2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998.
7 * Copyright (C) Jeremy Allison 1999.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 /* this module apparently provides an implementation of DCE/RPC over a
25 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
26 * documentation are available (in on-line form) from the X-Open group.
28 * this module should provide a level of abstraction between SMB
29 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
30 * data copies, and network traffic.
32 * in this version, which takes a "let's learn what's going on and
33 * get something running" approach, there is additional network
34 * traffic generated, but the code should be easier to understand...
36 * ... if you read the docs. or stare at packets for weeks on end.
42 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
44 unsigned char *hash = p->ntlmssp_hash;
45 unsigned char index_i = hash[256];
46 unsigned char index_j = hash[257];
49 for( ind = 0; ind < len; ind++) {
54 index_j += hash[index_i];
57 hash[index_i] = hash[index_j];
60 t = hash[index_i] + hash[index_j];
61 data[ind] = data[ind] ^ hash[t];
68 /*******************************************************************
69 Generate the next PDU to be returned from the data in p->rdata.
70 We cheat here as this function doesn't handle the special auth
71 footers of the authenticated bind response reply.
72 ********************************************************************/
74 BOOL create_next_pdu(pipes_struct *p)
76 RPC_HDR_RESP hdr_resp;
77 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
78 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
80 uint32 data_space_available;
82 prs_struct outgoing_pdu;
88 * If we're in the fault state, keep returning fault PDU's until
89 * the pipe gets closed. JRA.
93 setup_fault_pdu(p, NT_STATUS(0x1c010002));
97 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
99 /* Change the incoming request header to a response. */
100 p->hdr.pkt_type = RPC_RESPONSE;
102 /* Set up rpc header flags. */
103 if (p->out_data.data_sent_length == 0)
104 p->hdr.flags = RPC_FLG_FIRST;
109 * Work out how much we can fit in a single PDU.
112 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
113 if(p->ntlmssp_auth_validated)
114 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
117 * The amount we send is the minimum of the available
118 * space and the amount left to send.
121 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
124 * Ensure there really is data left to send.
128 DEBUG(0,("create_next_pdu: no data left to send !\n"));
132 data_len = MIN(data_len_left, data_space_available);
135 * Set up the alloc hint. This should be the data left to
139 hdr_resp.alloc_hint = data_len_left;
142 * Set up the header lengths.
145 if (p->ntlmssp_auth_validated) {
146 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
147 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
148 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
155 * Work out if this PDU will be the last.
158 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
159 p->hdr.flags |= RPC_FLG_LAST;
162 * Init the parse struct to point at the outgoing
166 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
167 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
169 /* Store the header in the data stream. */
170 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
171 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
172 prs_mem_free(&outgoing_pdu);
176 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
177 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
178 prs_mem_free(&outgoing_pdu);
182 /* Store the current offset. */
183 data_pos = prs_offset(&outgoing_pdu);
185 /* Copy the data into the PDU. */
186 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
188 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
189 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
190 prs_mem_free(&outgoing_pdu);
195 * Set data to point to where we copied the data into.
198 data = prs_data_p(&outgoing_pdu) + data_pos;
200 if (p->hdr.auth_len > 0) {
203 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
204 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
207 crc32 = crc32_calc_buffer(data, data_len);
208 NTLMSSPcalc_p(p, (uchar*)data, data_len);
211 if (auth_seal || auth_verify) {
212 RPC_HDR_AUTH auth_info;
214 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
215 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
216 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
217 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
218 prs_mem_free(&outgoing_pdu);
224 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225 char *auth_data = prs_data_p(&outgoing_pdu);
227 p->ntlmssp_seq_num++;
228 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229 crc32, p->ntlmssp_seq_num++);
230 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
233 prs_mem_free(&outgoing_pdu);
236 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
241 * Setup the counts for this PDU.
244 p->out_data.data_sent_length += data_len;
245 p->out_data.current_pdu_len = p->hdr.frag_len;
246 p->out_data.current_pdu_sent = 0;
248 prs_mem_free(&outgoing_pdu);
252 /*******************************************************************
253 Process an NTLMSSP authentication response.
254 If this function succeeds, the user has been authenticated
255 and their domain, name and calling workstation stored in
257 The initial challenge is stored in p->challenge.
258 *******************************************************************/
260 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
272 struct auth_context *auth_context = NULL;
273 auth_usersupplied_info *user_info = NULL;
274 auth_serversupplied_info *server_info = NULL;
279 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
281 memset(p->user_name, '\0', sizeof(p->user_name));
282 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
283 memset(p->domain, '\0', sizeof(p->domain));
284 memset(p->wks, '\0', sizeof(p->wks));
286 /* Set up for non-authenticated user. */
287 delete_nt_token(&p->pipe_user.nt_user_token);
288 p->pipe_user.ngroups = 0;
289 SAFE_FREE( p->pipe_user.groups);
292 * Setup an empty password for a guest user.
296 * We always negotiate UNICODE.
299 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
301 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
302 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
304 pull_ascii_fstring(user_name, ntlmssp_resp->user);
305 pull_ascii_fstring(domain, ntlmssp_resp->domain);
306 pull_ascii_fstring(wks, ntlmssp_resp->wks);
309 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
312 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
314 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
315 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
317 #ifdef DEBUG_PASSWORD
318 DEBUG(100,("lm, nt owfs, chal\n"));
319 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
320 dump_data(100, (char *)nt_owf, nt_pw_len);
321 dump_data(100, (char *)p->challenge, 8);
325 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
331 * Do the length checking only if user is not NULL.
334 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
336 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
338 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
340 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
342 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
347 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
349 if (!make_user_info_netlogon_network(&user_info,
350 user_name, domain, wks,
352 nt_owf, nt_pw_len)) {
353 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
357 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
359 (auth_context->free)(&auth_context);
360 free_user_info(&user_info);
362 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
364 if (!p->ntlmssp_auth_validated) {
365 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
366 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
367 free_server_info(&server_info);
372 * Set up the sign/seal data.
377 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
389 for (ind = 0; ind < 256; ind++)
390 p->ntlmssp_hash[ind] = (unsigned char)ind;
392 for( ind = 0; ind < 256; ind++) {
395 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
397 tc = p->ntlmssp_hash[ind];
398 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
399 p->ntlmssp_hash[j] = tc;
402 p->ntlmssp_hash[256] = 0;
403 p->ntlmssp_hash[257] = 0;
405 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
406 p->ntlmssp_seq_num = 0;
410 fstrcpy(p->user_name, user_name);
411 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
412 fstrcpy(p->domain, domain);
413 fstrcpy(p->wks, wks);
416 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
419 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
420 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
421 free_server_info(&server_info);
425 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
427 uid = pdb_get_uid(server_info->sam_account);
428 gid = pdb_get_gid(server_info->sam_account);
430 p->pipe_user.uid = uid;
431 p->pipe_user.gid = gid;
433 /* Set up pipe user group membership. */
434 initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
435 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
437 if (server_info->ptok)
438 add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
440 /* Create an NT_USER_TOKEN struct for this user. */
441 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
442 p->pipe_user.ngroups, p->pipe_user.groups,
443 server_info->guest, server_info->ptok);
445 p->ntlmssp_auth_validated = True;
447 pdb_free_sam(&server_info->sam_account);
451 /*******************************************************************
452 The switch table for the pipe names and the functions to handle them.
453 *******************************************************************/
457 char * pipe_clnt_name;
458 char * pipe_srv_name;
459 BOOL (*fn) (pipes_struct *);
462 static struct api_cmd api_fd_commands[] =
464 { "lsarpc", "lsass", api_ntlsa_rpc },
465 { "samr", "lsass", api_samr_rpc },
466 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
467 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
468 { "NETLOGON", "lsass", api_netlog_rpc },
469 { "winreg", "winreg", api_reg_rpc },
470 { "spoolss", "spoolss", api_spoolss_rpc },
471 { "netdfs", "netdfs" , api_netdfs_rpc },
475 /*******************************************************************
476 This is the client reply to our challenge for an authenticated
477 bind request. The challenge we sent is in p->challenge.
478 *******************************************************************/
480 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
482 RPC_HDR_AUTHA autha_info;
483 RPC_AUTH_VERIFIER auth_verifier;
484 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
486 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
488 if (p->hdr.auth_len == 0) {
489 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
494 * Decode the authentication verifier response.
497 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
498 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
502 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
503 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
504 (int)autha_info.auth_type, (int)autha_info.auth_level ));
508 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
509 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
514 * Ensure this is a NTLMSSP_AUTH packet type.
517 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
518 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
522 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
523 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
528 * The following call actually checks the challenge/response data.
529 * for correctness against the given DOMAIN\user name.
532 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
540 /*******************************************************************
541 Marshall a bind_nak pdu.
542 *******************************************************************/
544 static BOOL setup_bind_nak(pipes_struct *p)
546 prs_struct outgoing_rpc;
550 /* Free any memory in the current return data buffer. */
551 prs_mem_free(&p->out_data.rdata);
554 * Marshall directly into the outgoing PDU space. We
555 * must do this as we need to set to the bind response
556 * header and are never sending more than one PDU here.
559 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
560 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
564 * Initialize a bind_nak header.
567 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
568 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
571 * Marshall the header into the outgoing PDU.
574 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
575 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
576 prs_mem_free(&outgoing_rpc);
581 * Now add the reject reason.
584 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
585 prs_mem_free(&outgoing_rpc);
589 p->out_data.data_sent_length = 0;
590 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
591 p->out_data.current_pdu_sent = 0;
593 p->pipe_bound = False;
598 /*******************************************************************
599 Marshall a fault pdu.
600 *******************************************************************/
602 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
604 prs_struct outgoing_pdu;
606 RPC_HDR_RESP hdr_resp;
607 RPC_HDR_FAULT fault_resp;
609 /* Free any memory in the current return data buffer. */
610 prs_mem_free(&p->out_data.rdata);
613 * Marshall directly into the outgoing PDU space. We
614 * must do this as we need to set to the bind response
615 * header and are never sending more than one PDU here.
618 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
619 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
622 * Initialize a fault header.
625 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
626 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
629 * Initialize the HDR_RESP and FAULT parts of the PDU.
632 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
634 fault_resp.status = status;
635 fault_resp.reserved = 0;
638 * Marshall the header into the outgoing PDU.
641 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
642 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
643 prs_mem_free(&outgoing_pdu);
647 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
648 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
649 prs_mem_free(&outgoing_pdu);
653 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
654 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
655 prs_mem_free(&outgoing_pdu);
659 p->out_data.data_sent_length = 0;
660 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
661 p->out_data.current_pdu_sent = 0;
663 prs_mem_free(&outgoing_pdu);
667 /*******************************************************************
668 Ensure a bind request has the correct abstract & transfer interface.
669 Used to reject unknown binds from Win2k.
670 *******************************************************************/
672 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
675 extern struct pipe_id_info pipe_names[];
678 fstrcpy(pname,"\\PIPE\\");
679 fstrcat(pname,pipe_name);
681 for(i=0;pipe_names[i].client_pipe; i++) {
682 if(strequal(pipe_names[i].client_pipe, pname))
686 if(pipe_names[i].client_pipe == NULL)
689 /* check the abstract interface */
690 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
691 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
692 sizeof(RPC_UUID)) != 0))
695 /* check the transfer interface */
696 if((transfer->version != pipe_names[i].trans_syntax.version) ||
697 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
698 sizeof(RPC_UUID)) != 0))
704 /*******************************************************************
705 Respond to a pipe bind request.
706 *******************************************************************/
708 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
712 RPC_HDR_AUTH auth_info;
714 fstring ack_pipe_name;
715 prs_struct out_hdr_ba;
717 prs_struct outgoing_rpc;
720 enum RPC_PKT_TYPE reply_pkt_type;
722 p->ntlmssp_auth_requested = False;
724 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
727 * Try and find the correct pipe name to ensure
728 * that this is a pipe name we support.
731 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
732 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
733 api_fd_commands[i].fn != NULL) {
734 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
735 api_fd_commands[i].pipe_clnt_name,
736 api_fd_commands[i].pipe_srv_name));
737 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
742 if (api_fd_commands[i].fn == NULL) {
743 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
745 if(!setup_bind_nak(p))
750 /* decode the bind request */
751 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
752 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
757 * Check if this is an authenticated request.
760 if (p->hdr.auth_len != 0) {
761 RPC_AUTH_VERIFIER auth_verifier;
762 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
765 * Decode the authentication verifier.
768 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
774 * We only support NTLMSSP_AUTH_TYPE requests.
777 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
778 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
779 auth_info.auth_type ));
783 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
784 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
788 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
789 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
793 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
794 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
795 auth_verifier.msg_type));
799 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
800 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
804 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
805 p->ntlmssp_auth_requested = True;
808 switch(p->hdr.pkt_type) {
810 /* name has to be \PIPE\xxxxx */
811 fstrcpy(ack_pipe_name, "\\PIPE\\");
812 fstrcat(ack_pipe_name, p->pipe_srv_name);
813 reply_pkt_type = RPC_BINDACK;
816 /* secondary address CAN be NULL
817 * as the specs say it's ignored.
818 * It MUST NULL to have the spoolss working.
820 fstrcpy(ack_pipe_name,"");
821 reply_pkt_type = RPC_ALTCONTRESP;
827 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
830 * Marshall directly into the outgoing PDU space. We
831 * must do this as we need to set to the bind response
832 * header and are never sending more than one PDU here.
835 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
836 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
839 * Setup the memory to marshall the ba header, and the
843 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
844 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
845 prs_mem_free(&outgoing_rpc);
849 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
850 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
851 prs_mem_free(&outgoing_rpc);
852 prs_mem_free(&out_hdr_ba);
856 if (p->ntlmssp_auth_requested)
859 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
862 * Create the bind response struct.
865 /* If the requested abstract synt uuid doesn't match our client pipe,
866 reject the bind_ack & set the transfer interface synt to all 0's,
867 ver 0 (observed when NT5 attempts to bind to abstract interfaces
869 Needed when adding entries to a DACL from NT5 - SK */
871 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
872 init_rpc_hdr_ba(&hdr_ba,
880 RPC_IFACE null_interface;
881 ZERO_STRUCT(null_interface);
882 /* Rejection reason: abstract syntax not supported */
883 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
884 MAX_PDU_FRAG_LEN, assoc_gid,
885 ack_pipe_name, 0x1, 0x2, 0x1,
893 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
894 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
899 * Now the authentication.
902 if (p->ntlmssp_auth_requested) {
903 RPC_AUTH_VERIFIER auth_verifier;
904 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
906 generate_random_buffer(p->challenge, 8, False);
908 /*** Authentication info ***/
910 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
911 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
912 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
916 /*** NTLMSSP verifier ***/
918 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
919 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
920 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
924 /* NTLMSSP challenge ***/
926 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
927 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
928 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
932 /* Auth len in the rpc header doesn't include auth_header. */
933 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
937 * Create the header, now we know the length.
940 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
942 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
946 * Marshall the header into the outgoing PDU.
949 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
950 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
955 * Now add the RPC_HDR_BA and any auth needed.
958 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
959 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
963 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
964 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
968 if(!p->ntlmssp_auth_requested)
969 p->pipe_bound = True;
972 * Setup the lengths for the initial reply.
975 p->out_data.data_sent_length = 0;
976 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
977 p->out_data.current_pdu_sent = 0;
979 prs_mem_free(&out_hdr_ba);
980 prs_mem_free(&out_auth);
986 prs_mem_free(&outgoing_rpc);
987 prs_mem_free(&out_hdr_ba);
988 prs_mem_free(&out_auth);
992 /****************************************************************************
993 Deal with sign & seal processing on an RPC request.
994 ****************************************************************************/
996 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
999 * We always negotiate the following two bits....
1001 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1002 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1008 auth_len = p->hdr.auth_len;
1010 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1011 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1016 * The following is that length of the data we must verify or unseal.
1017 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1018 * preceeding the auth_data.
1021 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1022 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1024 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1025 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1029 * The data in rpc_in doesn't contain the RPC_HEADER as this
1030 * has already been consumed.
1032 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1033 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1034 crc32 = crc32_calc_buffer(data, data_len);
1037 old_offset = prs_offset(rpc_in);
1039 if (auth_seal || auth_verify) {
1040 RPC_HDR_AUTH auth_info;
1042 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1043 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1044 (unsigned int)old_offset + data_len ));
1048 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1049 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1055 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1056 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1058 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1061 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1064 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1065 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1066 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1070 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1071 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1072 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1076 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1077 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1083 * Return the current pointer to the data offset.
1086 if(!prs_set_offset(rpc_in, old_offset)) {
1087 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1088 (unsigned int)old_offset ));
1095 /****************************************************************************
1096 Return a user struct for a pipe user.
1097 ****************************************************************************/
1099 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1101 if (p->ntlmssp_auth_validated) {
1102 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1104 extern struct current_user current_user;
1105 memcpy(user, ¤t_user, sizeof(struct current_user));
1111 /****************************************************************************
1112 Find the correct RPC function to call for this request.
1113 If the pipe is authenticated then become the correct UNIX user
1114 before doing the call.
1115 ****************************************************************************/
1117 BOOL api_pipe_request(pipes_struct *p)
1122 if (p->ntlmssp_auth_validated) {
1124 if(!become_authenticated_pipe_user(p)) {
1125 prs_mem_free(&p->out_data.rdata);
1130 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1131 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1132 api_fd_commands[i].fn != NULL) {
1133 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1134 set_current_rpc_talloc(p->mem_ctx);
1135 ret = api_fd_commands[i].fn(p);
1136 set_current_rpc_talloc(NULL);
1140 if(p->ntlmssp_auth_validated)
1141 unbecome_authenticated_pipe_user();
1146 /*******************************************************************
1147 Calls the underlying RPC function for a named pipe.
1148 ********************************************************************/
1150 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1151 struct api_struct *api_rpc_cmds)
1155 uint32 offset1, offset2;
1157 /* interpret the command */
1158 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1160 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1161 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1163 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1164 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1165 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1170 if (api_rpc_cmds[fn_num].name == NULL) {
1172 * For an unknown RPC just return a fault PDU but
1173 * return True to allow RPC's on the pipe to continue
1174 * and not put the pipe into fault state. JRA.
1176 DEBUG(4, ("unknown\n"));
1177 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1181 offset1 = prs_offset(&p->out_data.rdata);
1183 /* do the actual command */
1184 if(!api_rpc_cmds[fn_num].fn(p)) {
1185 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1186 prs_mem_free(&p->out_data.rdata);
1190 if (p->bad_handle_fault_state) {
1191 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1192 p->bad_handle_fault_state = False;
1193 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1197 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1198 offset2 = prs_offset(&p->out_data.rdata);
1199 prs_set_offset(&p->out_data.rdata, offset1);
1200 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1201 prs_set_offset(&p->out_data.rdata, offset2);
1203 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1205 /* Check for buffer underflow in rpc parsing */
1207 if ((DEBUGLEVEL >= 10) &&
1208 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1209 int data_len = p->in_data.data.buffer_size -
1210 p->in_data.data.data_offset;
1213 data = malloc(data_len);
1215 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1217 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,