3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* this module apparently provides an implementation of DCE/RPC over a
27 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
28 * documentation are available (in on-line form) from the X-Open group.
30 * this module should provide a level of abstraction between SMB
31 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
32 * data copies, and network traffic.
34 * in this version, which takes a "let's learn what's going on and
35 * get something running" approach, there is additional network
36 * traffic generated, but the code should be easier to understand...
38 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
113 * Work out how much we can fit in a single PDU.
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len = MIN(data_len_left, data_space_available);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp.alloc_hint = data_len_left;
146 * Set up the header lengths.
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
159 * Work out if this PDU will be the last.
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 prs_mem_free(&outgoing_pdu);
180 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
181 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
182 prs_mem_free(&outgoing_pdu);
186 /* Store the current offset. */
187 data_pos = prs_offset(&outgoing_pdu);
189 /* Copy the data into the PDU. */
190 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
192 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
193 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
194 prs_mem_free(&outgoing_pdu);
199 * Set data to point to where we copied the data into.
202 data = prs_data_p(&outgoing_pdu) + data_pos;
204 if (p->hdr.auth_len > 0) {
207 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
208 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
211 crc32 = crc32_calc_buffer(data, data_len);
212 NTLMSSPcalc_p(p, (uchar*)data, data_len);
215 if (auth_seal || auth_verify) {
216 RPC_HDR_AUTH auth_info;
218 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
219 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
220 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
221 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
222 prs_mem_free(&outgoing_pdu);
228 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
229 char *auth_data = prs_data_p(&outgoing_pdu);
231 p->ntlmssp_seq_num++;
232 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
233 crc32, p->ntlmssp_seq_num++);
234 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
235 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
236 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
237 prs_mem_free(&outgoing_pdu);
240 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
245 * Setup the counts for this PDU.
248 p->out_data.data_sent_length += data_len;
249 p->out_data.current_pdu_len = p->hdr.frag_len;
250 p->out_data.current_pdu_sent = 0;
252 prs_mem_free(&outgoing_pdu);
256 /*******************************************************************
257 Process an NTLMSSP authentication response.
258 If this function succeeds, the user has been authenticated
259 and their domain, name and calling workstation stored in
261 The initial challenge is stored in p->challenge.
262 *******************************************************************/
264 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
269 fstring pipe_user_name;
272 BOOL guest_user = False;
273 struct smb_passwd *smb_pass = NULL;
274 struct passwd *pass = NULL;
275 uchar null_smb_passwd[16];
276 uchar *smb_passwd_ptr = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 safe_free( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
294 memset(null_smb_passwd,0,16);
297 * We always negotiate UNICODE.
300 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
302 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
303 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
305 fstrcpy(user_name, ntlmssp_resp->user);
306 fstrcpy(domain, ntlmssp_resp->domain);
307 fstrcpy(wks, ntlmssp_resp->wks);
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
312 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
313 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
315 #ifdef DEBUG_PASSWORD
316 DEBUG(100,("lm, nt owfs, chal\n"));
317 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
318 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
319 dump_data(100, (char *)p->challenge, 8);
323 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
326 if((strlen(user_name) == 0) &&
327 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
331 fstrcpy(pipe_user_name, lp_guestaccount(-1));
332 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
334 smb_passwd_ptr = null_smb_passwd;
339 * Pass the user through the NT -> unix user mapping
343 fstrcpy(pipe_user_name, user_name);
344 (void)map_username(pipe_user_name);
347 * Do the length checking only if user is not NULL.
350 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
352 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
354 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
356 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
358 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
364 * Find the user in the unix password db.
367 if(!(pass = Get_Pwnam(pipe_user_name,True))) {
368 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",pipe_user_name));
376 if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain,
377 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
378 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
379 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
384 if(!(smb_pass = getsmbpwnam(pipe_user_name))) {
385 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
393 if (smb_pass == NULL) {
394 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
399 /* Quit if the account was disabled. */
400 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
401 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
405 if(!smb_pass->smb_nt_passwd) {
406 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
410 smb_passwd_ptr = smb_pass->smb_passwd;
414 * Set up the sign/seal data.
419 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
431 for (ind = 0; ind < 256; ind++)
432 p->ntlmssp_hash[ind] = (unsigned char)ind;
434 for( ind = 0; ind < 256; ind++) {
437 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
439 tc = p->ntlmssp_hash[ind];
440 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
441 p->ntlmssp_hash[j] = tc;
444 p->ntlmssp_hash[256] = 0;
445 p->ntlmssp_hash[257] = 0;
447 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
448 p->ntlmssp_seq_num = 0;
452 fstrcpy(p->user_name, user_name);
453 fstrcpy(p->pipe_user_name, pipe_user_name);
454 fstrcpy(p->domain, domain);
455 fstrcpy(p->wks, wks);
458 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
461 p->pipe_user.uid = pass->pw_uid;
462 p->pipe_user.gid = pass->pw_gid;
464 /* Set up pipe user group membership. */
465 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
466 initialize_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
467 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
469 /* Create an NT_USER_TOKEN struct for this user. */
470 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
471 p->pipe_user.ngroups, p->pipe_user.groups);
473 p->ntlmssp_auth_validated = True;
477 /*******************************************************************
478 The switch table for the pipe names and the functions to handle them.
479 *******************************************************************/
483 char * pipe_clnt_name;
484 char * pipe_srv_name;
485 BOOL (*fn) (pipes_struct *);
488 static struct api_cmd api_fd_commands[] =
490 { "lsarpc", "lsass", api_ntlsa_rpc },
491 { "samr", "lsass", api_samr_rpc },
492 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
493 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
494 { "NETLOGON", "lsass", api_netlog_rpc },
495 { "winreg", "winreg", api_reg_rpc },
496 { "spoolss", "spoolss", api_spoolss_rpc },
498 { "netdfs", "netdfs" , api_netdfs_rpc },
503 /*******************************************************************
504 This is the client reply to our challenge for an authenticated
505 bind request. The challenge we sent is in p->challenge.
506 *******************************************************************/
508 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
510 RPC_HDR_AUTHA autha_info;
511 RPC_AUTH_VERIFIER auth_verifier;
512 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
514 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
516 if (p->hdr.auth_len == 0) {
517 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
522 * Decode the authentication verifier response.
525 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
526 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
530 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
531 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
532 (int)autha_info.auth_type, (int)autha_info.auth_level ));
536 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
537 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
542 * Ensure this is a NTLMSSP_AUTH packet type.
545 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
546 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
550 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
551 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
556 * The following call actually checks the challenge/response data.
557 * for correctness against the given DOMAIN\user name.
560 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
568 /*******************************************************************
569 Marshall a bind_nak pdu.
570 *******************************************************************/
572 static BOOL setup_bind_nak(pipes_struct *p)
574 prs_struct outgoing_rpc;
578 /* Free any memory in the current return data buffer. */
579 prs_mem_free(&p->out_data.rdata);
582 * Marshall directly into the outgoing PDU space. We
583 * must do this as we need to set to the bind response
584 * header and are never sending more than one PDU here.
587 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
588 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
592 * Initialize a bind_nak header.
595 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
596 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
599 * Marshall the header into the outgoing PDU.
602 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
603 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
604 prs_mem_free(&outgoing_rpc);
609 * Now add the reject reason.
612 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
613 prs_mem_free(&outgoing_rpc);
617 p->out_data.data_sent_length = 0;
618 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
619 p->out_data.current_pdu_sent = 0;
621 p->pipe_bound = False;
626 /*******************************************************************
627 Marshall a fault pdu.
628 *******************************************************************/
630 BOOL setup_fault_pdu(pipes_struct *p)
632 prs_struct outgoing_pdu;
634 RPC_HDR_RESP hdr_resp;
635 RPC_HDR_FAULT fault_resp;
637 /* Free any memory in the current return data buffer. */
638 prs_mem_free(&p->out_data.rdata);
641 * Marshall directly into the outgoing PDU space. We
642 * must do this as we need to set to the bind response
643 * header and are never sending more than one PDU here.
646 prs_init( &outgoing_pdu, 0, 4, p->mem_ctx, MARSHALL);
647 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
650 * Initialize a fault header.
653 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
654 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
657 * Initialize the HDR_RESP and FAULT parts of the PDU.
660 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
662 fault_resp.status = 0x1c010002;
663 fault_resp.reserved = 0;
666 * Marshall the header into the outgoing PDU.
669 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
670 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
671 prs_mem_free(&outgoing_pdu);
675 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
676 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
677 prs_mem_free(&outgoing_pdu);
681 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
682 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
683 prs_mem_free(&outgoing_pdu);
687 p->out_data.data_sent_length = 0;
688 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
689 p->out_data.current_pdu_sent = 0;
691 prs_mem_free(&outgoing_pdu);
695 /*******************************************************************
696 Ensure a bind request has the correct abstract & transfer interface.
697 Used to reject unknown binds from Win2k.
698 *******************************************************************/
700 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
703 extern struct pipe_id_info pipe_names[];
706 fstrcpy(pname,"\\PIPE\\");
707 fstrcat(pname,pipe_name);
709 for(i=0;pipe_names[i].client_pipe; i++) {
710 if(strequal(pipe_names[i].client_pipe, pname))
714 if(pipe_names[i].client_pipe == NULL)
717 /* check the abstract interface */
718 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
719 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
720 sizeof(RPC_UUID)) != 0))
723 /* check the transfer interface */
724 if((transfer->version != pipe_names[i].trans_syntax.version) ||
725 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
726 sizeof(RPC_UUID)) != 0))
732 /*******************************************************************
733 Respond to a pipe bind request.
734 *******************************************************************/
736 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
740 RPC_HDR_AUTH auth_info;
742 fstring ack_pipe_name;
743 prs_struct out_hdr_ba;
745 prs_struct outgoing_rpc;
748 enum RPC_PKT_TYPE reply_pkt_type;
750 p->ntlmssp_auth_requested = False;
752 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
755 * Try and find the correct pipe name to ensure
756 * that this is a pipe name we support.
759 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
760 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
761 api_fd_commands[i].fn != NULL) {
762 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
763 api_fd_commands[i].pipe_clnt_name,
764 api_fd_commands[i].pipe_srv_name));
765 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
770 if (api_fd_commands[i].fn == NULL) {
771 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
773 if(!setup_bind_nak(p))
778 /* decode the bind request */
779 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
780 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
785 * Check if this is an authenticated request.
788 if (p->hdr.auth_len != 0) {
789 RPC_AUTH_VERIFIER auth_verifier;
790 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
793 * Decode the authentication verifier.
796 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
797 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
802 * We only support NTLMSSP_AUTH_TYPE requests.
805 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
806 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
807 auth_info.auth_type ));
811 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
812 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
816 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
817 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
821 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
822 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
823 auth_verifier.msg_type));
827 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
828 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
832 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
833 p->ntlmssp_auth_requested = True;
836 switch(p->hdr.pkt_type) {
838 /* name has to be \PIPE\xxxxx */
839 fstrcpy(ack_pipe_name, "\\PIPE\\");
840 fstrcat(ack_pipe_name, p->pipe_srv_name);
841 reply_pkt_type = RPC_BINDACK;
844 /* secondary address CAN be NULL
845 * as the specs say it's ignored.
846 * It MUST NULL to have the spoolss working.
848 fstrcpy(ack_pipe_name,"");
849 reply_pkt_type = RPC_ALTCONTRESP;
855 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
858 * Marshall directly into the outgoing PDU space. We
859 * must do this as we need to set to the bind response
860 * header and are never sending more than one PDU here.
863 prs_init( &outgoing_rpc, 0, 4, p->mem_ctx, MARSHALL);
864 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
867 * Setup the memory to marshall the ba header, and the
871 if(!prs_init(&out_hdr_ba, 1024, 4, p->mem_ctx, MARSHALL)) {
872 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
873 prs_mem_free(&outgoing_rpc);
877 if(!prs_init(&out_auth, 1024, 4, p->mem_ctx, MARSHALL)) {
878 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
879 prs_mem_free(&outgoing_rpc);
880 prs_mem_free(&out_hdr_ba);
884 if (p->ntlmssp_auth_requested)
887 assoc_gid = hdr_rb.bba.assoc_gid;
890 * Create the bind response struct.
893 /* If the requested abstract synt uuid doesn't match our client pipe,
894 reject the bind_ack & set the transfer interface synt to all 0's,
895 ver 0 (observed when NT5 attempts to bind to abstract interfaces
897 Needed when adding entries to a DACL from NT5 - SK */
899 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
900 init_rpc_hdr_ba(&hdr_ba,
908 RPC_IFACE null_interface;
909 ZERO_STRUCT(null_interface);
910 /* Rejection reason: abstract syntax not supported */
911 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
912 MAX_PDU_FRAG_LEN, assoc_gid,
913 ack_pipe_name, 0x1, 0x2, 0x1,
921 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
922 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
927 * Now the authentication.
930 if (p->ntlmssp_auth_requested) {
931 RPC_AUTH_VERIFIER auth_verifier;
932 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
934 generate_random_buffer(p->challenge, 8, False);
936 /*** Authentication info ***/
938 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
939 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
940 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
944 /*** NTLMSSP verifier ***/
946 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
947 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
948 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
952 /* NTLMSSP challenge ***/
954 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
955 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
956 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
960 /* Auth len in the rpc header doesn't include auth_header. */
961 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
965 * Create the header, now we know the length.
968 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
970 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
974 * Marshall the header into the outgoing PDU.
977 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
978 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
983 * Now add the RPC_HDR_BA and any auth needed.
986 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
987 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
991 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
992 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
996 if(!p->ntlmssp_auth_requested)
997 p->pipe_bound = True;
1000 * Setup the lengths for the initial reply.
1003 p->out_data.data_sent_length = 0;
1004 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1005 p->out_data.current_pdu_sent = 0;
1007 prs_mem_free(&out_hdr_ba);
1008 prs_mem_free(&out_auth);
1014 prs_mem_free(&outgoing_rpc);
1015 prs_mem_free(&out_hdr_ba);
1016 prs_mem_free(&out_auth);
1020 /****************************************************************************
1021 Deal with sign & seal processing on an RPC request.
1022 ****************************************************************************/
1024 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1027 * We always negotiate the following two bits....
1029 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1030 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1036 auth_len = p->hdr.auth_len;
1038 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1039 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1044 * The following is that length of the data we must verify or unseal.
1045 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1046 * preceeding the auth_data.
1049 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1050 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1052 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1053 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1057 * The data in rpc_in doesn't contain the RPC_HEADER as this
1058 * has already been consumed.
1060 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1061 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1062 crc32 = crc32_calc_buffer(data, data_len);
1065 old_offset = prs_offset(rpc_in);
1067 if (auth_seal || auth_verify) {
1068 RPC_HDR_AUTH auth_info;
1070 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1071 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1072 (unsigned int)old_offset + data_len ));
1076 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1077 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1083 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1084 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1086 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1089 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1092 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1093 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1094 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1098 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1099 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1100 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1104 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1105 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1111 * Return the current pointer to the data offset.
1114 if(!prs_set_offset(rpc_in, old_offset)) {
1115 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1116 (unsigned int)old_offset ));
1123 /****************************************************************************
1124 Find the correct RPC function to call for this request.
1125 If the pipe is authenticated then become the correct UNIX user
1126 before doing the call.
1127 ****************************************************************************/
1129 BOOL api_pipe_request(pipes_struct *p)
1133 BOOL changed_user_id = False;
1135 if (p->ntlmssp_auth_validated) {
1137 if(!become_authenticated_pipe_user(p)) {
1138 prs_mem_free(&p->out_data.rdata);
1142 changed_user_id = True;
1145 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1146 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1147 api_fd_commands[i].fn != NULL) {
1148 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1149 ret = api_fd_commands[i].fn(p);
1154 unbecome_authenticated_pipe_user(p);
1159 /*******************************************************************
1160 Calls the underlying RPC function for a named pipe.
1161 ********************************************************************/
1163 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1164 struct api_struct *api_rpc_cmds)
1168 uint32 offset1, offset2;
1170 /* interpret the command */
1171 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1173 slprintf(name, sizeof(name), "in_%s", rpc_name);
1174 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1176 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1177 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1178 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1183 if (api_rpc_cmds[fn_num].name == NULL) {
1185 * For an unknown RPC just return a fault PDU but
1186 * return True to allow RPC's on the pipe to continue
1187 * and not put the pipe into fault state. JRA.
1189 DEBUG(4, ("unknown\n"));
1194 offset1 = prs_offset(&p->out_data.rdata);
1196 /* do the actual command */
1197 if(!api_rpc_cmds[fn_num].fn(p)) {
1198 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1199 prs_mem_free(&p->out_data.rdata);
1203 slprintf(name, sizeof(name), "out_%s", rpc_name);
1204 offset2 = prs_offset(&p->out_data.rdata);
1205 prs_set_offset(&p->out_data.rdata, offset1);
1206 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1207 prs_set_offset(&p->out_data.rdata, offset2);
1209 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
git.samba.org / nivanova / samba-autobuild / .git / blob