2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 extern int DEBUGLEVEL;
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
52 for( ind = 0; ind < len; ind++) {
57 index_j += hash[index_i];
60 hash[index_i] = hash[index_j];
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
77 BOOL create_next_pdu(pipes_struct *p)
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
83 uint32 data_space_available;
85 prs_struct outgoing_pdu;
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
96 setup_fault_pdu(p, NT_STATUS(0x1c010002));
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
112 * Work out how much we can fit in a single PDU.
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
127 * Ensure there really is data left to send.
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
135 data_len = MIN(data_len_left, data_space_available);
138 * Set up the alloc hint. This should be the data left to
142 hdr_resp.alloc_hint = data_len_left;
145 * Set up the header lengths.
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
158 * Work out if this PDU will be the last.
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
165 * Init the parse struct to point at the outgoing
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
198 * Set data to point to where we copied the data into.
201 data = prs_data_p(&outgoing_pdu) + data_pos;
203 if (p->hdr.auth_len > 0) {
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
244 * Setup the counts for this PDU.
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
251 prs_mem_free(&outgoing_pdu);
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
270 fstring pipe_user_name;
273 BOOL guest_user = False;
274 SAM_ACCOUNT *sampass = NULL;
275 uchar null_smb_passwd[16];
276 uchar *smb_passwd_ptr = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 SAFE_FREE( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
294 memset(null_smb_passwd,0,16);
297 * We always negotiate UNICODE.
300 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
302 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
303 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
305 pull_ascii_fstring(user_name, ntlmssp_resp->user);
306 pull_ascii_fstring(domain, ntlmssp_resp->domain);
307 pull_ascii_fstring(wks, ntlmssp_resp->wks);
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
312 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
313 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
315 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
316 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
318 #ifdef DEBUG_PASSWORD
319 DEBUG(100,("lm, nt owfs, chal\n"));
320 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
321 dump_data(100, (char *)nt_owf, nt_pw_len);
322 dump_data(100, (char *)p->challenge, 8);
326 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
329 if((strlen(user_name) == 0) &&
330 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
334 fstrcpy(pipe_user_name, lp_guestaccount(-1));
335 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
337 smb_passwd_ptr = null_smb_passwd;
342 * Pass the user through the NT -> unix user mapping
346 fstrcpy(pipe_user_name, user_name);
347 (void)map_username(pipe_user_name);
350 * Do the length checking only if user is not NULL.
353 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
355 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
357 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
359 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
361 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
370 p->ntlmssp_auth_validated =
371 NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL,
373 (uchar*)p->challenge,
376 if (!p->ntlmssp_auth_validated) {
377 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
378 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
383 pdb_init_sam(&sampass);
385 if(!pdb_getsampwnam(sampass, pipe_user_name)) {
386 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
388 pdb_free_sam(&sampass);
395 if(!pdb_get_nt_passwd(sampass)) {
396 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
397 pdb_free_sam(&sampass);
401 smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
405 * Set up the sign/seal data.
410 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
422 for (ind = 0; ind < 256; ind++)
423 p->ntlmssp_hash[ind] = (unsigned char)ind;
425 for( ind = 0; ind < 256; ind++) {
428 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
430 tc = p->ntlmssp_hash[ind];
431 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
432 p->ntlmssp_hash[j] = tc;
435 p->ntlmssp_hash[256] = 0;
436 p->ntlmssp_hash[257] = 0;
438 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
439 p->ntlmssp_seq_num = 0;
443 fstrcpy(p->user_name, user_name);
444 fstrcpy(p->pipe_user_name, pipe_user_name);
445 fstrcpy(p->domain, domain);
446 fstrcpy(p->wks, wks);
449 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
452 p->pipe_user.uid = pdb_get_uid(sampass);
453 p->pipe_user.gid = pdb_get_gid(sampass);
455 /* Set up pipe user group membership. */
456 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
457 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
459 /* Create an NT_USER_TOKEN struct for this user. */
460 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
461 p->pipe_user.ngroups, p->pipe_user.groups,
464 p->ntlmssp_auth_validated = True;
466 pdb_free_sam(&sampass);
470 /*******************************************************************
471 The switch table for the pipe names and the functions to handle them.
472 *******************************************************************/
476 char * pipe_clnt_name;
477 char * pipe_srv_name;
478 BOOL (*fn) (pipes_struct *);
481 static struct api_cmd api_fd_commands[] =
483 { "lsarpc", "lsass", api_ntlsa_rpc },
484 { "samr", "lsass", api_samr_rpc },
485 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
486 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
487 { "NETLOGON", "lsass", api_netlog_rpc },
488 { "winreg", "winreg", api_reg_rpc },
489 { "spoolss", "spoolss", api_spoolss_rpc },
490 { "netdfs", "netdfs" , api_netdfs_rpc },
494 /*******************************************************************
495 This is the client reply to our challenge for an authenticated
496 bind request. The challenge we sent is in p->challenge.
497 *******************************************************************/
499 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
501 RPC_HDR_AUTHA autha_info;
502 RPC_AUTH_VERIFIER auth_verifier;
503 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
505 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
507 if (p->hdr.auth_len == 0) {
508 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
513 * Decode the authentication verifier response.
516 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
517 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
521 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
522 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
523 (int)autha_info.auth_type, (int)autha_info.auth_level ));
527 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
528 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
533 * Ensure this is a NTLMSSP_AUTH packet type.
536 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
537 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
541 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
542 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
547 * The following call actually checks the challenge/response data.
548 * for correctness against the given DOMAIN\user name.
551 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
559 /*******************************************************************
560 Marshall a bind_nak pdu.
561 *******************************************************************/
563 static BOOL setup_bind_nak(pipes_struct *p)
565 prs_struct outgoing_rpc;
569 /* Free any memory in the current return data buffer. */
570 prs_mem_free(&p->out_data.rdata);
573 * Marshall directly into the outgoing PDU space. We
574 * must do this as we need to set to the bind response
575 * header and are never sending more than one PDU here.
578 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
579 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
583 * Initialize a bind_nak header.
586 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
587 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
590 * Marshall the header into the outgoing PDU.
593 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
594 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
595 prs_mem_free(&outgoing_rpc);
600 * Now add the reject reason.
603 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
604 prs_mem_free(&outgoing_rpc);
608 p->out_data.data_sent_length = 0;
609 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
610 p->out_data.current_pdu_sent = 0;
612 p->pipe_bound = False;
617 /*******************************************************************
618 Marshall a fault pdu.
619 *******************************************************************/
621 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
623 prs_struct outgoing_pdu;
625 RPC_HDR_RESP hdr_resp;
626 RPC_HDR_FAULT fault_resp;
628 /* Free any memory in the current return data buffer. */
629 prs_mem_free(&p->out_data.rdata);
632 * Marshall directly into the outgoing PDU space. We
633 * must do this as we need to set to the bind response
634 * header and are never sending more than one PDU here.
637 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
638 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
641 * Initialize a fault header.
644 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
645 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
648 * Initialize the HDR_RESP and FAULT parts of the PDU.
651 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
653 fault_resp.status = status;
654 fault_resp.reserved = 0;
657 * Marshall the header into the outgoing PDU.
660 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
661 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
662 prs_mem_free(&outgoing_pdu);
666 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
667 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
668 prs_mem_free(&outgoing_pdu);
672 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
673 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
674 prs_mem_free(&outgoing_pdu);
678 p->out_data.data_sent_length = 0;
679 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
680 p->out_data.current_pdu_sent = 0;
682 prs_mem_free(&outgoing_pdu);
686 /*******************************************************************
687 Ensure a bind request has the correct abstract & transfer interface.
688 Used to reject unknown binds from Win2k.
689 *******************************************************************/
691 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
694 extern struct pipe_id_info pipe_names[];
697 fstrcpy(pname,"\\PIPE\\");
698 fstrcat(pname,pipe_name);
700 for(i=0;pipe_names[i].client_pipe; i++) {
701 if(strequal(pipe_names[i].client_pipe, pname))
705 if(pipe_names[i].client_pipe == NULL)
708 /* check the abstract interface */
709 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
710 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
711 sizeof(RPC_UUID)) != 0))
714 /* check the transfer interface */
715 if((transfer->version != pipe_names[i].trans_syntax.version) ||
716 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
717 sizeof(RPC_UUID)) != 0))
723 /*******************************************************************
724 Respond to a pipe bind request.
725 *******************************************************************/
727 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
731 RPC_HDR_AUTH auth_info;
733 fstring ack_pipe_name;
734 prs_struct out_hdr_ba;
736 prs_struct outgoing_rpc;
739 enum RPC_PKT_TYPE reply_pkt_type;
741 p->ntlmssp_auth_requested = False;
743 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
746 * Try and find the correct pipe name to ensure
747 * that this is a pipe name we support.
750 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
751 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
752 api_fd_commands[i].fn != NULL) {
753 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
754 api_fd_commands[i].pipe_clnt_name,
755 api_fd_commands[i].pipe_srv_name));
756 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
761 if (api_fd_commands[i].fn == NULL) {
762 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
764 if(!setup_bind_nak(p))
769 /* decode the bind request */
770 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
771 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
776 * Check if this is an authenticated request.
779 if (p->hdr.auth_len != 0) {
780 RPC_AUTH_VERIFIER auth_verifier;
781 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
784 * Decode the authentication verifier.
787 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
788 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
793 * We only support NTLMSSP_AUTH_TYPE requests.
796 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
797 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
798 auth_info.auth_type ));
802 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
803 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
807 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
808 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
812 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
813 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
814 auth_verifier.msg_type));
818 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
819 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
823 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
824 p->ntlmssp_auth_requested = True;
827 switch(p->hdr.pkt_type) {
829 /* name has to be \PIPE\xxxxx */
830 fstrcpy(ack_pipe_name, "\\PIPE\\");
831 fstrcat(ack_pipe_name, p->pipe_srv_name);
832 reply_pkt_type = RPC_BINDACK;
835 /* secondary address CAN be NULL
836 * as the specs say it's ignored.
837 * It MUST NULL to have the spoolss working.
839 fstrcpy(ack_pipe_name,"");
840 reply_pkt_type = RPC_ALTCONTRESP;
846 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
849 * Marshall directly into the outgoing PDU space. We
850 * must do this as we need to set to the bind response
851 * header and are never sending more than one PDU here.
854 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
855 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
858 * Setup the memory to marshall the ba header, and the
862 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
863 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
864 prs_mem_free(&outgoing_rpc);
868 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
869 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
870 prs_mem_free(&outgoing_rpc);
871 prs_mem_free(&out_hdr_ba);
875 if (p->ntlmssp_auth_requested)
878 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
881 * Create the bind response struct.
884 /* If the requested abstract synt uuid doesn't match our client pipe,
885 reject the bind_ack & set the transfer interface synt to all 0's,
886 ver 0 (observed when NT5 attempts to bind to abstract interfaces
888 Needed when adding entries to a DACL from NT5 - SK */
890 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
891 init_rpc_hdr_ba(&hdr_ba,
899 RPC_IFACE null_interface;
900 ZERO_STRUCT(null_interface);
901 /* Rejection reason: abstract syntax not supported */
902 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
903 MAX_PDU_FRAG_LEN, assoc_gid,
904 ack_pipe_name, 0x1, 0x2, 0x1,
912 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
913 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
918 * Now the authentication.
921 if (p->ntlmssp_auth_requested) {
922 RPC_AUTH_VERIFIER auth_verifier;
923 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
925 generate_random_buffer(p->challenge, 8, False);
927 /*** Authentication info ***/
929 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
930 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
931 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
935 /*** NTLMSSP verifier ***/
937 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
938 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
939 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
943 /* NTLMSSP challenge ***/
945 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
946 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
947 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
951 /* Auth len in the rpc header doesn't include auth_header. */
952 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
956 * Create the header, now we know the length.
959 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
961 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
965 * Marshall the header into the outgoing PDU.
968 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
969 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
974 * Now add the RPC_HDR_BA and any auth needed.
977 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
978 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
982 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
983 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
987 if(!p->ntlmssp_auth_requested)
988 p->pipe_bound = True;
991 * Setup the lengths for the initial reply.
994 p->out_data.data_sent_length = 0;
995 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
996 p->out_data.current_pdu_sent = 0;
998 prs_mem_free(&out_hdr_ba);
999 prs_mem_free(&out_auth);
1005 prs_mem_free(&outgoing_rpc);
1006 prs_mem_free(&out_hdr_ba);
1007 prs_mem_free(&out_auth);
1011 /****************************************************************************
1012 Deal with sign & seal processing on an RPC request.
1013 ****************************************************************************/
1015 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1018 * We always negotiate the following two bits....
1020 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1021 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1027 auth_len = p->hdr.auth_len;
1029 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1030 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1035 * The following is that length of the data we must verify or unseal.
1036 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1037 * preceeding the auth_data.
1040 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1041 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1043 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1044 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1048 * The data in rpc_in doesn't contain the RPC_HEADER as this
1049 * has already been consumed.
1051 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1052 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1053 crc32 = crc32_calc_buffer(data, data_len);
1056 old_offset = prs_offset(rpc_in);
1058 if (auth_seal || auth_verify) {
1059 RPC_HDR_AUTH auth_info;
1061 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1062 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1063 (unsigned int)old_offset + data_len ));
1067 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1068 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1074 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1075 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1077 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1080 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1083 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1084 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1085 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1089 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1090 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1091 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1095 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1096 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1102 * Return the current pointer to the data offset.
1105 if(!prs_set_offset(rpc_in, old_offset)) {
1106 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1107 (unsigned int)old_offset ));
1114 /****************************************************************************
1115 Return a user struct for a pipe user.
1116 ****************************************************************************/
1118 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1120 if (p->ntlmssp_auth_validated) {
1121 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1123 extern struct current_user current_user;
1124 memcpy(user, ¤t_user, sizeof(struct current_user));
1130 /****************************************************************************
1131 Find the correct RPC function to call for this request.
1132 If the pipe is authenticated then become the correct UNIX user
1133 before doing the call.
1134 ****************************************************************************/
1136 BOOL api_pipe_request(pipes_struct *p)
1140 BOOL changed_user_id = False;
1142 if (p->ntlmssp_auth_validated) {
1144 if(!become_authenticated_pipe_user(p)) {
1145 prs_mem_free(&p->out_data.rdata);
1149 changed_user_id = True;
1152 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1153 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1154 api_fd_commands[i].fn != NULL) {
1155 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1156 set_current_rpc_talloc(p->mem_ctx);
1157 ret = api_fd_commands[i].fn(p);
1158 set_current_rpc_talloc(NULL);
1163 unbecome_authenticated_pipe_user(p);
1168 /*******************************************************************
1169 Calls the underlying RPC function for a named pipe.
1170 ********************************************************************/
1172 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1173 struct api_struct *api_rpc_cmds)
1177 uint32 offset1, offset2;
1179 /* interpret the command */
1180 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1182 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1183 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1185 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1186 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1187 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1192 if (api_rpc_cmds[fn_num].name == NULL) {
1194 * For an unknown RPC just return a fault PDU but
1195 * return True to allow RPC's on the pipe to continue
1196 * and not put the pipe into fault state. JRA.
1198 DEBUG(4, ("unknown\n"));
1199 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1203 offset1 = prs_offset(&p->out_data.rdata);
1205 /* do the actual command */
1206 if(!api_rpc_cmds[fn_num].fn(p)) {
1207 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1208 prs_mem_free(&p->out_data.rdata);
1212 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1213 offset2 = prs_offset(&p->out_data.rdata);
1214 prs_set_offset(&p->out_data.rdata, offset1);
1215 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1216 prs_set_offset(&p->out_data.rdata, offset2);
1218 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1220 /* Check for buffer underflow in rpc parsing */
1222 if ((DEBUGLEVEL >= 10) &&
1223 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1224 int data_len = p->in_data.data.buffer_size -
1225 p->in_data.data.data_offset;
1228 data = malloc(data_len);
1230 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1232 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,