3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* this module apparently provides an implementation of DCE/RPC over a
27 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
28 * documentation are available (in on-line form) from the X-Open group.
30 * this module should provide a level of abstraction between SMB
31 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
32 * data copies, and network traffic.
34 * in this version, which takes a "let's learn what's going on and
35 * get something running" approach, there is additional network
36 * traffic generated, but the code should be easier to understand...
38 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
113 * Work out how much we can fit in a single PDU.
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len = MIN(data_len_left, data_space_available);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp.alloc_hint = data_len_left;
146 * Set up the header lengths.
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
159 * Work out if this PDU will be the last.
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
188 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
190 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
191 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
224 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225 char *auth_data = prs_data_p(&outgoing_pdu);
227 p->ntlmssp_seq_num++;
228 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229 crc32, p->ntlmssp_seq_num++);
230 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
240 * Setup the counts for this PDU.
243 p->out_data.data_sent_length += data_len;
244 p->out_data.current_pdu_len = p->hdr.frag_len;
245 p->out_data.current_pdu_sent = 0;
250 /*******************************************************************
251 Process an NTLMSSP authentication response.
252 If this function succeeds, the user has been authenticated
253 and their domain, name and calling workstation stored in
255 The initial challenge is stored in p->challenge.
256 *******************************************************************/
258 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
263 fstring unix_user_name;
266 BOOL guest_user = False;
267 struct smb_passwd *smb_pass = NULL;
268 struct passwd *pass = NULL;
269 uchar null_smb_passwd[16];
270 uchar *smb_passwd_ptr = NULL;
272 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
274 memset(p->user_name, '\0', sizeof(p->user_name));
275 memset(p->unix_user_name, '\0', sizeof(p->unix_user_name));
276 memset(p->domain, '\0', sizeof(p->domain));
277 memset(p->wks, '\0', sizeof(p->wks));
280 * Setup an empty password for a guest user.
283 memset(null_smb_passwd,0,16);
286 * We always negotiate UNICODE.
289 if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
290 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
291 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
292 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
294 fstrcpy(user_name, ntlmssp_resp->user);
295 fstrcpy(domain, ntlmssp_resp->domain);
296 fstrcpy(wks, ntlmssp_resp->wks);
299 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
301 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
302 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
304 #ifdef DEBUG_PASSWORD
305 DEBUG(100,("lm, nt owfs, chal\n"));
306 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
307 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
308 dump_data(100, (char *)p->challenge, 8);
312 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
315 if((strlen(user_name) == 0) &&
316 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
320 fstrcpy(unix_user_name, lp_guestaccount(-1));
321 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name));
323 smb_passwd_ptr = null_smb_passwd;
328 * Pass the user through the NT -> unix user mapping
332 fstrcpy(unix_user_name, user_name);
333 (void)map_username(unix_user_name);
336 * Do the length checking only if user is not NULL.
339 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
341 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
343 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
345 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
347 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
353 * Find the user in the unix password db.
356 if(!(pass = Get_Pwnam(unix_user_name,True))) {
357 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name));
365 if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain,
366 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name ));
373 if(!(smb_pass = getsmbpwnam(unix_user_name))) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
382 if (smb_pass == NULL) {
383 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
388 /* Quit if the account was disabled. */
389 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
390 DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name));
394 if(!smb_pass->smb_nt_passwd) {
395 DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name));
399 smb_passwd_ptr = smb_pass->smb_passwd;
403 * Set up the sign/seal data.
408 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
420 for (ind = 0; ind < 256; ind++)
421 p->ntlmssp_hash[ind] = (unsigned char)ind;
423 for( ind = 0; ind < 256; ind++) {
426 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
428 tc = p->ntlmssp_hash[ind];
429 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
430 p->ntlmssp_hash[j] = tc;
433 p->ntlmssp_hash[256] = 0;
434 p->ntlmssp_hash[257] = 0;
436 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
437 p->ntlmssp_seq_num = 0;
441 fstrcpy(p->user_name, user_name);
442 fstrcpy(p->unix_user_name, unix_user_name);
443 fstrcpy(p->domain, domain);
444 fstrcpy(p->wks, wks);
447 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
450 p->uid = pass->pw_uid;
451 p->gid = pass->pw_gid;
453 p->ntlmssp_auth_validated = True;
457 /*******************************************************************
458 The switch table for the pipe names and the functions to handle them.
459 *******************************************************************/
463 char * pipe_clnt_name;
464 char * pipe_srv_name;
465 BOOL (*fn) (pipes_struct *, prs_struct *);
468 static struct api_cmd api_fd_commands[] =
470 { "lsarpc", "lsass", api_ntlsa_rpc },
471 { "samr", "lsass", api_samr_rpc },
472 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
473 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
474 { "NETLOGON", "lsass", api_netlog_rpc },
475 { "winreg", "winreg", api_reg_rpc },
476 { "spoolss", "spoolss", api_spoolss_rpc },
480 /*******************************************************************
481 This is the client reply to our challenge for an authenticated
482 bind request. The challenge we sent is in p->challenge.
483 *******************************************************************/
485 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
487 RPC_HDR_AUTHA autha_info;
488 RPC_AUTH_VERIFIER auth_verifier;
489 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
491 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
493 if (p->hdr.auth_len == 0) {
494 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
499 * Decode the authentication verifier response.
502 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
503 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
507 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
508 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
509 (int)autha_info.auth_type, (int)autha_info.auth_level ));
513 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
514 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
519 * Ensure this is a NTLMSSP_AUTH packet type.
522 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
523 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
527 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
528 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
533 * The following call actually checks the challenge/response data.
534 * for correctness against the given DOMAIN\user name.
537 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
545 /*******************************************************************
546 Marshall a bind_nak pdu.
547 *******************************************************************/
549 static BOOL setup_bind_nak(pipes_struct *p)
551 prs_struct outgoing_rpc;
555 /* Free any memory in the current return data buffer. */
556 prs_mem_free(&p->out_data.rdata);
559 * Marshall directly into the outgoing PDU space. We
560 * must do this as we need to set to the bind response
561 * header and are never sending more than one PDU here.
564 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
565 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
569 * Initialize a bind_nak header.
572 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
573 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
576 * Marshall the header into the outgoing PDU.
579 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
580 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
585 * Now add the reject reason.
588 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero))
591 p->out_data.data_sent_length = 0;
592 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
593 p->out_data.current_pdu_sent = 0;
595 p->pipe_bound = False;
600 /*******************************************************************
601 Marshall a fault pdu.
602 *******************************************************************/
604 BOOL setup_fault_pdu(pipes_struct *p)
606 prs_struct outgoing_pdu;
608 RPC_HDR_RESP hdr_resp;
609 RPC_HDR_FAULT fault_resp;
611 /* Free any memory in the current return data buffer. */
612 prs_mem_free(&p->out_data.rdata);
615 * Marshall directly into the outgoing PDU space. We
616 * must do this as we need to set to the bind response
617 * header and are never sending more than one PDU here.
620 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
621 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
624 * Initialize a fault header.
627 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
628 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
631 * Initialize the HDR_RESP and FAULT parts of the PDU.
634 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
636 fault_resp.status = 0x1c010002;
637 fault_resp.reserved = 0;
640 * Marshall the header into the outgoing PDU.
643 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
644 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
648 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
649 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
653 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
654 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
658 p->out_data.data_sent_length = 0;
659 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
660 p->out_data.current_pdu_sent = 0;
665 /*******************************************************************
666 Ensure a bind request has the correct abstract & transfer interface.
667 Used to reject unknown binds from Win2k.
668 *******************************************************************/
670 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
673 extern struct pipe_id_info pipe_names[];
676 fstrcpy(pname,"\\PIPE\\");
677 fstrcat(pname,pipe_name);
679 for(i=0;pipe_names[i].client_pipe; i++) {
680 if(strequal(pipe_names[i].client_pipe, pname))
684 if(pipe_names[i].client_pipe == NULL)
687 /* check the abstract interface */
688 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
689 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
690 sizeof(RPC_UUID)) != 0))
693 /* check the transfer interface */
694 if((transfer->version != pipe_names[i].trans_syntax.version) ||
695 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
696 sizeof(RPC_UUID)) != 0))
702 /*******************************************************************
703 Respond to a pipe bind request.
704 *******************************************************************/
706 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
710 RPC_HDR_AUTH auth_info;
712 fstring ack_pipe_name;
713 prs_struct out_hdr_ba;
715 prs_struct outgoing_rpc;
718 enum RPC_PKT_TYPE reply_pkt_type;
720 p->ntlmssp_auth_requested = False;
722 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
725 * Try and find the correct pipe name to ensure
726 * that this is a pipe name we support.
729 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
730 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
731 api_fd_commands[i].fn != NULL) {
732 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
733 api_fd_commands[i].pipe_clnt_name,
734 api_fd_commands[i].pipe_srv_name));
735 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
740 if (api_fd_commands[i].fn == NULL) {
741 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
743 if(!setup_bind_nak(p))
748 /* decode the bind request */
749 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
750 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
755 * Check if this is an authenticated request.
758 if (p->hdr.auth_len != 0) {
759 RPC_AUTH_VERIFIER auth_verifier;
760 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
763 * Decode the authentication verifier.
766 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
767 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
772 * We only support NTLMSSP_AUTH_TYPE requests.
775 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
776 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
777 auth_info.auth_type ));
781 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
782 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
786 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
787 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
791 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
792 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
793 auth_verifier.msg_type));
797 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
798 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
802 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
803 p->ntlmssp_auth_requested = True;
806 switch(p->hdr.pkt_type) {
808 /* name has to be \PIPE\xxxxx */
809 fstrcpy(ack_pipe_name, "\\PIPE\\");
810 fstrcat(ack_pipe_name, p->pipe_srv_name);
811 reply_pkt_type = RPC_BINDACK;
814 /* secondary address CAN be NULL
815 * as the specs say it's ignored.
816 * It MUST NULL to have the spoolss working.
818 fstrcpy(ack_pipe_name,"");
819 reply_pkt_type = RPC_ALTCONTRESP;
825 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
828 * Marshall directly into the outgoing PDU space. We
829 * must do this as we need to set to the bind response
830 * header and are never sending more than one PDU here.
833 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
834 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
837 * Setup the memory to marshall the ba header, and the
841 if(!prs_init(&out_hdr_ba, 1024, 4, MARSHALL)) {
842 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
846 if(!prs_init(&out_auth, 1024, 4, MARSHALL)) {
847 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
848 prs_mem_free(&out_hdr_ba);
852 if (p->ntlmssp_auth_requested)
855 assoc_gid = hdr_rb.bba.assoc_gid;
858 * Create the bind response struct.
861 /* If the requested abstract synt uuid doesn't match our client pipe,
862 reject the bind_ack & set the transfer interface synt to all 0's,
863 ver 0 (observed when NT5 attempts to bind to abstract interfaces
865 Needed when adding entries to a DACL from NT5 - SK */
867 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
868 init_rpc_hdr_ba(&hdr_ba,
876 RPC_IFACE null_interface;
877 ZERO_STRUCT(null_interface);
878 /* Rejection reason: abstract syntax not supported */
879 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
880 MAX_PDU_FRAG_LEN, assoc_gid,
881 ack_pipe_name, 0x1, 0x2, 0x1,
889 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
890 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
895 * Now the authentication.
898 if (p->ntlmssp_auth_requested) {
899 RPC_AUTH_VERIFIER auth_verifier;
900 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
902 generate_random_buffer(p->challenge, 8, False);
904 /*** Authentication info ***/
906 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
907 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
908 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
912 /*** NTLMSSP verifier ***/
914 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
915 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
916 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
920 /* NTLMSSP challenge ***/
922 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
923 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
924 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
928 /* Auth len in the rpc header doesn't include auth_header. */
929 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
933 * Create the header, now we know the length.
936 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
938 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
942 * Marshall the header into the outgoing PDU.
945 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
946 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
951 * Now add the RPC_HDR_BA and any auth needed.
954 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
955 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
959 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
960 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
964 if(!p->ntlmssp_auth_requested)
965 p->pipe_bound = True;
968 * Setup the lengths for the initial reply.
971 p->out_data.data_sent_length = 0;
972 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
973 p->out_data.current_pdu_sent = 0;
975 prs_mem_free(&out_hdr_ba);
976 prs_mem_free(&out_auth);
982 prs_mem_free(&out_hdr_ba);
983 prs_mem_free(&out_auth);
987 /****************************************************************************
988 Deal with sign & seal processing on an RPC request.
989 ****************************************************************************/
991 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
994 * We always negotiate the following two bits....
996 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
997 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
1003 auth_len = p->hdr.auth_len;
1005 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1006 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1011 * The following is that length of the data we must verify or unseal.
1012 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1013 * preceeding the auth_data.
1016 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1017 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1019 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1020 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1024 * The data in rpc_in doesn't contain the RPC_HEADER as this
1025 * has already been consumed.
1027 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1028 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1029 crc32 = crc32_calc_buffer(data, data_len);
1032 old_offset = prs_offset(rpc_in);
1034 if (auth_seal || auth_verify) {
1035 RPC_HDR_AUTH auth_info;
1037 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1038 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1039 (unsigned int)old_offset + data_len ));
1043 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1044 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1050 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1051 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1053 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1056 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1059 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1060 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1061 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1065 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1066 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1067 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1071 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1072 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1078 * Return the current pointer to the data offset.
1081 if(!prs_set_offset(rpc_in, old_offset)) {
1082 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1083 (unsigned int)old_offset ));
1090 /****************************************************************************
1091 Find the correct RPC function to call for this request.
1092 If the pipe is authenticated then become the correct UNIX user
1093 before doing the call.
1094 ****************************************************************************/
1096 BOOL api_pipe_request(pipes_struct *p)
1100 BOOL changed_user_id = False;
1102 if (p->ntlmssp_auth_validated) {
1104 if(!become_authenticated_pipe_user(p)) {
1105 prs_mem_free(&p->out_data.rdata);
1109 changed_user_id = True;
1112 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1113 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1114 api_fd_commands[i].fn != NULL) {
1115 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1116 ret = api_fd_commands[i].fn(p, &p->in_data.data);
1121 unbecome_authenticated_pipe_user(p);
1126 /*******************************************************************
1127 Calls the underlying RPC function for a named pipe.
1128 ********************************************************************/
1130 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
1135 uint32 offset1, offset2;
1137 /* interpret the command */
1138 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1140 slprintf(name, sizeof(name), "in_%s", rpc_name);
1141 prs_dump(name, p->hdr_req.opnum, rpc_in);
1143 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1144 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1145 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1150 if (api_rpc_cmds[fn_num].name == NULL) {
1152 * For an unknown RPC just return a fault PDU but
1153 * return True to allow RPC's on the pipe to continue
1154 * and not put the pipe into fault state. JRA.
1156 DEBUG(4, ("unknown\n"));
1161 offset1 = prs_offset(&p->out_data.rdata);
1163 /* do the actual command */
1164 if(!api_rpc_cmds[fn_num].fn(rpc_in, &p->out_data.rdata)) {
1165 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1166 prs_mem_free(&p->out_data.rdata);
1170 slprintf(name, sizeof(name), "out_%s", rpc_name);
1171 offset2 = prs_offset(&p->out_data.rdata);
1172 prs_set_offset(&p->out_data.rdata, offset1);
1173 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1174 prs_set_offset(&p->out_data.rdata, offset2);
1176 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));