3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* this module apparently provides an implementation of DCE/RPC over a
27 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
28 * documentation are available (in on-line form) from the X-Open group.
30 * this module should provide a level of abstraction between SMB
31 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
32 * data copies, and network traffic.
34 * in this version, which takes a "let's learn what's going on and
35 * get something running" approach, there is additional network
36 * traffic generated, but the code should be easier to understand...
38 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
113 * Work out how much we can fit in a single PDU.
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len = MIN(data_len_left, data_space_available);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp.alloc_hint = data_len_left;
146 * Set up the header lengths.
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
159 * Work out if this PDU will be the last.
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 prs_mem_free(&outgoing_pdu);
180 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
181 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
182 prs_mem_free(&outgoing_pdu);
186 /* Store the current offset. */
187 data_pos = prs_offset(&outgoing_pdu);
189 /* Copy the data into the PDU. */
190 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
192 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
193 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
194 prs_mem_free(&outgoing_pdu);
199 * Set data to point to where we copied the data into.
202 data = prs_data_p(&outgoing_pdu) + data_pos;
204 if (p->hdr.auth_len > 0) {
207 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
208 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
211 crc32 = crc32_calc_buffer(data, data_len);
212 NTLMSSPcalc_p(p, (uchar*)data, data_len);
215 if (auth_seal || auth_verify) {
216 RPC_HDR_AUTH auth_info;
218 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
219 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
220 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
221 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
222 prs_mem_free(&outgoing_pdu);
228 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
229 char *auth_data = prs_data_p(&outgoing_pdu);
231 p->ntlmssp_seq_num++;
232 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
233 crc32, p->ntlmssp_seq_num++);
234 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
235 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
236 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
237 prs_mem_free(&outgoing_pdu);
240 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
245 * Setup the counts for this PDU.
248 p->out_data.data_sent_length += data_len;
249 p->out_data.current_pdu_len = p->hdr.frag_len;
250 p->out_data.current_pdu_sent = 0;
252 prs_mem_free(&outgoing_pdu);
256 /*******************************************************************
257 Process an NTLMSSP authentication response.
258 If this function succeeds, the user has been authenticated
259 and their domain, name and calling workstation stored in
261 The initial challenge is stored in p->challenge.
262 *******************************************************************/
264 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
269 fstring pipe_user_name;
272 BOOL guest_user = False;
273 struct smb_passwd *smb_pass = NULL;
274 struct passwd *pass = NULL;
275 uchar null_smb_passwd[16];
276 uchar *smb_passwd_ptr = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
286 * Setup an empty password for a guest user.
289 memset(null_smb_passwd,0,16);
292 * We always negotiate UNICODE.
295 if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
296 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
297 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
298 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
300 fstrcpy(user_name, ntlmssp_resp->user);
301 fstrcpy(domain, ntlmssp_resp->domain);
302 fstrcpy(wks, ntlmssp_resp->wks);
305 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
307 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
308 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
310 #ifdef DEBUG_PASSWORD
311 DEBUG(100,("lm, nt owfs, chal\n"));
312 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
313 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
314 dump_data(100, (char *)p->challenge, 8);
318 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
321 if((strlen(user_name) == 0) &&
322 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
326 fstrcpy(pipe_user_name, lp_guestaccount(-1));
327 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
329 smb_passwd_ptr = null_smb_passwd;
334 * Pass the user through the NT -> unix user mapping
338 fstrcpy(pipe_user_name, user_name);
339 (void)map_username(pipe_user_name);
342 * Do the length checking only if user is not NULL.
345 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
347 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
349 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
351 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
353 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
359 * Find the user in the unix password db.
362 if(!(pass = Get_Pwnam(pipe_user_name,True))) {
363 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",pipe_user_name));
371 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
372 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
373 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
374 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
379 if(!(smb_pass = getsmbpwnam(pipe_user_name))) {
380 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
388 if (smb_pass == NULL) {
389 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
394 /* Quit if the account was disabled. */
395 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
396 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
400 if(!smb_pass->smb_nt_passwd) {
401 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
405 smb_passwd_ptr = smb_pass->smb_passwd;
409 * Set up the sign/seal data.
414 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
426 for (ind = 0; ind < 256; ind++)
427 p->ntlmssp_hash[ind] = (unsigned char)ind;
429 for( ind = 0; ind < 256; ind++) {
432 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
434 tc = p->ntlmssp_hash[ind];
435 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
436 p->ntlmssp_hash[j] = tc;
439 p->ntlmssp_hash[256] = 0;
440 p->ntlmssp_hash[257] = 0;
442 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
443 p->ntlmssp_seq_num = 0;
447 fstrcpy(p->user_name, user_name);
448 fstrcpy(p->pipe_user_name, pipe_user_name);
449 fstrcpy(p->domain, domain);
450 fstrcpy(p->wks, wks);
453 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
456 p->pipe_user.uid = pass->pw_uid;
457 p->pipe_user.gid = pass->pw_gid;
459 /* XXX also set up pipe user group membership */
461 p->ntlmssp_auth_validated = True;
465 /*******************************************************************
466 The switch table for the pipe names and the functions to handle them.
467 *******************************************************************/
471 char * pipe_clnt_name;
472 char * pipe_srv_name;
473 BOOL (*fn) (pipes_struct *);
476 static struct api_cmd api_fd_commands[] =
478 { "lsarpc", "lsass", api_ntlsa_rpc },
479 { "samr", "lsass", api_samr_rpc },
480 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
481 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
482 { "NETLOGON", "lsass", api_netlog_rpc },
483 { "winreg", "winreg", api_reg_rpc },
484 { "spoolss", "spoolss", api_spoolss_rpc },
486 { "netdfs", "netdfs" , api_netdfs_rpc },
491 /*******************************************************************
492 This is the client reply to our challenge for an authenticated
493 bind request. The challenge we sent is in p->challenge.
494 *******************************************************************/
496 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
498 RPC_HDR_AUTHA autha_info;
499 RPC_AUTH_VERIFIER auth_verifier;
500 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
502 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
504 if (p->hdr.auth_len == 0) {
505 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
510 * Decode the authentication verifier response.
513 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
514 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
518 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
519 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
520 (int)autha_info.auth_type, (int)autha_info.auth_level ));
524 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
525 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
530 * Ensure this is a NTLMSSP_AUTH packet type.
533 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
534 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
538 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
539 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
544 * The following call actually checks the challenge/response data.
545 * for correctness against the given DOMAIN\user name.
548 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
556 /*******************************************************************
557 Marshall a bind_nak pdu.
558 *******************************************************************/
560 static BOOL setup_bind_nak(pipes_struct *p)
562 prs_struct outgoing_rpc;
566 /* Free any memory in the current return data buffer. */
567 prs_mem_free(&p->out_data.rdata);
570 * Marshall directly into the outgoing PDU space. We
571 * must do this as we need to set to the bind response
572 * header and are never sending more than one PDU here.
575 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
576 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
580 * Initialize a bind_nak header.
583 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
584 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
587 * Marshall the header into the outgoing PDU.
590 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
591 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
592 prs_mem_free(&outgoing_rpc);
597 * Now add the reject reason.
600 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
601 prs_mem_free(&outgoing_rpc);
605 p->out_data.data_sent_length = 0;
606 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
607 p->out_data.current_pdu_sent = 0;
609 p->pipe_bound = False;
614 /*******************************************************************
615 Marshall a fault pdu.
616 *******************************************************************/
618 BOOL setup_fault_pdu(pipes_struct *p)
620 prs_struct outgoing_pdu;
622 RPC_HDR_RESP hdr_resp;
623 RPC_HDR_FAULT fault_resp;
625 /* Free any memory in the current return data buffer. */
626 prs_mem_free(&p->out_data.rdata);
629 * Marshall directly into the outgoing PDU space. We
630 * must do this as we need to set to the bind response
631 * header and are never sending more than one PDU here.
634 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
635 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
638 * Initialize a fault header.
641 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
642 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
645 * Initialize the HDR_RESP and FAULT parts of the PDU.
648 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
650 fault_resp.status = 0x1c010002;
651 fault_resp.reserved = 0;
654 * Marshall the header into the outgoing PDU.
657 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
658 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
659 prs_mem_free(&outgoing_pdu);
663 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
664 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
665 prs_mem_free(&outgoing_pdu);
669 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
670 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
671 prs_mem_free(&outgoing_pdu);
675 p->out_data.data_sent_length = 0;
676 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
677 p->out_data.current_pdu_sent = 0;
679 prs_mem_free(&outgoing_pdu);
683 /*******************************************************************
684 Ensure a bind request has the correct abstract & transfer interface.
685 Used to reject unknown binds from Win2k.
686 *******************************************************************/
688 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
691 extern struct pipe_id_info pipe_names[];
694 fstrcpy(pname,"\\PIPE\\");
695 fstrcat(pname,pipe_name);
697 for(i=0;pipe_names[i].client_pipe; i++) {
698 if(strequal(pipe_names[i].client_pipe, pname))
702 if(pipe_names[i].client_pipe == NULL)
705 /* check the abstract interface */
706 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
707 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
708 sizeof(RPC_UUID)) != 0))
711 /* check the transfer interface */
712 if((transfer->version != pipe_names[i].trans_syntax.version) ||
713 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
714 sizeof(RPC_UUID)) != 0))
720 /*******************************************************************
721 Respond to a pipe bind request.
722 *******************************************************************/
724 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
728 RPC_HDR_AUTH auth_info;
730 fstring ack_pipe_name;
731 prs_struct out_hdr_ba;
733 prs_struct outgoing_rpc;
736 enum RPC_PKT_TYPE reply_pkt_type;
738 p->ntlmssp_auth_requested = False;
740 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
743 * Try and find the correct pipe name to ensure
744 * that this is a pipe name we support.
747 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
748 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
749 api_fd_commands[i].fn != NULL) {
750 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
751 api_fd_commands[i].pipe_clnt_name,
752 api_fd_commands[i].pipe_srv_name));
753 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
758 if (api_fd_commands[i].fn == NULL) {
759 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
761 if(!setup_bind_nak(p))
766 /* decode the bind request */
767 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
768 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
773 * Check if this is an authenticated request.
776 if (p->hdr.auth_len != 0) {
777 RPC_AUTH_VERIFIER auth_verifier;
778 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
781 * Decode the authentication verifier.
784 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
785 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
790 * We only support NTLMSSP_AUTH_TYPE requests.
793 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
794 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
795 auth_info.auth_type ));
799 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
800 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
804 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
805 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
809 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
810 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
811 auth_verifier.msg_type));
815 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
816 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
820 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
821 p->ntlmssp_auth_requested = True;
824 switch(p->hdr.pkt_type) {
826 /* name has to be \PIPE\xxxxx */
827 fstrcpy(ack_pipe_name, "\\PIPE\\");
828 fstrcat(ack_pipe_name, p->pipe_srv_name);
829 reply_pkt_type = RPC_BINDACK;
832 /* secondary address CAN be NULL
833 * as the specs say it's ignored.
834 * It MUST NULL to have the spoolss working.
836 fstrcpy(ack_pipe_name,"");
837 reply_pkt_type = RPC_ALTCONTRESP;
843 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
846 * Marshall directly into the outgoing PDU space. We
847 * must do this as we need to set to the bind response
848 * header and are never sending more than one PDU here.
851 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
852 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
855 * Setup the memory to marshall the ba header, and the
859 if(!prs_init(&out_hdr_ba, 1024, 4, p->mem_ctx, MARSHALL)) {
860 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
861 prs_mem_free(&outgoing_rpc);
865 if(!prs_init(&out_auth, 1024, 4, p->mem_ctx, MARSHALL)) {
866 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
867 prs_mem_free(&outgoing_rpc);
868 prs_mem_free(&out_hdr_ba);
872 if (p->ntlmssp_auth_requested)
875 assoc_gid = hdr_rb.bba.assoc_gid;
878 * Create the bind response struct.
881 /* If the requested abstract synt uuid doesn't match our client pipe,
882 reject the bind_ack & set the transfer interface synt to all 0's,
883 ver 0 (observed when NT5 attempts to bind to abstract interfaces
885 Needed when adding entries to a DACL from NT5 - SK */
887 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
888 init_rpc_hdr_ba(&hdr_ba,
896 RPC_IFACE null_interface;
897 ZERO_STRUCT(null_interface);
898 /* Rejection reason: abstract syntax not supported */
899 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
900 MAX_PDU_FRAG_LEN, assoc_gid,
901 ack_pipe_name, 0x1, 0x2, 0x1,
909 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
910 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
915 * Now the authentication.
918 if (p->ntlmssp_auth_requested) {
919 RPC_AUTH_VERIFIER auth_verifier;
920 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
922 generate_random_buffer(p->challenge, 8, False);
924 /*** Authentication info ***/
926 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
927 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
928 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
932 /*** NTLMSSP verifier ***/
934 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
935 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
936 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
940 /* NTLMSSP challenge ***/
942 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
943 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
944 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
948 /* Auth len in the rpc header doesn't include auth_header. */
949 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
953 * Create the header, now we know the length.
956 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
958 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
962 * Marshall the header into the outgoing PDU.
965 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
966 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
971 * Now add the RPC_HDR_BA and any auth needed.
974 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
975 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
979 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
980 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
984 if(!p->ntlmssp_auth_requested)
985 p->pipe_bound = True;
988 * Setup the lengths for the initial reply.
991 p->out_data.data_sent_length = 0;
992 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
993 p->out_data.current_pdu_sent = 0;
995 prs_mem_free(&out_hdr_ba);
996 prs_mem_free(&out_auth);
1002 prs_mem_free(&outgoing_rpc);
1003 prs_mem_free(&out_hdr_ba);
1004 prs_mem_free(&out_auth);
1008 /****************************************************************************
1009 Deal with sign & seal processing on an RPC request.
1010 ****************************************************************************/
1012 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1015 * We always negotiate the following two bits....
1017 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
1018 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
1024 auth_len = p->hdr.auth_len;
1026 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1027 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1032 * The following is that length of the data we must verify or unseal.
1033 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1034 * preceeding the auth_data.
1037 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1038 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1040 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1041 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1045 * The data in rpc_in doesn't contain the RPC_HEADER as this
1046 * has already been consumed.
1048 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1049 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1050 crc32 = crc32_calc_buffer(data, data_len);
1053 old_offset = prs_offset(rpc_in);
1055 if (auth_seal || auth_verify) {
1056 RPC_HDR_AUTH auth_info;
1058 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1059 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1060 (unsigned int)old_offset + data_len ));
1064 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1065 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1071 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1072 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1074 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1077 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1080 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1081 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1082 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1086 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1087 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1088 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1092 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1093 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1099 * Return the current pointer to the data offset.
1102 if(!prs_set_offset(rpc_in, old_offset)) {
1103 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1104 (unsigned int)old_offset ));
1111 /****************************************************************************
1112 Find the correct RPC function to call for this request.
1113 If the pipe is authenticated then become the correct UNIX user
1114 before doing the call.
1115 ****************************************************************************/
1117 BOOL api_pipe_request(pipes_struct *p)
1121 BOOL changed_user_id = False;
1123 if (p->ntlmssp_auth_validated) {
1125 if(!become_authenticated_pipe_user(p)) {
1126 prs_mem_free(&p->out_data.rdata);
1130 changed_user_id = True;
1133 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1134 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1135 api_fd_commands[i].fn != NULL) {
1136 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1137 ret = api_fd_commands[i].fn(p);
1142 unbecome_authenticated_pipe_user(p);
1147 /*******************************************************************
1148 Calls the underlying RPC function for a named pipe.
1149 ********************************************************************/
1151 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1152 struct api_struct *api_rpc_cmds)
1156 uint32 offset1, offset2;
1158 /* interpret the command */
1159 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1161 slprintf(name, sizeof(name), "in_%s", rpc_name);
1162 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1164 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1165 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1166 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1171 if (api_rpc_cmds[fn_num].name == NULL) {
1173 * For an unknown RPC just return a fault PDU but
1174 * return True to allow RPC's on the pipe to continue
1175 * and not put the pipe into fault state. JRA.
1177 DEBUG(4, ("unknown\n"));
1182 offset1 = prs_offset(&p->out_data.rdata);
1184 /* do the actual command */
1185 if(!api_rpc_cmds[fn_num].fn(p)) {
1186 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1187 prs_mem_free(&p->out_data.rdata);
1191 slprintf(name, sizeof(name), "out_%s", rpc_name);
1192 offset2 = prs_offset(&p->out_data.rdata);
1193 prs_set_offset(&p->out_data.rdata, offset1);
1194 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1195 prs_set_offset(&p->out_data.rdata, offset2);
1197 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));