2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 extern int DEBUGLEVEL;
45 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 unsigned char *hash = p->ntlmssp_hash;
48 unsigned char index_i = hash[256];
49 unsigned char index_j = hash[257];
52 for( ind = 0; ind < len; ind++) {
57 index_j += hash[index_i];
60 hash[index_i] = hash[index_j];
63 t = hash[index_i] + hash[index_j];
64 data[ind] = data[ind] ^ hash[t];
71 /*******************************************************************
72 Generate the next PDU to be returned from the data in p->rdata.
73 We cheat here as this function doesn't handle the special auth
74 footers of the authenticated bind response reply.
75 ********************************************************************/
77 BOOL create_next_pdu(pipes_struct *p)
79 RPC_HDR_RESP hdr_resp;
80 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
81 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
83 uint32 data_space_available;
85 prs_struct outgoing_pdu;
91 * If we're in the fault state, keep returning fault PDU's until
92 * the pipe gets closed. JRA.
96 setup_fault_pdu(p, NT_STATUS(0x1c010002));
100 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102 /* Change the incoming request header to a response. */
103 p->hdr.pkt_type = RPC_RESPONSE;
105 /* Set up rpc header flags. */
106 if (p->out_data.data_sent_length == 0)
107 p->hdr.flags = RPC_FLG_FIRST;
112 * Work out how much we can fit in a single PDU.
115 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
116 if(p->ntlmssp_auth_validated)
117 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
120 * The amount we send is the minimum of the available
121 * space and the amount left to send.
124 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
127 * Ensure there really is data left to send.
131 DEBUG(0,("create_next_pdu: no data left to send !\n"));
135 data_len = MIN(data_len_left, data_space_available);
138 * Set up the alloc hint. This should be the data left to
142 hdr_resp.alloc_hint = data_len_left;
145 * Set up the header lengths.
148 if (p->ntlmssp_auth_validated) {
149 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
150 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
158 * Work out if this PDU will be the last.
161 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
162 p->hdr.flags |= RPC_FLG_LAST;
165 * Init the parse struct to point at the outgoing
169 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
170 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172 /* Store the header in the data stream. */
173 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
174 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
175 prs_mem_free(&outgoing_pdu);
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
181 prs_mem_free(&outgoing_pdu);
185 /* Store the current offset. */
186 data_pos = prs_offset(&outgoing_pdu);
188 /* Copy the data into the PDU. */
189 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
191 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
192 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
193 prs_mem_free(&outgoing_pdu);
198 * Set data to point to where we copied the data into.
201 data = prs_data_p(&outgoing_pdu) + data_pos;
203 if (p->hdr.auth_len > 0) {
206 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
207 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
210 crc32 = crc32_calc_buffer(data, data_len);
211 NTLMSSPcalc_p(p, (uchar*)data, data_len);
214 if (auth_seal || auth_verify) {
215 RPC_HDR_AUTH auth_info;
217 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
218 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
219 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
220 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
221 prs_mem_free(&outgoing_pdu);
227 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
228 char *auth_data = prs_data_p(&outgoing_pdu);
230 p->ntlmssp_seq_num++;
231 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
232 crc32, p->ntlmssp_seq_num++);
233 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
234 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
235 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
236 prs_mem_free(&outgoing_pdu);
239 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
244 * Setup the counts for this PDU.
247 p->out_data.data_sent_length += data_len;
248 p->out_data.current_pdu_len = p->hdr.frag_len;
249 p->out_data.current_pdu_sent = 0;
251 prs_mem_free(&outgoing_pdu);
255 /*******************************************************************
256 Process an NTLMSSP authentication response.
257 If this function succeeds, the user has been authenticated
258 and their domain, name and calling workstation stored in
260 The initial challenge is stored in p->challenge.
261 *******************************************************************/
263 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
270 fstring pipe_user_name;
273 BOOL guest_user = False;
274 SAM_ACCOUNT *sampass = NULL;
275 uchar null_smb_passwd[16];
276 uchar *smb_passwd_ptr = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 safe_free( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
294 memset(null_smb_passwd,0,16);
297 * We always negotiate UNICODE.
300 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
302 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
303 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
305 fstrcpy(user_name, ntlmssp_resp->user);
306 fstrcpy(domain, ntlmssp_resp->domain);
307 fstrcpy(wks, ntlmssp_resp->wks);
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
312 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
313 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
315 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
316 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
318 #ifdef DEBUG_PASSWORD
319 DEBUG(100,("lm, nt owfs, chal\n"));
320 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
321 dump_data(100, (char *)nt_owf, nt_pw_len);
322 dump_data(100, (char *)p->challenge, 8);
326 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
329 if((strlen(user_name) == 0) &&
330 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
334 fstrcpy(pipe_user_name, lp_guestaccount(-1));
335 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
337 smb_passwd_ptr = null_smb_passwd;
342 * Pass the user through the NT -> unix user mapping
346 fstrcpy(pipe_user_name, user_name);
347 (void)map_username(pipe_user_name);
350 * Do the length checking only if user is not NULL.
353 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
355 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
357 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
359 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
361 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
370 p->ntlmssp_auth_validated =
371 NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, domain,
372 (uchar*)p->challenge,
375 if (!p->ntlmssp_auth_validated) {
376 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
377 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
382 pdb_init_sam(&sampass);
384 if(!pdb_getsampwnam(sampass, pipe_user_name)) {
385 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
387 pdb_free_sam(sampass);
394 /* Quit if the account was disabled. */
395 if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) {
396 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
397 pdb_free_sam(sampass);
401 if(!pdb_get_nt_passwd(sampass)) {
402 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
403 pdb_free_sam(sampass);
407 smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
411 * Set up the sign/seal data.
416 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
428 for (ind = 0; ind < 256; ind++)
429 p->ntlmssp_hash[ind] = (unsigned char)ind;
431 for( ind = 0; ind < 256; ind++) {
434 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
436 tc = p->ntlmssp_hash[ind];
437 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
438 p->ntlmssp_hash[j] = tc;
441 p->ntlmssp_hash[256] = 0;
442 p->ntlmssp_hash[257] = 0;
444 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
445 p->ntlmssp_seq_num = 0;
449 fstrcpy(p->user_name, user_name);
450 fstrcpy(p->pipe_user_name, pipe_user_name);
451 fstrcpy(p->domain, domain);
452 fstrcpy(p->wks, wks);
455 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
458 p->pipe_user.uid = pdb_get_uid(sampass);
459 p->pipe_user.gid = pdb_get_gid(sampass);
461 /* Set up pipe user group membership. */
462 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
463 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
465 /* Create an NT_USER_TOKEN struct for this user. */
466 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
467 p->pipe_user.ngroups, p->pipe_user.groups,
470 p->ntlmssp_auth_validated = True;
472 pdb_free_sam(sampass);
476 /*******************************************************************
477 The switch table for the pipe names and the functions to handle them.
478 *******************************************************************/
482 char * pipe_clnt_name;
483 char * pipe_srv_name;
484 BOOL (*fn) (pipes_struct *);
487 static struct api_cmd api_fd_commands[] =
489 { "lsarpc", "lsass", api_ntlsa_rpc },
490 { "samr", "lsass", api_samr_rpc },
491 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
492 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
493 { "NETLOGON", "lsass", api_netlog_rpc },
494 { "winreg", "winreg", api_reg_rpc },
495 { "spoolss", "spoolss", api_spoolss_rpc },
497 { "netdfs", "netdfs" , api_netdfs_rpc },
502 /*******************************************************************
503 This is the client reply to our challenge for an authenticated
504 bind request. The challenge we sent is in p->challenge.
505 *******************************************************************/
507 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
509 RPC_HDR_AUTHA autha_info;
510 RPC_AUTH_VERIFIER auth_verifier;
511 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
513 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
515 if (p->hdr.auth_len == 0) {
516 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
521 * Decode the authentication verifier response.
524 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
525 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
529 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
530 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
531 (int)autha_info.auth_type, (int)autha_info.auth_level ));
535 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
536 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
541 * Ensure this is a NTLMSSP_AUTH packet type.
544 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
545 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
549 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
550 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
555 * The following call actually checks the challenge/response data.
556 * for correctness against the given DOMAIN\user name.
559 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
567 /*******************************************************************
568 Marshall a bind_nak pdu.
569 *******************************************************************/
571 static BOOL setup_bind_nak(pipes_struct *p)
573 prs_struct outgoing_rpc;
577 /* Free any memory in the current return data buffer. */
578 prs_mem_free(&p->out_data.rdata);
581 * Marshall directly into the outgoing PDU space. We
582 * must do this as we need to set to the bind response
583 * header and are never sending more than one PDU here.
586 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
587 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
591 * Initialize a bind_nak header.
594 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
595 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
598 * Marshall the header into the outgoing PDU.
601 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
602 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
603 prs_mem_free(&outgoing_rpc);
608 * Now add the reject reason.
611 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
612 prs_mem_free(&outgoing_rpc);
616 p->out_data.data_sent_length = 0;
617 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
618 p->out_data.current_pdu_sent = 0;
620 p->pipe_bound = False;
625 /*******************************************************************
626 Marshall a fault pdu.
627 *******************************************************************/
629 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
631 prs_struct outgoing_pdu;
633 RPC_HDR_RESP hdr_resp;
634 RPC_HDR_FAULT fault_resp;
636 /* Free any memory in the current return data buffer. */
637 prs_mem_free(&p->out_data.rdata);
640 * Marshall directly into the outgoing PDU space. We
641 * must do this as we need to set to the bind response
642 * header and are never sending more than one PDU here.
645 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
646 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
649 * Initialize a fault header.
652 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
653 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
656 * Initialize the HDR_RESP and FAULT parts of the PDU.
659 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
661 fault_resp.status = status;
662 fault_resp.reserved = 0;
665 * Marshall the header into the outgoing PDU.
668 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
669 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
670 prs_mem_free(&outgoing_pdu);
674 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
675 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
676 prs_mem_free(&outgoing_pdu);
680 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
681 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
682 prs_mem_free(&outgoing_pdu);
686 p->out_data.data_sent_length = 0;
687 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
688 p->out_data.current_pdu_sent = 0;
690 prs_mem_free(&outgoing_pdu);
694 /*******************************************************************
695 Ensure a bind request has the correct abstract & transfer interface.
696 Used to reject unknown binds from Win2k.
697 *******************************************************************/
699 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
702 extern struct pipe_id_info pipe_names[];
705 fstrcpy(pname,"\\PIPE\\");
706 fstrcat(pname,pipe_name);
708 for(i=0;pipe_names[i].client_pipe; i++) {
709 if(strequal(pipe_names[i].client_pipe, pname))
713 if(pipe_names[i].client_pipe == NULL)
716 /* check the abstract interface */
717 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
718 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
719 sizeof(RPC_UUID)) != 0))
722 /* check the transfer interface */
723 if((transfer->version != pipe_names[i].trans_syntax.version) ||
724 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
725 sizeof(RPC_UUID)) != 0))
731 /*******************************************************************
732 Respond to a pipe bind request.
733 *******************************************************************/
735 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
739 RPC_HDR_AUTH auth_info;
741 fstring ack_pipe_name;
742 prs_struct out_hdr_ba;
744 prs_struct outgoing_rpc;
747 enum RPC_PKT_TYPE reply_pkt_type;
749 p->ntlmssp_auth_requested = False;
751 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
754 * Try and find the correct pipe name to ensure
755 * that this is a pipe name we support.
758 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
759 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
760 api_fd_commands[i].fn != NULL) {
761 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
762 api_fd_commands[i].pipe_clnt_name,
763 api_fd_commands[i].pipe_srv_name));
764 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
769 if (api_fd_commands[i].fn == NULL) {
770 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
772 if(!setup_bind_nak(p))
777 /* decode the bind request */
778 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
779 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
784 * Check if this is an authenticated request.
787 if (p->hdr.auth_len != 0) {
788 RPC_AUTH_VERIFIER auth_verifier;
789 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
792 * Decode the authentication verifier.
795 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
796 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
801 * We only support NTLMSSP_AUTH_TYPE requests.
804 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
805 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
806 auth_info.auth_type ));
810 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
811 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
815 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
816 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
820 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
821 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
822 auth_verifier.msg_type));
826 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
827 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
831 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
832 p->ntlmssp_auth_requested = True;
835 switch(p->hdr.pkt_type) {
837 /* name has to be \PIPE\xxxxx */
838 fstrcpy(ack_pipe_name, "\\PIPE\\");
839 fstrcat(ack_pipe_name, p->pipe_srv_name);
840 reply_pkt_type = RPC_BINDACK;
843 /* secondary address CAN be NULL
844 * as the specs say it's ignored.
845 * It MUST NULL to have the spoolss working.
847 fstrcpy(ack_pipe_name,"");
848 reply_pkt_type = RPC_ALTCONTRESP;
854 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
857 * Marshall directly into the outgoing PDU space. We
858 * must do this as we need to set to the bind response
859 * header and are never sending more than one PDU here.
862 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
863 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
866 * Setup the memory to marshall the ba header, and the
870 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
871 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
872 prs_mem_free(&outgoing_rpc);
876 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
877 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
878 prs_mem_free(&outgoing_rpc);
879 prs_mem_free(&out_hdr_ba);
883 if (p->ntlmssp_auth_requested)
886 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
889 * Create the bind response struct.
892 /* If the requested abstract synt uuid doesn't match our client pipe,
893 reject the bind_ack & set the transfer interface synt to all 0's,
894 ver 0 (observed when NT5 attempts to bind to abstract interfaces
896 Needed when adding entries to a DACL from NT5 - SK */
898 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
899 init_rpc_hdr_ba(&hdr_ba,
907 RPC_IFACE null_interface;
908 ZERO_STRUCT(null_interface);
909 /* Rejection reason: abstract syntax not supported */
910 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
911 MAX_PDU_FRAG_LEN, assoc_gid,
912 ack_pipe_name, 0x1, 0x2, 0x1,
920 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
921 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
926 * Now the authentication.
929 if (p->ntlmssp_auth_requested) {
930 RPC_AUTH_VERIFIER auth_verifier;
931 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
933 generate_random_buffer(p->challenge, 8, False);
935 /*** Authentication info ***/
937 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
938 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
939 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
943 /*** NTLMSSP verifier ***/
945 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
946 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
947 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
951 /* NTLMSSP challenge ***/
953 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
954 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
955 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
959 /* Auth len in the rpc header doesn't include auth_header. */
960 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
964 * Create the header, now we know the length.
967 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
969 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
973 * Marshall the header into the outgoing PDU.
976 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
977 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
982 * Now add the RPC_HDR_BA and any auth needed.
985 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
986 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
990 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
991 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
995 if(!p->ntlmssp_auth_requested)
996 p->pipe_bound = True;
999 * Setup the lengths for the initial reply.
1002 p->out_data.data_sent_length = 0;
1003 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1004 p->out_data.current_pdu_sent = 0;
1006 prs_mem_free(&out_hdr_ba);
1007 prs_mem_free(&out_auth);
1013 prs_mem_free(&outgoing_rpc);
1014 prs_mem_free(&out_hdr_ba);
1015 prs_mem_free(&out_auth);
1019 /****************************************************************************
1020 Deal with sign & seal processing on an RPC request.
1021 ****************************************************************************/
1023 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1026 * We always negotiate the following two bits....
1028 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1029 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1035 auth_len = p->hdr.auth_len;
1037 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1038 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1043 * The following is that length of the data we must verify or unseal.
1044 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1045 * preceeding the auth_data.
1048 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1049 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1051 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1052 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1056 * The data in rpc_in doesn't contain the RPC_HEADER as this
1057 * has already been consumed.
1059 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1060 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1061 crc32 = crc32_calc_buffer(data, data_len);
1064 old_offset = prs_offset(rpc_in);
1066 if (auth_seal || auth_verify) {
1067 RPC_HDR_AUTH auth_info;
1069 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1070 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1071 (unsigned int)old_offset + data_len ));
1075 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1076 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1082 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1083 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1085 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1088 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1091 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1092 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1093 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1097 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1098 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1099 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1103 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1104 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1110 * Return the current pointer to the data offset.
1113 if(!prs_set_offset(rpc_in, old_offset)) {
1114 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1115 (unsigned int)old_offset ));
1122 /****************************************************************************
1123 Return a user struct for a pipe user.
1124 ****************************************************************************/
1126 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1128 if (p->ntlmssp_auth_validated) {
1129 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1131 extern struct current_user current_user;
1132 memcpy(user, ¤t_user, sizeof(struct current_user));
1138 /****************************************************************************
1139 Find the correct RPC function to call for this request.
1140 If the pipe is authenticated then become the correct UNIX user
1141 before doing the call.
1142 ****************************************************************************/
1144 BOOL api_pipe_request(pipes_struct *p)
1148 BOOL changed_user_id = False;
1150 if (p->ntlmssp_auth_validated) {
1152 if(!become_authenticated_pipe_user(p)) {
1153 prs_mem_free(&p->out_data.rdata);
1157 changed_user_id = True;
1160 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1161 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1162 api_fd_commands[i].fn != NULL) {
1163 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1164 set_current_rpc_talloc(p->mem_ctx);
1165 ret = api_fd_commands[i].fn(p);
1166 set_current_rpc_talloc(NULL);
1171 unbecome_authenticated_pipe_user(p);
1176 /*******************************************************************
1177 Calls the underlying RPC function for a named pipe.
1178 ********************************************************************/
1180 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1181 struct api_struct *api_rpc_cmds)
1185 uint32 offset1, offset2;
1187 /* interpret the command */
1188 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1190 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1191 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1193 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1194 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1195 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1200 if (api_rpc_cmds[fn_num].name == NULL) {
1202 * For an unknown RPC just return a fault PDU but
1203 * return True to allow RPC's on the pipe to continue
1204 * and not put the pipe into fault state. JRA.
1206 DEBUG(4, ("unknown\n"));
1207 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1211 offset1 = prs_offset(&p->out_data.rdata);
1213 /* do the actual command */
1214 if(!api_rpc_cmds[fn_num].fn(p)) {
1215 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1216 prs_mem_free(&p->out_data.rdata);
1220 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1221 offset2 = prs_offset(&p->out_data.rdata);
1222 prs_set_offset(&p->out_data.rdata, offset1);
1223 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1224 prs_set_offset(&p->out_data.rdata, offset2);
1226 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1228 /* Check for buffer underflow in rpc parsing */
1230 if ((DEBUGLEVEL >= 10) &&
1231 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1232 int data_len = p->in_data.data.buffer_size -
1233 p->in_data.data.data_offset;
1236 data = malloc(data_len);
1238 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1240 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,