;
1011 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1012 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1017 * The following is that length of the data we must verify or unseal.
1018 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1019 * preceeding the auth_data.
1022 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1023 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1025 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1026 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1030 * The data in rpc_in doesn't contain the RPC_HEADER as this
1031 * has already been consumed.
1033 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1034 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1035 crc32 = crc32_calc_buffer(data, data_len);
1038 old_offset = prs_offset(rpc_in);
1040 if (auth_seal || auth_verify) {
1041 RPC_HDR_AUTH auth_info;
1043 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1044 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1045 (unsigned int)old_offset + data_len ));
1049 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1050 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1056 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1057 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1059 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1062 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1065 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1066 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1067 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1071 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1072 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1073 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1077 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1078 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1084 * Return the current pointer to the data offset.
1087 if(!prs_set_offset(rpc_in, old_offset)) {
1088 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1089 (unsigned int)old_offset ));
1096 /****************************************************************************
1097 Return a user struct for a pipe user.
1098 ****************************************************************************/
1100 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1102 if (p->ntlmssp_auth_validated) {
1103 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1105 extern struct current_user current_user;
1106 memcpy(user, ¤t_user, sizeof(struct current_user));
1112 /****************************************************************************
1113 Find the correct RPC function to call for this request.
1114 If the pipe is authenticated then become the correct UNIX user
1115 before doing the call.
1116 ****************************************************************************/
1118 BOOL api_pipe_request(pipes_struct *p)
1123 if (p->ntlmssp_auth_validated) {
1125 if(!become_authenticated_pipe_user(p)) {
1126 prs_mem_free(&p->out_data.rdata);
1131 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1132 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1133 api_fd_commands[i].fn != NULL) {
1134 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1135 set_current_rpc_talloc(p->mem_ctx);
1136 ret = api_fd_commands[i].fn(p);
1137 set_current_rpc_talloc(NULL);
1141 if(p->ntlmssp_auth_validated)
1142 unbecome_authenticated_pipe_user();
1147 /*******************************************************************
1148 Calls the underlying RPC function for a named pipe.
1149 ********************************************************************/
1151 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1152 struct api_struct *api_rpc_cmds)
1156 uint32 offset1, offset2;
1158 /* interpret the command */
1159 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1161 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1162 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1164 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1165 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1166 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1171 if (api_rpc_cmds[fn_num].name == NULL) {
1173 * For an unknown RPC just return a fault PDU but
1174 * return True to allow RPC's on the pipe to continue
1175 * and not put the pipe into fault state. JRA.
1177 DEBUG(4, ("unknown\n"));
1178 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1182 offset1 = prs_offset(&p->out_data.rdata);
1184 /* do the actual command */
1185 if(!api_rpc_cmds[fn_num].fn(p)) {
1186 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1187 prs_mem_free(&p->out_data.rdata);
1191 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1192 offset2 = prs_offset(&p->out_data.rdata);
1193 prs_set_offset(&p->out_data.rdata, offset1);
1194 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1195 prs_set_offset(&p->out_data.rdata, offset2);
1197 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1199 /* Check for buffer underflow in rpc parsing */
1201 if ((DEBUGLEVEL >= 10) &&
1202 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1203 int data_len = p->in_data.data.buffer_size -
1204 p->in_data.data.data_offset;
1207 data = malloc(data_len);
1209 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1211 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,