2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
90 * If we're in the fault state, keep returning fault PDU's until
91 * the pipe gets closed. JRA.
95 setup_fault_pdu(p, NT_STATUS(0x1c010002));
99 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101 /* Change the incoming request header to a response. */
102 p->hdr.pkt_type = RPC_RESPONSE;
104 /* Set up rpc header flags. */
105 if (p->out_data.data_sent_length == 0)
106 p->hdr.flags = RPC_FLG_FIRST;
111 * Work out how much we can fit in a single PDU.
114 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
115 if(p->ntlmssp_auth_validated)
116 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119 * The amount we send is the minimum of the available
120 * space and the amount left to send.
123 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126 * Ensure there really is data left to send.
130 DEBUG(0,("create_next_pdu: no data left to send !\n"));
134 data_len = MIN(data_len_left, data_space_available);
137 * Set up the alloc hint. This should be the data left to
141 hdr_resp.alloc_hint = data_len_left;
144 * Set up the header lengths.
147 if (p->ntlmssp_auth_validated) {
148 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
149 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
150 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
157 * Work out if this PDU will be the last.
160 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
161 p->hdr.flags |= RPC_FLG_LAST;
164 * Init the parse struct to point at the outgoing
168 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
169 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171 /* Store the header in the data stream. */
172 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
173 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
174 prs_mem_free(&outgoing_pdu);
178 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
179 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
180 prs_mem_free(&outgoing_pdu);
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
189 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
195 if (p->hdr.auth_len > 0) {
199 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
200 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
203 * Set data to point to where we copied the data into.
206 data = prs_data_p(&outgoing_pdu) + data_pos;
209 crc32 = crc32_calc_buffer(data, data_len);
210 NTLMSSPcalc_p(p, (uchar*)data, data_len);
213 if (auth_seal || auth_verify) {
214 RPC_HDR_AUTH auth_info;
216 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
217 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
218 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
219 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
220 prs_mem_free(&outgoing_pdu);
226 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
227 char *auth_data = prs_data_p(&outgoing_pdu);
229 p->ntlmssp_seq_num++;
230 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
231 crc32, p->ntlmssp_seq_num++);
232 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
233 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
234 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 prs_mem_free(&outgoing_pdu);
238 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
243 * Setup the counts for this PDU.
246 p->out_data.data_sent_length += data_len;
247 p->out_data.current_pdu_len = p->hdr.frag_len;
248 p->out_data.current_pdu_sent = 0;
250 prs_mem_free(&outgoing_pdu);
254 /*******************************************************************
255 Process an NTLMSSP authentication response.
256 If this function succeeds, the user has been authenticated
257 and their domain, name and calling workstation stored in
259 The initial challenge is stored in p->challenge.
260 *******************************************************************/
262 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
274 struct auth_context *auth_context = NULL;
275 auth_usersupplied_info *user_info = NULL;
276 auth_serversupplied_info *server_info = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 SAFE_FREE( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
295 * We always negotiate UNICODE.
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
300 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
301 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303 pull_ascii_fstring(user_name, ntlmssp_resp->user);
304 pull_ascii_fstring(domain, ntlmssp_resp->domain);
305 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
311 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
314 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316 #ifdef DEBUG_PASSWORD
317 DEBUG(100,("lm, nt owfs, chal\n"));
318 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
319 dump_data(100, (char *)nt_owf, nt_pw_len);
320 dump_data(100, (char *)p->challenge, 8);
324 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
330 * Do the length checking only if user is not NULL.
333 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
335 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
337 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
339 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
341 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
346 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
348 if (!make_user_info_netlogon_network(&user_info,
349 user_name, domain, wks,
351 nt_owf, nt_pw_len)) {
352 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
356 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
358 (auth_context->free)(&auth_context);
359 free_user_info(&user_info);
361 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
363 if (!p->ntlmssp_auth_validated) {
364 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
365 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
366 free_server_info(&server_info);
371 * Set up the sign/seal data.
376 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
388 for (ind = 0; ind < 256; ind++)
389 p->ntlmssp_hash[ind] = (unsigned char)ind;
391 for( ind = 0; ind < 256; ind++) {
394 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
396 tc = p->ntlmssp_hash[ind];
397 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
398 p->ntlmssp_hash[j] = tc;
401 p->ntlmssp_hash[256] = 0;
402 p->ntlmssp_hash[257] = 0;
404 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
405 p->ntlmssp_seq_num = 0;
409 fstrcpy(p->user_name, user_name);
410 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
411 fstrcpy(p->domain, domain);
412 fstrcpy(p->wks, wks);
415 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
418 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
419 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
420 free_server_info(&server_info);
424 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
426 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
427 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
429 p->pipe_user.ngroups = server_info->n_groups;
430 if (p->pipe_user.ngroups) {
431 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
432 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
433 free_server_info(&server_info);
438 if (server_info->ptok)
439 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
441 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
442 p->pipe_user.nt_user_token = NULL;
443 free_server_info(&server_info);
447 p->ntlmssp_auth_validated = True;
449 free_server_info(&server_info);
453 /*******************************************************************
454 The switch table for the pipe names and the functions to handle them.
455 *******************************************************************/
464 struct api_struct *cmds;
468 static struct rpc_table *rpc_lookup;
469 static int rpc_lookup_size;
471 /*******************************************************************
472 This is the client reply to our challenge for an authenticated
473 bind request. The challenge we sent is in p->challenge.
474 *******************************************************************/
476 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
478 RPC_HDR_AUTHA autha_info;
479 RPC_AUTH_VERIFIER auth_verifier;
480 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
482 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
484 if (p->hdr.auth_len == 0) {
485 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
490 * Decode the authentication verifier response.
493 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
494 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
498 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
499 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
500 (int)autha_info.auth_type, (int)autha_info.auth_level ));
504 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
505 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
510 * Ensure this is a NTLMSSP_AUTH packet type.
513 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
514 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
518 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
519 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
524 * The following call actually checks the challenge/response data.
525 * for correctness against the given DOMAIN\user name.
528 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
536 /*******************************************************************
537 Marshall a bind_nak pdu.
538 *******************************************************************/
540 static BOOL setup_bind_nak(pipes_struct *p)
542 prs_struct outgoing_rpc;
546 /* Free any memory in the current return data buffer. */
547 prs_mem_free(&p->out_data.rdata);
550 * Marshall directly into the outgoing PDU space. We
551 * must do this as we need to set to the bind response
552 * header and are never sending more than one PDU here.
555 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
556 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
560 * Initialize a bind_nak header.
563 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
564 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
567 * Marshall the header into the outgoing PDU.
570 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
571 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
572 prs_mem_free(&outgoing_rpc);
577 * Now add the reject reason.
580 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
581 prs_mem_free(&outgoing_rpc);
585 p->out_data.data_sent_length = 0;
586 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
587 p->out_data.current_pdu_sent = 0;
589 p->pipe_bound = False;
594 /*******************************************************************
595 Marshall a fault pdu.
596 *******************************************************************/
598 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
600 prs_struct outgoing_pdu;
602 RPC_HDR_RESP hdr_resp;
603 RPC_HDR_FAULT fault_resp;
605 /* Free any memory in the current return data buffer. */
606 prs_mem_free(&p->out_data.rdata);
609 * Marshall directly into the outgoing PDU space. We
610 * must do this as we need to set to the bind response
611 * header and are never sending more than one PDU here.
614 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
615 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
618 * Initialize a fault header.
621 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
622 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
625 * Initialize the HDR_RESP and FAULT parts of the PDU.
628 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
630 fault_resp.status = status;
631 fault_resp.reserved = 0;
634 * Marshall the header into the outgoing PDU.
637 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
638 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
639 prs_mem_free(&outgoing_pdu);
643 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
644 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
645 prs_mem_free(&outgoing_pdu);
649 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
650 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
651 prs_mem_free(&outgoing_pdu);
655 p->out_data.data_sent_length = 0;
656 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
657 p->out_data.current_pdu_sent = 0;
659 prs_mem_free(&outgoing_pdu);
663 /*******************************************************************
664 Ensure a bind request has the correct abstract & transfer interface.
665 Used to reject unknown binds from Win2k.
666 *******************************************************************/
668 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
671 extern struct pipe_id_info pipe_names[];
674 fstrcpy(pname,"\\PIPE\\");
675 fstrcat(pname,pipe_name);
677 DEBUG(3,("check_bind_req for %s\n", pname));
679 #ifndef SUPPORT_NEW_LSARPC_UUID
681 /* check for the first pipe matching the name */
683 for ( i=0; pipe_names[i].client_pipe; i++ ) {
684 if ( strequal(pipe_names[i].client_pipe, pname) )
688 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
690 for ( i=0; pipe_names[i].client_pipe; i++ )
692 if ( strequal(pipe_names[i].client_pipe, pname)
693 && (abstract->version == pipe_names[i].abstr_syntax.version)
694 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
695 && (transfer->version == pipe_names[i].trans_syntax.version)
696 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
703 if(pipe_names[i].client_pipe == NULL)
706 #ifndef SUPPORT_NEW_LSARPC_UUID
707 /* check the abstract interface */
708 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
709 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
714 /* check the transfer interface */
715 if ( (transfer->version != pipe_names[i].trans_syntax.version)
716 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
724 /*******************************************************************
725 Register commands to an RPC pipe
726 *******************************************************************/
727 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
729 struct rpc_table *rpc_entry;
732 /* We use a temporary variable because this call can fail and
733 rpc_lookup will still be valid afterwards. It could then succeed if
734 called again later */
735 rpc_entry = realloc(rpc_lookup,
736 ++rpc_lookup_size*sizeof(struct rpc_table));
737 if (NULL == rpc_entry) {
739 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
742 rpc_lookup = rpc_entry;
745 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
746 ZERO_STRUCTP(rpc_entry);
747 rpc_entry->pipe.clnt = strdup(clnt);
748 rpc_entry->pipe.srv = strdup(srv);
749 rpc_entry->cmds = realloc(rpc_entry->cmds,
750 (rpc_entry->n_cmds + size) *
751 sizeof(struct api_struct));
752 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
753 size * sizeof(struct api_struct));
754 rpc_entry->n_cmds += size;
759 /*******************************************************************
760 Respond to a pipe bind request.
761 *******************************************************************/
763 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
767 RPC_HDR_AUTH auth_info;
769 fstring ack_pipe_name;
770 prs_struct out_hdr_ba;
772 prs_struct outgoing_rpc;
775 enum RPC_PKT_TYPE reply_pkt_type;
777 p->ntlmssp_auth_requested = False;
779 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
782 * Try and find the correct pipe name to ensure
783 * that this is a pipe name we support.
787 for (i = 0; i < rpc_lookup_size; i++) {
788 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
789 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
790 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
791 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
796 if (i == rpc_lookup_size) {
797 if (!smb_probe_module("rpc", p->name)) {
798 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
800 if(!setup_bind_nak(p))
805 for (i = 0; i < rpc_lookup_size; i++) {
806 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
807 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
808 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
809 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
814 if (i == rpc_lookup_size) {
815 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
820 /* decode the bind request */
821 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
822 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
827 * Check if this is an authenticated request.
830 if (p->hdr.auth_len != 0) {
831 RPC_AUTH_VERIFIER auth_verifier;
832 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
835 * Decode the authentication verifier.
838 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
839 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
844 * We only support NTLMSSP_AUTH_TYPE requests.
847 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
848 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
849 auth_info.auth_type ));
853 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
854 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
858 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
859 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
863 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
864 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
865 auth_verifier.msg_type));
869 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
870 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
874 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
875 p->ntlmssp_auth_requested = True;
878 switch(p->hdr.pkt_type) {
880 /* name has to be \PIPE\xxxxx */
881 fstrcpy(ack_pipe_name, "\\PIPE\\");
882 fstrcat(ack_pipe_name, p->pipe_srv_name);
883 reply_pkt_type = RPC_BINDACK;
886 /* secondary address CAN be NULL
887 * as the specs say it's ignored.
888 * It MUST NULL to have the spoolss working.
890 fstrcpy(ack_pipe_name,"");
891 reply_pkt_type = RPC_ALTCONTRESP;
897 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
900 * Marshall directly into the outgoing PDU space. We
901 * must do this as we need to set to the bind response
902 * header and are never sending more than one PDU here.
905 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
906 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
909 * Setup the memory to marshall the ba header, and the
913 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
914 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
915 prs_mem_free(&outgoing_rpc);
919 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
920 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
921 prs_mem_free(&outgoing_rpc);
922 prs_mem_free(&out_hdr_ba);
926 if (p->ntlmssp_auth_requested)
929 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
932 * Create the bind response struct.
935 /* If the requested abstract synt uuid doesn't match our client pipe,
936 reject the bind_ack & set the transfer interface synt to all 0's,
937 ver 0 (observed when NT5 attempts to bind to abstract interfaces
939 Needed when adding entries to a DACL from NT5 - SK */
941 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
942 init_rpc_hdr_ba(&hdr_ba,
950 RPC_IFACE null_interface;
951 ZERO_STRUCT(null_interface);
952 /* Rejection reason: abstract syntax not supported */
953 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
954 MAX_PDU_FRAG_LEN, assoc_gid,
955 ack_pipe_name, 0x1, 0x2, 0x1,
963 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
964 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
969 * Now the authentication.
972 if (p->ntlmssp_auth_requested) {
973 RPC_AUTH_VERIFIER auth_verifier;
974 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
976 generate_random_buffer(p->challenge, 8, False);
978 /*** Authentication info ***/
980 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
981 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
982 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
986 /*** NTLMSSP verifier ***/
988 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
989 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
990 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
994 /* NTLMSSP challenge ***/
996 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
997 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
998 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1002 /* Auth len in the rpc header doesn't include auth_header. */
1003 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1007 * Create the header, now we know the length.
1010 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1012 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1016 * Marshall the header into the outgoing PDU.
1019 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1020 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1025 * Now add the RPC_HDR_BA and any auth needed.
1028 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1029 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1033 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1034 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1038 if(!p->ntlmssp_auth_requested)
1039 p->pipe_bound = True;
1042 * Setup the lengths for the initial reply.
1045 p->out_data.data_sent_length = 0;
1046 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1047 p->out_data.current_pdu_sent = 0;
1049 prs_mem_free(&out_hdr_ba);
1050 prs_mem_free(&out_auth);
1056 prs_mem_free(&outgoing_rpc);
1057 prs_mem_free(&out_hdr_ba);
1058 prs_mem_free(&out_auth);
1062 /****************************************************************************
1063 Deal with sign & seal processing on an RPC request.
1064 ****************************************************************************/
1066 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1069 * We always negotiate the following two bits....
1071 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1072 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1078 auth_len = p->hdr.auth_len;
1080 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1081 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1086 * The following is that length of the data we must verify or unseal.
1087 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1088 * preceeding the auth_data.
1091 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1092 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1094 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1095 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1099 * The data in rpc_in doesn't contain the RPC_HEADER as this
1100 * has already been consumed.
1102 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1103 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1104 crc32 = crc32_calc_buffer(data, data_len);
1107 old_offset = prs_offset(rpc_in);
1109 if (auth_seal || auth_verify) {
1110 RPC_HDR_AUTH auth_info;
1112 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1113 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1114 (unsigned int)old_offset + data_len ));
1118 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1119 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1125 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1126 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1128 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1131 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1134 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1135 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1136 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1140 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1141 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1142 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1146 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1147 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1153 * Return the current pointer to the data offset.
1156 if(!prs_set_offset(rpc_in, old_offset)) {
1157 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1158 (unsigned int)old_offset ));
1165 /****************************************************************************
1166 Return a user struct for a pipe user.
1167 ****************************************************************************/
1169 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1171 if (p->ntlmssp_auth_validated) {
1172 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1174 extern struct current_user current_user;
1175 memcpy(user, ¤t_user, sizeof(struct current_user));
1181 /****************************************************************************
1182 Find the correct RPC function to call for this request.
1183 If the pipe is authenticated then become the correct UNIX user
1184 before doing the call.
1185 ****************************************************************************/
1187 BOOL api_pipe_request(pipes_struct *p)
1192 if (p->ntlmssp_auth_validated) {
1194 if(!become_authenticated_pipe_user(p)) {
1195 prs_mem_free(&p->out_data.rdata);
1200 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1202 for (i = 0; i < rpc_lookup_size; i++) {
1203 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1204 DEBUG(3,("Doing \\PIPE\\%s\n",
1205 rpc_lookup[i].pipe.clnt));
1206 set_current_rpc_talloc(p->mem_ctx);
1207 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1209 rpc_lookup[i].n_cmds);
1210 set_current_rpc_talloc(NULL);
1216 if (i == rpc_lookup_size) {
1217 smb_probe_module("rpc", p->name);
1219 for (i = 0; i < rpc_lookup_size; i++) {
1220 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1221 DEBUG(3,("Doing \\PIPE\\%s\n",
1222 rpc_lookup[i].pipe.clnt));
1223 set_current_rpc_talloc(p->mem_ctx);
1224 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1226 rpc_lookup[i].n_cmds);
1227 set_current_rpc_talloc(NULL);
1233 if(p->ntlmssp_auth_validated)
1234 unbecome_authenticated_pipe_user();
1239 /*******************************************************************
1240 Calls the underlying RPC function for a named pipe.
1241 ********************************************************************/
1243 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1244 const struct api_struct *api_rpc_cmds, int n_cmds)
1248 uint32 offset1, offset2;
1250 /* interpret the command */
1251 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1253 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1254 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1256 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1257 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1258 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1263 if (fn_num == n_cmds) {
1265 * For an unknown RPC just return a fault PDU but
1266 * return True to allow RPC's on the pipe to continue
1267 * and not put the pipe into fault state. JRA.
1269 DEBUG(4, ("unknown\n"));
1270 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1274 offset1 = prs_offset(&p->out_data.rdata);
1276 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1277 fn_num, api_rpc_cmds[fn_num].fn));
1278 /* do the actual command */
1279 if(!api_rpc_cmds[fn_num].fn(p)) {
1280 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1281 prs_mem_free(&p->out_data.rdata);
1285 if (p->bad_handle_fault_state) {
1286 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1287 p->bad_handle_fault_state = False;
1288 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1292 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1293 offset2 = prs_offset(&p->out_data.rdata);
1294 prs_set_offset(&p->out_data.rdata, offset1);
1295 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1296 prs_set_offset(&p->out_data.rdata, offset2);
1298 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1300 /* Check for buffer underflow in rpc parsing */
1302 if ((DEBUGLEVEL >= 10) &&
1303 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1304 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1307 data = malloc(data_len);
1309 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1311 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);