2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998.
7 * Copyright (C) Jeremy Allison 1999.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 /* this module apparently provides an implementation of DCE/RPC over a
25 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
26 * documentation are available (in on-line form) from the X-Open group.
28 * this module should provide a level of abstraction between SMB
29 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
30 * data copies, and network traffic.
32 * in this version, which takes a "let's learn what's going on and
33 * get something running" approach, there is additional network
34 * traffic generated, but the code should be easier to understand...
36 * ... if you read the docs. or stare at packets for weeks on end.
43 #define DBGC_CLASS DBGC_RPC_SRV
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
52 for( ind = 0; ind < len; ind++) {
57 index_j += hash[index_i];
60 hash[index_i] = hash[index_j];
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
77 BOOL create_next_pdu(pipes_struct *p)
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
83 uint32 data_space_available;
85 prs_struct outgoing_pdu;
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
96 setup_fault_pdu(p, NT_STATUS(0x1c010002));
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
112 * Work out how much we can fit in a single PDU.
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
127 * Ensure there really is data left to send.
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
135 data_len = MIN(data_len_left, data_space_available);
138 * Set up the alloc hint. This should be the data left to
142 hdr_resp.alloc_hint = data_len_left;
145 * Set up the header lengths.
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
158 * Work out if this PDU will be the last.
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
165 * Init the parse struct to point at the outgoing
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
198 * Set data to point to where we copied the data into.
201 data = prs_data_p(&outgoing_pdu) + data_pos;
203 if (p->hdr.auth_len > 0) {
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
244 * Setup the counts for this PDU.
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
251 prs_mem_free(&outgoing_pdu);
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
275 struct auth_context *auth_context = NULL;
276 auth_usersupplied_info *user_info = NULL;
277 auth_serversupplied_info *server_info = NULL;
279 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
281 memset(p->user_name, '\0', sizeof(p->user_name));
282 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
283 memset(p->domain, '\0', sizeof(p->domain));
284 memset(p->wks, '\0', sizeof(p->wks));
286 /* Set up for non-authenticated user. */
287 delete_nt_token(&p->pipe_user.nt_user_token);
288 p->pipe_user.ngroups = 0;
289 SAFE_FREE( p->pipe_user.groups);
292 * Setup an empty password for a guest user.
296 * We always negotiate UNICODE.
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
301 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
302 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
304 pull_ascii_fstring(user_name, ntlmssp_resp->user);
305 pull_ascii_fstring(domain, ntlmssp_resp->domain);
306 pull_ascii_fstring(wks, ntlmssp_resp->wks);
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
312 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
314 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
315 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
317 #ifdef DEBUG_PASSWORD
318 DEBUG(100,("lm, nt owfs, chal\n"));
319 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
320 dump_data(100, (char *)nt_owf, nt_pw_len);
321 dump_data(100, (char *)p->challenge, 8);
325 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
331 * Do the length checking only if user is not NULL.
334 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
336 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
338 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
340 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
342 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
347 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
349 if (!make_user_info_netlogon_network(&user_info,
350 user_name, domain, wks,
352 nt_owf, nt_pw_len)) {
353 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
357 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
359 (auth_context->free)(&auth_context);
360 free_user_info(&user_info);
362 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
364 if (!p->ntlmssp_auth_validated) {
365 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
366 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
367 free_server_info(&server_info);
372 * Set up the sign/seal data.
377 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
389 for (ind = 0; ind < 256; ind++)
390 p->ntlmssp_hash[ind] = (unsigned char)ind;
392 for( ind = 0; ind < 256; ind++) {
395 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
397 tc = p->ntlmssp_hash[ind];
398 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
399 p->ntlmssp_hash[j] = tc;
402 p->ntlmssp_hash[256] = 0;
403 p->ntlmssp_hash[257] = 0;
405 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
406 p->ntlmssp_seq_num = 0;
410 fstrcpy(p->user_name, user_name);
411 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
412 fstrcpy(p->domain, domain);
413 fstrcpy(p->wks, wks);
416 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
419 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
420 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
421 free_server_info(&server_info);
425 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
427 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
428 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
430 p->pipe_user.ngroups = server_info->n_groups;
431 if (p->pipe_user.ngroups) {
432 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
433 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
434 free_server_info(&server_info);
439 if (server_info->ptok)
440 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
442 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
443 p->pipe_user.nt_user_token = NULL;
444 free_server_info(&server_info);
448 p->ntlmssp_auth_validated = True;
450 free_server_info(&server_info);
454 /*******************************************************************
455 The switch table for the pipe names and the functions to handle them.
456 *******************************************************************/
460 char * pipe_clnt_name;
461 char * pipe_srv_name;
462 BOOL (*fn) (pipes_struct *);
465 static struct api_cmd api_fd_commands[] =
467 { "lsarpc", "lsass", api_ntlsa_rpc },
468 { "samr", "lsass", api_samr_rpc },
469 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
470 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
471 { "NETLOGON", "lsass", api_netlog_rpc },
472 { "winreg", "winreg", api_reg_rpc },
473 { "spoolss", "spoolss", api_spoolss_rpc },
474 { "netdfs", "netdfs" , api_netdfs_rpc },
478 /*******************************************************************
479 This is the client reply to our challenge for an authenticated
480 bind request. The challenge we sent is in p->challenge.
481 *******************************************************************/
483 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
485 RPC_HDR_AUTHA autha_info;
486 RPC_AUTH_VERIFIER auth_verifier;
487 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
489 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
491 if (p->hdr.auth_len == 0) {
492 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
497 * Decode the authentication verifier response.
500 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
501 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
505 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
506 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
507 (int)autha_info.auth_type, (int)autha_info.auth_level ));
511 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
512 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
517 * Ensure this is a NTLMSSP_AUTH packet type.
520 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
521 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
525 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
526 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
531 * The following call actually checks the challenge/response data.
532 * for correctness against the given DOMAIN\user name.
535 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
543 /*******************************************************************
544 Marshall a bind_nak pdu.
545 *******************************************************************/
547 static BOOL setup_bind_nak(pipes_struct *p)
549 prs_struct outgoing_rpc;
553 /* Free any memory in the current return data buffer. */
554 prs_mem_free(&p->out_data.rdata);
557 * Marshall directly into the outgoing PDU space. We
558 * must do this as we need to set to the bind response
559 * header and are never sending more than one PDU here.
562 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
563 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
567 * Initialize a bind_nak header.
570 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
571 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
574 * Marshall the header into the outgoing PDU.
577 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
578 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
579 prs_mem_free(&outgoing_rpc);
584 * Now add the reject reason.
587 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
588 prs_mem_free(&outgoing_rpc);
592 p->out_data.data_sent_length = 0;
593 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
594 p->out_data.current_pdu_sent = 0;
596 p->pipe_bound = False;
601 /*******************************************************************
602 Marshall a fault pdu.
603 *******************************************************************/
605 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
607 prs_struct outgoing_pdu;
609 RPC_HDR_RESP hdr_resp;
610 RPC_HDR_FAULT fault_resp;
612 /* Free any memory in the current return data buffer. */
613 prs_mem_free(&p->out_data.rdata);
616 * Marshall directly into the outgoing PDU space. We
617 * must do this as we need to set to the bind response
618 * header and are never sending more than one PDU here.
621 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
622 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
625 * Initialize a fault header.
628 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
629 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
632 * Initialize the HDR_RESP and FAULT parts of the PDU.
635 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
637 fault_resp.status = status;
638 fault_resp.reserved = 0;
641 * Marshall the header into the outgoing PDU.
644 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
645 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
646 prs_mem_free(&outgoing_pdu);
650 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
651 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
652 prs_mem_free(&outgoing_pdu);
656 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
657 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
658 prs_mem_free(&outgoing_pdu);
662 p->out_data.data_sent_length = 0;
663 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
664 p->out_data.current_pdu_sent = 0;
666 prs_mem_free(&outgoing_pdu);
670 /*******************************************************************
671 Ensure a bind request has the correct abstract & transfer interface.
672 Used to reject unknown binds from Win2k.
673 *******************************************************************/
675 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
678 extern struct pipe_id_info pipe_names[];
681 fstrcpy(pname,"\\PIPE\\");
682 fstrcat(pname,pipe_name);
685 #ifndef SUPPORT_NEW_LSARPC_UUID
687 /* check for the first pipe matching the name */
689 for ( i=0; pipe_names[i].client_pipe; i++ ) {
690 if ( strequal(pipe_names[i].client_pipe, pname) )
694 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
696 for ( i=0; pipe_names[i].client_pipe; i++ )
698 if ( strequal(pipe_names[i].client_pipe, pname)
699 && (abstract->version == pipe_names[i].abstr_syntax.version)
700 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
701 && (transfer->version == pipe_names[i].trans_syntax.version)
702 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
709 if(pipe_names[i].client_pipe == NULL)
712 #ifndef SUPPORT_NEW_LSARPC_UUID
713 /* check the abstract interface */
714 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
715 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
720 /* check the transfer interface */
721 if ( (transfer->version != pipe_names[i].trans_syntax.version)
722 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
730 /*******************************************************************
731 Respond to a pipe bind request.
732 *******************************************************************/
734 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
738 RPC_HDR_AUTH auth_info;
740 fstring ack_pipe_name;
741 prs_struct out_hdr_ba;
743 prs_struct outgoing_rpc;
746 enum RPC_PKT_TYPE reply_pkt_type;
748 p->ntlmssp_auth_requested = False;
750 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
753 * Try and find the correct pipe name to ensure
754 * that this is a pipe name we support.
757 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
758 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
759 api_fd_commands[i].fn != NULL) {
760 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
761 api_fd_commands[i].pipe_clnt_name,
762 api_fd_commands[i].pipe_srv_name));
763 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
768 if (api_fd_commands[i].fn == NULL) {
769 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
771 if(!setup_bind_nak(p))
776 /* decode the bind request */
777 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
778 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
783 * Check if this is an authenticated request.
786 if (p->hdr.auth_len != 0) {
787 RPC_AUTH_VERIFIER auth_verifier;
788 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
791 * Decode the authentication verifier.
794 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
795 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
800 * We only support NTLMSSP_AUTH_TYPE requests.
803 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
804 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
805 auth_info.auth_type ));
809 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
810 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
814 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
815 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
819 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
820 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
821 auth_verifier.msg_type));
825 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
826 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
830 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
831 p->ntlmssp_auth_requested = True;
834 switch(p->hdr.pkt_type) {
836 /* name has to be \PIPE\xxxxx */
837 fstrcpy(ack_pipe_name, "\\PIPE\\");
838 fstrcat(ack_pipe_name, p->pipe_srv_name);
839 reply_pkt_type = RPC_BINDACK;
842 /* secondary address CAN be NULL
843 * as the specs say it's ignored.
844 * It MUST NULL to have the spoolss working.
846 fstrcpy(ack_pipe_name,"");
847 reply_pkt_type = RPC_ALTCONTRESP;
853 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
856 * Marshall directly into the outgoing PDU space. We
857 * must do this as we need to set to the bind response
858 * header and are never sending more than one PDU here.
861 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
862 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
865 * Setup the memory to marshall the ba header, and the
869 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
870 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
871 prs_mem_free(&outgoing_rpc);
875 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
876 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
877 prs_mem_free(&outgoing_rpc);
878 prs_mem_free(&out_hdr_ba);
882 if (p->ntlmssp_auth_requested)
885 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
888 * Create the bind response struct.
891 /* If the requested abstract synt uuid doesn't match our client pipe,
892 reject the bind_ack & set the transfer interface synt to all 0's,
893 ver 0 (observed when NT5 attempts to bind to abstract interfaces
895 Needed when adding entries to a DACL from NT5 - SK */
897 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
898 init_rpc_hdr_ba(&hdr_ba,
906 RPC_IFACE null_interface;
907 ZERO_STRUCT(null_interface);
908 /* Rejection reason: abstract syntax not supported */
909 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
910 MAX_PDU_FRAG_LEN, assoc_gid,
911 ack_pipe_name, 0x1, 0x2, 0x1,
919 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
920 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
925 * Now the authentication.
928 if (p->ntlmssp_auth_requested) {
929 RPC_AUTH_VERIFIER auth_verifier;
930 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
932 generate_random_buffer(p->challenge, 8, False);
934 /*** Authentication info ***/
936 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
937 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
938 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
942 /*** NTLMSSP verifier ***/
944 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
945 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
946 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
950 /* NTLMSSP challenge ***/
952 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
953 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
954 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
958 /* Auth len in the rpc header doesn't include auth_header. */
959 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
963 * Create the header, now we know the length.
966 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
968 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
972 * Marshall the header into the outgoing PDU.
975 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
976 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
981 * Now add the RPC_HDR_BA and any auth needed.
984 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
985 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
989 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
990 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
994 if(!p->ntlmssp_auth_requested)
995 p->pipe_bound = True;
998 * Setup the lengths for the initial reply.
1001 p->out_data.data_sent_length = 0;
1002 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1003 p->out_data.current_pdu_sent = 0;
1005 prs_mem_free(&out_hdr_ba);
1006 prs_mem_free(&out_auth);
1012 prs_mem_free(&outgoing_rpc);
1013 prs_mem_free(&out_hdr_ba);
1014 prs_mem_free(&out_auth);
1018 /****************************************************************************
1019 Deal with sign & seal processing on an RPC request.
1020 ****************************************************************************/
1022 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1025 * We always negotiate the following two bits....
1027 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1028 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1034 auth_len = p->hdr.auth_len;
1036 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1037 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1042 * The following is that length of the data we must verify or unseal.
1043 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1044 * preceeding the auth_data.
1047 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1048 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1050 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1051 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1055 * The data in rpc_in doesn't contain the RPC_HEADER as this
1056 * has already been consumed.
1058 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1059 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1060 crc32 = crc32_calc_buffer(data, data_len);
1063 old_offset = prs_offset(rpc_in);
1065 if (auth_seal || auth_verify) {
1066 RPC_HDR_AUTH auth_info;
1068 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1069 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1070 (unsigned int)old_offset + data_len ));
1074 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1075 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1081 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1082 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1084 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1087 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1090 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1091 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1092 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1096 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1097 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1098 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1102 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1103 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1109 * Return the current pointer to the data offset.
1112 if(!prs_set_offset(rpc_in, old_offset)) {
1113 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1114 (unsigned int)old_offset ));
1121 /****************************************************************************
1122 Return a user struct for a pipe user.
1123 ****************************************************************************/
1125 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1127 if (p->ntlmssp_auth_validated) {
1128 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1130 extern struct current_user current_user;
1131 memcpy(user, ¤t_user, sizeof(struct current_user));
1137 /****************************************************************************
1138 Find the correct RPC function to call for this request.
1139 If the pipe is authenticated then become the correct UNIX user
1140 before doing the call.
1141 ****************************************************************************/
1143 BOOL api_pipe_request(pipes_struct *p)
1148 if (p->ntlmssp_auth_validated) {
1150 if(!become_authenticated_pipe_user(p)) {
1151 prs_mem_free(&p->out_data.rdata);
1156 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1157 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1158 api_fd_commands[i].fn != NULL) {
1159 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1160 set_current_rpc_talloc(p->mem_ctx);
1161 ret = api_fd_commands[i].fn(p);
1162 set_current_rpc_talloc(NULL);
1166 if(p->ntlmssp_auth_validated)
1167 unbecome_authenticated_pipe_user();
1172 /*******************************************************************
1173 Calls the underlying RPC function for a named pipe.
1174 ********************************************************************/
1176 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1177 const struct api_struct *api_rpc_cmds)
1181 uint32 offset1, offset2;
1183 /* interpret the command */
1184 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1186 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1187 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1189 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1190 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1191 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1196 if (api_rpc_cmds[fn_num].name == NULL) {
1198 * For an unknown RPC just return a fault PDU but
1199 * return True to allow RPC's on the pipe to continue
1200 * and not put the pipe into fault state. JRA.
1202 DEBUG(4, ("unknown\n"));
1203 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1207 offset1 = prs_offset(&p->out_data.rdata);
1209 /* do the actual command */
1210 if(!api_rpc_cmds[fn_num].fn(p)) {
1211 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1212 prs_mem_free(&p->out_data.rdata);
1216 if (p->bad_handle_fault_state) {
1217 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1218 p->bad_handle_fault_state = False;
1219 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1223 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1224 offset2 = prs_offset(&p->out_data.rdata);
1225 prs_set_offset(&p->out_data.rdata, offset1);
1226 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1227 prs_set_offset(&p->out_data.rdata, offset2);
1229 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1231 /* Check for buffer underflow in rpc parsing */
1233 if ((DEBUGLEVEL >= 10) &&
1234 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1235 int data_len = p->in_data.data.buffer_size -
1236 p->in_data.data.data_offset;
1239 data = malloc(data_len);
1241 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1243 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,