2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
45 unsigned char *hash = p->ntlmssp_hash;
46 unsigned char index_i = hash[256];
47 unsigned char index_j = hash[257];
50 for( ind = 0; ind < len; ind++) {
55 index_j += hash[index_i];
58 hash[index_i] = hash[index_j];
61 t = hash[index_i] + hash[index_j];
62 data[ind] = data[ind] ^ hash[t];
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
75 BOOL create_next_pdu(pipes_struct *p)
77 RPC_HDR_RESP hdr_resp;
78 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
81 uint32 data_space_available;
83 prs_struct outgoing_pdu;
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
94 setup_fault_pdu(p, NT_STATUS(0x1c010002));
98 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
100 /* Change the incoming request header to a response. */
101 p->hdr.pkt_type = RPC_RESPONSE;
103 /* Set up rpc header flags. */
104 if (p->out_data.data_sent_length == 0)
105 p->hdr.flags = RPC_FLG_FIRST;
110 * Work out how much we can fit in a single PDU.
113 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114 if(p->ntlmssp_auth_validated)
115 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
122 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125 * Ensure there really is data left to send.
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 data_len = MIN(data_len_left, data_space_available);
136 * Set up the alloc hint. This should be the data left to
140 hdr_resp.alloc_hint = data_len_left;
143 * Set up the header lengths.
146 if (p->ntlmssp_auth_validated) {
147 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
156 * Work out if this PDU will be the last.
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160 p->hdr.flags |= RPC_FLG_LAST;
163 * Init the parse struct to point at the outgoing
167 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu);
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu);
183 /* Store the current offset. */
184 data_pos = prs_offset(&outgoing_pdu);
186 /* Copy the data into the PDU. */
187 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu);
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226 char *auth_data = prs_data_p(&outgoing_pdu);
228 p->ntlmssp_seq_num++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230 crc32, p->ntlmssp_seq_num++);
231 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu);
237 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
242 * Setup the counts for this PDU.
245 p->out_data.data_sent_length += data_len;
246 p->out_data.current_pdu_len = p->hdr.frag_len;
247 p->out_data.current_pdu_sent = 0;
249 prs_mem_free(&outgoing_pdu);
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
268 fstring pipe_user_name;
271 BOOL guest_user = False;
273 auth_usersupplied_info *user_info = NULL;
274 auth_serversupplied_info *server_info = NULL;
279 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
281 memset(p->user_name, '\0', sizeof(p->user_name));
282 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
283 memset(p->domain, '\0', sizeof(p->domain));
284 memset(p->wks, '\0', sizeof(p->wks));
286 /* Set up for non-authenticated user. */
287 delete_nt_token(&p->pipe_user.nt_user_token);
288 p->pipe_user.ngroups = 0;
289 SAFE_FREE( p->pipe_user.groups);
292 * Setup an empty password for a guest user.
296 * We always negotiate UNICODE.
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
301 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
302 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
304 pull_ascii_fstring(user_name, ntlmssp_resp->user);
305 pull_ascii_fstring(domain, ntlmssp_resp->domain);
306 pull_ascii_fstring(wks, ntlmssp_resp->wks);
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
312 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
314 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
315 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
317 #ifdef DEBUG_PASSWORD
318 DEBUG(100,("lm, nt owfs, chal\n"));
319 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
320 dump_data(100, (char *)nt_owf, nt_pw_len);
321 dump_data(100, (char *)p->challenge, 8);
325 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
328 if((strlen(user_name) == 0) &&
329 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
333 fstrcpy(pipe_user_name, lp_guestaccount(-1));
334 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
339 * Do the length checking only if user is not NULL.
342 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
344 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
346 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
348 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
350 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
358 if (!make_user_info_netlogon_network(&user_info,
359 user_name, domain, wks, (uchar*)p->challenge,
361 nt_owf, nt_pw_len)) {
362 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
366 nt_status = check_password(user_info, &server_info);
368 free_user_info(&user_info);
370 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
372 if (!p->ntlmssp_auth_validated) {
373 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
374 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
375 free_server_info(&server_info);
379 /* This includes a NULLed out first_8_lm_hash */
380 make_server_info_guest(&server_info);
384 * Set up the sign/seal data.
389 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
401 for (ind = 0; ind < 256; ind++)
402 p->ntlmssp_hash[ind] = (unsigned char)ind;
404 for( ind = 0; ind < 256; ind++) {
407 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
409 tc = p->ntlmssp_hash[ind];
410 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
411 p->ntlmssp_hash[j] = tc;
414 p->ntlmssp_hash[256] = 0;
415 p->ntlmssp_hash[257] = 0;
417 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
418 p->ntlmssp_seq_num = 0;
422 fstrcpy(p->user_name, user_name);
423 fstrcpy(p->pipe_user_name, pipe_user_name);
424 fstrcpy(p->domain, domain);
425 fstrcpy(p->wks, wks);
428 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
431 puid = pdb_get_uid(server_info->sam_account);
432 pgid = pdb_get_gid(server_info->sam_account);
434 if (!puid || !pgid) {
435 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
436 free_server_info(&server_info);
440 p->pipe_user.uid = *puid;
441 p->pipe_user.gid = *pgid;
443 /* Set up pipe user group membership. */
444 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
445 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
447 /* Create an NT_USER_TOKEN struct for this user. */
448 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
449 p->pipe_user.ngroups, p->pipe_user.groups,
452 p->ntlmssp_auth_validated = True;
454 pdb_free_sam(&server_info->sam_account);
458 /*******************************************************************
459 The switch table for the pipe names and the functions to handle them.
460 *******************************************************************/
464 char * pipe_clnt_name;
465 char * pipe_srv_name;
466 BOOL (*fn) (pipes_struct *);
469 static struct api_cmd api_fd_commands[] =
471 { "lsarpc", "lsass", api_ntlsa_rpc },
472 { "samr", "lsass", api_samr_rpc },
473 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
474 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
475 { "NETLOGON", "lsass", api_netlog_rpc },
476 { "winreg", "winreg", api_reg_rpc },
477 { "spoolss", "spoolss", api_spoolss_rpc },
478 { "netdfs", "netdfs" , api_netdfs_rpc },
482 /*******************************************************************
483 This is the client reply to our challenge for an authenticated
484 bind request. The challenge we sent is in p->challenge.
485 *******************************************************************/
487 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
489 RPC_HDR_AUTHA autha_info;
490 RPC_AUTH_VERIFIER auth_verifier;
491 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
493 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
495 if (p->hdr.auth_len == 0) {
496 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
501 * Decode the authentication verifier response.
504 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
505 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
509 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
510 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
511 (int)autha_info.auth_type, (int)autha_info.auth_level ));
515 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
516 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
521 * Ensure this is a NTLMSSP_AUTH packet type.
524 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
525 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
529 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
530 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
535 * The following call actually checks the challenge/response data.
536 * for correctness against the given DOMAIN\user name.
539 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
547 /*******************************************************************
548 Marshall a bind_nak pdu.
549 *******************************************************************/
551 static BOOL setup_bind_nak(pipes_struct *p)
553 prs_struct outgoing_rpc;
557 /* Free any memory in the current return data buffer. */
558 prs_mem_free(&p->out_data.rdata);
561 * Marshall directly into the outgoing PDU space. We
562 * must do this as we need to set to the bind response
563 * header and are never sending more than one PDU here.
566 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
567 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
571 * Initialize a bind_nak header.
574 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
575 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
578 * Marshall the header into the outgoing PDU.
581 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
582 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
583 prs_mem_free(&outgoing_rpc);
588 * Now add the reject reason.
591 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
592 prs_mem_free(&outgoing_rpc);
596 p->out_data.data_sent_length = 0;
597 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
598 p->out_data.current_pdu_sent = 0;
600 p->pipe_bound = False;
605 /*******************************************************************
606 Marshall a fault pdu.
607 *******************************************************************/
609 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
611 prs_struct outgoing_pdu;
613 RPC_HDR_RESP hdr_resp;
614 RPC_HDR_FAULT fault_resp;
616 /* Free any memory in the current return data buffer. */
617 prs_mem_free(&p->out_data.rdata);
620 * Marshall directly into the outgoing PDU space. We
621 * must do this as we need to set to the bind response
622 * header and are never sending more than one PDU here.
625 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
626 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
629 * Initialize a fault header.
632 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
633 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
636 * Initialize the HDR_RESP and FAULT parts of the PDU.
639 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
641 fault_resp.status = status;
642 fault_resp.reserved = 0;
645 * Marshall the header into the outgoing PDU.
648 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
649 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
650 prs_mem_free(&outgoing_pdu);
654 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
655 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
656 prs_mem_free(&outgoing_pdu);
660 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
661 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
662 prs_mem_free(&outgoing_pdu);
666 p->out_data.data_sent_length = 0;
667 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
668 p->out_data.current_pdu_sent = 0;
670 prs_mem_free(&outgoing_pdu);
674 /*******************************************************************
675 Ensure a bind request has the correct abstract & transfer interface.
676 Used to reject unknown binds from Win2k.
677 *******************************************************************/
679 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
682 extern struct pipe_id_info pipe_names[];
685 fstrcpy(pname,"\\PIPE\\");
686 fstrcat(pname,pipe_name);
688 for(i=0;pipe_names[i].client_pipe; i++) {
689 if(strequal(pipe_names[i].client_pipe, pname))
693 if(pipe_names[i].client_pipe == NULL)
696 /* check the abstract interface */
697 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
698 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
699 sizeof(RPC_UUID)) != 0))
702 /* check the transfer interface */
703 if((transfer->version != pipe_names[i].trans_syntax.version) ||
704 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
705 sizeof(RPC_UUID)) != 0))
711 /*******************************************************************
712 Respond to a pipe bind request.
713 *******************************************************************/
715 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
719 RPC_HDR_AUTH auth_info;
721 fstring ack_pipe_name;
722 prs_struct out_hdr_ba;
724 prs_struct outgoing_rpc;
727 enum RPC_PKT_TYPE reply_pkt_type;
729 p->ntlmssp_auth_requested = False;
731 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
734 * Try and find the correct pipe name to ensure
735 * that this is a pipe name we support.
738 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
739 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
740 api_fd_commands[i].fn != NULL) {
741 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
742 api_fd_commands[i].pipe_clnt_name,
743 api_fd_commands[i].pipe_srv_name));
744 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
749 if (api_fd_commands[i].fn == NULL) {
750 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
752 if(!setup_bind_nak(p))
757 /* decode the bind request */
758 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
759 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
764 * Check if this is an authenticated request.
767 if (p->hdr.auth_len != 0) {
768 RPC_AUTH_VERIFIER auth_verifier;
769 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
772 * Decode the authentication verifier.
775 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
776 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
781 * We only support NTLMSSP_AUTH_TYPE requests.
784 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
785 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
786 auth_info.auth_type ));
790 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
791 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
795 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
796 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
800 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
801 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
802 auth_verifier.msg_type));
806 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
807 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
811 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
812 p->ntlmssp_auth_requested = True;
815 switch(p->hdr.pkt_type) {
817 /* name has to be \PIPE\xxxxx */
818 fstrcpy(ack_pipe_name, "\\PIPE\\");
819 fstrcat(ack_pipe_name, p->pipe_srv_name);
820 reply_pkt_type = RPC_BINDACK;
823 /* secondary address CAN be NULL
824 * as the specs say it's ignored.
825 * It MUST NULL to have the spoolss working.
827 fstrcpy(ack_pipe_name,"");
828 reply_pkt_type = RPC_ALTCONTRESP;
834 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
837 * Marshall directly into the outgoing PDU space. We
838 * must do this as we need to set to the bind response
839 * header and are never sending more than one PDU here.
842 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
843 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
846 * Setup the memory to marshall the ba header, and the
850 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
851 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
852 prs_mem_free(&outgoing_rpc);
856 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
857 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
858 prs_mem_free(&outgoing_rpc);
859 prs_mem_free(&out_hdr_ba);
863 if (p->ntlmssp_auth_requested)
866 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
869 * Create the bind response struct.
872 /* If the requested abstract synt uuid doesn't match our client pipe,
873 reject the bind_ack & set the transfer interface synt to all 0's,
874 ver 0 (observed when NT5 attempts to bind to abstract interfaces
876 Needed when adding entries to a DACL from NT5 - SK */
878 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
879 init_rpc_hdr_ba(&hdr_ba,
887 RPC_IFACE null_interface;
888 ZERO_STRUCT(null_interface);
889 /* Rejection reason: abstract syntax not supported */
890 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
891 MAX_PDU_FRAG_LEN, assoc_gid,
892 ack_pipe_name, 0x1, 0x2, 0x1,
900 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
901 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
906 * Now the authentication.
909 if (p->ntlmssp_auth_requested) {
910 RPC_AUTH_VERIFIER auth_verifier;
911 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
913 generate_random_buffer(p->challenge, 8, False);
915 /*** Authentication info ***/
917 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
918 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
919 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
923 /*** NTLMSSP verifier ***/
925 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
926 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
927 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
931 /* NTLMSSP challenge ***/
933 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
934 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
935 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
939 /* Auth len in the rpc header doesn't include auth_header. */
940 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
944 * Create the header, now we know the length.
947 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
949 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
953 * Marshall the header into the outgoing PDU.
956 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
957 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
962 * Now add the RPC_HDR_BA and any auth needed.
965 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
966 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
970 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
971 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
975 if(!p->ntlmssp_auth_requested)
976 p->pipe_bound = True;
979 * Setup the lengths for the initial reply.
982 p->out_data.data_sent_length = 0;
983 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
984 p->out_data.current_pdu_sent = 0;
986 prs_mem_free(&out_hdr_ba);
987 prs_mem_free(&out_auth);
993 prs_mem_free(&outgoing_rpc);
994 prs_mem_free(&out_hdr_ba);
995 prs_mem_free(&out_auth);
999 /****************************************************************************
1000 Deal with sign & seal processing on an RPC request.
1001 ****************************************************************************/
1003 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1006 * We always negotiate the following two bits....
1008 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1009 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1015 auth_len = p->hdr.auth_len;
1017 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1018 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1023 * The following is that length of the data we must verify or unseal.
1024 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1025 * preceeding the auth_data.
1028 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1029 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1031 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1032 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1036 * The data in rpc_in doesn't contain the RPC_HEADER as this
1037 * has already been consumed.
1039 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1040 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1041 crc32 = crc32_calc_buffer(data, data_len);
1044 old_offset = prs_offset(rpc_in);
1046 if (auth_seal || auth_verify) {
1047 RPC_HDR_AUTH auth_info;
1049 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1050 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1051 (unsigned int)old_offset + data_len ));
1055 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1056 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1062 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1063 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1065 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1068 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1071 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1072 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1073 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1077 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1078 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1079 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1083 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1084 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1090 * Return the current pointer to the data offset.
1093 if(!prs_set_offset(rpc_in, old_offset)) {
1094 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1095 (unsigned int)old_offset ));
1102 /****************************************************************************
1103 Return a user struct for a pipe user.
1104 ****************************************************************************/
1106 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1108 if (p->ntlmssp_auth_validated) {
1109 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1111 extern struct current_user current_user;
1112 memcpy(user, ¤t_user, sizeof(struct current_user));
1118 /****************************************************************************
1119 Find the correct RPC function to call for this request.
1120 If the pipe is authenticated then become the correct UNIX user
1121 before doing the call.
1122 ****************************************************************************/
1124 BOOL api_pipe_request(pipes_struct *p)
1129 if (p->ntlmssp_auth_validated) {
1131 if(!become_authenticated_pipe_user(p)) {
1132 prs_mem_free(&p->out_data.rdata);
1137 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1138 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1139 api_fd_commands[i].fn != NULL) {
1140 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1141 set_current_rpc_talloc(p->mem_ctx);
1142 ret = api_fd_commands[i].fn(p);
1143 set_current_rpc_talloc(NULL);
1147 if(p->ntlmssp_auth_validated)
1148 unbecome_authenticated_pipe_user();
1153 /*******************************************************************
1154 Calls the underlying RPC function for a named pipe.
1155 ********************************************************************/
1157 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1158 struct api_struct *api_rpc_cmds)
1162 uint32 offset1, offset2;
1164 /* interpret the command */
1165 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1167 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1168 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1170 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1171 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1172 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1177 if (api_rpc_cmds[fn_num].name == NULL) {
1179 * For an unknown RPC just return a fault PDU but
1180 * return True to allow RPC's on the pipe to continue
1181 * and not put the pipe into fault state. JRA.
1183 DEBUG(4, ("unknown\n"));
1184 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1188 offset1 = prs_offset(&p->out_data.rdata);
1190 /* do the actual command */
1191 if(!api_rpc_cmds[fn_num].fn(p)) {
1192 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1193 prs_mem_free(&p->out_data.rdata);
1197 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1198 offset2 = prs_offset(&p->out_data.rdata);
1199 prs_set_offset(&p->out_data.rdata, offset1);
1200 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1201 prs_set_offset(&p->out_data.rdata, offset2);
1203 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1205 /* Check for buffer underflow in rpc parsing */
1207 if ((DEBUGLEVEL >= 10) &&
1208 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1209 int data_len = p->in_data.data.buffer_size -
1210 p->in_data.data.data_offset;
1213 data = malloc(data_len);
1215 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1217 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
git.samba.org / amitay / samba.git / blob