2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 extern int DEBUGLEVEL;
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
52 for( ind = 0; ind < len; ind++) {
57 index_j += hash[index_i];
60 hash[index_i] = hash[index_j];
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
77 BOOL create_next_pdu(pipes_struct *p)
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
83 uint32 data_space_available;
85 prs_struct outgoing_pdu;
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
96 setup_fault_pdu(p, 0x1c010002);
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
112 * Work out how much we can fit in a single PDU.
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
127 * Ensure there really is data left to send.
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
135 data_len = MIN(data_len_left, data_space_available);
138 * Set up the alloc hint. This should be the data left to
142 hdr_resp.alloc_hint = data_len_left;
145 * Set up the header lengths.
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
158 * Work out if this PDU will be the last.
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
165 * Init the parse struct to point at the outgoing
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
198 * Set data to point to where we copied the data into.
201 data = prs_data_p(&outgoing_pdu) + data_pos;
203 if (p->hdr.auth_len > 0) {
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
244 * Setup the counts for this PDU.
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
251 prs_mem_free(&outgoing_pdu);
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
268 fstring pipe_user_name;
271 BOOL guest_user = False;
272 SAM_ACCOUNT *sampass = NULL;
273 uchar null_smb_passwd[16];
274 uchar *smb_passwd_ptr = NULL;
276 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
278 memset(p->user_name, '\0', sizeof(p->user_name));
279 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
280 memset(p->domain, '\0', sizeof(p->domain));
281 memset(p->wks, '\0', sizeof(p->wks));
283 /* Set up for non-authenticated user. */
284 delete_nt_token(&p->pipe_user.nt_user_token);
285 p->pipe_user.ngroups = 0;
286 safe_free( p->pipe_user.groups);
289 * Setup an empty password for a guest user.
292 memset(null_smb_passwd,0,16);
295 * We always negotiate UNICODE.
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
300 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
301 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
303 fstrcpy(user_name, ntlmssp_resp->user);
304 fstrcpy(domain, ntlmssp_resp->domain);
305 fstrcpy(wks, ntlmssp_resp->wks);
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
311 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
313 #ifdef DEBUG_PASSWORD
314 DEBUG(100,("lm, nt owfs, chal\n"));
315 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
316 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
317 dump_data(100, (char *)p->challenge, 8);
321 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
324 if((strlen(user_name) == 0) &&
325 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
329 fstrcpy(pipe_user_name, lp_guestaccount(-1));
330 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
332 smb_passwd_ptr = null_smb_passwd;
337 * Pass the user through the NT -> unix user mapping
341 fstrcpy(pipe_user_name, user_name);
342 (void)map_username(pipe_user_name);
345 * Do the length checking only if user is not NULL.
348 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
350 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
352 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
354 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
356 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
365 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
366 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
373 pdb_init_sam(&sampass);
375 if(!pdb_getsampwnam(sampass, pipe_user_name)) {
376 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
378 pdb_free_sam(sampass);
385 /* Quit if the account was disabled. */
386 if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) {
387 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
388 pdb_free_sam(sampass);
392 if(!pdb_get_nt_passwd(sampass)) {
393 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
394 pdb_free_sam(sampass);
398 smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
402 * Set up the sign/seal data.
407 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
419 for (ind = 0; ind < 256; ind++)
420 p->ntlmssp_hash[ind] = (unsigned char)ind;
422 for( ind = 0; ind < 256; ind++) {
425 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
427 tc = p->ntlmssp_hash[ind];
428 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
429 p->ntlmssp_hash[j] = tc;
432 p->ntlmssp_hash[256] = 0;
433 p->ntlmssp_hash[257] = 0;
435 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
436 p->ntlmssp_seq_num = 0;
440 fstrcpy(p->user_name, user_name);
441 fstrcpy(p->pipe_user_name, pipe_user_name);
442 fstrcpy(p->domain, domain);
443 fstrcpy(p->wks, wks);
446 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
449 p->pipe_user.uid = pdb_get_uid(sampass);
450 p->pipe_user.gid = pdb_get_uid(sampass);
452 /* Set up pipe user group membership. */
453 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
454 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
456 /* Create an NT_USER_TOKEN struct for this user. */
457 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
458 p->pipe_user.ngroups, p->pipe_user.groups,
461 p->ntlmssp_auth_validated = True;
463 pdb_free_sam(sampass);
467 /*******************************************************************
468 The switch table for the pipe names and the functions to handle them.
469 *******************************************************************/
473 char * pipe_clnt_name;
474 char * pipe_srv_name;
475 BOOL (*fn) (pipes_struct *);
478 static struct api_cmd api_fd_commands[] =
480 { "lsarpc", "lsass", api_ntlsa_rpc },
481 { "samr", "lsass", api_samr_rpc },
482 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
483 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
484 { "NETLOGON", "lsass", api_netlog_rpc },
485 { "winreg", "winreg", api_reg_rpc },
486 { "spoolss", "spoolss", api_spoolss_rpc },
488 { "netdfs", "netdfs" , api_netdfs_rpc },
493 /*******************************************************************
494 This is the client reply to our challenge for an authenticated
495 bind request. The challenge we sent is in p->challenge.
496 *******************************************************************/
498 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
500 RPC_HDR_AUTHA autha_info;
501 RPC_AUTH_VERIFIER auth_verifier;
502 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
504 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
506 if (p->hdr.auth_len == 0) {
507 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
512 * Decode the authentication verifier response.
515 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
516 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
520 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
521 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
522 (int)autha_info.auth_type, (int)autha_info.auth_level ));
526 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
527 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
532 * Ensure this is a NTLMSSP_AUTH packet type.
535 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
536 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
540 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
541 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
546 * The following call actually checks the challenge/response data.
547 * for correctness against the given DOMAIN\user name.
550 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
558 /*******************************************************************
559 Marshall a bind_nak pdu.
560 *******************************************************************/
562 static BOOL setup_bind_nak(pipes_struct *p)
564 prs_struct outgoing_rpc;
568 /* Free any memory in the current return data buffer. */
569 prs_mem_free(&p->out_data.rdata);
572 * Marshall directly into the outgoing PDU space. We
573 * must do this as we need to set to the bind response
574 * header and are never sending more than one PDU here.
577 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
578 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
582 * Initialize a bind_nak header.
585 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
586 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
589 * Marshall the header into the outgoing PDU.
592 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
593 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
594 prs_mem_free(&outgoing_rpc);
599 * Now add the reject reason.
602 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
603 prs_mem_free(&outgoing_rpc);
607 p->out_data.data_sent_length = 0;
608 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
609 p->out_data.current_pdu_sent = 0;
611 p->pipe_bound = False;
616 /*******************************************************************
617 Marshall a fault pdu.
618 *******************************************************************/
620 BOOL setup_fault_pdu(pipes_struct *p, uint32 status)
622 prs_struct outgoing_pdu;
624 RPC_HDR_RESP hdr_resp;
625 RPC_HDR_FAULT fault_resp;
627 /* Free any memory in the current return data buffer. */
628 prs_mem_free(&p->out_data.rdata);
631 * Marshall directly into the outgoing PDU space. We
632 * must do this as we need to set to the bind response
633 * header and are never sending more than one PDU here.
636 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
637 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
640 * Initialize a fault header.
643 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
644 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
647 * Initialize the HDR_RESP and FAULT parts of the PDU.
650 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
652 fault_resp.status = status;
653 fault_resp.reserved = 0;
656 * Marshall the header into the outgoing PDU.
659 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
660 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
661 prs_mem_free(&outgoing_pdu);
665 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
666 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
667 prs_mem_free(&outgoing_pdu);
671 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
672 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
673 prs_mem_free(&outgoing_pdu);
677 p->out_data.data_sent_length = 0;
678 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
679 p->out_data.current_pdu_sent = 0;
681 prs_mem_free(&outgoing_pdu);
685 /*******************************************************************
686 Ensure a bind request has the correct abstract & transfer interface.
687 Used to reject unknown binds from Win2k.
688 *******************************************************************/
690 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
693 extern struct pipe_id_info pipe_names[];
696 fstrcpy(pname,"\\PIPE\\");
697 fstrcat(pname,pipe_name);
699 for(i=0;pipe_names[i].client_pipe; i++) {
700 if(strequal(pipe_names[i].client_pipe, pname))
704 if(pipe_names[i].client_pipe == NULL)
707 /* check the abstract interface */
708 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
709 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
710 sizeof(RPC_UUID)) != 0))
713 /* check the transfer interface */
714 if((transfer->version != pipe_names[i].trans_syntax.version) ||
715 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
716 sizeof(RPC_UUID)) != 0))
722 /*******************************************************************
723 Respond to a pipe bind request.
724 *******************************************************************/
726 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
730 RPC_HDR_AUTH auth_info;
732 fstring ack_pipe_name;
733 prs_struct out_hdr_ba;
735 prs_struct outgoing_rpc;
738 enum RPC_PKT_TYPE reply_pkt_type;
740 p->ntlmssp_auth_requested = False;
742 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
745 * Try and find the correct pipe name to ensure
746 * that this is a pipe name we support.
749 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
750 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
751 api_fd_commands[i].fn != NULL) {
752 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
753 api_fd_commands[i].pipe_clnt_name,
754 api_fd_commands[i].pipe_srv_name));
755 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
760 if (api_fd_commands[i].fn == NULL) {
761 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
763 if(!setup_bind_nak(p))
768 /* decode the bind request */
769 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
770 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
775 * Check if this is an authenticated request.
778 if (p->hdr.auth_len != 0) {
779 RPC_AUTH_VERIFIER auth_verifier;
780 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
783 * Decode the authentication verifier.
786 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
787 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
792 * We only support NTLMSSP_AUTH_TYPE requests.
795 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
796 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
797 auth_info.auth_type ));
801 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
802 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
806 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
807 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
811 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
812 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
813 auth_verifier.msg_type));
817 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
818 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
822 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
823 p->ntlmssp_auth_requested = True;
826 switch(p->hdr.pkt_type) {
828 /* name has to be \PIPE\xxxxx */
829 fstrcpy(ack_pipe_name, "\\PIPE\\");
830 fstrcat(ack_pipe_name, p->pipe_srv_name);
831 reply_pkt_type = RPC_BINDACK;
834 /* secondary address CAN be NULL
835 * as the specs say it's ignored.
836 * It MUST NULL to have the spoolss working.
838 fstrcpy(ack_pipe_name,"");
839 reply_pkt_type = RPC_ALTCONTRESP;
845 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
848 * Marshall directly into the outgoing PDU space. We
849 * must do this as we need to set to the bind response
850 * header and are never sending more than one PDU here.
853 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
854 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
857 * Setup the memory to marshall the ba header, and the
861 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
862 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
863 prs_mem_free(&outgoing_rpc);
867 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
868 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
869 prs_mem_free(&outgoing_rpc);
870 prs_mem_free(&out_hdr_ba);
874 if (p->ntlmssp_auth_requested)
877 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
880 * Create the bind response struct.
883 /* If the requested abstract synt uuid doesn't match our client pipe,
884 reject the bind_ack & set the transfer interface synt to all 0's,
885 ver 0 (observed when NT5 attempts to bind to abstract interfaces
887 Needed when adding entries to a DACL from NT5 - SK */
889 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
890 init_rpc_hdr_ba(&hdr_ba,
898 RPC_IFACE null_interface;
899 ZERO_STRUCT(null_interface);
900 /* Rejection reason: abstract syntax not supported */
901 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
902 MAX_PDU_FRAG_LEN, assoc_gid,
903 ack_pipe_name, 0x1, 0x2, 0x1,
911 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
912 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
917 * Now the authentication.
920 if (p->ntlmssp_auth_requested) {
921 RPC_AUTH_VERIFIER auth_verifier;
922 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
924 generate_random_buffer(p->challenge, 8, False);
926 /*** Authentication info ***/
928 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
929 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
930 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
934 /*** NTLMSSP verifier ***/
936 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
937 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
938 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
942 /* NTLMSSP challenge ***/
944 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
945 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
946 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
950 /* Auth len in the rpc header doesn't include auth_header. */
951 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
955 * Create the header, now we know the length.
958 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
960 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
964 * Marshall the header into the outgoing PDU.
967 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
968 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
973 * Now add the RPC_HDR_BA and any auth needed.
976 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
977 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
981 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
982 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
986 if(!p->ntlmssp_auth_requested)
987 p->pipe_bound = True;
990 * Setup the lengths for the initial reply.
993 p->out_data.data_sent_length = 0;
994 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
995 p->out_data.current_pdu_sent = 0;
997 prs_mem_free(&out_hdr_ba);
998 prs_mem_free(&out_auth);
1004 prs_mem_free(&outgoing_rpc);
1005 prs_mem_free(&out_hdr_ba);
1006 prs_mem_free(&out_auth);
1010 /****************************************************************************
1011 Deal with sign & seal processing on an RPC request.
1012 ****************************************************************************/
1014 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1017 * We always negotiate the following two bits....
1019 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1020 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1026 auth_len = p->hdr.auth_len;
1028 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1029 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1034 * The following is that length of the data we must verify or unseal.
1035 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1036 * preceeding the auth_data.
1039 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1040 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1042 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1043 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1047 * The data in rpc_in doesn't contain the RPC_HEADER as this
1048 * has already been consumed.
1050 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1051 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1052 crc32 = crc32_calc_buffer(data, data_len);
1055 old_offset = prs_offset(rpc_in);
1057 if (auth_seal || auth_verify) {
1058 RPC_HDR_AUTH auth_info;
1060 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1061 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1062 (unsigned int)old_offset + data_len ));
1066 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1067 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1073 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1074 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1076 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1079 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1082 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1083 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1084 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1088 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1089 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1090 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1094 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1095 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1101 * Return the current pointer to the data offset.
1104 if(!prs_set_offset(rpc_in, old_offset)) {
1105 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1106 (unsigned int)old_offset ));
1113 /****************************************************************************
1114 Return a user struct for a pipe user.
1115 ****************************************************************************/
1117 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1119 if (p->ntlmssp_auth_validated) {
1120 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1122 extern struct current_user current_user;
1123 memcpy(user, ¤t_user, sizeof(struct current_user));
1129 /****************************************************************************
1130 Find the correct RPC function to call for this request.
1131 If the pipe is authenticated then become the correct UNIX user
1132 before doing the call.
1133 ****************************************************************************/
1135 BOOL api_pipe_request(pipes_struct *p)
1139 BOOL changed_user_id = False;
1141 if (p->ntlmssp_auth_validated) {
1143 if(!become_authenticated_pipe_user(p)) {
1144 prs_mem_free(&p->out_data.rdata);
1148 changed_user_id = True;
1151 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1152 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1153 api_fd_commands[i].fn != NULL) {
1154 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1155 set_current_rpc_talloc(p->mem_ctx);
1156 ret = api_fd_commands[i].fn(p);
1157 set_current_rpc_talloc(NULL);
1162 unbecome_authenticated_pipe_user(p);
1167 /*******************************************************************
1168 Calls the underlying RPC function for a named pipe.
1169 ********************************************************************/
1171 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1172 struct api_struct *api_rpc_cmds)
1176 uint32 offset1, offset2;
1178 /* interpret the command */
1179 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1181 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1182 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1184 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1185 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1186 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1191 if (api_rpc_cmds[fn_num].name == NULL) {
1193 * For an unknown RPC just return a fault PDU but
1194 * return True to allow RPC's on the pipe to continue
1195 * and not put the pipe into fault state. JRA.
1197 DEBUG(4, ("unknown\n"));
1198 setup_fault_pdu(p, 0x1c010002);
1202 offset1 = prs_offset(&p->out_data.rdata);
1204 /* do the actual command */
1205 if(!api_rpc_cmds[fn_num].fn(p)) {
1206 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1207 prs_mem_free(&p->out_data.rdata);
1211 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1212 offset2 = prs_offset(&p->out_data.rdata);
1213 prs_set_offset(&p->out_data.rdata, offset1);
1214 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1215 prs_set_offset(&p->out_data.rdata, offset2);
1217 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1219 /* Check for buffer underflow in rpc parsing */
1221 if ((DEBUGLEVEL >= 10) &&
1222 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1223 int data_len = p->in_data.data.buffer_size -
1224 p->in_data.data.data_offset;
1227 data = malloc(data_len);
1229 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1231 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,