2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
45 unsigned char *hash = p->ntlmssp_hash;
46 unsigned char index_i = hash[256];
47 unsigned char index_j = hash[257];
50 for( ind = 0; ind < len; ind++) {
55 index_j += hash[index_i];
58 hash[index_i] = hash[index_j];
61 t = hash[index_i] + hash[index_j];
62 data[ind] = data[ind] ^ hash[t];
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
75 BOOL create_next_pdu(pipes_struct *p)
77 RPC_HDR_RESP hdr_resp;
78 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
81 uint32 data_space_available;
83 prs_struct outgoing_pdu;
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
94 setup_fault_pdu(p, NT_STATUS(0x1c010002));
98 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
100 /* Change the incoming request header to a response. */
101 p->hdr.pkt_type = RPC_RESPONSE;
103 /* Set up rpc header flags. */
104 if (p->out_data.data_sent_length == 0)
105 p->hdr.flags = RPC_FLG_FIRST;
110 * Work out how much we can fit in a single PDU.
113 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114 if(p->ntlmssp_auth_validated)
115 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
122 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125 * Ensure there really is data left to send.
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 data_len = MIN(data_len_left, data_space_available);
136 * Set up the alloc hint. This should be the data left to
140 hdr_resp.alloc_hint = data_len_left;
143 * Set up the header lengths.
146 if (p->ntlmssp_auth_validated) {
147 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
156 * Work out if this PDU will be the last.
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160 p->hdr.flags |= RPC_FLG_LAST;
163 * Init the parse struct to point at the outgoing
167 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu);
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu);
183 /* Store the current offset. */
184 data_pos = prs_offset(&outgoing_pdu);
186 /* Copy the data into the PDU. */
187 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu);
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226 char *auth_data = prs_data_p(&outgoing_pdu);
228 p->ntlmssp_seq_num++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230 crc32, p->ntlmssp_seq_num++);
231 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu);
237 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
242 * Setup the counts for this PDU.
245 p->out_data.data_sent_length += data_len;
246 p->out_data.current_pdu_len = p->hdr.frag_len;
247 p->out_data.current_pdu_sent = 0;
249 prs_mem_free(&outgoing_pdu);
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
273 auth_usersupplied_info *user_info = NULL;
274 auth_serversupplied_info *server_info = NULL;
279 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
281 memset(p->user_name, '\0', sizeof(p->user_name));
282 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
283 memset(p->domain, '\0', sizeof(p->domain));
284 memset(p->wks, '\0', sizeof(p->wks));
286 /* Set up for non-authenticated user. */
287 delete_nt_token(&p->pipe_user.nt_user_token);
288 p->pipe_user.ngroups = 0;
289 SAFE_FREE( p->pipe_user.groups);
292 * Setup an empty password for a guest user.
296 * We always negotiate UNICODE.
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
301 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
302 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
304 pull_ascii_fstring(user_name, ntlmssp_resp->user);
305 pull_ascii_fstring(domain, ntlmssp_resp->domain);
306 pull_ascii_fstring(wks, ntlmssp_resp->wks);
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
312 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
314 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
315 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
317 #ifdef DEBUG_PASSWORD
318 DEBUG(100,("lm, nt owfs, chal\n"));
319 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
320 dump_data(100, (char *)nt_owf, nt_pw_len);
321 dump_data(100, (char *)p->challenge, 8);
325 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
331 * Do the length checking only if user is not NULL.
334 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
336 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
338 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
340 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
342 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
347 if (!make_user_info_netlogon_network(&user_info,
348 user_name, domain, wks, (uchar*)p->challenge,
350 nt_owf, nt_pw_len)) {
351 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
355 nt_status = check_password(user_info, &server_info);
357 free_user_info(&user_info);
359 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
361 if (!p->ntlmssp_auth_validated) {
362 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
363 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
364 free_server_info(&server_info);
369 * Set up the sign/seal data.
374 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
386 for (ind = 0; ind < 256; ind++)
387 p->ntlmssp_hash[ind] = (unsigned char)ind;
389 for( ind = 0; ind < 256; ind++) {
392 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
394 tc = p->ntlmssp_hash[ind];
395 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
396 p->ntlmssp_hash[j] = tc;
399 p->ntlmssp_hash[256] = 0;
400 p->ntlmssp_hash[257] = 0;
402 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
403 p->ntlmssp_seq_num = 0;
407 fstrcpy(p->user_name, user_name);
408 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
409 fstrcpy(p->domain, domain);
410 fstrcpy(p->wks, wks);
413 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
416 puid = pdb_get_uid(server_info->sam_account);
417 pgid = pdb_get_gid(server_info->sam_account);
419 if (!puid || !pgid) {
420 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
421 free_server_info(&server_info);
425 p->pipe_user.uid = *puid;
426 p->pipe_user.gid = *pgid;
428 /* Set up pipe user group membership. */
429 initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
430 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
432 if (server_info->ptok)
433 add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
435 /* Create an NT_USER_TOKEN struct for this user. */
436 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
437 p->pipe_user.ngroups, p->pipe_user.groups,
438 server_info->guest, server_info->ptok);
440 p->ntlmssp_auth_validated = True;
442 pdb_free_sam(&server_info->sam_account);
446 /*******************************************************************
447 The switch table for the pipe names and the functions to handle them.
448 *******************************************************************/
452 char * pipe_clnt_name;
453 char * pipe_srv_name;
454 BOOL (*fn) (pipes_struct *);
457 static struct api_cmd api_fd_commands[] =
459 { "lsarpc", "lsass", api_ntlsa_rpc },
460 { "samr", "lsass", api_samr_rpc },
461 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
462 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
463 { "NETLOGON", "lsass", api_netlog_rpc },
464 { "winreg", "winreg", api_reg_rpc },
465 { "spoolss", "spoolss", api_spoolss_rpc },
466 { "netdfs", "netdfs" , api_netdfs_rpc },
470 /*******************************************************************
471 This is the client reply to our challenge for an authenticated
472 bind request. The challenge we sent is in p->challenge.
473 *******************************************************************/
475 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
477 RPC_HDR_AUTHA autha_info;
478 RPC_AUTH_VERIFIER auth_verifier;
479 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
481 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
483 if (p->hdr.auth_len == 0) {
484 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
489 * Decode the authentication verifier response.
492 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
493 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
497 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
498 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
499 (int)autha_info.auth_type, (int)autha_info.auth_level ));
503 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
504 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
509 * Ensure this is a NTLMSSP_AUTH packet type.
512 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
513 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
517 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
518 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
523 * The following call actually checks the challenge/response data.
524 * for correctness against the given DOMAIN\user name.
527 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
535 /*******************************************************************
536 Marshall a bind_nak pdu.
537 *******************************************************************/
539 static BOOL setup_bind_nak(pipes_struct *p)
541 prs_struct outgoing_rpc;
545 /* Free any memory in the current return data buffer. */
546 prs_mem_free(&p->out_data.rdata);
549 * Marshall directly into the outgoing PDU space. We
550 * must do this as we need to set to the bind response
551 * header and are never sending more than one PDU here.
554 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
555 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
559 * Initialize a bind_nak header.
562 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
563 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
566 * Marshall the header into the outgoing PDU.
569 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
570 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
571 prs_mem_free(&outgoing_rpc);
576 * Now add the reject reason.
579 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
580 prs_mem_free(&outgoing_rpc);
584 p->out_data.data_sent_length = 0;
585 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
586 p->out_data.current_pdu_sent = 0;
588 p->pipe_bound = False;
593 /*******************************************************************
594 Marshall a fault pdu.
595 *******************************************************************/
597 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
599 prs_struct outgoing_pdu;
601 RPC_HDR_RESP hdr_resp;
602 RPC_HDR_FAULT fault_resp;
604 /* Free any memory in the current return data buffer. */
605 prs_mem_free(&p->out_data.rdata);
608 * Marshall directly into the outgoing PDU space. We
609 * must do this as we need to set to the bind response
610 * header and are never sending more than one PDU here.
613 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
614 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
617 * Initialize a fault header.
620 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
621 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
624 * Initialize the HDR_RESP and FAULT parts of the PDU.
627 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
629 fault_resp.status = status;
630 fault_resp.reserved = 0;
633 * Marshall the header into the outgoing PDU.
636 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
637 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
638 prs_mem_free(&outgoing_pdu);
642 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
643 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
644 prs_mem_free(&outgoing_pdu);
648 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
649 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
650 prs_mem_free(&outgoing_pdu);
654 p->out_data.data_sent_length = 0;
655 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
656 p->out_data.current_pdu_sent = 0;
658 prs_mem_free(&outgoing_pdu);
662 /*******************************************************************
663 Ensure a bind request has the correct abstract & transfer interface.
664 Used to reject unknown binds from Win2k.
665 *******************************************************************/
667 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
670 extern struct pipe_id_info pipe_names[];
673 fstrcpy(pname,"\\PIPE\\");
674 fstrcat(pname,pipe_name);
676 for(i=0;pipe_names[i].client_pipe; i++) {
677 if(strequal(pipe_names[i].client_pipe, pname))
681 if(pipe_names[i].client_pipe == NULL)
684 /* check the abstract interface */
685 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
686 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
687 sizeof(RPC_UUID)) != 0))
690 /* check the transfer interface */
691 if((transfer->version != pipe_names[i].trans_syntax.version) ||
692 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
693 sizeof(RPC_UUID)) != 0))
699 /*******************************************************************
700 Respond to a pipe bind request.
701 *******************************************************************/
703 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
707 RPC_HDR_AUTH auth_info;
709 fstring ack_pipe_name;
710 prs_struct out_hdr_ba;
712 prs_struct outgoing_rpc;
715 enum RPC_PKT_TYPE reply_pkt_type;
717 p->ntlmssp_auth_requested = False;
719 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
722 * Try and find the correct pipe name to ensure
723 * that this is a pipe name we support.
726 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
727 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
728 api_fd_commands[i].fn != NULL) {
729 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
730 api_fd_commands[i].pipe_clnt_name,
731 api_fd_commands[i].pipe_srv_name));
732 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
737 if (api_fd_commands[i].fn == NULL) {
738 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
740 if(!setup_bind_nak(p))
745 /* decode the bind request */
746 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
747 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
752 * Check if this is an authenticated request.
755 if (p->hdr.auth_len != 0) {
756 RPC_AUTH_VERIFIER auth_verifier;
757 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
760 * Decode the authentication verifier.
763 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
764 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
769 * We only support NTLMSSP_AUTH_TYPE requests.
772 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
773 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
774 auth_info.auth_type ));
778 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
779 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
783 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
784 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
788 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
789 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
790 auth_verifier.msg_type));
794 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
795 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
799 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
800 p->ntlmssp_auth_requested = True;
803 switch(p->hdr.pkt_type) {
805 /* name has to be \PIPE\xxxxx */
806 fstrcpy(ack_pipe_name, "\\PIPE\\");
807 fstrcat(ack_pipe_name, p->pipe_srv_name);
808 reply_pkt_type = RPC_BINDACK;
811 /* secondary address CAN be NULL
812 * as the specs say it's ignored.
813 * It MUST NULL to have the spoolss working.
815 fstrcpy(ack_pipe_name,"");
816 reply_pkt_type = RPC_ALTCONTRESP;
822 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
825 * Marshall directly into the outgoing PDU space. We
826 * must do this as we need to set to the bind response
827 * header and are never sending more than one PDU here.
830 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
831 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
834 * Setup the memory to marshall the ba header, and the
838 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
839 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
840 prs_mem_free(&outgoing_rpc);
844 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
845 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
846 prs_mem_free(&outgoing_rpc);
847 prs_mem_free(&out_hdr_ba);
851 if (p->ntlmssp_auth_requested)
854 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
857 * Create the bind response struct.
860 /* If the requested abstract synt uuid doesn't match our client pipe,
861 reject the bind_ack & set the transfer interface synt to all 0's,
862 ver 0 (observed when NT5 attempts to bind to abstract interfaces
864 Needed when adding entries to a DACL from NT5 - SK */
866 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
867 init_rpc_hdr_ba(&hdr_ba,
875 RPC_IFACE null_interface;
876 ZERO_STRUCT(null_interface);
877 /* Rejection reason: abstract syntax not supported */
878 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
879 MAX_PDU_FRAG_LEN, assoc_gid,
880 ack_pipe_name, 0x1, 0x2, 0x1,
888 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
889 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
894 * Now the authentication.
897 if (p->ntlmssp_auth_requested) {
898 RPC_AUTH_VERIFIER auth_verifier;
899 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
901 generate_random_buffer(p->challenge, 8, False);
903 /*** Authentication info ***/
905 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
906 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
907 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
911 /*** NTLMSSP verifier ***/
913 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
914 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
915 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
919 /* NTLMSSP challenge ***/
921 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
922 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
923 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
927 /* Auth len in the rpc header doesn't include auth_header. */
928 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
932 * Create the header, now we know the length.
935 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
937 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
941 * Marshall the header into the outgoing PDU.
944 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
945 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
950 * Now add the RPC_HDR_BA and any auth needed.
953 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
954 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
958 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
959 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
963 if(!p->ntlmssp_auth_requested)
964 p->pipe_bound = True;
967 * Setup the lengths for the initial reply.
970 p->out_data.data_sent_length = 0;
971 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
972 p->out_data.current_pdu_sent = 0;
974 prs_mem_free(&out_hdr_ba);
975 prs_mem_free(&out_auth);
981 prs_mem_free(&outgoing_rpc);
982 prs_mem_free(&out_hdr_ba);
983 prs_mem_free(&out_auth);
987 /****************************************************************************
988 Deal with sign & seal processing on an RPC request.
989 ****************************************************************************/
991 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
994 * We always negotiate the following two bits....
996 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
997 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1003 auth_len = p->hdr.auth_len;
1005 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1006 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1011 * The following is that length of the data we must verify or unseal.
1012 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1013 * preceeding the auth_data.
1016 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1017 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1019 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1020 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1024 * The data in rpc_in doesn't contain the RPC_HEADER as this
1025 * has already been consumed.
1027 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1028 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1029 crc32 = crc32_calc_buffer(data, data_len);
1032 old_offset = prs_offset(rpc_in);
1034 if (auth_seal || auth_verify) {
1035 RPC_HDR_AUTH auth_info;
1037 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1038 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1039 (unsigned int)old_offset + data_len ));
1043 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1044 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1050 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1051 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1053 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1056 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1059 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1060 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1061 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1065 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1066 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1067 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1071 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1072 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1078 * Return the current pointer to the data offset.
1081 if(!prs_set_offset(rpc_in, old_offset)) {
1082 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1083 (unsigned int)old_offset ));
1090 /****************************************************************************
1091 Return a user struct for a pipe user.
1092 ****************************************************************************/
1094 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1096 if (p->ntlmssp_auth_validated) {
1097 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1099 extern struct current_user current_user;
1100 memcpy(user, ¤t_user, sizeof(struct current_user));
1106 /****************************************************************************
1107 Find the correct RPC function to call for this request.
1108 If the pipe is authenticated then become the correct UNIX user
1109 before doing the call.
1110 ****************************************************************************/
1112 BOOL api_pipe_request(pipes_struct *p)
1117 if (p->ntlmssp_auth_validated) {
1119 if(!become_authenticated_pipe_user(p)) {
1120 prs_mem_free(&p->out_data.rdata);
1125 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1126 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1127 api_fd_commands[i].fn != NULL) {
1128 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1129 set_current_rpc_talloc(p->mem_ctx);
1130 ret = api_fd_commands[i].fn(p);
1131 set_current_rpc_talloc(NULL);
1135 if(p->ntlmssp_auth_validated)
1136 unbecome_authenticated_pipe_user();
1141 /*******************************************************************
1142 Calls the underlying RPC function for a named pipe.
1143 ********************************************************************/
1145 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1146 struct api_struct *api_rpc_cmds)
1150 uint32 offset1, offset2;
1152 /* interpret the command */
1153 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1155 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1156 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1158 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1159 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1160 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1165 if (api_rpc_cmds[fn_num].name == NULL) {
1167 * For an unknown RPC just return a fault PDU but
1168 * return True to allow RPC's on the pipe to continue
1169 * and not put the pipe into fault state. JRA.
1171 DEBUG(4, ("unknown\n"));
1172 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1176 offset1 = prs_offset(&p->out_data.rdata);
1178 /* do the actual command */
1179 if(!api_rpc_cmds[fn_num].fn(p)) {
1180 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1181 prs_mem_free(&p->out_data.rdata);
1185 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1186 offset2 = prs_offset(&p->out_data.rdata);
1187 prs_set_offset(&p->out_data.rdata, offset1);
1188 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1189 prs_set_offset(&p->out_data.rdata, offset2);
1191 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1193 /* Check for buffer underflow in rpc parsing */
1195 if ((DEBUGLEVEL >= 10) &&
1196 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1197 int data_len = p->in_data.data.buffer_size -
1198 p->in_data.data.data_offset;
1201 data = malloc(data_len);
1203 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1205 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,