2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
45 unsigned char *hash = p->ntlmssp_hash;
46 unsigned char index_i = hash[256];
47 unsigned char index_j = hash[257];
50 for( ind = 0; ind < len; ind++) {
55 index_j += hash[index_i];
58 hash[index_i] = hash[index_j];
61 t = hash[index_i] + hash[index_j];
62 data[ind] = data[ind] ^ hash[t];
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
75 BOOL create_next_pdu(pipes_struct *p)
77 RPC_HDR_RESP hdr_resp;
78 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
81 uint32 data_space_available;
83 prs_struct outgoing_pdu;
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
94 setup_fault_pdu(p, NT_STATUS(0x1c010002));
98 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
100 /* Change the incoming request header to a response. */
101 p->hdr.pkt_type = RPC_RESPONSE;
103 /* Set up rpc header flags. */
104 if (p->out_data.data_sent_length == 0)
105 p->hdr.flags = RPC_FLG_FIRST;
110 * Work out how much we can fit in a single PDU.
113 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114 if(p->ntlmssp_auth_validated)
115 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
122 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125 * Ensure there really is data left to send.
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 data_len = MIN(data_len_left, data_space_available);
136 * Set up the alloc hint. This should be the data left to
140 hdr_resp.alloc_hint = data_len_left;
143 * Set up the header lengths.
146 if (p->ntlmssp_auth_validated) {
147 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
156 * Work out if this PDU will be the last.
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160 p->hdr.flags |= RPC_FLG_LAST;
163 * Init the parse struct to point at the outgoing
167 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu);
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu);
183 /* Store the current offset. */
184 data_pos = prs_offset(&outgoing_pdu);
186 /* Copy the data into the PDU. */
187 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu);
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226 char *auth_data = prs_data_p(&outgoing_pdu);
228 p->ntlmssp_seq_num++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230 crc32, p->ntlmssp_seq_num++);
231 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu);
237 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
242 * Setup the counts for this PDU.
245 p->out_data.data_sent_length += data_len;
246 p->out_data.current_pdu_len = p->hdr.frag_len;
247 p->out_data.current_pdu_sent = 0;
249 prs_mem_free(&outgoing_pdu);
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
268 fstring pipe_user_name;
274 auth_usersupplied_info *user_info = NULL;
275 auth_serversupplied_info *server_info = NULL;
280 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
282 memset(p->user_name, '\0', sizeof(p->user_name));
283 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
284 memset(p->domain, '\0', sizeof(p->domain));
285 memset(p->wks, '\0', sizeof(p->wks));
287 /* Set up for non-authenticated user. */
288 delete_nt_token(&p->pipe_user.nt_user_token);
289 p->pipe_user.ngroups = 0;
290 SAFE_FREE( p->pipe_user.groups);
293 * Setup an empty password for a guest user.
297 * We always negotiate UNICODE.
300 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
302 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
303 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
305 pull_ascii_fstring(user_name, ntlmssp_resp->user);
306 pull_ascii_fstring(domain, ntlmssp_resp->domain);
307 pull_ascii_fstring(wks, ntlmssp_resp->wks);
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
312 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
313 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
315 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
316 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
318 #ifdef DEBUG_PASSWORD
319 DEBUG(100,("lm, nt owfs, chal\n"));
320 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
321 dump_data(100, (char *)nt_owf, nt_pw_len);
322 dump_data(100, (char *)p->challenge, 8);
326 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
329 if((strlen(user_name) == 0) &&
330 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
333 fstrcpy(pipe_user_name, lp_guestaccount(-1));
334 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
339 * Do the length checking only if user is not NULL.
342 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
344 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
346 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
348 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
350 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
355 if (!make_user_info_netlogon_network(&user_info,
356 user_name, domain, wks, (uchar*)p->challenge,
358 nt_owf, nt_pw_len)) {
359 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
363 nt_status = check_password(user_info, &server_info);
365 free_user_info(&user_info);
367 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
369 if (!p->ntlmssp_auth_validated) {
370 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
371 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
372 free_server_info(&server_info);
377 * Set up the sign/seal data.
382 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
394 for (ind = 0; ind < 256; ind++)
395 p->ntlmssp_hash[ind] = (unsigned char)ind;
397 for( ind = 0; ind < 256; ind++) {
400 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
402 tc = p->ntlmssp_hash[ind];
403 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
404 p->ntlmssp_hash[j] = tc;
407 p->ntlmssp_hash[256] = 0;
408 p->ntlmssp_hash[257] = 0;
410 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
411 p->ntlmssp_seq_num = 0;
415 fstrcpy(p->user_name, user_name);
416 fstrcpy(p->pipe_user_name, pipe_user_name);
417 fstrcpy(p->domain, domain);
418 fstrcpy(p->wks, wks);
421 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
424 puid = pdb_get_uid(server_info->sam_account);
425 pgid = pdb_get_gid(server_info->sam_account);
427 if (!puid || !pgid) {
428 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
429 free_server_info(&server_info);
433 p->pipe_user.uid = *puid;
434 p->pipe_user.gid = *pgid;
436 /* Set up pipe user group membership. */
437 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
438 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
440 if (server_info->ptok)
441 add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
443 /* Create an NT_USER_TOKEN struct for this user. */
444 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
445 p->pipe_user.ngroups, p->pipe_user.groups,
446 server_info->guest, server_info->ptok);
448 p->ntlmssp_auth_validated = True;
450 pdb_free_sam(&server_info->sam_account);
454 /*******************************************************************
455 The switch table for the pipe names and the functions to handle them.
456 *******************************************************************/
460 char * pipe_clnt_name;
461 char * pipe_srv_name;
462 BOOL (*fn) (pipes_struct *);
465 static struct api_cmd api_fd_commands[] =
467 { "lsarpc", "lsass", api_ntlsa_rpc },
468 { "samr", "lsass", api_samr_rpc },
469 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
470 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
471 { "NETLOGON", "lsass", api_netlog_rpc },
472 { "winreg", "winreg", api_reg_rpc },
473 { "spoolss", "spoolss", api_spoolss_rpc },
474 { "netdfs", "netdfs" , api_netdfs_rpc },
478 /*******************************************************************
479 This is the client reply to our challenge for an authenticated
480 bind request. The challenge we sent is in p->challenge.
481 *******************************************************************/
483 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
485 RPC_HDR_AUTHA autha_info;
486 RPC_AUTH_VERIFIER auth_verifier;
487 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
489 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
491 if (p->hdr.auth_len == 0) {
492 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
497 * Decode the authentication verifier response.
500 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
501 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
505 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
506 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
507 (int)autha_info.auth_type, (int)autha_info.auth_level ));
511 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
512 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
517 * Ensure this is a NTLMSSP_AUTH packet type.
520 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
521 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
525 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
526 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
531 * The following call actually checks the challenge/response data.
532 * for correctness against the given DOMAIN\user name.
535 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
543 /*******************************************************************
544 Marshall a bind_nak pdu.
545 *******************************************************************/
547 static BOOL setup_bind_nak(pipes_struct *p)
549 prs_struct outgoing_rpc;
553 /* Free any memory in the current return data buffer. */
554 prs_mem_free(&p->out_data.rdata);
557 * Marshall directly into the outgoing PDU space. We
558 * must do this as we need to set to the bind response
559 * header and are never sending more than one PDU here.
562 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
563 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
567 * Initialize a bind_nak header.
570 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
571 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
574 * Marshall the header into the outgoing PDU.
577 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
578 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
579 prs_mem_free(&outgoing_rpc);
584 * Now add the reject reason.
587 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
588 prs_mem_free(&outgoing_rpc);
592 p->out_data.data_sent_length = 0;
593 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
594 p->out_data.current_pdu_sent = 0;
596 p->pipe_bound = False;
601 /*******************************************************************
602 Marshall a fault pdu.
603 *******************************************************************/
605 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
607 prs_struct outgoing_pdu;
609 RPC_HDR_RESP hdr_resp;
610 RPC_HDR_FAULT fault_resp;
612 /* Free any memory in the current return data buffer. */
613 prs_mem_free(&p->out_data.rdata);
616 * Marshall directly into the outgoing PDU space. We
617 * must do this as we need to set to the bind response
618 * header and are never sending more than one PDU here.
621 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
622 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
625 * Initialize a fault header.
628 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
629 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
632 * Initialize the HDR_RESP and FAULT parts of the PDU.
635 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
637 fault_resp.status = status;
638 fault_resp.reserved = 0;
641 * Marshall the header into the outgoing PDU.
644 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
645 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
646 prs_mem_free(&outgoing_pdu);
650 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
651 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
652 prs_mem_free(&outgoing_pdu);
656 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
657 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
658 prs_mem_free(&outgoing_pdu);
662 p->out_data.data_sent_length = 0;
663 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
664 p->out_data.current_pdu_sent = 0;
666 prs_mem_free(&outgoing_pdu);
670 /*******************************************************************
671 Ensure a bind request has the correct abstract & transfer interface.
672 Used to reject unknown binds from Win2k.
673 *******************************************************************/
675 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
678 extern struct pipe_id_info pipe_names[];
681 fstrcpy(pname,"\\PIPE\\");
682 fstrcat(pname,pipe_name);
684 for(i=0;pipe_names[i].client_pipe; i++) {
685 if(strequal(pipe_names[i].client_pipe, pname))
689 if(pipe_names[i].client_pipe == NULL)
692 /* check the abstract interface */
693 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
694 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
695 sizeof(RPC_UUID)) != 0))
698 /* check the transfer interface */
699 if((transfer->version != pipe_names[i].trans_syntax.version) ||
700 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
701 sizeof(RPC_UUID)) != 0))
707 /*******************************************************************
708 Respond to a pipe bind request.
709 *******************************************************************/
711 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
715 RPC_HDR_AUTH auth_info;
717 fstring ack_pipe_name;
718 prs_struct out_hdr_ba;
720 prs_struct outgoing_rpc;
723 enum RPC_PKT_TYPE reply_pkt_type;
725 p->ntlmssp_auth_requested = False;
727 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
730 * Try and find the correct pipe name to ensure
731 * that this is a pipe name we support.
734 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
735 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
736 api_fd_commands[i].fn != NULL) {
737 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
738 api_fd_commands[i].pipe_clnt_name,
739 api_fd_commands[i].pipe_srv_name));
740 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
745 if (api_fd_commands[i].fn == NULL) {
746 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
748 if(!setup_bind_nak(p))
753 /* decode the bind request */
754 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
755 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
760 * Check if this is an authenticated request.
763 if (p->hdr.auth_len != 0) {
764 RPC_AUTH_VERIFIER auth_verifier;
765 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
768 * Decode the authentication verifier.
771 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
772 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
777 * We only support NTLMSSP_AUTH_TYPE requests.
780 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
781 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
782 auth_info.auth_type ));
786 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
787 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
791 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
792 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
796 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
797 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
798 auth_verifier.msg_type));
802 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
803 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
807 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
808 p->ntlmssp_auth_requested = True;
811 switch(p->hdr.pkt_type) {
813 /* name has to be \PIPE\xxxxx */
814 fstrcpy(ack_pipe_name, "\\PIPE\\");
815 fstrcat(ack_pipe_name, p->pipe_srv_name);
816 reply_pkt_type = RPC_BINDACK;
819 /* secondary address CAN be NULL
820 * as the specs say it's ignored.
821 * It MUST NULL to have the spoolss working.
823 fstrcpy(ack_pipe_name,"");
824 reply_pkt_type = RPC_ALTCONTRESP;
830 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
833 * Marshall directly into the outgoing PDU space. We
834 * must do this as we need to set to the bind response
835 * header and are never sending more than one PDU here.
838 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
839 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
842 * Setup the memory to marshall the ba header, and the
846 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
847 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
848 prs_mem_free(&outgoing_rpc);
852 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
853 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
854 prs_mem_free(&outgoing_rpc);
855 prs_mem_free(&out_hdr_ba);
859 if (p->ntlmssp_auth_requested)
862 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
865 * Create the bind response struct.
868 /* If the requested abstract synt uuid doesn't match our client pipe,
869 reject the bind_ack & set the transfer interface synt to all 0's,
870 ver 0 (observed when NT5 attempts to bind to abstract interfaces
872 Needed when adding entries to a DACL from NT5 - SK */
874 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
875 init_rpc_hdr_ba(&hdr_ba,
883 RPC_IFACE null_interface;
884 ZERO_STRUCT(null_interface);
885 /* Rejection reason: abstract syntax not supported */
886 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
887 MAX_PDU_FRAG_LEN, assoc_gid,
888 ack_pipe_name, 0x1, 0x2, 0x1,
896 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
897 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
902 * Now the authentication.
905 if (p->ntlmssp_auth_requested) {
906 RPC_AUTH_VERIFIER auth_verifier;
907 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
909 generate_random_buffer(p->challenge, 8, False);
911 /*** Authentication info ***/
913 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
914 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
915 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
919 /*** NTLMSSP verifier ***/
921 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
922 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
923 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
927 /* NTLMSSP challenge ***/
929 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
930 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
931 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
935 /* Auth len in the rpc header doesn't include auth_header. */
936 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
940 * Create the header, now we know the length.
943 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
945 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
949 * Marshall the header into the outgoing PDU.
952 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
953 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
958 * Now add the RPC_HDR_BA and any auth needed.
961 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
962 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
966 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
967 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
971 if(!p->ntlmssp_auth_requested)
972 p->pipe_bound = True;
975 * Setup the lengths for the initial reply.
978 p->out_data.data_sent_length = 0;
979 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
980 p->out_data.current_pdu_sent = 0;
982 prs_mem_free(&out_hdr_ba);
983 prs_mem_free(&out_auth);
989 prs_mem_free(&outgoing_rpc);
990 prs_mem_free(&out_hdr_ba);
991 prs_mem_free(&out_auth);
995 /****************************************************************************
996 Deal with sign & seal processing on an RPC request.
997 ****************************************************************************/
999 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1002 * We always negotiate the following two bits....
1004 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1005 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1011 auth_len = p->hdr.auth_len;
1013 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1014 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1019 * The following is that length of the data we must verify or unseal.
1020 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1021 * preceeding the auth_data.
1024 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1025 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1027 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1028 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1032 * The data in rpc_in doesn't contain the RPC_HEADER as this
1033 * has already been consumed.
1035 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1036 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1037 crc32 = crc32_calc_buffer(data, data_len);
1040 old_offset = prs_offset(rpc_in);
1042 if (auth_seal || auth_verify) {
1043 RPC_HDR_AUTH auth_info;
1045 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1046 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1047 (unsigned int)old_offset + data_len ));
1051 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1052 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1058 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1059 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1061 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1064 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1067 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1068 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1069 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1073 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1074 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1075 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1079 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1080 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1086 * Return the current pointer to the data offset.
1089 if(!prs_set_offset(rpc_in, old_offset)) {
1090 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1091 (unsigned int)old_offset ));
1098 /****************************************************************************
1099 Return a user struct for a pipe user.
1100 ****************************************************************************/
1102 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1104 if (p->ntlmssp_auth_validated) {
1105 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1107 extern struct current_user current_user;
1108 memcpy(user, ¤t_user, sizeof(struct current_user));
1114 /****************************************************************************
1115 Find the correct RPC function to call for this request.
1116 If the pipe is authenticated then become the correct UNIX user
1117 before doing the call.
1118 ****************************************************************************/
1120 BOOL api_pipe_request(pipes_struct *p)
1125 if (p->ntlmssp_auth_validated) {
1127 if(!become_authenticated_pipe_user(p)) {
1128 prs_mem_free(&p->out_data.rdata);
1133 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1134 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1135 api_fd_commands[i].fn != NULL) {
1136 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1137 set_current_rpc_talloc(p->mem_ctx);
1138 ret = api_fd_commands[i].fn(p);
1139 set_current_rpc_talloc(NULL);
1143 if(p->ntlmssp_auth_validated)
1144 unbecome_authenticated_pipe_user();
1149 /*******************************************************************
1150 Calls the underlying RPC function for a named pipe.
1151 ********************************************************************/
1153 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1154 struct api_struct *api_rpc_cmds)
1158 uint32 offset1, offset2;
1160 /* interpret the command */
1161 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1163 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1164 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1166 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1167 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1168 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1173 if (api_rpc_cmds[fn_num].name == NULL) {
1175 * For an unknown RPC just return a fault PDU but
1176 * return True to allow RPC's on the pipe to continue
1177 * and not put the pipe into fault state. JRA.
1179 DEBUG(4, ("unknown\n"));
1180 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1184 offset1 = prs_offset(&p->out_data.rdata);
1186 /* do the actual command */
1187 if(!api_rpc_cmds[fn_num].fn(p)) {
1188 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1189 prs_mem_free(&p->out_data.rdata);
1193 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1194 offset2 = prs_offset(&p->out_data.rdata);
1195 prs_set_offset(&p->out_data.rdata, offset1);
1196 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1197 prs_set_offset(&p->out_data.rdata, offset2);
1199 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1201 /* Check for buffer underflow in rpc parsing */
1203 if ((DEBUGLEVEL >= 10) &&
1204 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1205 int data_len = p->in_data.data.buffer_size -
1206 p->in_data.data.data_offset;
1209 data = malloc(data_len);
1211 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1213 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,